Re: network worm

[Mario Pascucci <ilpettegolo () yahoo it>]

Il mer, 2004-12-08 alle 23:24, l c ha scritto:
> Hi all,
> in the past days our network was stressed from a lot
> of network worm (not find from local antivirus,
> already up to date) with a stop of the traffic caused
> from a lots of arp request. The last one was the
> WORM_SDBOT.ACJ a worm that propagates itself using
> network shares and a worm that trend micro (up to
> date) was unable to find, causing the saturation of
> the network switches and the related stop of all the
> work. The question is: "is there the possibility to
> setup an instrument (even linux based) to sniff the
> network traffic with capabilities to find worm?". We
> have already a linux based tool for network
> monitoring, this tool is useful to isolate host with a
> lots of ARP request (typical of the worm), but this
> tool can't point us to which worm is doing the
> traffic.
>
> Thanks a lot
> Luis
I use a Linux box with Samba share named "C$" configured to be "world"
writable, with a directory tree like:
winnt\
     |
     \system
     \system32
and with two users "admin" and "administrator" without password, so that
these worms that propagates through shares can be easily "trapped" in
it.
I capture about 10-15 new worms at week directly from Internet (I have a
flat ADSL).
Mail me at the private address if you want more details.
HTH
-- 
Mario "Reliant" Pascucci
http://ilpettegolo.altervista.org/