Security Incidents mailing list archives
Re: Repository of virus/worm propagation methods?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 29 Sep 2003 12:01:09 -0700 (PDT)
Alavan,
> Is there a site that lists how all these virus/worms replicate?
Sure...most a/v sites maintain info on how worms and viruses propagate/replicate.
> Clearly both are infected or compromised and are doing different things,
You lost me, dude. How did you come to this conclusion, based on denied ICMP packets? Timing? What about data content? How is this any different from someone on pinging?
> but I would like a way to review a virus/worm listing of methods of propagation.
I'm not sure that there are many worms or viruses that propagate via denied ICMP packets.
> I realize that requiring the customer to obtain a virus scanner would go toward solving the problem, but often times these machines are compromised and merely cleaning the original back door doesn't remove the intruder.
You're right. However, performing an incident response investigation and determining the root cause does...particularly if it's acted upon.
> Traffic pattern recognition would be extremely helpful in this case.
This happens a lot...a vulnerability is announced, and is followed by an increase in scanning for the affected port. Some systems do put out more than your usual amount of (ICMP) traffic when affected, but looking at a list of denied statements isn't going to help you determine if the system was compromised or not. At the very least, you need to capture some data, as well.

But I think another issue at hand is the readiness with which many folks will cry "security breach". I've seen Linux-based SANs report CPU temps in excess of 400 degrees Celsius, and shut the system down. System malfunction, NOT a security incident. NICs and cards go bad, memory sticks fail, etc. Looking at a bunch of ICMP packets and deciding that a system is compromised can be a dangerous way of doing business.

Harlan