RE: Increasing ICMP Echo Requests

From: Ken Dunham (dunhamk_at_rmci.net)
Date: 08/18/03

    To: "Dan Hanson" <dhanson@securityfocus.com>, "Ken Eichman" <keichman@cas.org>
    Date: Mon, 18 Aug 2003 14:21:16 -0600
    
    

    > > A number of people have informed me that this traffic is probably
    > > generated by a "good samaritan" worm apparently named 'Msblast.d'
    > > or 'Welchia' (Symantec) or 'Nachi' (Mcafee), which removes msblast
    >
    > It might be my over-paranoid nature, but I think that labeling this, or
    > any other worm, as a good samaritan worm is dangerous. We have no way of
    > verifying or holding the author accountable, and it may be that some
    > hostile functionality exists in the worm and it is simply patching to
    > protect itself.

    It opens TCP port 707. Doesn't sound nice to me.

    Patching is most likely a technique for the malicious actor to maintain
    exclusive control over the computer. This way others can't exploit the same
    wide open holes to compromise a computer.

    The whole argument of a good worm is nonsense anyway. Anyone making changes
    to my computer without my knowing about it is going to hear about it loudly.
    Administrators managing thousands of computers feel the same way, especially
    when a patch mucks up their environment or causes down time. Sometimes
    delaying a patch is the best thing for an organization, forced to choose
    between the lesser of two evils. This reminds me of the Cheese worm, cheesy
    at best (2002).

    Ken
    Malicious Code Intelligence Manager
    PGP KeyID: 0x6A8AC63F
    iDEFENSE Inc. - www.idefense.com
    The power of intelligence starts here!


