[Intrusions] MyDoom.M/O Registration Process

Sean Rooney sean at coldstream.ca
Wed Jul 28 02:30:59 GMT 2004


Have you considered the possibility of "shooting back", i.e. pull up your 
fave denial of service tools and disable your attackers as a defensive 
measure under the doctrine of "immediate pursuit in defence" or 
whatever that is?? [A planned response is a useful thing to have for 
various scenarios, preferably having been vetted, proofed and properly 
tested with formal rules of engagement and appropriate C3 structures.]

Just a thought. Wouldn't want to have running tank battles in 
cyberspace now, do we?
[In some places, doing that could potentially introduce liability vis-à-vis 
legal thingies that might be applicable; ask your lawyers first 
before even thinking about actually implementing such a tactical 
mechanism.]

Put another way, what is the value of what is being attacked??? How 
does its compromise directly impact the entity's ability to conduct 
business safely, sanely etc.??

'Tis all a fine balance and every situation is different.
Cheers


On Jul 26, 2004, at 8:52 PM, Merton Campbell Crockett wrote:

> One of our systems was compromised by the MyDoom.M/O worm today. The
> system has been disconnected from the network while IT attempts to remove
> the worm from the system.
>
> The system has been disconnected from the network for 7 hours. I am still
> seeing external systems attempting to establish connections to the
> compromised system.
>
> Has anyone identified the mechanism by which the system "registers" that
> it is available for use and can be accessed on TCP port 1034?
>
> Merton Campbell Crockett
>

-------------------------------------------------------------
Sean Rooney, CTO
ColdStream Associates Ltd.
PGP fingerprint:
C32C 88A0 86A8 2BBE 2911  D855 1CE1 1679 6B52 405C
"Illos laetae devorunt, qui nos subicient."

TigerTeaming Whitepaper:
http://www.coldstream.ca/resources/tigerteams.pdf

Ask about our spring special for packaged IT-Security Testing.
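Merton's question above concerns a compromised host whose MyDoom.M/O backdoor listener on TCP port 1034 is still being contacted from outside, hours after the host was unplugged. A defender can confirm and scope that activity from the perimeter firewall logs. The following is an added example, not code from either poster: it parses constructed iptables/syslog-style log lines (the log format, the host name "fw", the victim address 198.51.100.20 and the source addresses are all assumptions) and summarises inbound attempts to the backdoor port by source and time.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log lines (iptables/syslog style), not taken from the post.
SAMPLE_LOG = """\
Jul 26 13:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=4411 DPT=1034 SYN
Jul 26 13:02:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=4412 DPT=1034 SYN
Jul 26 13:05:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 PROTO=TCP SPT=33001 DPT=80 SYN
Jul 26 14:10:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP SPT=1025 DPT=1034 SYN
Jul 26 14:11:59 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.21 PROTO=TCP SPT=1026 DPT=1034 SYN
"""

# Assumed field layout: syslog timestamp, host, then iptables key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return ts/src/dst/proto/dpt for one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec

def backdoor_attempts(log_text, victim_ip, port=1034, year=2004):
    """Summarise inbound TCP attempts to victim_ip:port.

    Returns the attempt count, a Counter of source addresses, and the first and
    last timestamps seen (syslog lines carry no year, so one is supplied).
    """
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and r["proto"] == "TCP" and r["dst"] == victim_ip and r["dpt"] == port]
    stamps = [datetime.strptime(f"{year} {h['ts']}", "%Y %b %d %H:%M:%S") for h in hits]
    return {
        "attempts": len(hits),
        "sources": Counter(h["src"] for h in hits),
        "first": min(stamps) if stamps else None,
        "last": max(stamps) if stamps else None,
    }

if __name__ == "__main__":
    summary = backdoor_attempts(SAMPLE_LOG, "198.51.100.20")
    print(summary["attempts"], "attempts from", len(summary["sources"]), "sources",
          "between", summary["first"], "and", summary["last"])
    for src, n in summary["sources"].most_common():
        print(f"  {src}: {n}")
```

The per-source counts and the time span are what you would hand to an abuse contact or feed into a block list; a source that keeps retrying the backdoor port after the host is gone is itself a likely MyDoom.M/O victim.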