RE: RE: Worm attack on our network this morning -- anyone else see this? Dec 13 2006 10:56PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: RE: Worm attack on our network this morning -- anyone else see this? Dec 15 2006 09:21PM
Jamie Riden (jamesr europe com)
On 14/12/06, David Gillett <gillettdavid (at) fhda (dot) edu> wrote:
> What I've got so far is that the 7654 IRC connection is
> typical of the "SDBot" family of malware.
> The number of infections has stabilized -- only one new
> infected machine in the last three hours. That strongly
> suggests that machines with up to date patches and/or
> antivirus and/or non-blank passwords are probably immune,
> which argues against the 0day hypothesis.

Sounds like a typical bot infection - you won't really know exactly
which until you can get a sample and analyze it. There are so many new
variants of bots coming out, a lot of AV won't recognise new ones, or
may simply report detection of a generic exploit. (I like for checking up on suspect binaries.)

I saw quite a few of these incidents when I worked at a uni - the
initial infection was carried inside the perimeter on someone's
laptop and then spread to unpatched internal machines. I found the
bleeding snort sigs for IRC traffic pretty helpful, as well as the
portscan detection stuff.

Jamie Riden, CISSP / jamesr (at) europe (dot) com / jamie.riden (at) gmail (dot) com
NZ Honeynet project -
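The two checks Jamie found useful, IRC-traffic signatures and portscan detection, as an added example that is not part of the thread or of any Snort ruleset: a small Python sweep over connection-log lines that flags hosts speaking IRC protocol verbs on any port (the 7654 C&C port David reported is not the only one bots use) and hosts that touch many distinct internal addresses on one port in a short window, the classic spreading pattern Jamie describes. The log format, the IP addresses, the sample lines and the thresholds are constructed for illustration; nothing here is taken from the thread's network.

```python
"""Flag IRC-style bot traffic and scan-like spreading in connection logs.

Added example (not from the mailing-list thread). Log format is an assumed
one-line-per-connection text: "<epoch> <src_ip> <dst_ip> <dst_port> <payload-preview>".
All sample lines below are constructed.
"""
import re
from collections import defaultdict

# IRC protocol verbs at the start of the client payload; matched on any port so a
# bot on a non-standard port (e.g. 7654) is caught as readily as one on 6667.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE)\b")
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

# Constructed sample: one host talking IRC on 7654, one on 6667, one sweeping
# port 445 across six neighbours in four seconds, and one plain web fetch.
SAMPLE_LOG = """\
1166090000 10.1.2.30 192.0.2.50 7654 NICK [USA|00|P|12345]
1166090001 10.1.2.30 192.0.2.50 7654 USER xyz 0 0 :xyz
1166090002 10.1.2.30 192.0.2.50 7654 JOIN #chan key
1166090003 10.1.2.31 10.1.2.1 445 -
1166090003 10.1.2.31 10.1.2.2 445 -
1166090004 10.1.2.31 10.1.2.3 445 -
1166090005 10.1.2.31 10.1.2.4 445 -
1166090006 10.1.2.31 10.1.2.5 445 -
1166090007 10.1.2.31 10.1.2.6 445 -
1166090008 10.1.2.32 192.0.2.51 6667 PRIVMSG #chan :hello
1166090010 10.1.2.40 198.51.100.9 80 GET / HTTP/1.1
"""


def parse_log(text):
    """Parse log text into a list of dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, payload = m.groups()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "payload": payload})
    return records


def find_irc_clients(records):
    """Return {src: sorted 'dst:port' list} for hosts whose payload starts with an IRC verb."""
    hits = defaultdict(set)
    for r in records:
        if IRC_CMD.match(r["payload"]):
            hits[r["src"]].add(f"{r['dst']}:{r['port']}")
    return {src: sorted(targets) for src, targets in hits.items()}


def detect_scanners(records, threshold=5, window=10):
    """Return {src: (port, distinct_hosts)} for sources that reached at least
    `threshold` distinct destination hosts on one port within `window` seconds.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    by_key = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for r in records:
        by_key[(r["src"], r["port"])].append((r["ts"], r["dst"]))
    flagged = {}
    for (src, port), events in by_key.items():
        events.sort()
        # Sliding window anchored at each event; keep the largest host count seen.
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                prev = flagged.get(src)
                if prev is None or len(hosts) > prev[1]:
                    flagged[src] = (port, len(hosts))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, targets in find_irc_clients(recs).items():
        print(f"IRC client {src} -> {', '.join(targets)}")
    for src, (port, n) in detect_scanners(recs).items():
        print(f"Possible scan from {src}: {n} hosts on tcp/{port}")
```

The IRC check keys on protocol verbs rather than on a port so that a bot family moving its C&C to an arbitrary port still shows up; the scan check looks for many distinct hosts on a single port, which separates a worm hunting for one unpatched service from a legitimate client that talks to many services on a few hosts.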

Copyright 2010, SecurityFocus