Re: Repository of virus/worm propagation methods?

dentonj1_at_cox.net
Date: 09/30/03

    Date: Mon, 29 Sep 2003 19:07:09 -0700 (MST)
    To: Alavan <alavan@pangeatech.com>
    
    

    On Mon, 29 Sep 2003, Alavan wrote:

    > 09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0
    > 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet

    > 09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0
    > 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets

    You don't have much information to go by. It looks like the icmp type
    codes are included which means the first one is a ping and the second
    one is a port unreachable error. With the second one, the system may
    just be a victim of something trying to connect to it. Without more
    information, it's hard to say what it is.

    And if the second one is a port unreachable error, why are you blocking
    it? Blocking type 3 - Destination Unreachable icmp traffic will cause
    all kinds of problems, including network applications taking forever to
    timeout, downloads not being able to complete, applications simply
    refusing to work, and complaints from customers that don't make any
    sense and are hard to troubleshoot. I'd leave an ISP if they started
    blocking all icmp traffic.

    > Clearly both are infected or compromised and are doing different things,
    > but I would like a way to review a virus/worm listing of methods of
    > propagation. Most virus companies require you to know the virus/worm name
    > before you can view characteristics.

    Start by reading the RFCs for TCP, IP, ICMP, etc. You also need to
    set up your firewall to provide a LOT more information in the logs. The
    lines you provided don't give you enough information to determine much
    of anything.

    > I realize that requiring the customer to obtain a virus scanner would go
    > toward solving the problem, but often times these machines are compromised
    > and merely cleaning the original back door doesn't remove the intruder.
    > Traffic pattern recognitions would be extremely helpful in this case.

    Use an IDS. Snort works great and it will run on Windows.

    dentonj

    --
    for(;P("\n"),R=;P("|"))for(e=C;e=P("_"+(*u++/8)%2))P("|"+(*u/4)%2);
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
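As an added example (not part of the original thread or dentonj's post), the following Python script does by hand what the reply does in its head: it parses Cisco IOS access-list log lines in the format Alavan quoted, decodes the ICMP `(type/code)` field against RFC 792 names, and separates plain echo requests from ICMP error messages such as type 3 (destination unreachable), which are replies to traffic someone else sent and which the reply argues should not be blocked. The sample log lines are constructed for the example (the first two mirror the ones quoted above, the `xxx` octets kept as written; the last two are invented to show other type/code values); the log format regex assumes exactly the layout shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in the Cisco IOS access-list log format quoted in the
# thread. The first two lines follow the ones in the post; the last two are
# invented to exercise other type/code values. Not a real capture.
SAMPLE_LOG = """\
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
09-29-2003 10:02:41 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/1), 1 packet
09-29-2003 10:05:03 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 192.0.2.10 (11/0), 1 packet
"""

# One IOS ACL log line: date time "list <acl> <action> icmp <src> (<iface> <mac>) -> <dst> (<type>/<code>), N packet(s)"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) icmp "
    r"(?P<src>\S+) \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<packets>\d+) packets?$"
)

# ICMP type/code names from RFC 792 (only the ones this example needs).
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed",
    (8, 0): "echo request (ping)",
    (11, 0): "time exceeded: TTL exceeded in transit",
}

# ICMP *error* types: the logged source is reporting on a packet it received,
# so the other end started the conversation. Dropping these breaks path MTU
# discovery, connection timeouts and traceroute, which is the reply's point.
ERROR_TYPES = {3, 4, 11, 12}


@dataclass
class IcmpLogEntry:
    timestamp: str
    acl: str
    action: str
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    packets: int

    @property
    def name(self) -> str:
        """Human-readable RFC 792 name, or a generic label for types not in the table."""
        return ICMP_NAMES.get((self.icmp_type, self.icmp_code),
                              f"icmp type {self.icmp_type} code {self.icmp_code}")

    @property
    def is_error_message(self) -> bool:
        """True when the source is answering someone else's traffic, not initiating."""
        return self.icmp_type in ERROR_TYPES


def parse_line(line: str) -> Optional[IcmpLogEntry]:
    """Parse one ACL log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IcmpLogEntry(
        timestamp=f"{m['date']} {m['time']}",
        acl=m["acl"],
        action=m["action"],
        src=m["src"],
        dst=m["dst"],
        icmp_type=int(m["type"]),
        icmp_code=int(m["code"]),
        packets=int(m["packets"]),
    )


def parse_log(text: str) -> List[IcmpLogEntry]:
    """Parse every non-empty line, silently skipping lines in other formats."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def denied_error_messages(entries: List[IcmpLogEntry]) -> List[IcmpLogEntry]:
    """Denied ICMP error messages: the blocks that will cause hangs and failed downloads."""
    return [e for e in entries if e.action == "denied" and e.is_error_message]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        who = "responding to someone else's traffic" if e.is_error_message else "initiating"
        print(f"{e.timestamp} {e.src} -> {e.dst}: {e.name} [{who}], {e.packets} packet(s)")
    print(f"{len(denied_error_messages(parsed))} denied ICMP error message(s) worth reviewing")
```

Run against the two quoted lines, the script labels the `(8/0)` entry as an echo request the source initiated and the `(3/3)` entry as a port-unreachable reply, i.e. the source is answering something that tried to connect to it, which matches the reasoning in the reply. It cannot say what the machines are infected with; as the post notes, that needs richer logs or an IDS.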
    