[Dshield] MyDoom/NoVarg DoS details

Daniel G. Kluge dkluge at acm.org
Wed Jan 28 18:41:55 GMT 2004

On 28.01.2004 at 15:09, Johannes B. Ullrich wrote:

>> I suppose one could add an entry into their own DNS that points
>> toward their own static intranet webpage,
> well, the infected user will not see the page (unless they happen to
> visit sco.com). However, the idea is sound. Redirect traffic for
> sco.com to a 'sink' and notify users that hit it more than n times.
> ? That would be the easiest solution to take care of it....

Also since lots of enterprises have proxies (and proxy.pac definitions) 
it won't even hinder the user to look at the sco.com pages if he or she 
really needs to (that is unless MyDoom can use the proxy definition).

Speaking of Enterprises... I received a mail to all from our IT guys 
two days ago, urging everybody to check that their Virus definition is 
up to date, and if not or even *gasp* if no Anti-Virus were running to 
contact them ASAP. Apparently our mail-gateways were discarding MyDoom 
at a rate of 90 per minute!

Speaking of not having an Anti-Virus.. My previous PC at work somehow 
came without (mandated) Virus-Scanner from IT, and when I called them 
b/c of some strangeness, they found no less than three Virii on it...

> If you happen to run iptables, you could even rate limit traffic to
> sco.com, or trigger based on number of requests, so you don't prevent
> random users from going to sco.com to sign up for their Linux licenses.
> On the other hand, in particular if this is a corporate environment,
> just scan for open port 3127. I think at least Eeye now released a
> scanner if you don't want to break out nmap.

That would help, the last time I used nmap my PC rebooted immediately.

> I would assume that your false positive rate is rather low, even if you
> don't look at the response (just a ']' in the case of MyDoom).

I'm so glad that I'm not using PCs at home...
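
The sink idea quoted above (point sco.com at an internal server and flag clients that hit it more than n times), sketched as an added example that is not part of the original thread. The Common Log Format input, the addresses, the threshold and the 60-second window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

def _line(ip, ts):
    # Build one constructed Common Log Format line for the sink web server.
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "GET / HTTP/1.1" 200 312'

# Constructed sample log (made-up hosts and times, not real traffic):
T0 = datetime(2004, 1, 29, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    # one host requesting the page once per second (automated pattern)
    [_line("10.0.7.33", T0 + timedelta(seconds=s)) for s in range(8)]
    # a person who opened the page and reloaded it once
    + [_line("10.0.4.17", T0 + timedelta(seconds=s)) for s in (0, 30)]
    # occasional visits spread over an hour
    + [_line("10.0.9.2", T0 + timedelta(minutes=10 * m)) for m in range(6)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def flag_sink_clients(log_text, n=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak_hits} for clients that hit the sink
    more than n times inside any sliding window of the given length."""
    recent = defaultdict(deque)   # per-client timestamps still in the window
    peak = defaultdict(int)       # highest in-window count seen per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        ip, stamp = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop hits that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: hits for ip, hits in peak.items() if hits > n}

if __name__ == "__main__":
    for ip, hits in sorted(flag_sink_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {hits} sink hits within 60s, check this host")
```

Counting inside a time window rather than over the whole log keeps someone who visits the page a few times a day from being flagged.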

