Anyone know if this is real? boep-blackd

We are testing a software called ISS Proventia and it seems to have discovered a Buffer Overflow Exploit virus on a network currently being scanned by McAfee Enterprise. Can I have some input if this looks legitimate, or if its a bug in the software causing false possitives.

2000003 : Teardrop IP fragmentation

A "TearDrop" attack consists of an attacker sending a series of fragmented IP datagram pairs to the target system (how many pairs depends on the operating system; Windows NT can take up to 50, while Linux can be crashed with one pair). The first fragment is sent with an offset of 0 (telling the IP that it is the first fragment in the list) and a payload of size N. Subsequent fragments are sent with an offset that tells the IP that it should overlap inside the previous fragment. However, the fragment's payload is either non-existent, or very small (1 or 2 bytes). Affected systems either crash or restart.

Other variations of this attack are known as "NewTear," "Nestea," "SynDrop," and "Bonk," among others.

Process ID 976
SystemCall NTcreatefile
Blocked YES
Killed NO
C:\ISS\Proventia Desktop\blackd.exe
User SYSTEM
Domain NTAUTHORITY
SecChkID 16199
Alert Name BOEP-blackd
Return Addr 01980e88

Any ideas?


Thanks!

Trekk

 

Try looking for what started it. The PID is 976, and this can be viewed in the Processes List under Task Manager in Windows XP. This will give you an idea as to whether it is a real process, or some injection of code into a running process.