[Emerging-Sigs] attack on Kaspersky users
Jim McQuaid
jim.mcquaid at gmail.com
Tue Feb 26 22:22:16 EST 2008
That is a good, plausible explanation. I was installing the updated
version, but old code can leak through when rushing to get out a fix
for an exploit. I don't have any PCaps; I had difficulty getting the
initial set of definitions updates through Snort Inline the first time
I installed it, and subsequently went through Smoothwall only.
On Tue, Feb 26, 2008 at 8:37 PM, David Glosser <david.glosser at gmail.com> wrote:
> Is it possible that Kaspersky used 69.80.225.21 and the older version is
> still pointing to it?
>
> That CNet isn't exactly clean; Kaspersky has some interesting
> neighbors...
>
> http://www.robtex.com/cnet/69.80.225.html
>
> On Tue, Feb 26, 2008 at 7:36 PM, Jim McQuaid <jim.mcquaid at gmail.com> wrote:
>
> >
> > I reloaded a Windows machine about a week ago, turned off NetBios,
> > etc., patched it, installed Kaspersky, and updated Kaspersky. All the
> > while, it was protected from the LAN behind an AlphaShield. In a
> > review of the firewall logs I found a connection attempt from
> > 69.80.225.21 to the machine, which is milfbordello.com. I was
> > perplexed because the machine had not been surfed on at all (nor was
> > there any other traffic to or from 69.80.225.21). So I did a Google
> > search and found other instances of this phenomenon:
> > http://forum.kaspersky.com/lofiversion/index.php/t59862.html
> >
> > Kaspersky has virus definitions update servers on the same CNet at
> > 69.80.225.58 (dnl-us5.kaspersky-labs.com) and 69.80.225.110
> > (dnl-pr1.kaspersky-labs.com). I purchased Kaspersky at a retail
> > store during Christmas season because I wanted to diversify my
> > anti-virus demographic such that the entire LAN wasn't relying on
> > AntiVir. However, the version that came in the retail box is
> > vulnerable to exploit according to Secunia's PSI. One has to
> > uninstall the retail box software and install a new version which is
> > available for download. Is 69.80.225.21 being used to attack
> > Kaspersky users while they update? In my case, I initially installed
> > the updated, non-vulnerable version. The machine has come up clean
> > after numerous intensive setting scans (so intensive that you can't
> > use the machine).
> >
> > To block milfbordello.com, but not Kaspersky, one can block
> > 69.80.225.0/27 (which is 69.80.225.0 - 69.80.225.31). Do we want to
> > make people aware of this?
> >
> > Also, note potential illegal activity in one of the domains at
> > 69.80.225.69.
> >
> > James McQuaid
> > http://www.jamesmcquaid.com
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
--
James McQuaid
http://www.jamesmcquaid.com
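A quick way to confirm that the /27 proposed in the quoted message blocks 69.80.225.21 without cutting off the two Kaspersky update servers, as an added example that is not part of the thread. The addresses are the ones quoted above; the function names and the "widest block that excludes the protected hosts" search are my own construction, not anything from the list or from Kaspersky.

```python
import ipaddress

# Addresses taken from the thread: the suspect host and the two Kaspersky
# definition-update servers that must stay reachable.
SUSPECT = ipaddress.ip_address("69.80.225.21")
KEEP_REACHABLE = [
    ipaddress.ip_address("69.80.225.58"),   # dnl-us5.kaspersky-labs.com
    ipaddress.ip_address("69.80.225.110"),  # dnl-pr1.kaspersky-labs.com
]


def widest_block_excluding(target, protected):
    """Return the widest CIDR network that contains `target` but none of
    the `protected` addresses. Starts at the host's /32 and widens the
    prefix one bit at a time, stopping just before a protected address
    would fall inside the block."""
    best = ipaddress.ip_network(f"{target}/32")
    for prefix in range(31, -1, -1):
        candidate = ipaddress.ip_network(f"{target}/{prefix}", strict=False)
        if any(p in candidate for p in protected):
            break
        best = candidate
    return best


def check_block(network, target, protected):
    """Evaluate a proposed firewall block: does it cover the target, and
    which protected hosts (if any) would it wrongly catch?"""
    net = ipaddress.ip_network(network)
    collateral = [str(p) for p in protected if p in net]
    return target in net, collateral


if __name__ == "__main__":
    block = widest_block_excluding(SUSPECT, KEEP_REACHABLE)
    print(f"widest safe block: {block} "
          f"({block.network_address} - {block.broadcast_address})")
    for proposal in ("69.80.225.0/27", "69.80.225.0/24"):
        covers, hits = check_block(proposal, SUSPECT, KEEP_REACHABLE)
        print(f"{proposal}: blocks suspect={covers}, "
              f"would also block={hits or 'nothing'}")
```

Running it reports 69.80.225.0/27 (69.80.225.0 - 69.80.225.31) as the widest safe block, matching the range given in the message, while a whole /24 would also cut off both update servers.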