Security Incidents mailing list archives

Re: FW: PPark (was: Win 95 Question)


From: viha () CRYPTLINK NET (Ville)
Date: Sat, 26 Feb 2000 22:24:00 +0200


On Sat, 26 Feb 2000, Brett Glass wrote:

> previous months they only caught about one copy per month. Perhaps the
> creator(s) are making a greater effort to spread it and/or have introduced
> a new vector.

Actually, I would dare doubt that.

The growth we are seeing in the logs is not sudden, though; it does
seem to be on a stable rise and is showing no signs of relief. Maybe
it is normal for such viruses.

The server they are trying to fetch their data off tells me that so
far 2.6 million unique hosts have implied they are infected. The
figures (90 000) I gave earlier are based on the certain infections
we see by the day.

2.6 million infected IPs is the count with all the IPs from weeks
back and is thus a bit misleading - some hosts may have been fixed
and others are dynamic (24 connections would mean 24 entries at the
most). For this and other reasons I prefer using the very much
lower count.

OTOH, 2.6 million may not be enough as an 'extreme peak' figure:

Our port has gone beyond the OS's SYN-limits and we do not wish
to add any uncertain infections to the logs (as these connections
do not have all the necessary identification-data).

Does anybody have any clear or exact statistics on how wide-spread
the average e-mail viruses are? They could make an interesting
comparison.

As for analyzing the executable, it's encrypted with a commercial
product, AFAIR. I only had a look at it when this was more urgent
for us (i.e. months back). I doubt it can reveal any one-fix-for-all
details, even if we managed to read it all over.

I think trying to come up with a finger-print to detect PP would be
useful if we got any major IDS db-administrators to include it in
their detectors.

I'm afraid the sequence may be too fuzzy for any effective way to
spot it, but this is an example case:

        src:any -> any:6667
        data: 'USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>'

ie.
        windows:1042 -> box:6667
        data: 'USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q'

        (without the quotes)
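A small detector for the fingerprint described above, written as an added example (it is not code from the post or from any IDS). The field lengths 5/6/7/8 and port 6667 come from the post; the mixed-case heuristic and the sample packets are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Set

# Fingerprint from the post: an IRC USER line on tcp/6667 whose four
# fields are 5, 6, 7 and 8 non-space characters, the last one prefixed
# with ':'.  The lengths are the post's; the heuristic below is ours.
PPARK_USER_RE = re.compile(r"^USER (\S{5}) (\S{6}) (\S{7}) :(\S{8})$")


@dataclass
class Packet:
    src: str
    dst_port: int
    data: str  # payload as text, assumed already reassembled


def _looks_random(field: str) -> bool:
    # Assumption: the worm's fields are mixed-case junk ('dP{DC'), while a
    # real client's username/realname is usually all lower-case or a word.
    return any(c.isupper() for c in field) and any(c.islower() for c in field)


def matches_ppark_fingerprint(pkt: Packet) -> bool:
    """True if the packet fits the USER-line fingerprint on tcp/6667."""
    if pkt.dst_port != 6667:
        return False
    m = PPARK_USER_RE.match(pkt.data)
    if m is None:
        return False
    return all(_looks_random(f) for f in m.groups())


def flagged_sources(packets: Iterable[Packet]) -> Set[str]:
    """Collect source addresses whose traffic matched the fingerprint."""
    return {p.src for p in packets if matches_ppark_fingerprint(p)}


# Constructed sample traffic (not real captures): the post's example line,
# an ordinary IRC login, a length-matching but plain-text login, and the
# worm-style line sent to a non-IRC port.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 6667, "USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q"),
    Packet("10.0.0.6", 6667, "USER bob bob irc.example :Bob Smith"),
    Packet("10.0.0.7", 6667, "USER alice alice0 example :alicebob"),
    Packet("10.0.0.8", 8080, "USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q"),
]

if __name__ == "__main__":
    print(sorted(flagged_sources(SAMPLE_PACKETS)))  # ['10.0.0.5']
```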

In case people are interested -

% cat log|egrep -c "^(mail|ntserv|www|secur|gateway|gw|router|noc)"
        1274

The size of the log-file with the plain, unique hostnames is about
65 megs.

As a sidenote, when you run an 8 000 user server which is assumably
stable, and the figures suddenly go exponential, even the OS/sw
seem to work hard on inventing new symptoms... Well, more bugs
fixed and more experience with the OS as a result, I guess. Maybe
this is the one good thing I can find about it...

--Brett

--
Life, a conspiracy built to force the humankind have a good time.

        Ville(viha () cryptlink net, 'Cryptlink Networking');


