Iraq Oil Worm Targeting TCP Port 445
Posted on 18.12.2002
On December 14, 2002 at 11:00 UTC the myNetWatchman system identified a worm-like surge in port scanning activity targeting TCP port 445. This port is associated with Microsoft's networking protocol (Server Message Block - SMB) when used with Windows 2000 and XP systems.

The worm propagates by generating a psuedo-random IP address and exploiting hosts which have the following weak security configuration:
  • Anonymous Null Sessions fully enabled
  • Weak (or null) passwords on privileged user accounts
Detailed analysis of the worm can be read from myNetWatchman.



OBrien, Brennan posted the following to the Incidents mailing list:
Apparently this has been identified as WORM_LIOTEN.A through TREND, W32.HLLW.Lioten via Symantec and W32/Lioten.worm via McAfee.



Internet Storm Center reports an increase in port 445 scans, which can be seen from their report located at:
http://isc.incidents.org/port_details.html?port=445



Steve Friedl: "Iraq Oil" worm reverse engineering & analysis
http://www.unixwiz.net/iraqworm/





Spotlight

Most popular Android apps open users to MITM attacks

Posted on 21 August 2014.  |  An analysis of the 1,000 most popular free Android apps from the Google Play store has revealed a depressing fact: most of them sport an SSL/TLS vulnerability that can be misused for executing MITM attacks, and occasionally additional ones, as well.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Aug 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //