Security Incidents mailing list archives
Re: FW: PPark (was: Win 95 Question)
From: viha () CRYPTLINK NET (Ville)
Date: Sat, 26 Feb 2000 22:24:00 +0200
On Sat, 26 Feb 2000, Brett Glass wrote:
> previous months they only caught about one copy per month. Perhaps the creator(s) are making a greater effort to spread it and/or have introduced a new vector.
Actually, I would dare doubt that. The growth we are seeing in the logs is not sudden, though; it does seem to be on a stable rise and is showing no signs of relief. Maybe it is normal for such viruses. The server they are trying to fetch their data off tells me that so far 2.6 million unique hosts have implied they are infected. The figures (90 000) I gave earlier are based on the certain infections we see by the day. 2.6 million infected IPs is the count with all the IPs from weeks back and is thus a bit misleading - some hosts may have been fixed and others are dynamic (24 connections would mean 24 entries at the most). For this and other reasons I prefer using the very much lower count. OTOH, 2.6 million may not be enough as an 'extreme peak' figure: our port has gone beyond the OS's SYN limits and we do not wish to add any uncertain infections to the logs (as these connections do not have all the necessary identification data).

Does anybody have any clear or exact statistics on how widespread the average e-mail viruses are? They could make an interesting comparison.

As for analyzing the executable, it's encrypted with a commercial product, AFAIR. I only had a look at it when this was more urgent for us, i.e. months back. I doubt it can reveal any one-fix-for-all details, even if we managed to read it all over.

I think trying to come up with a fingerprint to detect PP would be useful if we got any major IDS db-administrators to include it in their detectors. I'm afraid the sequence may be too fuzzy for any effective way to spot it, but this is an example case:

  src:any -> any:6667 data: 'USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>'

i.e.

  windows:1042 -> box:6667 data: 'USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q'

(without the quotes)

In case people are interested -

  % cat log|egrep -c "^(mail|ntserv|www|secur|gateway|gw|router|noc)"
  1274

The size of the log file with the plain, unique hostnames is about 65 megs.
As a sidenote, when you run an 8 000 user server which is assumably stable, and the figures suddenly go exponential, even the OS/sw seem to work hard on inventing new symptoms... Well, more bugs fixed and more experience with the OS as a result, I guess. Maybe this is the one good thing I can find about it...
--Brett
--
Life, a conspiracy built to force the humankind to have a good time.
Ville (viha () cryptlink net, 'Cryptlink Networking');
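A small detector for the USER-line fingerprint Ville sketches above, written as an added example for this archive page (it is not code from the thread). It assumes a constructed log format of the shape "src -> host:port data: '<payload>'" and flags a line only when it is bound for port 6667 and carries a USER command whose four fields have exactly the lengths 5, 6, 7 and 8; the sample lines are constructed, not real captures.

```python
import re

# Constructed sample session lines in the shape used in the mail (not real captures).
SAMPLE_LINES = [
    "windows:1042 -> box:6667 data: 'USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q'",
    "client:2231 -> box:6667 data: 'USER alice 0 * :Alice Example'",
    "windows:1043 -> box:6667 data: 'NICK dP{DC'",
    "client:2231 -> box:6667 data: 'USER bob bob irc.example :Bob'",
    "windows:1044 -> box:6667 data: 'USER aBcDe FgHiJk LmNoPqR :StUvWxYz'",
    "windows:1045 -> box:6668 data: 'USER aBcDe FgHiJk LmNoPqR :StUvWxYz'",
]

# Assumed log layout: "<src> -> <dsthost>:<dport> data: '<payload>'"
LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) data: '(?P<data>.*)'$")
# IRC USER command: USER <user> <mode> <unused> :<realname>, realname without spaces here.
USER_RE = re.compile(r"^USER (\S+) (\S+) (\S+) :(\S+)$")
# Field lengths from the fingerprint: <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>
EXPECTED_LENS = (5, 6, 7, 8)
IRC_PORT = 6667


def is_ppark_user_line(payload):
    """True when the payload is a USER command whose fields have lengths 5/6/7/8.

    This is the length-only version of the fingerprint; as the mail notes, the
    sequence is fuzzy, so a match is an indicator to corroborate, not proof.
    """
    m = USER_RE.match(payload)
    if m is None:
        return False
    return tuple(len(field) for field in m.groups()) == EXPECTED_LENS


def scan(lines):
    """Return the source endpoints of lines matching the fingerprint on port 6667."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or int(m.group("dport")) != IRC_PORT:
            continue
        if is_ppark_user_line(m.group("data")):
            hits.append(m.group("src"))
    return hits


if __name__ == "__main__":
    for src in scan(SAMPLE_LINES):
        print("fingerprint match from", src)
```

Any source it flags still needs the corroborating identification data the mail mentions before being counted as an infection.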