[Dshield] Increase in scanning activity coincident with release of Novarg?

Pete Cap peteoutside at yahoo.com
Tue Jan 27 17:55:15 GMT 2004

Correct me if I'm wrong but the worm's vector is mass-mailing...therefore as the number of infected hosts rises, the amount of viral dandruff floating around the GIG ought to spike as well.
Good bit of traffic analysis there.
If I may respectfully suggest, had you noticed this right away, it would have given us a one-hour head start on the worm (no fault implied).
Do you suppose you might be able to set in place some kind of threshold (e.g. "increase of x% over time period y") which would alert you (or anyone using a tarpit) that anomalous activity was occurring?
Not trying to saddle you with more work...just thinking out loud :)

John Hardin <johnh at aproposretail.com> wrote:

I just checked my email quarantine and tarpit graphs this morning and
there's an interesting correlation: tarpitted traffic here increased
quite a bit almost exactly one hour after the first instances of Novarg
attacks started coming through, and has been steadily high since.

It appears to be primarily 1433/tcp traffic.

Can anyone else confirm this? Anybody think it means anything?


John Hardin KA7OHZ 
Internal Systems Administrator/Guru voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
Failure to plan ahead on someone else's part does not constitute an
emergency on my part.
- David W. Barts in a.s.r
34 days until ICQ Corp goes away - have you installed Jabber yet?
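
An added example, not part of the original thread: one way to implement the "increase of x% over time period y" alert suggested above, run over constructed hourly tarpit counts per destination port. The function names, the trailing-window baseline, and the `min_count` noise floor are assumptions of this sketch.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def make_sample():
    """Constructed sample rows: (timestamp, destination port, tarpitted connections).
    The counts and dates are illustrative, not data from the thread."""
    start = datetime(2004, 1, 26, 18, 0)
    hourly_1433 = [40, 38, 45, 41, 39, 44, 120, 130, 125]
    hourly_445 = [20, 22, 19, 21, 20, 23, 22, 21, 20]
    rows = []
    for i, (a, b) in enumerate(zip(hourly_1433, hourly_445)):
        ts = start + timedelta(hours=i)
        rows.append((ts, 1433, a))
        rows.append((ts, 445, b))
    return rows

def find_spikes(rows, pct_increase=100.0, window=4, min_count=25):
    """Return (bucket, port, count, baseline) for every hourly bucket whose count
    exceeds the mean of the previous `window` buckets by >= pct_increase percent."""
    per_port = defaultdict(Counter)
    for ts, port, n in rows:
        per_port[port][ts.replace(minute=0, second=0, microsecond=0)] += n
    alerts = []
    for port, buckets in sorted(per_port.items()):
        times = sorted(buckets)
        for i in range(window, len(times)):
            history = [buckets[t] for t in times[i - window:i]]
            baseline = sum(history) / window
            count = buckets[times[i]]
            if count < min_count:
                continue  # ignore percentage swings on near-idle ports
            # A zero baseline has no percentage; any count above the floor is a spike.
            if baseline == 0 or (count - baseline) / baseline * 100 >= pct_increase:
                alerts.append((times[i], port, count, baseline))
    return alerts

if __name__ == "__main__":
    for ts, port, count, base in find_spikes(make_sample()):
        print(f"{ts:%Y-%m-%d %H:00} port {port}/tcp: {count} vs baseline {base:.1f}")
```

Because the baseline is a trailing mean, a sustained rise stops alerting once the window fills with elevated counts, so the first alert is the one that matters for early warning.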
