Security Incidents mailing list archives
Re: Follow-up on the Botnet incident.
From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 16 Aug 2000 00:20:26 +0200
On Mon, 14 Aug 2000 14:11:52 -0500, PARKIN, MICHAEL M (PBI) wrote:
> How to defend against them? Like any other DDoS, I'm sure defense is difficult, but if these bots are anything like Sub7 (in fact, I realize they may be a new variant of Sub7) it may be possible to disinfect the hosts. Comments?
I imagine you ran a good up-to-date anti-virus and it came up clean? When you are infected by a possible new trojan, you must absolutely get a sample. One way to achieve this is to use a program such as zonealarm or the recently released tdimon from http://www.sysinternals.com. These programs will allow you to discover the process that is generating the traffic.

9 62.50008320 Pmmailw 00040003 TDI_SEND_DATAGRAM UDP:0.0.0.0:1025 195.0.122.232:53 SUCCESS Length:37

(Here, my mail program querying our dns for example)

Once you have the name of the process, it is fairly easy to identify the file(s) involved and monitor their activity through regmon and filemon (same url). Disinfection is simply a matter of undoing the changes the trojan made (to autostart itself, other file modifications etc). Detection involves finding a signature in the files that is specific to the trojan (i.e. doesn't have false positives) and sensitive (i.e. doesn't have false negatives). Discovering what the trojan does is a matter of observation, source study or reverse engineering if the source is not available.

Anti-virus labs will be most interested in receiving the files, doing an analysis and providing you with a solution - you could also send the bot our way and we'll be glad to have a look.

---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
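The triage step Pierre describes, going from a trace of network sends to the name of the process responsible, can be automated over a saved tdimon trace. The script below is an added example and is not part of the thread or of any Sysinternals tool. It assumes the column layout of the single trace line quoted above (sequence number, time, process, handle, request, local endpoint, remote endpoint, result, length); the sample trace, the process name `sysupd`, the allow-list of expected processes and the burst threshold are all constructed for the example.

```python
# Added example (not from the thread): find the process behind unexplained
# traffic in a TDImon-style trace. Assumed column layout, inferred from the
# one line quoted in the post:
#   seq time process handle request local_endpoint remote_endpoint result Length:N
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TdiEvent:
    seq: int
    time: float
    process: str
    request: str   # e.g. TDI_SEND_DATAGRAM
    local: str     # e.g. UDP:0.0.0.0:1025
    remote: str    # e.g. 195.0.122.232:53
    result: str
    length: int


def parse_tdimon_line(line: str):
    """Parse one trace line; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) < 9:
        return None
    seq, time, process, _handle, request, local, remote, result, length = parts[:9]
    m = re.fullmatch(r"Length:(\d+)", length)
    if not (seq.isdigit() and m):
        return None
    try:
        return TdiEvent(int(seq), float(time), process, request, local, remote,
                        result, int(m.group(1)))
    except ValueError:
        return None


def per_process_endpoints(lines):
    """Map each process to {remote_endpoint: [packet_count, total_bytes]}."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        ev = parse_tdimon_line(line)
        if ev is None or ev.result != "SUCCESS":
            continue
        stats = table[ev.process][ev.remote]
        stats[0] += 1
        stats[1] += ev.length
    return table


def suspicious_processes(lines, known_processes, burst_threshold=10):
    """Flag a process when it is not on the expected list, or when it sends a
    burst of packets to one remote endpoint (the flood pattern of a DDoS bot).
    Returns {process: [reason, ...]}."""
    known = {k.lower() for k in known_processes}
    flagged = {}
    for process, remotes in per_process_endpoints(lines).items():
        reasons = []
        if process.lower() not in known:
            reasons.append("unknown process with network activity")
        for remote, (count, total_bytes) in remotes.items():
            if count >= burst_threshold:
                reasons.append(f"{count} packets ({total_bytes} bytes) to {remote}")
        if reasons:
            flagged[process] = reasons
    return flagged


# Constructed sample trace: the DNS lookup from the post, followed by a
# hypothetical process "sysupd" hammering one host on the documentation
# range 192.0.2.0/24 with 1 KB datagrams.
SAMPLE_TRACE = [
    "9 62.50008320 Pmmailw 00040003 TDI_SEND_DATAGRAM UDP:0.0.0.0:1025 195.0.122.232:53 SUCCESS Length:37",
] + [
    f"{10 + i} {63.0 + i * 0.001:.8f} sysupd 00040011 TDI_SEND_DATAGRAM "
    f"UDP:0.0.0.0:1040 192.0.2.10:7 SUCCESS Length:1024"
    for i in range(12)
]

# Constructed allow-list: processes you expect to see talking on this host.
KNOWN_PROCESSES = {"Pmmailw"}

if __name__ == "__main__":
    for proc, reasons in suspicious_processes(SAMPLE_TRACE, KNOWN_PROCESSES).items():
        print(proc)
        for r in reasons:
            print("   ", r)
```

Once a process is flagged, its image path is what you feed to filemon and regmon to see which files it touches and which autostart keys it writes, which is exactly the information needed to undo the infection and to cut a signature from the dropped files.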
Current thread:
- Follow-up on the Botnet incident. PARKIN, MICHAEL M (PBI) (Aug 15)
- <Possible follow-ups>
- Re: Follow-up on the Botnet incident. Pierre Vandevenne (Aug 18)
- Re: Follow-up on the Botnet incident. PARKIN, MICHAEL M (PBI) (Aug 18)