Security Incidents mailing list archives

Repository of virus/worm propagation methods?


From: Alavan <alavan () pangeatech com>
Date: Mon, 29 Sep 2003 09:50:32 -0700

Hello,

Is there a site that lists how all these virus/worms replicate? Specifically, as a SysAdmin of a small ISP I see patterns of traffic and would like to be able to identify them to help the user clean their machine. For instance, one user's machine is doing this:

09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-28-2003 20:52:50 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
09-28-2003 20:52:49 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet

And yet another is doing this:

09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
09-29-2003 09:29:10 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
09-29-2003 09:29:05 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
09-29-2003 09:29:01 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
09-29-2003 09:28:58 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
09-29-2003 09:28:52 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.26.255.231 (3/3), 2 packets

Clearly both are infected or compromised and are doing different things, but I would like a way to review a virus/worm listing of methods of propagation. Most virus companies require you to know the virus/worm name before you can view characteristics.

I realize that requiring the customer to obtain a virus scanner would go toward solving the problem, but oftentimes these machines are compromised and merely cleaning the original back door doesn't remove the intruder. Traffic pattern recognition would be extremely helpful in this case.

Any help would be appreciated.

Alavan
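The kind of traffic-pattern triage the post asks for can be done directly on the ACL log, without knowing a worm's name first: group the denied ICMP entries per host, measure how many unrelated destinations each host talks to, and look at which ICMP type/code dominates. Outbound echo requests (8/0) to many scattered addresses mean the host itself is probing; outbound port-unreachable replies (3/3) to many peers mean those peers are sending UDP to a closed port on the host, i.e. something remote still expects a service there. The script below is an added example written for this page, not code from the poster or the list; the sample lines are constructed in the same Cisco ACL log format the post quotes (source address masked as in the post, plus one extra made-up host with MAC 00aa.bbcc.ddee), and the fan-out threshold `min_targets=4` is an assumed tuning value.

```python
"""Group Cisco-style ACL 'denied icmp' log lines per host and label the traffic pattern."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the post. The first two hosts
# mirror the post's two patterns; the third (00aa.bbcc.ddee) is an invented,
# ordinary host that sends a single ping.
SAMPLE_LOG = """\
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-28-2003 20:52:50 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
09-28-2003 20:52:49 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
09-29-2003 09:29:10 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
09-29-2003 09:29:05 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
09-29-2003 09:29:01 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
09-29-2003 09:28:58 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
09-29-2003 09:28:52 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 00aa.bbcc.ddee) -> 24.26.255.231 (8/0), 1 packet
"""

# Matches the ICMP form of the ACL log line shown above. 'x' is allowed in the
# source address so lines masked the way the post masks them still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"list (?P<acl>\d+) (?P<action>denied|permitted) icmp "
    r"(?P<src>[\dx.]+) \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields for one ICMP ACL log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m-%d-%Y %H:%M:%S")
    for k in ("type", "code", "count"):
        rec[k] = int(rec[k])
    return rec


def summarize_hosts(log_text):
    """Aggregate per source MAC: distinct destinations, packet total, ICMP type/code mix, time span."""
    hosts = defaultdict(lambda: {"src": None, "dsts": set(), "packets": 0,
                                 "kinds": Counter(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tcp/udp entries or other text: not handled by this regex
        # The MAC is the reliable per-host key: the masked source IP is not unique.
        h = hosts[rec["mac"]]
        h["src"] = rec["src"]
        h["dsts"].add(rec["dst"])
        h["packets"] += rec["count"]
        h["kinds"][(rec["type"], rec["code"])] += rec["count"]
        ts = rec["ts"]
        h["first"] = ts if h["first"] is None or ts < h["first"] else h["first"]
        h["last"] = ts if h["last"] is None or ts > h["last"] else h["last"]
    return dict(hosts)


def classify_host(summary, min_targets=4):
    """Label one host's ICMP pattern from its dominant type/code and destination fan-out."""
    kind, _ = summary["kinds"].most_common(1)[0]
    fanout = len(summary["dsts"])
    if fanout < min_targets:
        return "normal"  # a handful of destinations is ordinary ping traffic
    if kind == (8, 0):
        # echo requests to many unrelated addresses: the host itself is probing
        return "icmp-echo-sweep"
    if kind == (3, 3):
        # port-unreachable replies to many peers: remote hosts are sending UDP
        # to a closed port here, so something remote still expects a service
        return "port-unreachable-burst"
    return "other-icmp-fanout"


def classify_hosts(log_text, min_targets=4):
    """Map each source MAC in the log to its pattern label."""
    return {mac: classify_host(s, min_targets)
            for mac, s in summarize_hosts(log_text).items()}


if __name__ == "__main__":
    for mac, s in summarize_hosts(SAMPLE_LOG).items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{mac} src={s['src']} targets={len(s['dsts'])} packets={s['packets']} "
              f"span={span:.0f}s label={classify_host(s)}")
```

Run it over a day's worth of router syslog and the signal to act on is the fan-out: one host reaching dozens of addresses across unrelated networks within seconds is what separates a scanning machine from a user who pinged a few servers. The 3/3 case is worth a second look at the host rather than just an antivirus sweep, because the peers sending that UDP are external and will keep coming until whatever advertised the service is gone.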
