> > A number of people have informed me that this traffic is probably
> > generated by a "good samaritan" worm apparently named 'Msblast.d'
> > or 'Welchia' (Symantec) or 'Nachi' (McAfee), which removes msblast
>
> It might be my over-paranoid nature, but I think that labeling this, or
> any other worm, as a good samaritan worm is dangerous. We have no way of
> verifying or holding the author accountable, and it may be that some
> hostile functionality exists in the worm and it is simply patching to
> protect itself. It opens TCP port 707. Doesn't sound nice to me.

Patching is most likely a technique for the malicious actor to maintain exclusive control over the computer. This way others can't exploit the same wide open holes to compromise a computer.

The whole argument of a good worm is nonsense anyway. Anyone making changes to my computer without my knowing about it is going to hear about it loudly. Administrators managing thousands of computers feel the same way, especially when a patch mucks up their environment or causes down time. Sometimes delaying a patch is the best thing for an organization, forced to choose between the lesser of two evils.

This reminds me of the Cheese worm, cheesy at best (2002).

Ken
Malicious Code Intelligence Manager
PGP KeyID: 0x6A8AC63F
iDEFENSE Inc. - www.idefense.com
The power of intelligence starts here!
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 23:33:20 PDT