
Handler's Diary October 18th 2005


MS05-012 not MS05-051 exploit found

Published: 2005-10-18
Last Updated: 2005-10-18 05:18:40 UTC by Johannes Ullrich (Version: 4)


Later this evening, Trend updated their webpage concerning the TROJ_SSPLOIT.A virus to show that it was not MS05-051, but was MS05-012 instead. Thanks to Microsoft for updating us on this as well.

Original Message:

Trend Micro reports that they spotted a PoC for MS05-051 in the wild. They found it included as a new exploit in other malware. We don't have any details yet beyond what can be found at Trend Micro. If you find a copy of this malware, please forward it.

Trend Micro states that the malware was written in Visual Basic, which usually indicates some low-skilled bot-kid. It is kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.

Trend Micro's virus statistics do not report any "captures" of this exploit in the wild. We are not exactly sure whether this is just a lab sample or whether it was actually seen in the "wild".

We will update this diary as we learn more.
