RE: New Nimda?

From: Steve (steveat_private)
Date: Thu Mar 07 2002 - 18:45:15 PST


    Hi Tony.
    
    I don't think it is a new variant, as I had always seen the spoofed Mail
    From: field in any Nimda mailing I have seen.  I have also seen another
    wave of default.ida attempts recently -- just in time to test the new
    IDS.
    
    Steve Manzuik
    Secure Solutions
    www.securesolutions.org
    
    > -----Original Message-----
    > From: Bradley, Tony [mailto:tony.bradleyat_private] 
    > Sent: Thursday, March 07, 2002 12:48 PM
    > To: 'incidentsat_private'
    > Subject: New Nimda?
    > 
    > 
    > The ideas and opinions expressed in this email do not in any 
    > way reflect or represent the opinions of my employer...
    > 
    > Has anyone been seeing any new variation of Nimda? From my 
    > research Nimda was alleged to be able to spoof the "from" 
    > address in its mass-mailing propagation, but I was under the 
    > impression that piece was not functional.
    > 
    > Twice in the last week I have seen blank messages with the 
    > Sample.exe file attachment that are picked up by all major 
    > anti-virus software as Nimda, but the from address was 
    > spoofed. The systems that were alleged to have propagated the 
    > virus checked out clean and did not send any email during the 
    > timeframe that the recipients got the infected messages.
    > 
    > It seems as if someone has fixed that spoofing functionality 
    > but I can't find any evidence of an officially recognized new 
    > variant. Has anyone else seen something similar or have any 
    > more information on Nimda spoofing the email address?
    > 
    > 
    > Tony Bradley, MCSE, MCSA, MCP, A+
    > Threat & Vulnerability Monitor
    > Electronic Data Systems
    > 
    > "The price of success is hard work, dedication to the job at 
    > hand, and the determination that whether we win or lose, we 
    > have applied the best of ourselves to the task at hand."  ~ 
    > Vince Lombardi ~
    > 
    >   
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 19:42:10 PST