Zero Day Exploits

From the Internet Storm Center:

> McD's Bomber Message Malware
>
> We've had several reports from folks reporting receipt of messages with the subject line "McDonald's bomber jailed for life". This message includes a link to various sites with the common domain lastrez_DONOTCLICK_.com. (_DONOTCLICK_ added for emphasis!)
>
> Visiting the site redirects to a page "mc.html" on the same site that attempts to exploit the MS05-038 (4) bug, creating a file called w.hta. Handler David Goldsmith has called upon the Yesnic registry to stop resolving this domain, and the China-Netcom ISP to stop hosting this site, but at the time of this writing, the site is still operational. Organizations may want to consider blocking the site at 210.22.50.80 to prevent click-happy users from infecting their systems.

Last Tuesday was Microsoft Patch Tuesday. As you know from my incessant emails, it's the second Tuesday of every month. In the past it took the hackers and evildoers a couple of days to reverse engineer the patches and build tools to exploit unpatched systems. The Internet Storm Center (1) is reporting that this has changed; they call it the zero-day exploit problem. Strictly speaking these are exploits for a bug that has just been patched, but the point stands: attacks and exploits now start circulating within hours of the patch, well before most systems have been updated. The site in the report above is exploiting MS05-038 (4), one of last Tuesday's patches.

We firewall the network and run layered antivirus on incoming email (2) (3), but this malware is not an attachment: the email only carries a link, and the exploit is delivered by the web page you land on. The email filters cannot stop you from clicking, and there is always some delay before the antivirus vendors have a signature for new malware and push it out to us.
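As an added illustration (this is not from the ISC diary and not part of our mail gateway), here is a small Python scanner that applies the indicators from the ISC report above, the subject line, the lastrez.com domain (shown defanged in the quote) and the 210.22.50.80 address, to two constructed sample messages. The sender addresses in the samples are placeholders. It matches the domain label by label, so a look-alike such as notlastrez.com is not flagged.

```python
"""Match the indicators from the ISC 'McDonald's bomber' diary against messages.

Added example: the indicator values come from the quoted ISC report; the
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators from the ISC diary. The quote defangs the domain as
# "lastrez_DONOTCLICK_.com"; the real domain is restored here.
BLOCKED_DOMAINS = frozenset({"lastrez.com"})
BLOCKED_IPS = frozenset({"210.22.50.80"})
SUSPECT_SUBJECTS = frozenset({"mcdonald's bomber jailed for life"})

URL_RE = re.compile(r"(?i)\bhttps?://[^\s<>\"')]+")


def normalize_subject(subject):
    """Collapse whitespace, straighten curly apostrophes, lower-case."""
    subject = subject.replace("\u2019", "'")
    return " ".join(subject.split()).lower()


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Label-aware on purpose: 'notlastrez.com' must not match 'lastrez.com'.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_hosts(text):
    """Return the hostnames of every http(s) URL found in text, in order."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def message_body(msg):
    """Concatenate the decoded text parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_message(raw):
    """Return the list of indicator hits for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    hits = []
    subject = normalize_subject(msg.get("Subject") or "")
    if subject in SUSPECT_SUBJECTS:
        hits.append("subject:" + subject)
    for host in extract_hosts(message_body(msg)):
        if host in BLOCKED_IPS:
            hits.append("ip:" + host)
        elif any(host_in_domain(host, d) for d in BLOCKED_DOMAINS):
            hits.append("domain:" + host)
    return hits


# Constructed sample messages (sender addresses are placeholders).
SAMPLE_LURE = """\
From: news@example.invalid
Subject: McDonald's bomber jailed for life

Full story: http://www.lastrez.com/news/
Mirror: http://210.22.50.80/
"""

SAMPLE_BENIGN = """\
From: colleague@example.invalid
Subject: Lunch on Friday?

Menu is at http://www.example.com/lunch and http://notlastrez.com/
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        hits = classify_message(raw)
        print(f"{label}: {'BLOCK ' + ', '.join(hits) if hits else 'clean'}")
```

Run it on its own and the lure message is reported with three hits (subject, domain, IP) while the benign one comes back clean. The same indicator sets can be fed to a gateway or proxy blocklist; the script only shows how the matching should be done so that subdomains of the bad domain are caught and look-alike names are not.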

Therefore, be cautious. Don't click links in unexpected messages, even when the subject reads like a news headline. If you see something suspicious, let us know. When you see the Microsoft auto-update icon in the system tray next to the clock, open it and install all security-related updates. Don't let it wait.

  1. Internet Storm Center: http://isc.sans.org
  2. Symantec AntiVirus Corporate Edition: http://www.sarc.com
  3. ClamAV: http://www.clamav.net
  4. Microsoft Security Bulletin MS05-038: http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx