Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: cuebot-d infection method

From: Irwan Ismail <irwan.ismail () gmail com>
Date: Thu, 25 Aug 2005 12:39:54 +0800
I think you should know that blocking ports at the firewall isn't
enough anymore these days. With VPNs and remote access, your
teleworker & mobile users can easily get infected at home (or wherever
they may be) while there's an open path directly into your
organization.

On 8/25/05, Matt Stockdale <mstockda () logicworks net> wrote:

Jeff -

  I've just cleaned up four machines here, all Windows 2000. We're
scratching our heads, as the "published" propagation method is over port
445, which wasn't open on the firewall.

  We suspect it may have come through the client's VPN access, or maybe
someone wrapped this backdoor in another exploit for delivery.

Thanks,
  Matt

On Wed, 2005-08-24 at 12:03, Jeff Bryner wrote:

I've seen a couple cuebot-d infections over the last couple days and am
trying to track down the source of them. Has anyone seen enough of this
to know the universe of ways the pc gets initially infected?

The pcs that have gotten infected have mcafee running on them  which
incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is
requested. It didn't seem to pick it up *until* a scan was requested.

The writeup at http://www.sophos.com/virusinfo/analyses/w32cuebotd.html
fits the scenario, but it doesn't say exactly what the initial
infection vector is.

Thanks for any help.

Jeff
CISSP, GCIH, GCFA
Previous By Date Next
Previous By Thread Next

Current thread: