Repository of virus/worm propagation methods?
From: Alavan (alavan_at_pangeatech.com)
Date: 09/29/03
- Previous message: Mauro Marazzi: "Help in flood"
- Next in thread: Harlan Carvey: "Re: Repository of virus/worm propagation methods?"
- Reply: Harlan Carvey: "Re: Repository of virus/worm propagation methods?"
- Reply: dentonj1_at_cox.net: "Re: Repository of virus/worm propagation methods?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Sep 2003 09:50:32 -0700
To: incidents@securityfocus.com
Hello,
Is there a site that lists how all these virus/worms replicate?
Specifically, as a SysAdmin of a small ISP I see patterns of traffic and
would like to be able to identify them to help the user clean their
machine. For instance, one user's machine is doing this:
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-28-2003 20:52:50 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
09-28-2003 20:52:49 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet
And yet another is doing this:
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
09-29-2003 09:29:10 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
09-29-2003 09:29:05 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
09-29-2003 09:29:01 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
09-29-2003 09:28:58 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
09-29-2003 09:28:52 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.26.255.231 (3/3), 2 packets
Clearly both are infected or compromised and are doing different things,
but I would like a way to review a virus/worm listing of methods of
propagation. Most virus companies require you to know the virus/worm name
before you can view characteristics.
I realize that requiring the customer to obtain a virus scanner would go
toward solving the problem, but oftentimes these machines are compromised
and merely cleaning the original back door doesn't remove the intruder.
Traffic pattern recognition would be extremely helpful in this case.
Any help would be appreciated.
Alavan
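As an added example that is not part of the original post: a small Python script that parses the Cisco IOS access-list log lines quoted above and summarizes, per source MAC and ICMP type/code, how many packets were sent and how many distinct destinations were hit, which is the kind of traffic-pattern recognition the post is asking for. It assumes the exact log layout shown (the "(8/0)" field being ICMP type/code); the fan-out threshold of 5 distinct destinations is an arbitrary choice for this sample.

```python
import re
from collections import defaultdict
LINE_RE = re.compile(  # Cisco IOS ACL log entry for ICMP; "(8/0)" is ICMP type/code
    r"^(?P<date>\S+) (?P<time>\S+) list (?P<acl>\d+) (?P<action>\w+) icmp (?P<src>\S+) "
    r"\((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\) -> (?P<dst>\S+) \((?P<itype>\d+)/(?P<icode>\d+)\), "
    r"(?P<pkts>\d+) packets?$")

def parse_line(line):
    """Fields of one ICMP ACL log entry (type/code/packets as ints), or None if no match."""
    m = LINE_RE.match(line.strip())
    return {k: int(v) if k in ("itype", "icode", "pkts") else v
            for k, v in m.groupdict().items()} if m else None

def summarize(lines):
    """Per (source MAC, ICMP type, code): total packets and the set of distinct destinations."""
    stats = defaultdict(lambda: {"pkts": 0, "dsts": set()})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[(rec["mac"], rec["itype"], rec["icode"])]
        s["pkts"] += rec["pkts"]
        s["dsts"].add(rec["dst"])
    return stats

def classify(stats, fanout=5):
    """Describe each (source MAC, type, code) flow; fanout = distinct destinations that count as a sweep."""
    out = {}
    for (mac, t, c), s in stats.items():
        n = len(s["dsts"])
        if (t, c) == (8, 0) and n >= fanout:   # echo requests fanned out across many hosts
            out[(mac, t, c)] = f"echo-request sweep: {n} hosts, {s['pkts']} pkts (host-discovery scan pattern)"
        elif (t, c) == (3, 3) and n >= fanout: # host answering UDP to closed ports from many peers
            out[(mac, t, c)] = f"port-unreachable to {n} peers, {s['pkts']} pkts (inbound UDP hitting closed ports)"
        else:
            out[(mac, t, c)] = f"ICMP type {t}/code {c} to {n} host(s), {s['pkts']} pkts"
    return out

# The two logs quoted in the post, each entry re-joined onto one line.
SAMPLE = """\
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-28-2003 20:52:50 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
09-28-2003 20:52:49 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
09-29-2003 09:29:10 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
09-29-2003 09:29:05 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
09-29-2003 09:29:01 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
09-29-2003 09:28:58 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
09-29-2003 09:28:52 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.26.255.231 (3/3), 2 packets
""".splitlines()
```

Calling `classify(summarize(SAMPLE))` labels the first MAC as an echo-request sweep across 5 hosts and the second as port-unreachable replies to 6 peers; in production the same aggregation would run over a sliding time window rather than a whole file.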