Security Incidents mailing list archives
FW: PPark (was: Win 95 Question)
From: viha () CRYPTLINK NET (Ville)
Date: Fri, 25 Feb 2000 15:20:04 +0200
Hello. I noticed some of our servers were mentioned in a posting concerning PrettyPark. Here is a bit of information that might be of interest to the list readers. ...Unless it is moderated out like the rest of my messages do seem to be. *groan*
From nanog (heavily clipped):
On Fri, 25 Feb 2000 Valdis.Kletnieks () vt edu wrote: [ ... lots of text deleted ... ]
If ISPs and users had clues, we wouldn't have as big a potential DDoS problem. Oh, and this just in:
Notably users. I'm currently trying to deal with PPark (PrettyPark, a Windows virus|trojan). It automatically spreads itself via e-mail and keeps gaining more and more infections by the day. It is nasty. It wouldn't be much of my cake, but the virus unfortunately has been set to connect to one of the servers I administer to receive attack-coordinates and all that (the server refuses them right after they have been successfully identified on connect).

Doesn't sound quite nasty? It is - just to put people on the scale, we have _ninety-thousand_ unique hosts rapidly connecting to our server and practically bringing the server's accessibility down to its knees. If 90 000 of them opening a connection to server can do that, I must wonder what is their practical efficiency if people were to ever have control over them and use them for malicious purposes.

Some weeks ago, I did a compilation of ISPs/TLDs involved. I, however, stripped the hostnames out to protect the innocent and to stop people from misusing that information. Brief stats are available at http://www.vip.fi/~viha/Stats/PPark_ISP.txt and http://www.vip.fi/~viha/Stats/PPark_TLD.txt

These are Windows-hosts, not running any virus-detection by the looks of it. Some quotes might include --

    % cat PPark_ISP.txt | egrep -i "\\.(gov|mil|int)"|head -3
        10 navy.mil
         4 nih.gov
         4 army.mil
    % cat PPark_ISP.txt | head -3
      4389 aol.com
      4172 hinet.net
      1732 com.sg

Oh, before you suggest routing them to null - be warned we have tried a few things. We were quite lucky and most of the ways we tried only showed us a quick way to a table overflow... As for contacting antiviral-companies, the one we were in contact with didn't show much but the compulsory 'I see.'
Valdis Kletnieks
--
IPv6 Solutions | Security Coordination
Ville(viha () cryptlink net, "Cryptlink Networking");
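An added example, not part of the original post and not the author's own script: a small Python tally that produces the kind of per-ISP and per-TLD summary of unique connecting hosts that the post links to (PPark_ISP.txt / PPark_TLD.txt) from a list of reverse-resolved client hostnames, and applies the same .gov/.mil/.int filter as the egrep step. It goes slightly beyond the post by collapsing duplicate hostnames before counting and by treating a few two-label suffixes (com.sg and the like) as part of the TLD rather than as the "ISP", which is why the post's own output shows com.sg as a domain. The hostnames are constructed sample data, not real infected hosts, and the compound-TLD list is an assumed hand-maintained set, not the public suffix list.

```python
"""Tally unique connecting hosts per ISP domain and per TLD.

Added example, not from the original post. Input is a list of
reverse-resolved client hostnames; output is the 'count domain' report
format seen in the post (highest count first).
"""
from collections import Counter
import re

# Constructed sample data: reverse-resolved client hostnames, one per
# line, with deliberate duplicates to show that only unique hosts count.
SAMPLE_HOSTS = """\
dial-12-34.ipt.aol.com
dial-12-34.ipt.aol.com
dial-56-78.ipt.aol.com
h123.s45.ts.hinet.net
h124.s45.ts.hinet.net
pc1.example.navy.mil
pc1.example.navy.mil
box7.lab.nih.gov
user99.singnet.com.sg
"""

# Assumption: a small hand-maintained set of two-label public suffixes.
# A real deployment would use the public suffix list instead.
COMPOUND_TLDS = {"com.sg", "co.uk", "com.au", "net.tw"}

# Same filter as the post's egrep: domains ending in .gov, .mil or .int.
GOV_MIL_RE = re.compile(r"\.(gov|mil|int)$", re.IGNORECASE)


def isp_domain(host):
    """Registrable domain of a hostname, e.g. 'aol.com' or 'singnet.com.sg'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in COMPOUND_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tld(host):
    """Last label of the hostname, e.g. 'com'."""
    return host.lower().strip(".").rsplit(".", 1)[-1]


def tally(hosts_text):
    """Return (isp_counts, tld_counts): unique hosts per ISP domain and per TLD."""
    unique = {h.strip().lower() for h in hosts_text.splitlines() if h.strip()}
    isp_counts = Counter(isp_domain(h) for h in unique)
    tld_counts = Counter(tld(h) for h in unique)
    return isp_counts, tld_counts


def government_domains(isp_counts):
    """The .gov/.mil/.int subset of the ISP tally, sorted by count then name."""
    hits = [(d, c) for d, c in isp_counts.items() if GOV_MIL_RE.search(d)]
    return sorted(hits, key=lambda dc: (-dc[1], dc[0]))


def format_report(counts):
    """Render 'count domain' lines, highest count first, like PPark_ISP.txt."""
    rows = sorted(counts.items(), key=lambda dc: (-dc[1], dc[0]))
    return "\n".join(f"{c:>6} {d}" for d, c in rows)


if __name__ == "__main__":
    isp, tlds = tally(SAMPLE_HOSTS)
    print(format_report(isp))
    print()
    print(format_report(tlds))
    print()
    for domain, count in government_domains(isp):
        print(f"{count:>6} {domain}")
```

The per-ISP report is what you would hand to abuse contacts for notification; stripping the full hostnames, as the post does before publishing, keeps the per-network counts useful without exposing individual infected machines.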