Re: Update: UDP 770 Potential Worm

From: H C (keydet89at_private)
Date: Mon Mar 04 2002 - 05:12:09 PST


    Byrne,
    
    > After analysing the network capture, I noticed that
    > the UDP
    > packets were being originated from a variety of
    > hosts, not
    > just the proxy.  This could be the result of a
    > variety of things,
    > one of which could be a worm that has propagated
    > itself
    > around the network. I don't know this for sure and
    > need to
    > conduct further analysis of the host(s).
    
    The fact that this is still being investigated is a
    very important point.  The reason I say that is that
    you continue to believe that this is a worm of some
    kind...even after saying that you'll refer to it as an
    'anomaly'.  The problem, as I see it, with this is
    that:
    
    (a) By calling it a worm and posting to public forums,
    the fact that this is, in fact, a worm, is stuck in
    many people's minds.  Now, anyone who fires up a
    sniffer and sees similar traffic will assume they have
    a worm.  (Let me say, up front, that I know most
    people, like yourself, are very intelligent.  However,
    spending as little as 3 months simply reviewing some of
    the public lists at SecurityFocus will also show that
    many people aren't comfortable w/ security, and will
    bow to your expertise...basically, if you're saying
    it's a worm...even w/ incomplete information and an
    investigation that hasn't been completed...they will
    believe you).
    
    (b) Calling it a worm at this point in the
    investigation narrows your focus and thought
    processes, as well.
    
    (c) Calling it a 'worm' when you have no proof of
    that, particularly in front of the client, is bad for
    business.  If you don't know yet, simply say that you
    haven't completed the investigation.
    
    Here's something to consider...can the client
    reinstall the Proxy from clean media again?  If so,
    try this...immediately before they plug the system
    into the network, run a tripwire-like scan of the
    system and hash every file.  Check for alternate data
    streams (assuming NTFS).  Get a complete process
    listing using multiple tools.  Then compare this to
    what you find in the lab w/ the dup'd drive.
    
    Carv
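The "hash every file, then compare against the lab image" step described in the message above, as an added Python illustration that is not part of the original post: it builds a SHA-256 manifest of every regular file under a directory and diffs a clean-install manifest against one taken from the duplicated drive, reporting added, removed and modified paths. The two sample trees and their contents are constructed for the demo; alternate data streams and process listings are outside what this block covers.

```python
import hashlib
import os
import tempfile  # only used to build the constructed sample trees below


def build_manifest(root):
    """Walk `root` and return {relative_path: sha256 hex digest} for every regular file.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, suspect):
    """Return (added, removed, modified) paths between the clean baseline and the lab image."""
    added = sorted(p for p in suspect if p not in baseline)
    removed = sorted(p for p in baseline if p not in suspect)
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    return added, removed, modified


def demo():
    """Constructed sample: a 'clean install' tree and a 'duplicated drive' tree that differs."""
    clean = tempfile.mkdtemp(prefix="clean_")
    dup = tempfile.mkdtemp(prefix="dup_")
    for root in (clean, dup):
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "proxy.exe"), "wb") as f:
            f.write(b"original proxy binary")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"port=8080\n")
    # Simulated differences on the duplicated drive: a changed binary and an unexpected extra file.
    with open(os.path.join(dup, "bin", "proxy.exe"), "wb") as f:
        f.write(b"original proxy binary\x00patched")
    with open(os.path.join(dup, "bin", "extra.dll"), "wb") as f:
        f.write(b"unexpected")
    return compare_manifests(build_manifest(clean), build_manifest(dup))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

Run the baseline immediately before the rebuilt proxy goes back on the network, and keep the manifest off the host so a later compromise cannot alter it.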
    This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 18:08:55 PST