Security Incidents mailing list archives

FW: PPark (was: Win 95 Question)


From: viha () CRYPTLINK NET (Ville)
Date: Fri, 25 Feb 2000 15:20:04 +0200


Hello.

I noticed some of our servers were mentioned in a posting concerning
PrettyPark. Here is a bit of information that might be of interest to
the list readers. ...Unless it is moderated out, like the rest of my
messages seem to be. *groan*

From nanog (heavily clipped):

On Fri, 25 Feb 2000 Valdis.Kletnieks () vt edu wrote:

[ ... lots of text deleted ... ]

If ISPs and users had clues, we wouldn't have as big a potential
DDoS problem.  Oh, and this just in:

Notably users.

I'm currently  trying to deal with PPark (PrettyPark, a Windows
virus|trojan).  It automatically spreads itself  via e-mail and
keeps gaining more and more infections by the day. It is nasty.

It wouldn't be much of my cake, but the virus unfortunately has
been  set  to  connect to one of the  servers  I administer  to
receive  attack-coordinates  and  all that  (the server refuses
them  right after  they have  been  successfully  identified  on
connect).

Doesn't sound quite that nasty?  It is - just to put people on the
scale,  we   have  _ninety-thousand_   unique   hosts   rapidly
connecting to our server and practically  bringing the server's
accessibility down to its knees.

If 90 000 of them opening a connection to server can do that, I
must wonder  what is their practical  efficiency if people were
to ever  have control  over  them  and use  them for  malicious
purposes.

Some weeks ago,  I did a compilation  of ISPs/TLDs  involved. I,
however, stripped the hostnames out to protect the innocent and
to stop people from misusing that information.

Brief stats are available at

        http://www.vip.fi/~viha/Stats/PPark_ISP.txt and
        http://www.vip.fi/~viha/Stats/PPark_TLD.txt

These are Windows-hosts, not running any virus-detection by the
looks of it. Some quotes might include --

% egrep -i "\\.(gov|mil|int)" PPark_ISP.txt | head -3
          10 navy.mil
           4 nih.gov
           4 army.mil

% head -3 PPark_ISP.txt
        4389 aol.com
        4172 hinet.net
        1732 com.sg
                                                              
Oh, before you suggest routing them to null - be warned we have
tried a few things.   We were quite lucky  and most of the ways
we tried only showed us a quick way to a table overflow...

As for  contacting  antivirus companies,  the one  we  were  in
contact with didn't show much but the compulsory 'I see.'

                              Valdis Kletnieks

-- 
        IPv6 Solutions | Security Coordination

        Ville(viha () cryptlink net, "Cryptlink Networking");
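The per-ISP and per-TLD tallies quoted above (the `count domain` lines from PPark_ISP.txt) can be reproduced from a connection log with a short script. What follows is an added example, not the poster's own script or data: it reads a constructed log of `timestamp hostname` records, counts each host only once (a reconnecting host is still one infection), buckets hosts by their last two labels (mirroring the posted output, where `com.sg` appears as an "ISP" bucket) and by TLD, and emits only the aggregates, never the hostnames. The log format, the sample hosts and the skipping of bare IPs without reverse DNS are all assumptions of the example.

```python
"""Aggregate connecting hosts by domain and by TLD, PPark_ISP/PPark_TLD style.

Added example, not the poster's script. Input is a constructed log of
"timestamp hostname" lines; each unique host is counted once, bucketed,
and only the counts are printed (hostnames never reach the output).
"""
from collections import Counter

# Constructed sample log: one "timestamp hostname" line per connection
# attempt. Repeated lines for the same host model a host reconnecting.
SAMPLE_LOG = """\
951480001 AC8A1234.ipt.aol.com
951480002 AC8A1234.ipt.aol.com
951480003 ac9f5678.ipt.aol.com
951480004 h61-219-1-2.hinet.net
951480005 h61-219-1-3.hinet.net
951480006 pc17.nlm.nih.gov
951480007 ws4.navy.mil
951480008 ws4.navy.mil
951480009 ws5.navy.mil
951480010 dialup23.singnet.com.sg
951480011 192.0.2.10
"""


def parse_hosts(log):
    """Return the set of unique hostnames in the log.

    Bare IPv4 addresses (hosts with no reverse DNS) are skipped, since there
    is no domain or TLD to bucket them under. This is an example choice.
    """
    hosts = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed record, ignore
        host = parts[1].lower().rstrip(".")
        if host.replace(".", "").isdigit():
            continue  # dotted-quad only, nothing to bucket
        hosts.add(host)
    return hosts


def isp_bucket(host):
    """Last two labels, as in the posted stats (hence 'com.sg' as a bucket)."""
    return ".".join(host.split(".")[-2:])


def tld(host):
    """Last label only."""
    return host.rsplit(".", 1)[-1]


def count_by(hosts, keyfunc):
    """Counter of bucket -> number of unique hosts in that bucket."""
    return Counter(keyfunc(h) for h in hosts)


def isp_stats(log):
    return count_by(parse_hosts(log), isp_bucket)


def tld_stats(log):
    return count_by(parse_hosts(log), tld)


def gov_mil_int(counter):
    """The buckets the poster pulled out with egrep: .gov, .mil, .int."""
    return {k: v for k, v in counter.items() if tld(k) in ("gov", "mil", "int")}


def format_stats(counter, top=None):
    """Render like `sort | uniq -c | sort -rn`: count, then bucket, biggest first."""
    rows = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    if top is not None:
        rows = rows[:top]
    return "\n".join(f"{n:>12} {k}" for k, n in rows)


if __name__ == "__main__":
    print("# by ISP (last two labels)")
    print(format_stats(isp_stats(SAMPLE_LOG)))
    print("# by TLD")
    print(format_stats(tld_stats(SAMPLE_LOG)))
    print("# .gov/.mil/.int only")
    print(format_stats(gov_mil_int(isp_stats(SAMPLE_LOG))))
```

Counting the set of hosts rather than the raw lines matters for a picture like the one above: a host that reconnects every few seconds would otherwise dominate the table and hide how many distinct machines are infected.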
