Security Incidents mailing list archives

Re: RE: Worm attack on our network this morning -- anyone else see this?


From: "Jamie Riden" <jamesr () europe com>
Date: Sat, 16 Dec 2006 10:21:40 +1300

On 14/12/06, David Gillett <gillettdavid () fhda edu> wrote:
  What I've got so far is that the 7654 IRC connection is
typical of the "SDBot" family of malware.

  The number of infections has stabilized -- only one new
infected machine in the last three hours.  That strongly
suggests that machines with up to date patches and/or
antivirus and/or non-blank passwords are probably immune,
which argues against the 0day hypothesis.

Sounds like a typical bot infection - you won't really know exactly
which until you can get a sample and analyze it. There are so many new
variants of bots coming out, a lot of AV won't recognise new ones, or
may simply report detection of a generic exploit. (I like
virustotal.com for checking up on suspect binaries.)

I saw quite a few of these incidents when I worked at a uni - the
initial infection was carried inside the perimeter on someone's
laptop and then spread to unpatched internal machines. I found the
bleeding snort sigs for IRC traffic pretty helpful, as well as the
portscan detection stuff.

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie.riden () gmail com
NZ Honeynet project - http://www.nz-honeynet.org/
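The two signals the thread leans on - an internal host talking IRC on the non-standard port 7654, and an infected host sweeping its neighbours looking for unpatched machines - can be pulled out of an ordinary connection log without a full IDS. The script below is an added example written for this archive page; it is not code from Jamie's post, from the bleeding-edge ruleset he mentions, or from Snort. It assumes a constructed log line format (`timestamp src:sport -> dst:dport PROTO [first IRC word]`), an internal range of 10.0.0.0/8, and a scan threshold of 8 distinct targets on one port within 30 seconds; all of those are choices for the example, not facts from the thread, and the log lines are made up.

```python
"""Flag SDBot-style activity in a connection log (added example, not the
thread's own code): IRC on TCP/7654 or IRC commands on any port, plus
one source fanning out to many hosts on a single port in a short window."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG"}
SUSPECT_IRC_PORT = 7654                          # port the thread ties to SDBot C&C
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site range (example only)
SCAN_THRESHOLD = 8                               # distinct targets on one port ...
SCAN_WINDOW = timedelta(seconds=30)              # ... within this sliding window

# Assumed log format for the example: "ISO-ts src:sport -> dst:dport PROTO [hint]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)(?: (?P<hint>\S+))?$"
)

# Constructed sample log (not real data). 10.1.2.50 is the "infected" host,
# 10.1.2.77 is a normal user, 10.1.2.91 reaches 7654 with no payload hint.
_lines = [
    "2006-12-14T08:00:01 10.1.2.50:1057 -> 203.0.113.9:7654 TCP NICK",
    "2006-12-14T08:00:02 10.1.2.50:1057 -> 203.0.113.9:7654 TCP USER",
    "2006-12-14T08:00:03 10.1.2.50:1057 -> 203.0.113.9:7654 TCP JOIN",
    "2006-12-14T08:00:12 10.1.2.77:2000 -> 192.0.2.10:80 TCP",
    "2006-12-14T08:00:13 10.1.2.77:2001 -> 10.1.0.2:53 UDP",
    "2006-12-14T08:00:14 10.1.2.77:2002 -> 10.1.3.1:445 TCP",
    "2006-12-14T08:00:15 10.1.2.77:2003 -> 10.1.3.2:445 TCP",
    "2006-12-14T08:00:20 10.1.2.91:3030 -> 198.51.100.4:7654 TCP",
]
# The infected host then sweeps ten neighbours on TCP/445 within ten seconds.
_lines += [
    f"2006-12-14T08:00:{10 + i:02d} 10.1.2.50:{1100 + i} -> 10.1.3.{i + 1}:445 TCP"
    for i in range(10)
]
SAMPLE_LOG = "\n".join(_lines)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "proto": m["proto"],
        "hint": m["hint"],            # first IRC word seen, if the collector logged one
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def irc_alerts(records):
    """Internal hosts that reach TCP/7654 at all, or issue IRC commands on
    any port (what the IRC signatures in the thread look for)."""
    hits = set()
    for r in records:
        if r["proto"] != "TCP" or ipaddress.ip_address(r["src"]) not in INTERNAL_NET:
            continue
        if r["dport"] == SUSPECT_IRC_PORT or r["hint"] in IRC_COMMANDS:
            hits.add((r["src"], r["dst"], r["dport"]))
    return sorted(hits)


def scan_alerts(records):
    """(src, dport, n) for sources contacting >= SCAN_THRESHOLD distinct
    destinations on one port within SCAN_WINDOW. Records are sorted by time
    first, since log lines rarely arrive in order."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key[(r["src"], r["dport"])].append((r["ts"], r["dst"]))
    alerts = []
    for (src, dport), events in by_key.items():
        window = deque()              # events no older than SCAN_WINDOW from the newest
        for ts, dst in events:
            window.append((ts, dst))
            while ts - window[0][0] > SCAN_WINDOW:
                window.popleft()
            distinct = {d for _, d in window}
            if len(distinct) >= SCAN_THRESHOLD:
                alerts.append((src, dport, len(distinct)))
                break                 # one alert per (src, port) is enough
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, port in irc_alerts(recs):
        print(f"IRC-like: {src} -> {dst}:{port}")
    for src, port, n in scan_alerts(recs):
        print(f"scan: {src} hit {n} hosts on tcp/{port} within {SCAN_WINDOW.seconds}s")
```

On the sample data the IRC rule fires on 10.1.2.50 (IRC commands to 203.0.113.9:7654) and on 10.1.2.91 (port 7654 with no payload seen), and the scan rule fires on 10.1.2.50 once it has touched eight distinct hosts on 445; the file-share user 10.1.2.77 stays below threshold. The IRC-command rule will also catch legitimate IRC users on 6667, which on a campus is the same trade-off the signatures Jamie mentions make.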

