RE: Increasing ICMP Echo Requests
From: Ken Dunham (dunhamk_at_rmci.net)
Date: 08/18/03
- Previous message: Ken Eichman: "Re(2): Increasing ICMP Echo Requests"
- In reply to: Dan Hanson: "Re: Increasing ICMP Echo Requests"
- Next in thread: Jeff Kell: "Re: Increasing ICMP Echo Requests"
- Reply: Jeff Kell: "Re: Increasing ICMP Echo Requests"
To: "Dan Hanson" <dhanson@securityfocus.com>, "Ken Eichman" <keichman@cas.org>
Date: Mon, 18 Aug 2003 14:21:16 -0600
> > A number of people have informed me that this traffic is probably
> > generated by a "good samaritan" worm apparently named 'Msblast.d'
> > or 'Welchia' (Symantec) or 'Nachi' (Mcafee), which removes msblast
>
> It might be my over-paranoid nature, but I think that labeling this, or
> any other worm, as a good samaritan worm is dangerous. We have no way of
> verifying or holding the author accountable, and it may be that some
> hostile functionality exists in the worm and it is simply patching to
> protect itself.
It opens TCP port 707. Doesn't sound nice to me.
Patching is most likely a technique for the malicious actor to maintain
exclusive control over the computer. This way others can't exploit the same
wide open holes to compromise a computer.
The whole argument of a good worm is nonsense anyway. Anyone making changes
to my computer without my knowing about it is going to hear about it loudly.
Administrators managing thousands of computers feel the same way, especially
when a patch mucks up their environment or causes downtime. Sometimes
delaying a patch is the best thing for an organization, forced to choose
between the lesser of two evils. This reminds me of the Cheese worm, cheesy
at best (2002).
Ken
Malicious Code Intelligence Manager
PGP KeyID: 0x6A8AC63F
iDEFENSE Inc. - www.idefense.com
The power of intelligence starts here!