Re: network worm

["Brandon Glaze" <bglaze () northstar k12 ak us>]

I am not sure if you have been answered yet, but when my network was hit with 
the same FBOT worm (as Kaspersky called it) I implemented honeyd as a quick 
linux script which uses Doug Songs ArpD to arp poison your switch and give you 
the ability to have one machine answer on behalf of an entire subnet. The 
quick config files that come with honeyd are usually enough to emulate several 
key types of vulnerable machines. Just tail -f the /var/log/honeyd file and 
any connections to this box are invalid. I also implemented the no ip 
unreachables on all of my Cisco switches so that the routers were not bogged 
down trying to answer on behalf of all the infected clients request for non 
existant network pings. Hope that helps...

On Thu, 9 Dec 2004 09:13:30 +0530
 "Harshul Nayak" <harshul.nayak () patni com> wrote:
> Hello luis,
> running an IDS and monitoring it's logs should be a useful deployment , if
> you still feel the threat of malicious traffic on your network.
> I would even suggest having a look into latest snort-inline ;) u can do a
> lot more than mere monitoring.
>
> -regs
> Harshul
>
>
> -----Original Message-----
> From: l c [mailto:neo_italy02 () yahoo it]
> Sent: Thursday, December 09, 2004 3:55 AM
> To: security-basics () securityfocus com
> Subject: network worm
>
>
> Hi all,
> in the past days our network was stressed from a lot
> of network worm (not find from local antivirus,
> already up to date) with a stop of the traffic caused
> from a lots of arp request. The last one was the
> WORM_SDBOT.ACJ a worm that propagates itself using
> network shares and a worm that trend micro (up to
> date) was unable to find, causing the saturation of
> the network switches and the related stop of all the
> work. The question is: "is there the possibility to
> setup an instrument (even linux based) to sniff the
> network traffic with capabilities to find worm?". We
> have already a linux based tool for network
> monitoring, this tool is useful to isolate host with a
> lots of ARP request (typical of the worm), but this
> tool can't point us to which worm is doing the
> traffic.
>
> Thanks a lot
> Luis
>
>
>
> ___________________________________
> Nuovo Yahoo! Messenger: E' molto più divertente: Audibles, Avatar, Webcam,
> Giochi, Rubrica… Scaricalo ora!
> http://it.messenger.yahoo.it
>
>
> http://www.patni.com
> World-Wide Partnerships. World-Class Solutions.
> _____________________________________________________________________
>
> This e-mail message may contain proprietary, confidential or legally
> privileged information for the sole use of the person or entity to
> whom this message was originally addressed. Any review, e-transmission
> dissemination or other use of or taking of any action in reliance upon
> this information by persons or entities other than the intended
> recipient is prohibited. If you have received this e-mail in error
> kindly delete  this e-mail from your records. If it appears that this
> mail has been forwarded to you without proper authority, please notify
> us immediately at netadmin () patni com and delete this mail. 
> _____________________________________________________________________