[Intrusions] MyDoom.M/O Registration Process

Sean Rooney sean at coldstream.ca
Wed Jul 28 15:35:08 GMT 2004


precisely!  first rule of engagement, ALWAYS be absolutely certain of 
what you are looking at before deciding what to do next.  [the 
attackers could be zombie PCs controlled by a third party without the 
knowledge of the owners of the zombie PCs for example.]

ok, say the attacker is in the former USSR and the target is in the 
USA.  whose set of laws applies? [this is why i suggest talking to 
lawyers and sanity checking everything]

Here in Canada, it could be covered under section 342.1 or 326 or 340 
of the C.C.C.

Cheers
-sr [really hates 'blue on blue' incidents.]



On Jul 28, 2004, at 9:20 AM, Merton Campbell Crockett wrote:

> I'm not sure what the percentage is in "shooting back".  Unless you can
> refine your target to the system managing the array of compromised
> systems, you will be subject to criminal investigation under Title 18
> U.S.C.
>
> Merton Campbell Crockett
>
>
> On Tue, 27 Jul 2004, Sean Rooney wrote:
>
>> have you considered the possibility of "shooting back" ie: pull up
>> your fave denial of service tools and disable your attackers as a
>> defensive measure under the doctrine of "immediate pursuit in defence"
>> or whatever that is. ??
>> [a planned response is a useful thing to have for various scenarios
>> preferably having been vetted, proofed and properly tested with formal
>> rules of engagement and appropriate C3 structures]
>>
>> just a thought.  wouldn't want to have running tank battles in
>> cyberspace now do we?
>> [in some places, doing that could potentially introduce liability
>> vis-a-vis legal thingies that might be applicable, ask your lawyers
>> first before even thinking about actually implementing such a tactical
>> mechanism.]
>>
>> put another way, what is the value of what is being attacked??? how
>> does its compromise directly impact the entity's ability to conduct
>> business safely sanely etc??
>>
>> 'tis all a fine balance and every situation is different.
>> cheers
>>
>>
>> On Jul 26, 2004, at 8:52 PM, Merton Campbell Crockett wrote:
>>
>>> One of our systems was compromised by the MyDoom.M/O worm today.  The
>>> system has been disconnected from the network while IT attempts to
>>> remove the worm from the system.
>>>
>>> The system has been disconnected from the network for 7 hours.  I am
>>> still seeing external systems attempting to establish connections to
>>> the compromised system.
>>>
>>> Has anyone identified the mechanism by which the system "registers"
>>> that it is available for use and can be accessed on TCP port 1034?
>>>
>>> Merton Campbell Crockett
>>>
>>>
>>> -- 
>>> BEGIN:       vcard
>>> VERSION:     3.0
>>> FN:  Merton Campbell Crockett
>>> ORG: General Dynamics Advanced Information Systems;
>>>      Intelligence and Exploitation Systems
>>> N:   Crockett;Merton;Campbell
>>> EMAIL;TYPE=internet: mcc at CATO.GD-AIS.COM
>>> TEL;TYPE=work,voice,msg,pref:+1(805)497-5045
>>> TEL;TYPE=work,fax:   +1(805)497-5050
>>> TEL;TYPE=cell,voice,msg:     +1(805)377-6762
>>> END: vcard
>>>
>>> _______________________________________________
>>> Intrusions mailing list
>>> Intrusions at lists.sans.org
>>> http://www.dshield.org/mailman/listinfo/intrusions
>>>
>>>
>>
>

-------------------------------------------------------------
Sean Rooney, CTO
ColdStream Associates Ltd.
PGP fingerprint:
C32C 88A0 86A8 2BBE 2911  D855 1CE1 1679 6B52 405C
"Illos laetae devorunt, qui nos subicient."

TigerTeaming Whitepaper:
http://www.coldstream.ca/resources/tigerteams.pdf

Ask about our spring special for packaged IT-Security Testing.
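The original post in this thread asks who is still trying to reach the disconnected host on TCP port 1034. As an added example (not code from the thread or from either of its authors), here is a small Python parser over constructed iptables-style firewall LOG lines that pulls out inbound SYN attempts to that port on the quarantined host and summarises the sources, which is the defensive question to answer before deciding anything else. The log format, the field names and the addresses (taken from the documentation ranges) are assumptions.

```python
import re
from collections import Counter

# Constructed iptables-style LOG lines for illustration only; the hosts
# and addresses are hypothetical (documentation ranges), not real data.
SAMPLE_LOG = """\
Jul 26 20:52:10 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=TCP SPT=3421 DPT=1034 SYN
Jul 26 20:52:11 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.50 PROTO=TCP SPT=1187 DPT=1034 SYN
Jul 26 20:53:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=TCP SPT=3422 DPT=1034 SYN
Jul 26 20:53:40 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.50 PROTO=TCP SPT=1188 DPT=80 SYN
Jul 26 20:54:15 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.51 PROTO=TCP SPT=40001 DPT=1034 SYN
Jul 26 20:55:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=UDP SPT=53 DPT=1034
"""

# Assumed syslog + iptables LOG layout: timestamp, host, "kernel:", then
# key=value fields; TCP flag names (SYN, ACK, ...) trail the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one LOG line into a dict, or None if it is not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
        # A SYN with no further flags is a new-connection attempt.
        "syn": "SYN" in m["rest"].split(),
    }


def backdoor_port_attempts(log_text, quarantined_host, port=1034):
    """Return inbound TCP SYN records aimed at `port` on the quarantined host.

    Only new-connection attempts count: the thread's question is who keeps
    trying to open a connection after the host has been taken offline, so
    UDP traffic, other ports and other destinations are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["dst"] == quarantined_host and rec["proto"] == "TCP"
                and rec["dpt"] == port and rec["syn"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate attempts per source and note the observed time span."""
    per_source = Counter(h["src"] for h in hits)
    return {
        "attempts": len(hits),
        "sources": sorted(per_source),
        "per_source": dict(per_source),
        "first_seen": hits[0]["ts"] if hits else None,
        "last_seen": hits[-1]["ts"] if hits else None,
    }


if __name__ == "__main__":
    report = summarize(backdoor_port_attempts(SAMPLE_LOG, "192.0.2.50"))
    print(f"{report['attempts']} inbound SYNs to TCP/1034 on the quarantined host")
    for src, n in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n} attempt(s)")
    print(f"  window: {report['first_seen']} .. {report['last_seen']}")
```

The per-source counts are what you would hand to whoever owns the perimeter (to watch or drop inbound 1034 to that address) and to the lawyers the thread keeps mentioning; the sources themselves may be compromised third-party machines, which is exactly why the summary stops at identification.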