Security Incidents mailing list archives
Re: RE: Worm attack on our network this morning -- anyone else see this?
From: "Jamie Riden" <jamesr () europe com>
Date: Sat, 16 Dec 2006 10:21:40 +1300
On 14/12/06, David Gillett <gillettdavid () fhda edu> wrote:
> What I've got so far is that the 7654 IRC connection is typical of the "SDBot" family of malware. The number of infections has stabilized -- only one new infected machine in the last three hours. That strongly suggests that machines with up to date patches and/or antivirus and/or non-blank passwords are probably immune, which argues against the 0day hypothesis.
Sounds like a typical bot infection - you won't really know exactly which until you can get a sample and analyze it. There are so many new variants of bots coming out, a lot of AV won't recognise new ones, or may simply report detection of a generic exploit. (I like virustotal.com for checking up on suspect binaries.)

I saw quite a few of these incidents when I worked at a uni - the initial infection was carried inside the perimeter on someone's laptop and then spread to unpatched internal machines. I found the bleeding snort sigs for IRC traffic pretty helpful, as well as the portscan detection stuff.

cheers,
Jamie

--
Jamie Riden, CISSP / jamesr () europe com / jamie.riden () gmail com
NZ Honeynet project - http://www.nz-honeynet.org/
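The two detection ideas in this exchange (a non-standard IRC port such as 7654 used for bot command-and-control, and the portscan-style fan-out a bot produces while spreading to internal machines) can be checked directly against a connection log. The script below is an added illustration, not anything posted in the thread or shipped by Snort or the Bleeding rules; the log format, the `10.` internal prefix, the SMB/RPC ports and the fan-out threshold are all assumptions, and the sample lines are constructed for the example.

```python
"""Triage a connection log for the two signals discussed in the thread:
outbound connections to an IRC-style C2 port and scan-like fan-out to
many internal peers. Added example; the log lines below are constructed."""
from collections import defaultdict
import re

IRC_C2_PORT = 7654        # port named in the thread
FANOUT_THRESHOLD = 5      # assumption: distinct internal targets that look like scanning
INTERNAL_PREFIX = "10."   # assumption: what counts as an internal address

# Constructed sample, loosely modelled on a firewall connection log (not real data):
# timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2006-12-14T08:01:02 10.1.2.10 203.0.113.50 7654 tcp
2006-12-14T08:01:05 10.1.2.10 10.1.2.11 445 tcp
2006-12-14T08:01:05 10.1.2.10 10.1.2.12 445 tcp
2006-12-14T08:01:06 10.1.2.10 10.1.2.13 445 tcp
2006-12-14T08:01:06 10.1.2.10 10.1.2.14 445 tcp
2006-12-14T08:01:07 10.1.2.10 10.1.2.15 445 tcp
2006-12-14T08:01:07 10.1.2.10 10.1.2.16 139 tcp
2006-12-14T08:02:00 10.1.2.20 198.51.100.7 80 tcp
2006-12-14T08:02:01 10.1.2.20 198.51.100.7 443 tcp
2006-12-14T08:03:10 10.1.2.30 203.0.113.50 7654 tcp
2006-12-14T08:03:11 10.1.2.30 10.1.2.31 445 tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def parse_log(text):
    """Parse lines into (ts, src, dst, dport, proto) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        events.append((ts, src, dst, int(dport), proto))
    return events


def is_internal(ip, prefix=INTERNAL_PREFIX):
    return ip.startswith(prefix)


def irc_c2_suspects(events, port=IRC_C2_PORT):
    """Map each internal source to the external hosts it reached on the C2 port."""
    hits = defaultdict(set)
    for _, src, dst, dport, _ in events:
        if dport == port and is_internal(src) and not is_internal(dst):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def scan_suspects(events, threshold=FANOUT_THRESHOLD, ports=(135, 139, 445)):
    """Sources that touched at least `threshold` distinct internal hosts on RPC/SMB ports."""
    fanout = defaultdict(set)
    for _, src, dst, dport, _ in events:
        if dport in ports and is_internal(src) and is_internal(dst):
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


def triage(text):
    """Combine both signals; hosts showing both are the first to pull off the network."""
    events = parse_log(text)
    c2 = irc_c2_suspects(events)
    scans = scan_suspects(events)
    return {"c2_hosts": c2, "scanning_hosts": scans, "both": sorted(set(c2) & set(scans))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, both 10.1.2.10 and 10.1.2.30 talk to the C2 port, but only 10.1.2.10 has also swept six internal neighbours on SMB ports, so it tops the list; a single 445 connection from 10.1.2.30 stays below the threshold, which is the kind of tuning that keeps legitimate file-server traffic from tripping the fan-out check.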