Security Incidents mailing list archives

Re: Repository of virus/worm propagation methods?


From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 29 Sep 2003 12:01:09 -0700 (PDT)

Alavan,

> Is there a site that lists how all these virus/worms
> replicate?

Sure...most a/v sites maintain info on how worms and
viruses propagate/replicate.

> Clearly both are infected or compromised and are
> doing different things,

You lost me, dude.  How did you come to this
conclusion, based on denied ICMP packets?  Timing?
What about data content?  How is this any different
from someone pinging?

> but I would like a way to review a virus/worm
> listing of methods of propagation.

I'm not sure that there are many worms or viruses that
propagate via denied ICMP packets.

> I realize that requiring the customer to obtain a
> virus scanner would go toward solving the problem,
> but often times these machines are compromised
> and merely cleaning the original back door doesn't
> remove the intruder.

You're right.  However, performing an incident
response investigation and determining the root cause
does...particularly if it's acted upon.

> Traffic pattern recognitions would be extremely
> helpful in this case.

This happens a lot...a vulnerability is announced, and
is followed by an increase in scanning for the
affected port.  Some systems do put out more than your
usual amount of (ICMP) traffic when affected, but
looking at a list of denied statements isn't going to
help you determine if the system was compromised or
not.  At the very least, you need to capture some
data, as well.  

But I think another issue at hand is the readiness
with which many folks will cry "security breach". 
I've seen Linux-based SANs report CPU temps in excess
of 400 degrees Celsius, and shut the system down.
System malfunction, NOT a security incident.  NICs and
cards go bad, memory sticks fail, etc.  Looking at a
bunch of ICMP packets and deciding that a system is
compromised can be a dangerous way of doing business.

Harlan
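The two traffic patterns Harlan contrasts above (a jump in probes for one port after an advisory, against a steady trickle of denied ICMP from a single host) can both be measured from the same firewall deny log. The script below is an added example for this archive page, not a tool from the thread or from either poster; the log line format, the addresses, the 2003-09-22 "advisory date" and the thresholds are all constructed for the example. It reports a per-port before/after scan rate with distinct-source counts, and a per-source ICMP summary, and deliberately stops there: neither number says whether the destination host is compromised, which is the point of the mail.

```python
"""Triage of firewall DENY lines: port-scan spikes vs. single-source ICMP.

Added example. The log format is constructed for this example; a real
firewall's syslog output differs and the regex would need adapting.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed line format:  <date>T<time> DENY proto=<p> src=<ip> dst=<ip> [dport=<n>] [type=<n>]
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} DENY proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=\S+(?: dport=(?P<dport>\d+))?(?: type=(?P<icmp_type>\d+))?$"
)

# Constructed sample: two quiet days, then a burst of tcp/135 probes from many
# sources starting on the (hypothetical) advisory date, a flat tcp/80 trickle,
# and one host (10.0.0.7) whose echo requests are denied once a day throughout.
SAMPLE_LOG = """\
2003-09-20T10:01:02 DENY proto=tcp src=10.0.0.5 dst=192.0.2.10 dport=135
2003-09-20T10:30:00 DENY proto=tcp src=10.0.0.6 dst=192.0.2.10 dport=80
2003-09-20T11:12:00 DENY proto=icmp src=10.0.0.7 dst=192.0.2.10 type=8
2003-09-21T09:30:11 DENY proto=tcp src=10.0.0.9 dst=192.0.2.10 dport=135
2003-09-21T14:00:45 DENY proto=icmp src=10.0.0.7 dst=192.0.2.10 type=8
2003-09-22T08:15:00 DENY proto=tcp src=10.0.0.11 dst=192.0.2.10 dport=135
2003-09-22T08:15:01 DENY proto=tcp src=10.0.0.12 dst=192.0.2.10 dport=135
2003-09-22T08:15:02 DENY proto=tcp src=10.0.0.13 dst=192.0.2.10 dport=135
2003-09-22T08:15:03 DENY proto=tcp src=10.0.0.14 dst=192.0.2.10 dport=135
2003-09-22T08:15:04 DENY proto=tcp src=10.0.0.15 dst=192.0.2.10 dport=135
2003-09-22T08:15:05 DENY proto=tcp src=10.0.0.16 dst=192.0.2.10 dport=135
2003-09-22T12:00:00 DENY proto=icmp src=10.0.0.7 dst=192.0.2.10 type=8
2003-09-23T08:20:00 DENY proto=tcp src=10.0.0.21 dst=192.0.2.10 dport=135
2003-09-23T08:20:01 DENY proto=tcp src=10.0.0.22 dst=192.0.2.10 dport=135
2003-09-23T08:20:02 DENY proto=tcp src=10.0.0.23 dst=192.0.2.10 dport=135
2003-09-23T09:00:00 DENY proto=tcp src=10.0.0.6 dst=192.0.2.10 dport=80
2003-09-23T16:45:00 DENY proto=icmp src=10.0.0.7 dst=192.0.2.10 type=8
"""


@dataclass(frozen=True)
class Deny:
    day: date
    proto: str
    src: str
    dport: Optional[int]      # None for ICMP
    icmp_type: Optional[int]  # None for TCP/UDP


def parse_denies(text: str) -> list:
    """Parse DENY lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(Deny(
            day=date.fromisoformat(m["day"]),
            proto=m["proto"],
            src=m["src"],
            dport=int(m["dport"]) if m["dport"] else None,
            icmp_type=int(m["icmp_type"]) if m["icmp_type"] else None,
        ))
    return records


def port_scan_spikes(records, advisory: date, factor: float = 3.0, min_sources: int = 3) -> dict:
    """Flag (proto, dport) pairs whose denies per day rose by `factor` on/after
    `advisory` and came from at least `min_sources` distinct addresses."""
    before_days = {r.day for r in records if r.day < advisory}
    after_days = {r.day for r in records if r.day >= advisory}
    before, after, sources = Counter(), Counter(), defaultdict(set)
    for r in records:
        if r.dport is None:
            continue
        key = (r.proto, r.dport)
        if r.day < advisory:
            before[key] += 1
        else:
            after[key] += 1
            sources[key].add(r.src)
    flagged = {}
    for key in set(before) | set(after):
        b = before[key] / max(len(before_days), 1)
        a = after[key] / max(len(after_days), 1)
        # A port never seen in the baseline is compared against "under one hit per day".
        baseline = max(b, 1.0 / max(len(before_days), 1))
        if a >= factor * baseline and len(sources[key]) >= min_sources:
            flagged[key] = {"before_per_day": b, "after_per_day": a,
                            "distinct_sources": len(sources[key])}
    return flagged


def icmp_deny_summary(records) -> dict:
    """Per source address: (number of denied ICMP packets, distinct days seen).
    One host seen every day is a follow-up item, not evidence of compromise."""
    hits, days = Counter(), defaultdict(set)
    for r in records:
        if r.proto == "icmp":
            hits[r.src] += 1
            days[r.src].add(r.day)
    return {src: (hits[src], len(days[src])) for src in hits}


if __name__ == "__main__":
    recs = parse_denies(SAMPLE_LOG)
    print("scan spikes:", port_scan_spikes(recs, date(2003, 9, 22)))
    print("icmp by source:", icmp_deny_summary(recs))
```

The spike check needs both a rate increase and several distinct sources, so one noisy host cannot trip it, and the ICMP summary is reported as a count per source rather than as a verdict; what either finding means for the destination host is left to packet capture and a host-side investigation.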
