Re: Repository of virus/worm propagation methods?
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 09/29/03
- Previous message: Matt Zimmerman: "Re: cron exploit?"
- In reply to: Alavan: "Repository of virus/worm propagation methods?"
- Next in thread: dentonj1_at_cox.net: "Re: Repository of virus/worm propagation methods?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Sep 2003 12:01:09 -0700 (PDT)
To: incidents@securityfocus.com
Alavan,
> Is there a site that lists how all these virus/worms
> replicate?
Sure...most a/v sites maintain info on how worms and
viruses propagate/replicate.
> Clearly both are infected or compromised and are
> doing different things,
You lost me, dude. How did you come to this
conclusion, based on denied ICMP packets? Timing?
What about data content? How is this any different
from someone pinging?
> but I would like a way to review a virus/worm
> listing of methods of propagation.
I'm not sure that there are many worms or viruses that
propagate via denied ICMP packets.
> I realize that requiring the customer to obtain a
> virus scanner would go
> toward solving the problem, but often times these
> machines are compromised
> and merely cleaning the original back door doesn't
> remove the intruder.
You're right. However, performing an incident
response investigation and determining the root cause
does...particularly if it's acted upon.
> Traffic pattern recognitions would be extremely
> helpful in this case.
This happens a lot...a vulnerability is announced, and
is followed by an increase in scanning for the
affected port. Some systems do put out more than your
usual amount of (ICMP) traffic when affected, but
looking at a list of denied statements isn't going to
help you determine if the system was compromised or
not. At the very least, you need to capture some
data, as well.
But I think another issue at hand is the readiness
with which many folks will cry "security breach".
I've seen Linux-based SANs report CPU temps in excess
of 400 degrees Celsius, and shut the system down.
System malfunction, NOT a security incident. NICs and
cards go bad, memory sticks fail, etc. Looking at a
bunch of ICMP packets and deciding that a system is
compromised can be a dangerous way of doing business.
Harlan
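As an added illustration of the point made above (this is not code from the original post or its author), here is a small Python triage over a constructed set of firewall deny entries: it aggregates ICMP echo requests per source so that a sustained sweep across many addresses can be separated from ordinary pinging, and flags the former only as a candidate for packet capture, never as proof of compromise. The iptables-style log format, the addresses and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict

def _line(src, dst, proto="ICMP", extra=" TYPE=8"):
    # Constructed deny entry in an iptables-like format (an assumption, not a real capture).
    return f"Sep 29 11:58:01 fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO={proto}{extra}"

# Constructed sample: one host sweeping ten addresses, one host pinging a single
# address three times, and one non-ICMP deny that the ICMP summary must ignore.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", f"192.0.2.{i}") for i in range(10, 20)]
    + [_line("10.0.0.7", "192.0.2.10")] * 3
    + [_line("10.0.0.9", "192.0.2.10", "TCP", " DPT=135")]
)

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: TYPE=(\d+))?")

def summarize_icmp(log_text):
    """Count ICMP echo requests (type 8) per source and the distinct targets each hit."""
    stats = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, icmp_type = m.groups()
        if proto != "ICMP" or icmp_type != "8":
            continue  # only echo requests are of interest here
        stats[src]["count"] += 1
        stats[src]["targets"].add(dst)
    return stats

def triage(stats, sweep_threshold=8):
    """Label each source. A 'sweep' is a reason to capture traffic, not a verdict:
    denied ICMP entries alone cannot tell a compromised host from a noisy one."""
    verdicts = {}
    for src, s in stats.items():
        if len(s["targets"]) >= sweep_threshold:
            verdicts[src] = "sweep: capture packets from this host before concluding anything"
        else:
            verdicts[src] = "pings: no action warranted from deny entries alone"
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(summarize_icmp(SAMPLE_LOG)).items():
        print(src, "->", verdict)
```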