[Dshield] W32/Kassbot-B worm combat

Merrill Cook dshieldlists at versateam.com
Wed Jun 8 15:02:00 GMT 2005

I'm not familiar with the Kassbot-B worm ... but can you detect its 
outbound connections and simply turn off the Internet service for your 
customers who appear to be infected?

I personally don't think customer education about patching is going to 
solve the problem of crime syndicates creating botnets and tricking 
normal people into running them, whether through social engineering or 
bugs in the operating system. This is not a minor problem that we can 
address with "education"; it represents a cancer that is destroying the 
Internet, and requires a radical solution.

I'm almost ready to say that ISPs and even major backbone providers 
should start blocking connections with any other ISP that allows botnets 
to phone home. ISPs must take responsibility for preventing compromised 
machines from participating in a criminal enterprise, and an ISP that is 
not being radically proactive against compromised machines on its 
network is supporting a threat to every one of your customers.

jmulkerin wrote:

>My company is a targeted web site in the W32/Kassbot-B worm. A 
>customer's Windows machine not patched with MS04-012 or MS04-11 can be 
>infected and include a keylogger and then pass the data to a Russian 
>address. The details can then be used to compromise our customer's 
>account.  We already are pretty tight inside, in the DMZ and at the 
>firewall.  We're gonna target some customer education towards patching 
>and virus protection. Any other suggestions on how to combat the problem?
