[Dshield] Re: Honey File Sharing & Nimda

David Sentelle David.Sentelle at cnbcbank.com
Fri Aug 9 16:45:41 GMT 2002


On the original honeyfile idea, in my non-legal opinion, I don't think that warnings about IPs being submitted, etc., etc., are required.  The P2P services I've used tell people to be very careful about EXEs.  Of course, this is assuming that the software does no harm.  I still think that by clicking on an EXE downloaded from any P2P service, you're basically stating that you don't care what happens to your PC.  Not to mention the fact that a URL can't be hit without revealing the source IP.  (partially untrue, I realize) 

For the record, I don't think EICAR should be included, as it's easy (for some) to write something that AV software wouldn't pick up.  (A modified WinVNC, for instance.)

This does sound like a great idea.  Let's hope the RIAA doesn't listen to this list though; they'd take the idea and figure out all they'd need to do was populate P2P networks with WMVs with embedded URLs to their counters.  If URLs can't be embedded in WMVs, I know SWFs can do that.  (Speaking of which, watch out for the SWF vulnerability; see http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=M%20PSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False )

Regarding the Nimda question: I've been hit with a lot of SQL Snakes lately, and I've been emailing the IP admin & abuse @ the IP admin's domain with a short note stating 'It appears that a SQL Snake infected PC on your subnet is scanning our subnet for vulnerable hosts'.  Then I append the log files pertinent to their net block.  I've gotten lots of automated replies in the last week I've been doing this.  I also got 2 handwritten replies of thanks.  It takes 5 minutes or less per email, and hopefully makes some sort of difference, right?  :)

(I don't bother with Asian IP admins, and usually ignore the European ones, too.)

I would treat NIMDA the same.  Note that there are a few services, but I've been using samspade.org's 'do stuff' feature, as it bypasses our firewall, enabling some things I can't do manually.


----------------------------------------
David Sentelle
Network Operations Specialist
Commerce National Bank
614.334.6282 Voice    614.848.8830 Fax
There are only 10 types of people in this world: 
Those who understand binary, and those who don't.
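The notification workflow described in the reply above (scan hits bucketed per source net block, a short note, and the pertinent log lines appended), written out as an added Python example; this is not code from the original post. The log line format, the /24 aggregation, the TCP port 1433 filter and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines. Assumed format:
#   date time src_ip dst_ip dst_port action
# Aggregating by /24 is an assumption; a real report would use the
# allocating registry's netblock and abuse contact for each source.
SAMPLE_LOG = """\
2002-08-09 10:01:12 203.0.113.17 192.0.2.10 1433 DENY
2002-08-09 10:01:13 203.0.113.17 192.0.2.11 1433 DENY
2002-08-09 10:02:40 198.51.100.5 192.0.2.10 1433 DENY
2002-08-09 10:03:01 203.0.113.98 192.0.2.12 1433 DENY
2002-08-09 10:05:22 198.51.100.5 192.0.2.13 80 ALLOW
"""

SCAN_PORT = 1433  # MS SQL Server; the port the SQL Snake scans for


def group_scans_by_netblock(log_text, port=SCAN_PORT, prefix=24):
    """Return {netblock: [log lines]} for denied hits on `port`, one bucket per /prefix."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than mis-report them
        src, dst_port, action = parts[2], int(parts[4]), parts[5]
        if dst_port != port or action != "DENY":
            continue  # only the scan traffic belongs in the report
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        groups[str(net)].append(line)
    return dict(groups)


def draft_report(netblock, lines, our_net="192.0.2.0/24"):
    """Build the short note plus the pertinent log lines for one netblock's abuse contact."""
    body = (f"It appears that a SQL Snake infected PC on your subnet ({netblock}) "
            f"is scanning our subnet ({our_net}) for vulnerable hosts.\n\n"
            "Pertinent log entries (times UTC):\n")
    return body + "\n".join(lines) + "\n"


if __name__ == "__main__":
    for net, hits in group_scans_by_netblock(SAMPLE_LOG).items():
        print(draft_report(net, hits))
```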

>>> list-request at dshield.org 08/09/02 12:00PM >>>
Message: 1
Date: Thu, 8 Aug 2002 08:30:42 -0400
From: Johannes Ullrich <jullrich at sans.org>
To: intrusions at incidents.org, list at dshield.org 
Organization: Euclidian Consulting
Subject: [Dshield] file sharing honeyfile idea
Reply-To: list at dshield.org 

anybody willing to write something like this? Are there any
technical or legal problems I am overlooking?

This should allow us to count how many gullible users are
willing to execute everything they find...

--__--__--

Message: 2
From: Russell Washington <russ.washington at vaultsentry.com>
To: "'list at dshield.org'" <list at dshield.org>
Date: Thu, 8 Aug 2002 10:52:05 -0700 
Subject: [Dshield] Nimda box reporting
Reply-To: list at dshield.org 

Anyway, just a thought.  Does any centralized notification thingamabob like
this exist?  Or is the upshot that folks don't pay attention when they get
these kinds of notifications anyway?


--__--__--



This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which 
they are addressed. If you have received this e-mail in error, 
please notify admin at cnbcbank.com and delete it from your system.
