| Here's my concern. With worms like nimda, lion, and others,
| sniffing is a major factor in analyzing the worm's
| propagation and exploitation methods. An ssh based worm
| could take sniffing out of the picture (the attack is over an
| encrypted service) and reduce forensic analysis to artifact
| examination.

I might be wrong, but the way I understood it, the exploits that surround various sshds all take place before an encrypted tunnel is set up. So you can still sniff the network for evidence of the exploit taking place. What you may not be able to do, however, is track what it does next if the next phase takes place over encrypted channels.

In the case of a worm you may find that it exploits the daemon only to run some arbitrary code, and does not do a great deal over an ssh tunnel. If this was the case then you would probably see strange behaviour from an infected machine; for example, it would most likely start scanning other machines and trying to overflow their sshds, and again you could pick up this activity.

The time at which you might not be able to track it is if, after exploitation, it uses another means to spread between machines using encrypted channels, or it trojans some part of the system, like say the ssh client :/

</RANDOM THINKING>

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/
Phone: +44 20 7900 4444

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
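An added example, not part of Lee's post or the list archive: a small Python detector for the post-exploitation behaviour Lee says you could still pick up even when the exploit payload itself runs over an encrypted channel, namely an infected host opening connections to many distinct sshds in a short window. The connection records, hosts and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample connection records: (epoch seconds, src, dst, dport).
# 10.0.0.5 fans out to 24 different sshds within 48 seconds (worm-like scan),
# 10.0.0.7 reaches 12 sshds but only one every ten minutes (an admin's day),
# 10.0.0.9 talks to two hosts repeatedly, plus one web connection to ignore.
SAMPLE = (
    [(1000 + 2 * i, "10.0.0.5", "10.0.1.%d" % (i + 1), 22) for i in range(24)]
    + [(1000 + 600 * i, "10.0.0.7", "10.0.3.%d" % (i + 1), 22) for i in range(12)]
    + [(1000 + 30 * i, "10.0.0.9", "10.0.2.%d" % (i % 2 + 1), 22) for i in range(8)]
    + [(1010, "10.0.0.5", "10.0.4.1", 80)]
)


def ssh_fanout(records, window=60, threshold=10, port=22):
    """Return {src: max distinct destinations on `port` seen within any
    `window`-second span} for sources reaching at least `threshold` hosts.

    Flow records in chronological order are the realistic input; here the
    constructed SAMPLE above stands in for a sensor or NetFlow export."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        if dport == port:                     # only the sshd service matters
            by_src[src].append((ts, dst))

    hits = {}
    for src, conns in by_src.items():
        recent = deque()                      # (ts, dst) still inside the window
        in_window = defaultdict(int)          # dst -> connections inside window
        for ts, dst in conns:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Evict connections older than the window; a slow, legitimate
            # sweep of many hosts therefore never accumulates a large fan-out.
            while recent and ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= threshold:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


if __name__ == "__main__":
    for src, count in ssh_fanout(SAMPLE).items():
        print("%s contacted %d distinct sshds within 60s" % (src, count))
```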
This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 11:22:26 PST