[Dshield] W32/Kassbot-B worm combat
dshieldlists at versateam.com
Wed Jun 8 15:02:00 GMT 2005
I'm not familiar with the Kassbot-B worm ... but can you detect its
outbound connections and simply turn off the Internet service for your
customers who appear to be infected?

I personally don't think customer education about patching is going to
solve the problem of crime syndicates creating botnets and tricking
normal people into running them, whether through social engineering or
bugs in the operating system. This is not a minor problem that we can
address with "education"; it represents a cancer that is destroying the
Internet, and requires a radical solution.

I'm almost ready to say that ISPs and even major backbone providers
should start blocking connections with any other ISP that allows botnets
to phone home. ISPs must take responsibility for preventing compromised
machines from participating in a criminal enterprise, and an ISP that is
not being radically proactive against compromised machines on its
network is supporting a threat to every one of your customers.

>My company is a targeted web site in the W32/Kassbot-B worm. A
>customer's Windows machine not patched with MS04-012 or MS04-11 can be
>infected and include a keylogger and then pass the data to a Russian
>address. The details can then be used to compromise our customer's
>account. We already are pretty tight inside, in the DMZ and at the
>firewall. We're gonna target some customer education towards patching
>and virus protection. Any other suggestions on how to combat the problem?