I noticed that in the past two days, there is a suspicious activity on port 80(HTTP). Our smallpot system captured packets sent to this port and after some rough analysis; it is known that the packets is exploiting the ASN.1 vulnerability (MS04-007) so un-patched machines from MS04-007 are affected. Below, I show a part of the packet when it is still Base64 encoded and the payload part of the packet after decoding.
Still base64 encoded:
After decoding:
This incident is not as proliferate as what we had way back 2005. This incident means that there are still users with machines un-patched from known vulnerabilities. On the bright side, the fact that the count of packets received is low means that users are getting educated to security threats and are applying security patches to their machines.
Again, it advised that users apply security patches provided by the software vendor to be secured from attacks exploiting known old vulnerabilities. Always have your antivirus pattern files updated. This is important if your business relies on connecting to the wild internet to have lesser chance of getting infected by malicious software.
