Security Incidents mailing list archives
Re: Repository of virus/worm propagation methods?
From: dentonj1 () cox net
Date: Mon, 29 Sep 2003 19:07:09 -0700 (MST)
On Mon, 29 Sep 2003, Alavan wrote:
> 09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
> 09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
You don't have much information to go by. It looks like the icmp type codes are included, which means the first one is a ping and the second one is a port unreachable error. With the second one, the system may just be a victim of something trying to connect to it. Without more information, it's hard to say what it is. And if the second one is a port unreachable error, why are you blocking it? Blocking type 3 - Destination Unreachable icmp traffic will cause all kinds of problems, including network applications taking forever to time out, downloads not being able to complete, applications simply refusing to work, and complaints from customers that don't make any sense and are hard to troubleshoot. I'd leave an ISP if they started blocking all icmp traffic.
> Clearly both are infected or compromised and are doing different things, but I would like a way to review a virus/worm listing of methods of propagation. Most virus companies require you to know the virus/worm name before you can view characteristics.
Start by reading the RFC's for TCP, IP, ICMP, etc. You also need to setup your firewall to provide a LOT more information in the logs. The lines you provided don't give you enough information to determine much of anything.
> I realize that requiring the customer to obtain a virus scanner would go toward solving the problem, but often times these machines are compromised and merely cleaning the original back door doesn't remove the intruder. Traffic pattern recognitions would be extremely helpful in this case.
Use an IDS. Snort works great and it will run on Windows.

dentonj
-- 
for(;P("\n"),R=;P("|"))for(e=C;e=P("_"+(*u++/8)%2))P("|"+(*u/4)%2);
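Two of the points in the reply above can be checked mechanically: decode the (type/code) pair on each denied line, and flag ACL entries that drop ICMP error messages (type 3 and friends) rather than probes. The following Python is an added example, not code from the thread or from Snort; the field layout in the regex is assumed from the two quoted lines, and the sample log is constructed in that same format.

```python
import re

# Constructed sample lines in the format quoted in the thread (source octets masked as in the original).
SAMPLE_LOG = """\
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
"""
LOG_RE = re.compile(  # assumed layout: date time list <acl> <action> icmp <src> (<iface> <mac>) -> <dst> (<type>/<code>), <n> packet(s)
    r"^(?P<date>\S+) (?P<time>\S+) list (?P<acl>\d+) (?P<action>\w+) icmp "
    r"(?P<src>\S+) \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> (?P<dst>\S+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)
# ICMP type/code names from RFC 792. Type 3 (Destination Unreachable) is an error
# message hosts need for fast failure and path-MTU discovery, not a probe.
ICMP_NAMES = {
    (3, 1): "destination unreachable: host",
    (3, 3): "destination unreachable: port",
    (3, 4): "destination unreachable: fragmentation needed",
    (8, 0): "echo request (ping)",
}
ERROR_TYPES = {3, 4, 11, 12}  # ICMP error-message types (RFC 792)

def parse_line(line):
    """Return the fields of one ACL log line as a dict (numeric fields as int), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("acl", "type", "code", "count"):
        rec[key] = int(rec[key])
    rec["name"] = ICMP_NAMES.get((rec["type"], rec["code"]), "other")
    return rec

def audit(log_text):
    """Flag denied lines where the ACL is dropping an ICMP error message rather than a probe."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["action"] != "denied":
            continue
        rec["blocks_error_message"] = rec["type"] in ERROR_TYPES
        if rec["blocks_error_message"]:
            rec["note"] = f"ACL {rec['acl']} drops '{rec['name']}' to {rec['dst']}: review the rule"
        else:
            rec["note"] = f"'{rec['name']}' from {rec['src']}: {rec['count']} packet(s), not enough to name a worm"
        findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['date']} {f['time']} {f['src']} -> {f['dst']} ({f['type']}/{f['code']}) {f['note']}")
```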