Great research from Daniel Clemens and McAfee:
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://www.packetninjas.net/?p=73
Daniel has put up a signature that ought to be reliable. It's in CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple of weeks if so.
As far as we know the existing sigs for the actual MS08-067 will catch the exploit attempts internally.
Some activity seems related to ushealthmart.com. This domain has been known bad for a very long time, and I've personally reported it to GoDaddy, where it's registered, several times months ago on other trojans. No response unfortunately. Thanks GoDaddy! Making the world a safer place... for someone.
Happy de-worming!!
Matt





