[Intrusions] MyDoom.M/O Registration Process
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Wed Jul 28 13:20:58 GMT 2004
I'm not sure what the percentage is in "shooting back". Unless you can
refine your target to the system managing the array of compromised
systems, you will be subject to criminal investigation under Title 18
U.S.C.
Merton Campbell Crockett
On Tue, 27 Jul 2004, Sean Rooney wrote:
> have you considered the possibility of "shooting back", i.e.: pull up your fave
> denial of service tools and disable your attackers as a defensive measure
> under the doctrine of "immediate pursuit in defence" or whatever that is. ??
> [a planned response is a useful thing to have for various scenarios preferably
> having been vetted, proofed and properly tested with formal rules of
> engagement and appropriate C3 structures]
>
> just a thought. wouldn't want to have running tank battles in cyberspace now
> do we?
> [in some places, doing that could potentially introduce liability vis-à-vis
> legal thingies that might be applicable, ask your lawyers first before even
> thinking about actually implementing such a tactical mechanism. ]
>
> put another way, what is the value of what is being attacked??? how does its
> compromise directly impact the entity's ability to conduct business safely
> sanely etc.?
>
> 'tis all a fine balance and every situation is different.
> cheers
>
>
> On Jul 26, 2004, at 8:52 PM, Merton Campbell Crockett wrote:
>
> > One of our systems was compromised by the MyDoom.M/O worm today. The
> > system has been disconnected from the network while IT attempts to remove
> > the worm from the system.
> >
> > The system has been disconnected from the network for 7 hours. I am still
> > seeing external systems attempting to establish connections to the
> > compromised system.
> >
> > Has anyone identified the mechanism by which the system "registers" that
> > it is available for use and can be accessed on TCP port 1034?
> >
> > Merton Campbell Crockett
> >
> >
>
> -------------------------------------------------------------
> Sean Rooney, CTO
> ColdStream Associates Ltd.