Nimda

From: Jeff Wulfekuhl (woffles@bellsouth.net)
Date: 09/21/01


Message-ID: <004301c142c5$66f35c60$0201a8c0@dualhat.com>
From: "Jeff Wulfekuhl" <woffles@bellsouth.net>
To: <focus-linux@securityfocus.com>
Subject: Nimda
Date: Fri, 21 Sep 2001 10:46:54 -0700

Have any of you tried Labrea for stopping the worm? I was told about it
last night and it sounds pretty interesting. It doesn't stop it completely
but frees up a lot of your bandwidth. From what I understand you put a
system on your network running it and it listens for ARP requests; when one
is not answered within three seconds by any of your systems it pretends to
be the system requested and answers the request. Once it sets up a dialog
with the infected machine it then requests to change the window size down to
5 bytes and then down to 0. This temporarily locks up the distant end that
is attacking you. Sounds interesting and I believe it runs on Linux.

Jeff Wulfekuhl
RHCE #807101170003511
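The tarpit behaviour Jeff describes (claim addresses whose ARP requests go unanswered, then hold the worm's connection with a shrinking TCP window) reduces to two small pieces of logic. The following is an added illustration written for this archive page; it is not Jeff's code and not LaBrea's own implementation. The three-second timeout and the 5-then-0 window sizes come from the post; the event format, the `claimed_addresses` and `tarpit_dialog` function names, the segment labels and the sample addresses are constructed for the example.

```python
# Toy model of the unanswered-ARP tarpit described in the post (constructed example;
# not LaBrea's code). The timeout and window sizes are taken from the post, the
# event format and function names are assumptions made for this illustration.

ARP_TIMEOUT = 3.0   # seconds an ARP request may go unanswered before the tarpit answers
FIRST_WINDOW = 5    # receive window advertised once the handshake completes
FINAL_WINDOW = 0    # window advertised from then on, so the peer can send nothing


def claimed_addresses(events, now):
    """Decide which addresses the tarpit should start answering for.

    events: iterable of (timestamp, kind, ip) where kind is "request" (someone
    asked who has ip) or "reply" (a real host answered for ip). now: the time
    of the final sweep. Returns the set of IPs whose request went unanswered
    for at least ARP_TIMEOUT seconds.
    """
    pending = {}      # ip -> time of the earliest still-unanswered request
    claimed = set()
    for t, kind, ip in sorted(events):
        if kind == "reply":
            pending.pop(ip, None)       # a live host owns this address; leave it alone
            claimed.discard(ip)
        elif kind == "request" and ip not in claimed:
            first = pending.setdefault(ip, t)
            if t - first >= ARP_TIMEOUT:
                claimed.add(ip)         # nobody answered in time: tarpit takes the address
                del pending[ip]
    # Requests that never saw another request but still aged out by 'now'.
    for ip, first in pending.items():
        if now - first >= ARP_TIMEOUT:
            claimed.add(ip)
    return claimed


def tarpit_dialog(incoming):
    """Simulate the tarpit's side of a TCP conversation with the scanning host.

    incoming: list of segment labels from the peer: "SYN", "ACK" (completing
    the handshake), "PSH" (data) or "PROBE" (a zero-window probe).
    Returns the (flags, window) replies the tarpit sends: it completes the
    handshake with a 5-byte window, drops to 0 as soon as the peer tries to
    send, and afterwards only ever re-advertises 0, so the peer sits in its
    persist-timer loop instead of moving on to the next address.
    """
    replies = []
    established = False
    for seg in incoming:
        if seg == "SYN":
            replies.append(("SYN-ACK", FIRST_WINDOW))
        elif seg == "ACK" and not established:
            established = True          # handshake done; the tarpit has nothing to send
        elif established:
            replies.append(("ACK", FINAL_WINDOW))   # data or probe: accept nothing, keep it waiting
    return replies


if __name__ == "__main__":
    # Constructed sample: 10.0.0.5 is a real host, 10.0.0.9 and 10.0.0.7 are unused.
    sample_arp = [
        (0.0, "request", "10.0.0.5"), (0.5, "reply", "10.0.0.5"),
        (1.0, "request", "10.0.0.9"), (4.2, "request", "10.0.0.9"),
        (2.0, "request", "10.0.0.7"),
    ]
    print(sorted(claimed_addresses(sample_arp, now=6.0)))
    print(tarpit_dialog(["SYN", "ACK", "PSH", "PROBE", "PROBE"]))
```

The first function is where a deployment choice matters: on a network with hosts that answer ARP slowly (sleeping laptops, hosts behind a misbehaving switch), a three-second timeout can make the tarpit claim a real address, which is why the model relinquishes an address the moment a genuine reply for it appears.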


