Security Incidents mailing list archives

Re: Update: UDP 770 Potential Worm


From: H C <keydet89 () yahoo com>
Date: Mon, 4 Mar 2002 05:12:09 -0800 (PST)

Byrne,

After analysing the network capture, I noticed that the UDP packets were being originated from a variety of hosts, not just the proxy.  This could be the result of a variety of things, one of which could be a worm that has propagated itself around the network. I don't know this for sure and need to conduct further analysis of the host(s).

The fact that this is still being investigated is a
very important point.  The reason I say that is that
you continue to believe that this is a worm of some
kind...even after saying that you'll refer to it as an
'anomaly'.  The problem, as I see it, with this is
that:

(a) By calling it a worm and posting to public forums,
the fact that this is, in fact, a worm, is stuck in
many people's minds.  Now, anyone who fires up a
sniffer and sees similar traffic will assume they have
a worm.  (Let me say, up front, that I know most
people, like yourself, are very intelligent.  However,
spending as little as 3 months simply reviewing some of
the public lists at SecurityFocus will also show that
many people aren't comfortable w/ security, and will
bow to your expertise...basically, if you're saying
it's a worm...even w/ incomplete information and an
investigation that hasn't been completed...they will
believe you).

(b) Calling it a worm at this point in the
investigation narrows your focus and thought
processes, as well.

(c) Calling it a 'worm' when you have no proof of
that, particularly in front of the client, is bad for
business.  If you don't know yet, simply say that you
haven't completed the investigation.

Here's something to consider...can the client
reinstall the Proxy from clean media again?  If so,
try this...immediately before they plug the system
into the network, run a tripwire-like scan of the
system and hash every file.  Check for alternate data
streams (assuming NTFS).  Get a complete process
listing using multiple tools.  Then compare this to
what you find in the lab w/ the dup'd drive.

Carv
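The baseline-and-compare procedure Carv suggests (hash every file before the rebuilt proxy goes on the network, enumerate NTFS alternate data streams, take a process listing with more than one tool, then diff against the imaged drive) is shown below as an added example; it is not part of the original post or thread. It assumes a modern Windows host with PowerShell, that the baseline is written to removable media rather than the suspect disk, and the root path, output directory and filenames are illustrative choices. A 2002-era proxy would have needed Tripwire, md5sum and a dedicated ADS lister instead, but the steps are the same.

```powershell
# Added example, not from the original post: tripwire-style baseline of a
# Windows host plus a later comparison. $Root, $OutDir and $Compare are
# assumptions for illustration.
param(
    [string]$Root    = 'C:\',
    [string]$OutDir  = 'E:\baseline',   # removable media, not the suspect disk
    [string]$Compare = ''               # earlier hashes-*.csv to diff against, if any
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Hash every file. Locked files (pagefile, registry hives) are recorded as
#    UNREADABLE rather than silently skipped, so the gap in coverage is visible.
$files  = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue
$hashes = foreach ($f in $files) {
    try {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop
        [pscustomobject]@{ Path = $f.FullName; Hash = $h.Hash; Length = $f.Length }
    } catch {
        [pscustomobject]@{ Path = $f.FullName; Hash = 'UNREADABLE'; Length = $f.Length }
    }
}
$hashes | Export-Csv -Path (Join-Path $OutDir "hashes-$stamp.csv") -NoTypeInformation

# 2. Alternate data streams (NTFS only). Every file carries the unnamed ':$DATA'
#    stream; anything else is worth a look. Zone.Identifier is the common benign one.
$ads = foreach ($f in $files) {
    Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
$ads | Export-Csv -Path (Join-Path $OutDir "ads-$stamp.csv") -NoTypeInformation

# 3. Process listing from three independent tools. A process that one tool
#    shows and another does not is itself a finding.
Get-Process | Sort-Object Id |
    Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv -Path (Join-Path $OutDir "procs-getprocess-$stamp.csv") -NoTypeInformation
tasklist.exe /V /FO CSV |
    Out-File -FilePath (Join-Path $OutDir "procs-tasklist-$stamp.csv")
Get-CimInstance Win32_Process |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv -Path (Join-Path $OutDir "procs-cim-$stamp.csv") -NoTypeInformation

# 4. Compare against an earlier baseline (e.g. the clean rebuild vs. the lab
#    image). '=>' rows appear only in this snapshot (new or modified file);
#    '<=' rows appear only in the reference (deleted or modified file).
if ($Compare) {
    $before = Import-Csv -Path $Compare
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $hashes `
        -Property Path, Hash -PassThru
    $diff | Select-Object Path, Hash, SideIndicator |
        Export-Csv -Path (Join-Path $OutDir "diff-$stamp.csv") -NoTypeInformation
    $diff | Select-Object Path, SideIndicator
}
```

Run the script once on the freshly rebuilt host before it is cabled in, keep that CSV off-box, and run it again with -Compare pointing at that file against the duplicated drive in the lab; the hash diff, the non-empty ADS list and any disagreement between the three process listings are what to work from before anyone calls the traffic a worm.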