Nimda

From: Jeff Wulfekuhl (woffles@bellsouth.net)
Date: 09/21/01


Message-ID: <004301c142c5$66f35c60$0201a8c0@dualhat.com>
From: "Jeff Wulfekuhl" <woffles@bellsouth.net>
To: <focus-linux@securityfocus.com>
Subject: Nimda
Date: Fri, 21 Sep 2001 10:46:54 -0700

Have any of you tried LaBrea for stopping the worm? I was told about it
last night and it sounds pretty interesting. It doesn't stop it completely,
but it frees up a lot of your bandwidth. From what I understand, you put a
system on your network running it, and it listens for ARP requests; when one
is not answered within three seconds by any of your systems, it pretends to
be the system requested and answers the request. Once it sets up a dialog
with the infected machine, it then requests to change the window size down to
5 bytes and then down to 0. This temporarily locks up the distant end that
is attacking you. Sounds interesting, and I believe it runs on Linux.

Jeff Wulfekuhl
RHCE #807101170003511
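The two mechanisms the post describes, as an added example that is not part of the original message and not LaBrea's own code. The first part models the ARP side on a constructed timeline: an address whose ARP request no real host answers within three seconds is one the tarpit will claim. The second part approximates the window-closing hold with ordinary sockets rather than LaBrea's raw-packet approach: a listener with a tiny receive buffer accepts and never reads, so its own TCP stack advertises a zero window once the buffer fills and the peer's send() stalls. The kernel enforces a minimum buffer size, so the advertised window will not literally be 5 bytes, but the attacker-side stall is the same. All addresses, timings, and the payload are constructed for the demonstration.

```python
"""Added example, not LaBrea's source: a model of the ARP-claiming rule from
the post and a user-space approximation of the zero-window hold."""
import socket
import threading

ARP_UNANSWERED_SECONDS = 3.0   # the threshold quoted in the post

# Constructed ARP timeline: (seconds, "request" | "reply", target IP).
SAMPLE_ARP_EVENTS = [
    (0.0, "request", "192.168.1.10"),   # real host, answers quickly
    (0.1, "reply",   "192.168.1.10"),
    (0.5, "request", "192.168.1.77"),   # nobody answers: the tarpit claims it
    (1.0, "request", "192.168.1.78"),   # slow host, answers 1.5 s later
    (2.0, "request", "192.168.1.78"),
    (2.5, "reply",   "192.168.1.78"),
    (6.0, "request", "192.168.1.77"),   # already claimed, the tarpit answers
]


def unanswered_arp_targets(events, now, timeout=ARP_UNANSWERED_SECONDS):
    """Return the IPs a LaBrea-style box would answer for, in the order they
    were claimed: each had an ARP request unanswered for `timeout` seconds."""
    pending = {}        # ip -> time of the first unanswered request
    claimed = []

    def expire(t):
        for ip, t0 in list(pending.items()):
            if t - t0 >= timeout:
                claimed.append(ip)
                del pending[ip]

    for t, kind, ip in sorted(events):
        expire(t)
        if ip in claimed:
            continue                     # the tarpit now owns this address
        if kind == "request":
            pending.setdefault(ip, t)    # a retry does not restart the clock
        elif kind == "reply":
            pending.pop(ip, None)        # a real host answered
    expire(now)
    return claimed


def start_tarpit(rcvbuf=1024):
    """Listen on an ephemeral loopback port, accept every connection and never
    read from it.  SO_RCVBUF is set before listen() so accepted sockets inherit
    the tiny buffer; once it fills, the kernel advertises window 0 to the peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    held = []                       # accepted sockets, kept open and unread

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:         # listener closed: shut the trap down
                return
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, held


def bytes_until_stall(addr, timeout=1.0, sndbuf=4096, limit=1 << 26):
    """Play the infected client: push data until send() blocks for `timeout`
    seconds.  Returns (bytes_accepted, stalled)."""
    payload = b"GET /probe HTTP/1.0\r\n\r\n" * 512   # constructed filler
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, sndbuf)
    client.settimeout(timeout)
    client.connect(addr)
    sent = 0
    try:
        while sent < limit:
            sent += client.send(payload)
    except socket.timeout:          # both buffers full: the peer is held
        return sent, True
    finally:
        client.close()
    return sent, False


def demo_tarpit():
    """Start the trap, stall one client against it, and clean up."""
    srv, held = start_tarpit()
    try:
        return bytes_until_stall(srv.getsockname())
    finally:
        srv.close()
        for conn in held:
            conn.close()


if __name__ == "__main__":
    print("claimed addresses:", unanswered_arp_targets(SAMPLE_ARP_EVENTS, now=10.0))
    sent, stalled = demo_tarpit()
    print(f"client stalled after {sent} bytes" if stalled else "client never stalled")
```

The ARP part is pure logic over the constructed timeline, so it can be dropped into any capture-driven tool. The socket part shows the effect the post is after from the attacker's side: the client's send() blocks once its own send buffer and the trap's receive buffer are full, which is exactly the stall a worm's scanner thread sees.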