Re: (Moderator Note) Re: Anyome else seeing a rise in Mydoom Virusesover email?

["O'Brien Sean" <o'brien_sean () bah com>]

   Is this virus using a hardcoded IP, or is it running a DNS lookup? I 
haven't seen this mentioned in
any of the analyses I've read. I suppose SCO could always null route 
www.sco.com if it is doing lookups. Of course this won't help 
availability, just their bandwidth bill.

Cavey, Jean-Luc wrote:

> The site of SCO his not pingable since hours.
>
> I assume that they are in the process to change their IP address as White
> House did with CodeRed 1
>
> Jean-Luc Cavey
> France
>
>  
>
> > -----Message d'origine-----
> > De : falcon () secureconsulting net [mailto:falcon () secureconsulting net]
> > Envoyé : mercredi 28 janvier 2004 15:38
> > À : incidents () securityfocus com
> > Objet : RE: (Moderator Note) Re: Anyome else seeing a rise in Mydoom
> > Virusesover email?
> >
> >
> > Just an fyi to the list...some (most? all?) groups have been unable to
> > verify that a DDoS against SCO actually launches (possibly 
> > faulty code). 
> > Furthermore, the DDoS routing seems to have a date-based 
> > routing limiting
> > it to activity between Feb 1-12.  Therefore, sigs aimed at 
> > monitoring for
> > port 80 attempts to www.sco.com may not be terribly effective 
> > for catching
> > infected hosts.
> >
> > Instead of monitoring for www.sco.com, it looks like 
> > monitoring for DNS
> > queries for hardcoded sites, or monitoring for port 25 
> > traffic to the same
> > sites, might be more appropriate.
> >
> >    
>
>
> ********************************************************************************************
> In KPMG's opinion, non-encrypted communication via the Internet 
> is not to be considered secure. 
> For that reason, it is KPMG's policy that uninvited use of the Internet
> concerning exchange of confidential information with our clients must not take place.
> When exchanging information, the client is held liable. 
> This e-mail may contain confidential information and is 
> intended solely for the addressee, and any disclosure of this information is 
> strictly prohibited and may be unlawful.  If you have received this e-mail by mistake, please notify us immediately and delete this mail.
> ********************************************************************************************
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>
>  


--
Sean O'Brien

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature