Security Incidents mailing list archives

Re: Repository of virus/worm propagation methods?


From: dentonj1 () cox net
Date: Mon, 29 Sep 2003 19:07:09 -0700 (MST)

On Mon, 29 Sep 2003, Alavan wrote:

> 09-28-2003    20:52:51        list 111 denied icmp 67.98.xxx.xxx (FastEthernet0
> 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
>
> 09-29-2003    09:29:14        list 111 denied icmp 67.98.xxx.xxx (FastEthernet0
> 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets

You don't have much information to go by.  It looks like the icmp type
codes are included which means the first one is a ping and the second
one is a port unreachable error.  With the second one, the system may
just be a victim of something trying to connect to it.  Without more
information, it's hard to say what it is.

And if the second one is a port unreachable error, why are you blocking
it?  Blocking type 3 - Destination Unreachable icmp traffic will cause
all kinds of problems, including network applications taking forever to
time out, downloads not being able to complete, applications simply
refusing to work, and complaints from customers that don't make any
sense and are hard to troubleshoot.  I'd leave an ISP if they started
blocking all icmp traffic.

> Clearly both are infected or compromised and are doing different things,
> but I would like a way to review a virus/worm listing of methods of
> propagation. Most virus companies require you to know the virus/worm name
> before you can view characteristics.

Start by reading the RFCs for TCP, IP, ICMP, etc.  You also need to
set up your firewall to provide a LOT more information in the logs.  The
lines you provided don't give you enough information to determine much
of anything.

> I realize that requiring the customer to obtain a virus scanner would go
> toward solving the problem, but often times these machines are compromised
> and merely cleaning the original back door doesn't remove the intruder.
> Traffic pattern recognitions would be extremely helpful in this case.

Use an IDS.  Snort works great and it will run on Windows.

dentonj

--
for(;P("\n"),R=;P("|"))for(e=C;e=P("_"+(*u++/8)%2))P("|"+(*u/4)%2);
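The two ACL log lines quoted above, parsed and decoded the way dentonj reads them (8/0 is an echo request, 3/3 a port unreachable error that should not be filtered). This is an added example, not code from the thread; the sample lines are the thread's own entries rejoined onto single lines, with the constructed names `ICMP_NAMES`, `IcmpDeny` and `parse_log` as assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Sample input: the two Cisco ACL deny lines from the thread, each rejoined
# onto one line (the archive wrapped them). Source octets are masked as in
# the original post.
SAMPLE_LOG = """\
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
"""

# ICMP type/code names from RFC 792 (the subset seen in such logs).
ICMP_NAMES = {
    (8, 0): "echo request (ping)",
    (0, 0): "echo reply",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed",
}

# Format: "<date> <time> list <acl> denied icmp <src> (<iface> <mac>) -> <dst> (<type>/<code>), <n> packet(s)"
LINE_RE = re.compile(
    r"(?P<date>\d\d-\d\d-\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+list\s+(?P<acl>\d+)\s+"
    r"denied\s+icmp\s+(?P<src>\S+)\s+\((?P<iface>\S+)\s+(?P<mac>[0-9a-f.]+)\)\s+->\s+"
    r"(?P<dst>\S+)\s+\((?P<type>\d+)/(?P<code>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

class IcmpDeny(NamedTuple):
    acl: str
    src: str
    mac: str          # source MAC: identifies the customer host behind the masked IP
    dst: str
    icmp_type: int
    icmp_code: int
    packets: int

    @property
    def name(self) -> str:
        return ICMP_NAMES.get((self.icmp_type, self.icmp_code), "unknown")

    @property
    def harmful_to_block(self) -> bool:
        # Type 3 is error feedback that TCP/UDP stacks rely on; dropping it
        # produces the slow timeouts and stalled downloads described above.
        return self.icmp_type == 3

def parse_line(line: str) -> Optional[IcmpDeny]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IcmpDeny(m["acl"], m["src"], m["mac"], m["dst"],
                    int(m["type"]), int(m["code"]), int(m["count"]))

def parse_log(text: str) -> List[IcmpDeny]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]
```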
