This reminds me of a few rather hilarious scenarios I recall from
several years ago. Well, hilarious from my point of view at that time.
I was performing an audit at that time and was informed by some of the
sys admins that AV would take care of whatever spyware problems, etc.
they would have. Tried to convince them otherwise. Went out to the
field and it was current definitions with happy fun fun spyware/worms
as you indicate below. I guess the great wall of China does not always
keep the Hun army out.
What is even more fun is to connect a vulnerable computer to the
Internet through a slower modem connection. It is fun to watch the
"slow motion" infection occur real time.
On Tue, Nov 10, 2009 at 5:49 PM, Jay Vlavianos
<jvlavianos (at) ecastnetwork (dot) com [email concealed]> wrote:
> McAfee is, by no means, a silver bullet. There are various attacks on
> the AV product itself that can mask infection and there are other
> methods of zombification that are not detected via AV.
>
> Disable system restore points and reboot to a bootable cd with
> malware / AV scanning to verify.
>
> Massive UDP could be an RTP broadcast but it would not be directed at
> root servers so your initial thoughts of a ddos are probably correct.
>
> -Jay
>
> On Nov 10, 2009, at 9:36 AM, "Tony Raboza" <tonyraboza (at) gmail (dot) com [email concealed]> wrote:
>
>> Hi,
>>
>> One of our workstations is broadcasting a huge amount of UDP traffic
>> (around 5Mbps) and I'm thinking it could be a zombied computer doing
>> DDOS as directed by its controller. But the weird thing is - it has
>> an updated McAfee AV with HIPS ?? Why was this not detected - or
>> could I be reading this wrong? Here's a portion of the tcpdump:
>>
>> 14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr:
>> UDP, length 1000
>> 14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP,
>> length 1000
>> 14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496:
>> UDP, length 1000
>> 14:00:20.521733 IP 192.168.10.10.brcm-comm-port >
>> b.root-servers.net.4710: UDP, length 1000
>> 14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826:
>> UDP, length 1000
>> 14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997:
>> UDP, length 1000
>> 14:00:20.525251 IP 192.168.10.10.csvr-sslproxy >
>> E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
>> 14:00:20.526385 IP 192.168.10.10.firemonrcc >
>> f.root-servers.net.sonuscallsig: UDP, length 1000
>> 14:00:20.527798 IP 192.168.10.10.spandataport >
>> G.ROOT-SERVERS.NET.4130: UDP, length 1000
>> 14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp:
>> UDP, length 1000
>> 14:00:20.529947 IP 192.168.10.10.ncu-1 >
>> i.root-servers.net.direcpc-dll: UDP, length 1000
>> 14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer:
>> UDP, length 1000
>> 14:00:20.538422 IP 192.168.10.10.embrace-dp-s >
>> 77.91.227.67.bluelance: UDP, length 1000
>> 14:00:20.538712 IP 192.168.10.10.embrace-dp-c >
>> a.root-servers.net.embrace-dp-s: UDP, length 1000
>> 14:00:20.540010 IP 192.168.10.10.dmod-workspace >
>> b.root-servers.net.bvcontrol: UDP, length 1000
>> 14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925:
>> UDP, length 1000
>> 14:00:20.541412 IP 192.168.10.10.cpq-tasksmart >
>> b.root-servers.net.bnt-manager: UDP, length 1000
>> 14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864:
>> UDP, length 1000
>> 14:00:20.542941 IP 192.168.10.10.netwatcher-mon >
>> c.root-servers.net.sbi-agent: UDP, length 1000
>> 14:00:20.544113 IP 192.168.10.10.netwatcher-db >
>> d.root-servers.net.4467: UDP, length 1000
>> 14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP,
>> length 1000
>> 14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374:
>> UDP, length 1000
>>
>>
>> ==
>>
>> Its sending UDP traffic to the root nameservers ....
>>
>> Any ideas?
>> Thanks.
>>
>>
>> Best,
>> Tony
>>
>> ---
>> ---------------------------------------------------------------------
>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs
>> an SSL certificate. We look at how SSL works, how it benefits your
>> company and how your customers can tell if a site is secure. You
>> will find out how to test, purchase, install and use a thawte
>> Digital Certificate on your Apache web server. Throughout, best
>> practices for set-up are highlighted to help you ensure efficient
>> ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
>> ---
>> ---------------------------------------------------------------------
>>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
several years ago. Well, hilarious from my point of view at that time.
I was performing an audit at that time and was informed by some of the
sys admins that AV would take care of whatever spyware problems, etc.
they would have. Tried to convince them otherwise. Went out to the
field and it was current definitions with happy fun fun spyware/worms
as you indicate below. I guess the great wall of China does not always
keep the Hun army out.
What is even more fun is to connect a vulnerable computer to the
Internet through a slower modem connection. It is fun to watch the
"slow motion" infection occur real time.
On Tue, Nov 10, 2009 at 5:49 PM, Jay Vlavianos
<jvlavianos (at) ecastnetwork (dot) com [email concealed]> wrote:
> McAfee is, by no means, a silver bullet. There are various attacks on
> the AV product itself that can mask infection and there are other
> methods of zombification that are not detected via AV.
>
> Disable system restore points and reboot to a bootable cd with
> malware / AV scanning to verify.
>
> Massive UDP could be an RTP broadcast but it would not be directed at
> root servers so your initial thoughts of a ddos are probably correct.
>
> -Jay
>
> On Nov 10, 2009, at 9:36 AM, "Tony Raboza" <tonyraboza (at) gmail (dot) com [email concealed]> wrote:
>
>> Hi,
>>
>> One of our workstations is broadcasting a huge amount of UDP traffic
>> (around 5Mbps) and I'm thinking it could be a zombied computer doing
>> DDOS as directed by its controller. But the weird thing is - it has
>> an updated McAfee AV with HIPS ?? Why was this not detected - or
>> could I be reading this wrong? Here's a portion of the tcpdump:
>>
>> 14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr:
>> UDP, length 1000
>> 14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP,
>> length 1000
>> 14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496:
>> UDP, length 1000
>> 14:00:20.521733 IP 192.168.10.10.brcm-comm-port >
>> b.root-servers.net.4710: UDP, length 1000
>> 14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826:
>> UDP, length 1000
>> 14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997:
>> UDP, length 1000
>> 14:00:20.525251 IP 192.168.10.10.csvr-sslproxy >
>> E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
>> 14:00:20.526385 IP 192.168.10.10.firemonrcc >
>> f.root-servers.net.sonuscallsig: UDP, length 1000
>> 14:00:20.527798 IP 192.168.10.10.spandataport >
>> G.ROOT-SERVERS.NET.4130: UDP, length 1000
>> 14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp:
>> UDP, length 1000
>> 14:00:20.529947 IP 192.168.10.10.ncu-1 >
>> i.root-servers.net.direcpc-dll: UDP, length 1000
>> 14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer:
>> UDP, length 1000
>> 14:00:20.538422 IP 192.168.10.10.embrace-dp-s >
>> 77.91.227.67.bluelance: UDP, length 1000
>> 14:00:20.538712 IP 192.168.10.10.embrace-dp-c >
>> a.root-servers.net.embrace-dp-s: UDP, length 1000
>> 14:00:20.540010 IP 192.168.10.10.dmod-workspace >
>> b.root-servers.net.bvcontrol: UDP, length 1000
>> 14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925:
>> UDP, length 1000
>> 14:00:20.541412 IP 192.168.10.10.cpq-tasksmart >
>> b.root-servers.net.bnt-manager: UDP, length 1000
>> 14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864:
>> UDP, length 1000
>> 14:00:20.542941 IP 192.168.10.10.netwatcher-mon >
>> c.root-servers.net.sbi-agent: UDP, length 1000
>> 14:00:20.544113 IP 192.168.10.10.netwatcher-db >
>> d.root-servers.net.4467: UDP, length 1000
>> 14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP,
>> length 1000
>> 14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374:
>> UDP, length 1000
>>
>>
>> ==
>>
>> Its sending UDP traffic to the root nameservers ....
>>
>> Any ideas?
>> Thanks.
>>
>>
>> Best,
>> Tony
>>
>> ---
>> ---------------------------------------------------------------------
>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs
>> an SSL certificate. We look at how SSL works, how it benefits your
>> company and how your customers can tell if a site is secure. You
>> will find out how to test, purchase, install and use a thawte
>> Digital Certificate on your Apache web server. Throughout, best
>> practices for set-up are highlighted to help you ensure efficient
>> ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
>> ---
>> ---------------------------------------------------------------------
>>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]