[Dshield] FW: New virus alert: W32/Bugbear.B-mm

Deb Hale haled at pionet.net
Fri Jun 6 12:53:41 GMT 2003



Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of James C. Slora Jr.
Sent: Thursday, June 05, 2003 2:14 PM
To: list at dshield.org
Subject: Re: [Dshield] FW: New virus alert: W32/Bugbear.B-mm

John Hardin wrote 05 Jun 2003 08:05:14 -0700

> > Attachment names are also variable, possibly based on from filenames
> > on the infected machine with an extension of either .scr, .pif or 
> > .exe
> Trivially easy to block.

Yeah, trivially easy.
Cocky> Just make sure all computers have properly updated Outlook or OE and have their security set properly.

Paranoid> Oh wait, some users disable security because they trade Word
documents in email.
Cocky> That's OK - we'll drop .pif .scr and .exe at our MTA - IF it is
capable of that.

Paranoid> Yeah but what about third party web mail?
Cocky> OK we'll block users from accessing Hotmail and other similar
services - IF we have a firewall/proxy/etc configurable for that.

Paranoid> But there are too many sites to know you've blocked them all -
message boards, personal webmail servers, etc
Cocky> OK, we'll use content filtering to block user downloads of EXEs etc - IF we have the filtering software and if this is approved by our bosses.

Paranoid> So all we have to worry about is infected VPN users sending
Bugbear encrypted into our network through file shares that are the primary purpose of the VPN?
Cocky> Ummm... virus definitions should cover that - if our vendor has
released new definitions

Paranoid> Wait, Bugbear is also a file infector. That means it could
actually hide within any executable on any network where a compromise has occurred. If we're already infected, Bugbear could insert itself into the self-extracting virus definitions we download.
Cocky> We'll verify checksums of the virus definitions. I'll just learn how our AV vendor provides checksums, and master the simple utility that checks them against the downloaded definitions.

Paranoid> Yeah but Bugbear kills AV programs and can infect them afterwards, so downloading new defs won't help if you're already infected.
Cocky> We can configure our IDS to watch for signs of infection, once we
know what to look for. Our rock-solid backup system will let us quickly recover all infected systems after we disconnect them from the network.

Paranoid> And how do we know there aren't any trojans left on uninfected
systems if the Bugbear owner goes fishing from one of the infected computers inside our main defenses?

etc. etc.

Easy as pie! Easy to stop it, and easy to get burned by it too. There are lots of measures you can and should take to help make networks more secure, but a little bad luck can defeat the best defenses just as easily as a skilled hacker.

I never feel the network is protected. I just do what I can, try to learn and to anticipate threats, and hope for the best.
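The MTA-side drop of .pif, .scr and .exe attachments that the exchange above treats as "trivially easy", as an added example that is not part of the original thread: a Python check over a constructed sample message (not a real Bugbear sample) that matches the final extension case-insensitively, so a renamed double-extension file is caught as well.

```python
import email
from email import policy

# Attachment extensions the thread proposes dropping at the MTA.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe"}

# Constructed sample message (not a real Bugbear sample): one attachment hides
# behind a document-looking double extension in mixed case, one is a plain .doc.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="Report.doc.SCR"
Content-Disposition: attachment; filename="Report.doc.SCR"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ
Content-Type: application/msword; name="budget.doc"
Content-Disposition: attachment; filename="budget.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--XYZ--
"""


def blocked_attachments(raw_message: bytes) -> list:
    """Return attachment filenames whose final extension is blocked.
    Case-insensitive; trailing dots/spaces ignored, so "Report.doc.SCR" is caught."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.strip().rstrip(".").lower()
        if any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_MESSAGE))  # ['Report.doc.SCR']
```

Only the filename is inspected here; a real MTA policy would also look at the content type and the file's magic bytes, since the name is entirely under the sender's control.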
