[Dshield] MyDoom/NoVarg DoS details

Johannes B. Ullrich jullrich at sans.org
Tue Jan 27 23:42:15 GMT 2004


For the last 20+ days of port 3127 data see
feeds.dshield.org/port3127.dat

The target IP is replaced with a simple integer
(e.g. 'target1' -> '1', ...).



On Tue, 2004-01-27 at 18:03, Pete Cap wrote:
> Johannes,
>  
> I read that the worm listens on TCP 3127-3198.
> Checked out a few of those ports on DShield and noticed that a few of them exhibit the same behavior: generally pretty quiet, enormous spikes, then back to being quiet.  A few of those ports are very noisy, but obviously you see where I'm going with this...is the author scanning for infected machines?  Would be interesting to see if we could capture that traffic and try to get the worm to respond to it.
>  
> In your lab, have you tried communicating with it on the ports it's supposed to open (basic syns etc.)?
>  
> Regards,
>  
> Pete
>  
> 
> 
> "Johannes B. Ullrich" <jullrich at sans.org> wrote:
> On Tue, 2004-01-27 at 15:30, Eric Hines wrote:
> > Does anyone here have any details on the type of Denial of Service attack that 
> > MyDoom/Novarg launches against SCO.COM in Feb? What solutions if any are 
> > recommended for this date, a null route? Is it just outbound port 80 SYN floods?
> 
> I haven't been able to trigger the sco.com attack yet in my lab.
> However, the virus includes these strings:
> 
> GET / HTTP/1.1
> Host: www.sco.com
> 
> suggesting that it will try to issue a full request.
> 
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
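The note above says the port 3127 feed replaces each target IP with a simple integer. The following added example, which is not part of this message or of DShield's own tooling, shows one way to do that kind of consistent pseudonymisation over a handful of constructed records: every distinct target gets the integer of its first appearance, so a reader can still count hits per target and compare sources without seeing the real address. The field layout (date, source IP, source port, target IP, target port), the sample lines and the function name are assumptions; the real feed's format is not described on the page.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample records, not real DShield data. The column order
# (date, source IP, source port, target IP, target port) is an assumption.
SAMPLE_LINES = [
    "2004-01-27 10.0.0.5 4321 192.0.2.10 3127",
    "2004-01-27 10.0.0.9 4322 192.0.2.20 3127",
    "2004-01-27 10.0.0.5 4323 192.0.2.10 3127",
    "2004-01-27 10.0.0.7 4324 192.0.2.30 3128",
    "this line is malformed on purpose",
]


def pseudonymise_targets(lines: List[str],
                         target_field: int = 3) -> Tuple[List[str], Dict[str, str], int]:
    """Replace the target IP column with a small integer.

    The first target seen becomes '1', the second '2', and so on, so the
    same real address always maps to the same integer within one run.
    Returns (rewritten lines, address->integer mapping, number of skipped lines).
    """
    mapping: Dict[str, str] = {}
    rewritten: List[str] = []
    skipped = 0
    for line in lines:
        fields = line.split()
        if len(fields) <= target_field:
            skipped += 1          # too few columns to contain a target
            continue
        target = fields[target_field]
        try:
            ipaddress.ip_address(target)   # reject anything that is not an IP
        except ValueError:
            skipped += 1
            continue
        if target not in mapping:
            mapping[target] = str(len(mapping) + 1)
        fields[target_field] = mapping[target]
        rewritten.append(" ".join(fields))
    return rewritten, mapping, skipped


def hits_per_target(rewritten: List[str], target_field: int = 3) -> Dict[str, int]:
    """Count records per pseudonymised target; works on the rewritten lines only."""
    counts: Dict[str, int] = {}
    for line in rewritten:
        key = line.split()[target_field]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    out, table, dropped = pseudonymise_targets(SAMPLE_LINES)
    for line in out:
        print(line)
    print("targets:", len(table), "skipped:", dropped)
    print("hits per target:", hits_per_target(out))
```

The mapping is intentionally returned to the caller rather than printed with the feed: it is the secret that links integers back to real addresses and should stay with whoever publishes the data, while the rewritten lines are what a consumer of the feed would see.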