Tracking SirCam
From: Peter Krawczyk (petek@mc.net)
Date: 07/25/01
- Previous message: Stuart Staniford: "Re: tcpdump traces of CodeRed (lab environment)"
- Next in thread: Don Hammond: "Re: Tracking SirCam"
- Reply: Don Hammond: "Re: Tracking SirCam"
- Reply: Greg A. Woods: "Re: Tracking SirCam"
- Reply: Gary Flynn: "Re: Tracking SirCam"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Jul 2001 10:49:05 -0600 (MDT)
From: Peter Krawczyk <petek@mc.net>
To: <incidents@securityfocus.com>
Subject: Tracking SirCam
Message-ID: <Pine.LNX.4.33.0107251043150.6319-100000@equerry.bsod.net>
Trying to track the SirCam virus without looking at the body of the
message, we've found a way to track it via headers.
In the header of the message, everything looks dynamic, and so tracking it
seems to be hard. However, there is a slip -- the Date: header actually
appears as 'date:'.
A cursory examination of thousands of emails from mailing lists, private
sources, and other sources shows that the only messages using the lower
case 'date:' for the header are sent by the SirCam virus.
This may help those of you who want to filter on headers and not on
message body.
-Pete K
--
Pete Krawczyk <petek@mc.net>
Senior System Administrator
mc.net <http://www.mc.net/>
(847) 594-5111

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
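A header-level check for the heuristic described in the post, written here as an added example (it is not code from the original message). It reads the raw header field names with their case preserved, because RFC 822 header names are case-insensitive and a standard mail parser folds 'date:' and 'Date:' together, hiding exactly the detail the post relies on. The two sample messages are constructed for illustration, not real SirCam traffic.

```python
import re
from email import message_from_string

# Constructed sample headers (not real SirCam traffic): one message with the
# lowercase 'date:' field the post describes, one with the usual 'Date:'.
SUSPECT_MSG = (
    "From: someone@example.com\n"
    "To: you@example.com\n"
    "Subject: Hi\n"
    "date: Wed, 25 Jul 2001 10:49:05 -0600\n"
    "Content-Type: multipart/mixed; boundary=\"x\"\n"
    "\n"
    "body omitted\n"
)
NORMAL_MSG = (
    "From: colleague@example.com\n"
    "To: you@example.com\n"
    "Subject: Meeting\n"
    "Date: Wed, 25 Jul 2001 11:00:00 -0600\n"
    "\n"
    "See you at noon.\n"
)

# A header field name is printable ASCII (33-126) except ':' (RFC 2822 s.2.2).
FIELD_NAME_RE = re.compile(r"^([!-9;-~]+):")

def raw_header_names(raw_message: str) -> list:
    """Return header field names exactly as written, case preserved.
    Folded continuation lines (leading whitespace) are skipped; parsing stops
    at the first blank line, which ends the header section."""
    header_block = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    names = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t"):
            continue
        m = FIELD_NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names

def has_lowercase_date_header(raw_message: str) -> bool:
    """The heuristic from the post: flag a field literally spelled 'date:'."""
    return "date" in raw_header_names(raw_message)

def parsed_date(raw_message: str):
    """For contrast: the stdlib parser folds case, so 'date:' and 'Date:'
    both come back as the Date header and the original spelling is lost."""
    return message_from_string(raw_message)["Date"]
```

Run the check against the message as received (before any MTA or library rewrites it), since the distinguishing feature is only the spelling of the field name.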