Hello and welcome to the Tuesday, June 2nd, 2006 edition of the Sands Internet Storms Center's Stormcast.

My name is Johannes Ulrich, recorded today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu created certificate program in cyber security

engineering. In diaries today, we have a post by Brad talking about a new rat or remote access

tool that Brad found. Now, in the end, this particular infection ends up with net support rat, and it starts out with

sort of a standard click fix campaign.

But in the middle, there is an interesting rat that really shows some odd behavior.

For example, it uses HTTP over Port 443, and then it also uses just data over Port 443. That's not TLS. It uses some kind of custom

encoding. So nothing that Brad really sort of found being written up to before. Definitely is

something that also I don't remember seeing particular, seeing just HTTP over Port 443.

Not really sure why if that's supposed to basically fit in with other HGPS traffic.

These days, the bad guys pretty much use HGPS exclusively, just like anybody on the Internet.

So if anybody has any insight here for Brad,

please let us know.

And the Belgium Center for Cybersecurity

is warning that Warnability at Microsoft patched in May,

that's the Windows Net Logon vulnerability,

is already being exploited.

Haven't seen anything official from Microsoft, but they

may be busy consulting with their lawyers about this. So assume it's being compromised, make sure

you are patched in order to exploit this war on a billion. And hacker would actually have to

connect to Port 389 to the LDAB port.

...