Re: Funlove virus attacking Print queues

From: Jagh, Kevin (TGA/MLOL) (KJagh@EXCHANGE.ML.COM)
Date: 02/06/02


Date:         Wed, 6 Feb 2002 16:06:25 -0500
From: "Jagh, Kevin (TGA/MLOL)" <KJagh@EXCHANGE.ML.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I recommend also the honeypot, with an alphanumerically superior NETBIOS name (~Trap). This should be one of your oldest and slowest boxes. ;)

Create shares with a billion copies of regsvr32.exe (empirically I have discovered this to be readily infectable and my AV vendor has confirmed).

Script traps on it (net sessions). You can snmpwalk the attached boxes to confirm flcss. You can also script detection based on how many files are open (i.e., we have lots of people who browse, and therefore attach, but only someone with my target files is an infector by definition).

By the time your alerting mechanism is triggered, you'll still have HOURS before the virus is able to traverse that one box if you've created enough shares and regsvr32 copies within them.

Use CLEANFLC to restore machines (and also inoculate).

Hope this helps,
Kevin Jagh
VP, Manager
SI&DS/Technology Support
Kevin_Jagh@ml.com

-----Original Message-----
From: Exibar [mailto:exibar@THELAIR.COM]
Sent: Tuesday, February 05, 2002 2:07 PM
  I have a honeypot machine setup on each major subnet on my network that
<snip>
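One way to script the open-file trap Kevin describes, as an added example that is not part of his post or of any product named in it: poll the SMB open-file table on the trap box and flag any client that has more than a handful of the bait executables open at once. A browsing user opens one or two files; a FunLove-style infector walks the tree and opens every PE it finds. The script assumes a Windows Server 2012 or later trap box with the SmbShare cmdlets (the 2002-era equivalent would be parsing `net file` output), a bait tree under a hypothetical `C:\Trap`, bait files named `regsvr32.exe`, and that it runs as an administrator on the trap box.

```powershell
# Added example, not from the original post. Assumes: PowerShell on
# Windows Server 2012+ with the SmbShare module, run as an administrator
# on the honeypot. Share root, bait file name and threshold are assumptions.
param(
    [string]$BaitShareRoot  = 'C:\Trap',       # local root the bait shares map to (assumed)
    [string]$BaitFileName   = 'regsvr32.exe',  # name of the bait copies (assumed)
    [int]   $Threshold      = 5,               # opens per client that count as an infector
    [int]   $IntervalSeconds = 30
)

function Get-BaitOpeners {
    param([string]$Root, [string]$Name, [int]$MinOpens)

    # Every file currently held open over SMB on this server, restricted to
    # bait copies under the trap root. Path is the server-local path.
    $opens = Get-SmbOpenFile |
        Where-Object { $_.Path -like "$Root*" -and $_.Path -like "*\$Name" }

    # Group by the connecting machine: a browser holds one or two files,
    # an infector holds many. Emit one record per client over the threshold.
    $opens |
        Group-Object ClientComputerName |
        Where-Object { $_.Count -ge $MinOpens } |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                User     = ($_.Group | Select-Object -First 1).ClientUserName
                Opens    = $_.Count
                Sessions = ($_.Group | Select-Object -ExpandProperty SessionId -Unique) -join ','
            }
        }
}

# Poll loop; stop with Ctrl-C. Alerts go to the warning stream so the
# script can be wrapped by whatever paging or logging you already use.
while ($true) {
    $hits = Get-BaitOpeners -Root $BaitShareRoot -Name $BaitFileName -MinOpens $Threshold
    foreach ($h in $hits) {
        $msg = '{0:s} possible FunLove infector {1} ({2}) has {3} bait files open (sessions {4})' -f `
            (Get-Date), $h.Client, $h.User, $h.Opens, $h.Sessions
        Write-Warning $msg
        # Optional: drop the client's sessions so the trap keeps buying time
        # while you respond. An infector reconnects, which is itself a signal.
        # Get-SmbSession -ClientComputerName $h.Client | Close-SmbSession -Force
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it from an elevated prompt on the trap box (`.\Watch-BaitShare.ps1 -Threshold 10`) and feed the warning stream into your alerting; the threshold should sit well above what a curious user browsing the share produces, which you can measure by watching the script for a day before enabling any session-closing response. Note that a client that has already infected and closed the bait files no longer shows up in the open-file table, so pair this with the `net sessions` and snmpwalk checks the post describes rather than relying on it alone.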



