[Dshield] Re: Beagle/Bagle outband trigger

Andy Cuff offthecuff at lineone.net
Tue Jan 20 09:15:10 GMT 2004

Hi Johannes,
Thanks for the reply though I was trying to avoid writing a separate grep
signature for each remote host hence the /1.php and I don't see the threat
from this worm as sufficient enough to have the team write a protocol decode
signature.  My concern over the 404 response would be, why have the
compromised hosts call these sites when the pages aren't available, unless
they are confident that they can be owned and are waiting for the right
moment to upload the 1.php - then if we include the 404 element we won't see
the infested hosts that are making a bona fide connection to their master.

I'm not worried about signatures for detecting the email portion except well
within a network, as the noise would be horrendous if this really starts to
fly; what does concern me is detecting infected hosts dialling out.  I
suspect the best course of action is to wait for the 1.php to appear then
write a signature for its content.

Thanks again
take care
Talisker Security Tools Directory
----- Original Message ----- 
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: "Andy Cuff" <talisker at securitywizardry.com>
Cc: <intrusions at incidents.org>; "General DShield Discussion List"
<list at dshield.org>
Sent: Monday, January 19, 2004 12:01 PM
Subject: [Dshield] Re: Beagle/Bagle outband trigger

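The trade-off discussed in this message, as an added example that is not part of the original e-mail: a single host-independent match on the /1.php path over proxy logs, run with and without the 404 condition. The log format, addresses and host names are constructed, and `find_callers` is a hypothetical helper.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: client, method, URL, status (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 GET http://site-a.example/1.php 404
10.0.0.5 GET http://site-b.example/1.php 404
10.0.0.9 GET http://site-c.example/1.php?x=1 200
10.0.0.7 GET http://intranet.example/index.php 200
10.0.0.7 GET http://site-d.example/archive/11.php 404
10.0.0.8 GET http://site-e.example/old/1.php 404
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def find_callers(log_text, page="1.php", require_status=None):
    """Map client -> {status: count} for requests whose last path segment is `page`.

    The host is ignored, so one rule covers every remote site. Passing
    require_status=404 reproduces a signature that also keys on the 404 reply.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, url, status = m.groups()
        # Compare the final path segment so /archive/11.php does not match.
        if urlsplit(url).path.rsplit("/", 1)[-1] != page:
            continue
        if require_status is not None and int(status) != require_status:
            continue
        hits[client][int(status)] += 1
    return {client: dict(codes) for client, codes in hits.items()}


if __name__ == "__main__":
    every = find_callers(SAMPLE_LOG)
    only_404 = find_callers(SAMPLE_LOG, require_status=404)
    for client in sorted(every):
        seen = "seen" if client in only_404 else "MISSED"
        print(f"{client} statuses={every[client]} with-404-rule={seen}")
```

In the constructed sample, 10.0.0.9 is the only client that received a 200 for the page, and it is the one the 404-keyed rule drops.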