Tracking SirCam

From: Peter Krawczyk (petekat_private)
Date: Wed Jul 25 2001 - 09:49:05 PDT

Next message: Stuart Staniford: "Re: tcpdump traces of CodeRed (lab environment)"

Previous message: Tobias Diedrich: "weird sequence in packet filter log"
Next in thread: Don Hammond: "Re: Tracking SirCam"
Reply: Don Hammond: "Re: Tracking SirCam"
Reply: Greg A. Woods: "Re: Tracking SirCam"
Reply: Gary Flynn: "Re: Tracking SirCam"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Trying to track the SirCam virus without looking at the body of the
message, we've found a way to track it via headers.

In the header of the message, everything looks dynamic, and so tracking it
seems to be hard.  However, there is a slip -- the Date: header actaully
appears as 'date:'.

A cursory examination of thousands of emails from mailing lists, private
sources, and other sources shows that the only messages using the lower
case 'date:' for the header are sent by the SirCam virus.

This may help those of you who want to filter on headers and not on
message body.

-Pete K
--
Pete Krawczyk <petekat_private>
  Senior System Administrator
  mc.net <http://www.mc.net/>
  (847) 594-5111



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Stuart Staniford: "Re: tcpdump traces of CodeRed (lab environment)"
Previous message: Tobias Diedrich: "weird sequence in packet filter log"
Next in thread: Don Hammond: "Re: Tracking SirCam"
Reply: Don Hammond: "Re: Tracking SirCam"
Reply: Greg A. Woods: "Re: Tracking SirCam"
Reply: Gary Flynn: "Re: Tracking SirCam"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 11:58:05 PDT