[Dshield] W32/Kassbot-B worm combat

jmulkerin jmulkerin at comcast.net
Fri Jun 10 02:31:38 GMT 2005


 From what we've studied so far, it's pretty hard to enforce any kind of 
port checking on the customer's computer, so instead we're educating.   I 
think the only way we can attempt to combat it is to aggressively 
investigate each case and prosecute where we can if we can get law 
enforcement assistance.

I totally agree that ISPs need to stand up to this problem. They are the 
only ones that will be able to stop the problem.   In this case, I 
can't even get the ISP to cooperate in researching it.   I personally 
think ISPs could block port scans, known trojans, and even a lot of the 
phishing. However, that would reduce their traffic load and maybe income.

Merrill Cook <dshieldlists at versateam.com> said:

> I'm not familiar with the Kassbot-B worm ... but can you detect its 
> outbound connections and simply turn off the Internet service for your 
> customers who appear to be infected?
>
> I personally don't think customer education about patching is going to 
> solve the problem of crime syndicates creating botnets and tricking 
> normal people into running them, whether through social engineering or 
> bugs in the operating system. This is not a minor problem that we can 
> address with "education"; it represents a cancer that is destroying 
> the Internet, and requires a radical solution.
>
> I'm almost ready to say that ISPs and even major backbone providers 
> should start blocking connections with any other ISP that allows 
> botnets to phone home. ISPs must take responsibility for preventing 
> compromised machines from participating in a criminal enterprise and 
> an ISP that is not being radically proactive against compromised 
> machines on its network is supporting a threat to every one of your 
> customers.
>
> jmulkerin wrote:
>
>> My company is a targeted web site in the W32/Kassbot-B worm.  A 
>> customer's windows machine not patched with MS04-012 or MS04-11 can  
>> be infected and include a keylogger and then pass the data to a 
>> Russian address. The details can then be used to compromise our 
>> customer's account.  We already are pretty tight inside, in the DMZ 
>> and at the firewall.  We're gonna target some customer education 
>> towards patching and virus protection. Any other suggestions on how 
>> to combat the problem?
>>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] Missing submission confirmations / unreliable data 
> presented by DShield?
> From:
> <dshield.org at keithbergen.com>
> Date:
> Wed, 8 Jun 2005 12:55:30 -0400
> To:
> "'General DShield Discussion List'" <list at lists.dshield.org>
>
>
>I have actually had very regular Daily Reports. I get them quite
>consistently. Most of the times that they have stopped is because of
>something on my side.
>
>For instance, I stopped sending reports 06/04 for some yet unknown
>reason. I think my combination of an old Linksys router and Kiwi may be
>problematic. It's currently not logging at all. I will have to try
>rebooting everything and see if that fixes it.
>
>Just my $0.02.
>
>Keith.
>
>-----Original Message-----
>From: list-bounces at lists.dshield.org
>[mailto:list-bounces at lists.dshield.org] On Behalf Of
>newatthis2 at comcast.net
>Sent: Wednesday, June 08, 2005 10:42 AM
>To: General DShield Discussion List
>Subject: Re: [Dshield] Missing submission confirmations / unreliable
>data presented by DShield?
>
>
>It's been that way. Always. Sometimes it gets better, sometimes worse. 
>If anyone at dshield really cares about it I haven't found them. I got a
>daily report on May 28, 2005; the next one I got was June 6, 2005.
>
>Good Luck,
>
>Mike
>
>-------------- Sponsor Message ------------------------------------
>Join us at SANSFIRE 2005 in Atlanta!
>The Internet Storm Center Conference.
>Details: http://www.sans.org/sansfire2005
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see:
>http://www.dshield.org/mailman/listinfo/list
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> [Dshield] data storage encryption
> From:
> Isaac <suscripcions at tsolucio.com>
> Date:
> Wed, 08 Jun 2005 19:53:59 +0200
> To:
> list at lists.dshield.org
>
>
> I have to create a system to encrypt data contained in a storage 
> server, the procedure will be:
> -extract the data from the source server onto an HD
> -insert the HD in the storage server
> -power on the server
> -copy the data
> -shut down the server
>
> This process should be as automatic as possible, only requiring the 
> insertion of the HD in the system.
> The data should be encrypted once in the server.
> My suggestion is to install Linux with dm-crypt, and make a script 
> that mounts the encrypted volume at startup, copies the data and 
> shuts down the computer.
> The problem I see with my approach is its automation, because I 
> would have to keep the key/password for encryption somewhere in the script, so 
> anyone who has the server would only need to turn it on.....
> I thought of a solution: make a live CD with the Linux and the key inside, 
> and never leave the server and the CD together without supervision.
> Of course, maybe this method is a really stupid way to do it.
> I would appreciate any suggestion to solve the problem or modify what I 
> thought of.
> Suggestions on cipher algorithm will be welcome too.
> Thanks a lot
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] New Virus?
> From:
> Krzysztof Cabaj <kcabaj at gmail.com>
> Date:
> Wed, 8 Jun 2005 20:22:41 +0200
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
>Hi,
>
>>Submit it to viruslist.com.  Their system will scan with a dozen or so
>>av engines.  Might identify it, or hint at what it is.
>>
>Or try VirusTotal.
>http://www.virustotal.com/flash/index_en.html
>
>Sincerely,
>Christopher
>
>
>  
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] data storage encryption
> From:
> "Brenden Walker" <BKWalker at drbsystems.com>
> Date:
> Wed, 8 Jun 2005 15:22:01 -0400
> To:
> "General DShield Discussion List" <list at lists.dshield.org>
>
>
>>-----Original Message-----
>>From: list-bounces at lists.dshield.org 
>>[mailto:list-bounces at lists.dshield.org] On Behalf Of Isaac
>>Sent: Wednesday, June 08, 2005 1:54 PM
>>To: list at lists.dshield.org
>>Subject: [Dshield] data storage encryption
>>
>>I have to create a system to encrypt data contained in a 
>>storage server, the procedure will be:
>>-extract the data from source server in a HD -insert the HD 
>>in the storage server -power on the server -copy the data 
>>-shut down the server
>
>What's the purpose? 
>Is this just for long-term storage?  
>Does the data have to be on-line and available?  
>What physical security is present?
>System networked in any way?
>
>Those are just the first questions that pop into my mind, I'm sure the
>others here will have more ;-)
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] data storage encryption
> From:
> Josh Tolley <josh at raintreeinc.com>
> Date:
> Wed, 08 Jun 2005 14:28:57 -0600
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
> Brenden Walker wrote:
>
>>> I have to create a system to encrypt data contained in a storage 
>>> server, the procedure will be:
>>> -extract the data from source server in a HD -insert the HD in the 
>>> storage server -power on the server -copy the data -shut down the 
>>> server
>>
>>
>>
>> What's the purpose? Is this just for long-term storage?  Does the 
>> data have to be on-line and available?  What physical security is 
>> present?
>> System networked in any way?
>>
>> Those are just the first questions that pop into my mind, I'm sure the
>> others here will have more ;-)
>>
>
> - Does the operating system or software involved matter?
> - What sort of data is this (that is, what level of risk are you 
> willing to accept)?
> - What budget/time constraints are there involved?
>
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> Office Phone: (801) 293-3090
> Corporate Office: (760) 509-9000
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> [Dshield] modify hosts in a internet email server
> From:
> Isaac <suscripcions at tsolucio.com>
> Date:
> Wed, 08 Jun 2005 22:46:11 +0200
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
> When some servers or firewalls without an internet domain send emails to 
> our mail server, it rejects them because the domain doesn't exist.
> So I changed the hosts file to add a line for the domain like:
> 500.200.3.1 unkwon-domain
> Since my server should never send emails to these machines, it doesn't need a 
> real IP.
> Do you think it could be a problem from the point of view of security or 
> spam?
> Thanks
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] data storage encryption
> From:
> Isaac <suscripcions at tsolucio.com>
> Date:
> Wed, 08 Jun 2005 23:10:49 +0200
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
> Thanks for the response, I try to answer all your questions:
> The purpose is to store the data for a really long term; all the 
> company data will go there after working with it, at least the results of 
> the work.
> I'm not sure about the availability of the data after encryption, I'm still 
> working with that client; it's an important point, sure, but now I'm only 
> thinking how to substitute the actual system (really bad: Win98 with a bat 
> copying the files, ahem, ahem).
> The system isn't networked in any way, no cable, no wifi.
> There is no practical physical security, but the environment isn't 
> "aggressive"; it's really difficult that someone steals that data physically.
> The operating system/software doesn't matter, if the cost isn't 
> really big. I started with Linux because my company uses it in our 
> servers, and I think it's a good choice.
> The acceptable level of risk is difficult to say at this moment: one 
> thing is what I think, another what the client says, and a really 
> different one is what the actual measures demonstrate.
> I think the time constraints are 2 or 3 weeks, enough to implement a 
> solution with those characteristics, at least I hope....
> The budget...... I'm a technician, so no idea of how my boss will charge 
> for my work, but I think spending a lot more money than 10h or 15h of 
> my time configuring open source based software for that would be too 
> much, considering that only installing XP Pro and using EFS would 
> improve the actual solution a lot.
> The problem I see is the availability of the data after the 
> encryption, but seeing how it works now, I think they don't use the data 
> after storing it.
> I know the explanation isn't as good as you need to give a good 
> answer, but we don't always have all the information we need, and in this 
> case anything will improve the situation.
> Thanks a lot for your help and time
>
> Josh Tolley wrote:
>
>> Brenden Walker wrote:
>>  
>>
>>>> I have to create a system to encrypt data contained in a storage 
>>>> server, the procedure will be:
>>>> -extract the data from source server in a HD -insert the HD in the 
>>>> storage server -power on the server -copy the data -shut down the 
>>>> server
>>>
>>> What's the purpose? Is this just for long-term storage?  Does the 
>>> data have to be on-line and available?  What physical security is 
>>> present?
>>> System networked in any way?
>>>
>>> Those are just the first questions that pop into my mind, I'm sure the
>>> others here will have more ;-)
>>>
>>
>>
>> - Does the operating system or software involved matter?
>> - What sort of data is this (that is, what level of risk are you 
>> willing to accept)?
>> - What budget/time constraints are there involved?
>>
>> Josh Tolley
>> Raintree Systems, Inc.
>> http://www.raintreeinc.com
>> Office Phone: (801) 293-3090
>> Corporate Office: (760) 509-9000
>>
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> [Dshield] Iptables parsing
> From:
> "Don" <don at thewilders.org>
> Date:
> Wed, 8 Jun 2005 18:01:53 -0400
> To:
> "'General DShield Discussion List'" <list at lists.dshield.org>
>
>
>I have been submitting my logs some time now from Iptables and a Dlink box.
>I noticed recently that the Dlink messages seem to parse correctly for
>submission but the Iptables input always seems to come back with no lines
>being submitted. Has anyone else seen this behavior, or did I miss something
>in the archives...
>
>Don
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] Iptables parsing
> From:
> David Cary Hart <DShield at TQMcube.com>
> Date:
> Wed, 08 Jun 2005 21:21:49 -0400
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
>On Wed, 2005-06-08 at 18:01 -0400, Don wrote:
>
>>I have been submitting my logs some time now from Iptables and a Dlink box.
>>I noticed recently that the Dlink messages seem to parse correctly for
>>submission but the Iptables input always seems to come back with no lines
>>being submitted. Has anyone else seen this behavior, or did I miss something
>>in the archives...
>>
>You might want to post your conf file. Possibly, there's an error.
>- 
>Multi-RBL Check:         http://www.TQMcube.com/rblcheck.htm
>Kill Spam at the Source: http://www.TQMcube.com/spam_trap.htm
>Today's Spam Trap Adds:  http://www.TQMcube.com/BlockedToday
>RBLDNSD HowTo:           http://www.TQMcube.com/rbldnsd.htm
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] data storage encryption
> From:
> Al Reust <areust at comcast.net>
> Date:
> Wed, 08 Jun 2005 18:59:30 -0700
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
> Isaac
>
> This is quick and for some would seem fairly obvious without all the 
> details.
>
> Generally the encryption "agent" should be the same on both the source 
> and the storage. So if you mix Win with Nix you could run into 
> recovery problems. You also run the risk of the business not trusting 
> you... YOU hold the "only" key to their business...
>
> Most competent encryption software have the user (which encrypts the 
> original data) and a recovery agent (administrator should the user 
> forget the password/phrase). This allows multiple chances should 
> something happen.
>
> You are relying on one hard drive to protect data to be stored on 
> another hard drive. While the odds of both failing are slim, many 
> could tell of coincidence and that backups failed because of (fill in 
> the blank)...
>
> Security is currently littered with missing/lost off site backups. Not 
> much is mentioned as to the encryption method used to protect the 
> backups in transit. NO UPS does not stand for Unbelievably Poor 
> Service... LOL
>
> Whatever method is used the client (workstation) has to be able to 
> decode the encrypted data to put the business back in operation. IF it 
> is double encrypted for off site storage then that is another matter. 
> What happens if the company decides that they no longer want your 
> services... They need access to the second decryption device and the 
> master password, which could be a sealed envelope stored in a safety 
> deposit box. This places you above board and out of legal battles...
>
> CD and DVD have taken a hit over deterioration (ten years/less). Tapes 
> well we all know that tapes fail...
>
> Some companies are faced with restoring backup to drive media and then 
> re archiving mandatory data.
>
> Hard drive to hard drive is great for immediate restoration. CD/DVD is 
> great for larger long term... Storage and power for at risk components 
> and storage for archive media...
>
> So a second hard drive and DVD in a fireproof safe helps in case of a 
> fire that topples the local machine, and you could recommend that in the 
> same close off site storage a duplicate of the machine less the hard 
> drive could be ready in case of emergency... This all depends on what 
> they know they could lose per hour/day/week while rebuilding their 
> business.
>
> TEST YOUR BACKUPS!
>
> R/
>
> Al
>
> At 07:53 PM 6/8/2005 +0200, you wrote:
>
>> I have to create a system to encrypt data contained in a storage server,
>> the procedure will be:
>> -extract the data from source server in a HD
>> -insert the HD in the storage server
>> -power on the server
>> -copy the data
>> -shut down the server
>>
>> This process should be as automatic as possible, only requiring the
>> insertion of the HD in the system.
>> The data should be encrypted once in the server.
>> My suggestion is to install Linux with dm-crypt, and make a script that
>> mounts the encrypted volume at startup, copies the data and shuts down the
>> computer.
>> The problem I see with my approach is its automation, because I would have to
>> keep the key/password for encryption somewhere in the script, so anyone
>> who has the server would only need to turn it on.....
>> I thought of a solution: make a live CD with the Linux and the key inside,
>> and never leave the server and the CD together without supervision.
>> Of course, maybe this method is a really stupid way to do it.
>> I would appreciate any suggestion to solve the problem or modify what I 
>> thought of.
>> Suggestions on cipher algorithm will be welcome too.
>> Thanks a lot
>
>
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] Missing submission confirmations / unreliable data 
> presented by DShield?
> From:
> "John B. Holmblad" <jholmblad at aol.com>
> Date:
> Wed, 08 Jun 2005 21:34:36 -0400
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
> I did not get daily summary emails on June 4, 5, or 6 and today I 
> have not received any submission confirmation emails.
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Dshield] data storage encryption
> From:
> Suscripcions tsolucio <suscripcions at tsolucio.com>
> Date:
> Thu, 09 Jun 2005 10:13:18 +0200
> To:
> General DShield Discussion List <list at lists.dshield.org>
>
>
>Thanks for your answer, I appreciate it a lot, in the general context of
>backups, but I think the answers are going another way: the offsite,
>fireproof, long-term storage, business relations, etc... are covered;
>the recovery agent will be determined based on the encryption
>method.
>I don't want any legal problem if the client stops working with us, so I
>will prepare everything for this inconvenience.
>
>After that, I will explain a bit how it works, and the motivation of the
>question here, to clarify the whole theme.
>Data is gathered---processed--(when they finish) stored in a trust
>server.
>
>They have all the data duplicated in the work server and the storage
>server; if no virus incident has occurred in the 24h after a backup, the
>data is passed to the trust server. In the trust server they need assurance
>that no virus is in it.
>The way of transferring the data is with a "HD extraible" (don't know the
>English word); the client only asked me how to make the process of copying
>the data to the trust server automatic.
>My surprise was when I saw the trust server: Windows 98, and the copy
>process: a bat file. No comment......
>Of course I said to the client that I could improve that to automate
>it.
>My original thought was to install a Linux that starts, copies and shuts down.
>But since doing an encrypted partition isn't much more work, why not?
>The only problem was my original question: how to store the key securely to
>automate it.
>I hope I haven't been too long in my explanation.
>Thanks for your time.
>
>On Wed, 08-06-2005 at 18:59 -0700, Al Reust wrote:
>
>>Isaac
>>
>>This is quick and for some would seem fairly obvious without all the details.
>>
>>Generally the encryption "agent" should be the same on both the source and 
>>the storage. So if you mix Win with Nix you could run into recovery 
>>problems. You also run the risk of the business not trusting you... YOU 
>>hold the "only" key to their business...
>>
>>Most competent encryption software have the user (which encrypts the 
>>original data) and a recovery agent (administrator should the user forget 
>>the password/phrase). This allows multiple chances should something happen.
>>
>>You are relying on one hard drive to protect data to be stored on another 
>>hard drive. While the odds of both failing are slim, many could tell of 
>>coincidence and that backups failed because of (fill in the blank)...
>>
>>Security is currently littered with missing/lost off site backups. Not much 
>>is mentioned as to the encryption method used to protect the backups in 
>>transit. NO UPS does not stand for Unbelievably Poor Service... LOL
>>
>>Whatever method is used the client (workstation) has to be able to decode 
>>the encrypted data to put the business back in operation. IF it is double 
>>encrypted for off site storage then that is another matter. What happens if 
>>the company decides that they no longer want your services... They need 
>>access to the second decryption device and the master password, which could 
>>be a sealed envelope stored in a safety deposit box. This places you above 
>>board and out of legal battles...
>>
>>CD and DVD have taken a hit over deterioration (ten years/less). Tapes well 
>>we all know that tapes fail...
>>
>>Some companies are faced with restoring backup to drive media and then re 
>>archiving mandatory data.
>>
>>Hard drive to hard drive is great for immediate restoration. CD/DVD is 
>>great for larger long term... Storage and power for at risk components and 
>>storage for archive media...
>>
>>So a second hard drive and DVD in a fireproof safe helps in case of a fire 
>>that topples the local machine, and you could recommend that in the same 
>>close off site storage a duplicate of the machine less the hard drive could 
>>be ready in case of emergency... This all depends on what they know they 
>>could lose per hour/day/week while rebuilding their business.
>>
>>TEST YOUR BACKUPS!
>>
>>R/
>>
>>Al
>>
>>At 07:53 PM 6/8/2005 +0200, you wrote:
>>>I have to create a system to encrypt data contained in a storage server,
>>>the procedure will be:
>>>-extract the data from source server in a HD
>>>-insert the HD in the storage server
>>>-power on the server
>>>-copy the data
>>>-shut down the server
>>>
>>>This process should be as automatic as possible, only requiring the
>>>insertion of the HD in the system.
>>>The data should be encrypted once in the server.
>>>My suggestion is to install Linux with dm-crypt, and make a script that
>>>mounts the encrypted volume at startup, copies the data and shuts down the
>>>computer.
>>>The problem I see with my approach is its automation, because I would have to
>>>keep the key/password for encryption somewhere in the script, so anyone
>>>who has the server would only need to turn it on.....
>>>I thought of a solution: make a live CD with the Linux and the key inside,
>>>and never leave the server and the CD together without supervision.
>>>Of course, maybe this method is a really stupid way to do it.
>>>I would appreciate any suggestion to solve the problem or modify what I thought of.
>>>Suggestions on cipher algorithm will be welcome too.
>>>Thanks a lot
>>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> Re: [Dshield] data storage encryption
>> From:
>> M Cook <dshieldlists at versateam.com>
>> Date:
>> Wed, 08 Jun 2005 22:31:50 -0400
>> To:
>> General DShield Discussion List <list at lists.dshield.org>
>>
>>
>> If the issue is the automation, you could look at a public/private 
>> key encryption process (GNU Privacy Guard, for example). The public 
>> key can be relatively insecure (you don't want someone substituting 
>> theirs for yours, but otherwise it doesn't matter if they look at 
>> it). Only the private key can decipher material encrypted with the 
>> public key, and the private key is not needed for the routine 
>> automated encryption, so it could be stored in a safe place and 
>> brought out only when you need to decipher the material.
>>
>> One downside is that it's hard to predict how soon advances in 
>> computer technology could compromise the public/private key. If you 
>> want to preserve the material for, say, 50 or 100 years, the 
>> public/private key encryption that is strong today may be absurdly 
>> weak by the end of that time. Of course the same thing might be true 
>> of a symmetric key encryption process. Who knows what tomorrow may 
>> bring?
>>
>> Maybe there won't be any computers that can read your media by 
>> then... so you can solve both the media compatibility and strength of 
>> encryption issues by being prepared to "freshen" the storage and 
>> encryption every 3-5 years with whatever technology seems best at the 
>> time.
>>
>> Isaac wrote:
>>
>>> Thanks for the response, I try to answer all your questions:
>>> The purpose is to store the data for a really long term; all the 
>>> company data will go there after working with it, at least the results 
>>> of the work.
>>> I'm not sure about the availability of the data after encryption, I'm 
>>> still working with that client; it's an important point, sure, but 
>>> now I'm only thinking how to substitute the actual system (really bad: 
>>> Win98 with a bat copying the files, ahem, ahem)
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> Re: [Dshield] Is Mytob that bad?!?
>> From:
>> David Vincent <support at sleepdeprived.ca>
>> Date:
>> Wed, 08 Jun 2005 22:41:14 -0700
>> To:
>> General DShield Discussion List <list at lists.dshield.org>
>>
>>
>> Hi Eric!
>>
>> Rest assured my system is clean.  In my professional life I'm the guy 
>> people call about these things.  :)   What with the irony of the 
>> situation and the timing of the emails, I just had to mail the list 
>> and send a shout out to those who made a difference.
>>
>> There is more to my story of the cleanup, I simplified things a 
>> little for the list.  Mostly the usual stuff, checking for 
>> connections to suspicious servers with TCPView (great tip, 
>> Foundstone's Vision works too), full system scan with different 
>> antivirus engines and signature updates (symantec online scans, 
>> trendmicro online scans, etc for full paranoia relief), checks for 
>> new registry keys launching programs on startup (sysinternals' 
>> autoruns, or the "silent runners" script are my suggestions), all's 
>> good here.
>>
>> Good advice for the greener members of the list though, and anyone 
>> out there who's lurking and taking notes.  We both know no matter how 
>> many times this sort of thing is said, it cannot be said enough.  
>> More and more people everyday are discovering that surfing the net 
>> etc. means you need to think about security.  Then some of them even 
>> start turning to resources like this list for answers and education.  
>> And most of them never check the archives.  :)
>>
>> -d
>>
>>
>>
>> Eric Kedrosky wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> After reading this post I felt that it was time to throw my hat into 
>>> the
>>> ring.
>>>
>>> "... told me about the symantec definition update ... i applied it and
>>> nailed the virus."
>>>
>>> I wouldn't be too confident that you nailed the virus 100%.
>>>
>>> The latest variants of MyTob, circulating for almost 3 weeks ... or 
>>> more
>>> ... all have had BotNet backdoors associated with them.  This means 
>>> that
>>> when the virus is executed on your system it connects to an IRC server
>>> <somewhere> on the Internet and checks in.  After that, the first thing
>>> that it usually does is download a *virus upgrade* and, in most of the
>>> MyTob variants that I have researched recently, downloads Spyware and
>>> Adware ... all of which your AV scanner doesn't detect.
>>>
>>> Furthermore, the virus will update itself as often as possible ... 
>>> along
>>> with more spyware/adware .. from the BotNet.  Thus, it is actively
>>> staying one or two steps ahead of your AV scanner.
>>>
>>> Speaking of AV scanners, they can only detect what they know about.
>>> Thus, if the virus gets an update that your AV scanner doesn't know
>>> about then it won't find anything.  In one day I have submitted up to 5
>>> unique samples from one single infection point, all of which were
>>> unknown to a plethora of AV scanners.
>>>
>>> I honestly don't mean to single you out, that is not my purpose.  I
>>> would just like to inform you, and anyone else, about how dangerous Bots
>>> really are.  I see this all the time, people get infected and use clean up
>>> tools from <an AV vendor> (insert the one you use here) but their
>>> infection doesn't go away.  They think it is gone b/c they don't see
>>> any outward sign of infection and then forget about it after a few
>>> days.  95% of the time, there is a Bot still lurking on the system,
>>> reporting home, getting updates, taking orders, fetching spyware/adware
>>> and who knows what else ... all under the nose of the AV software.
>>>
>>> All of that said, I am not sure what variant of MyTob that you were
>>> infected with, but a deeper inspection of your system might be worth
>>> while.  This can be easily done with programs like TcpView and/or
>>> Ethereal.  Shut down all apps that talk via the network and look for
>>> processes and/or traffic flows that are attempting to make connections.
>>> Ethereal is really good b/c you can view the TCP conversation
>>> instead of the raw packets.  If you still have a Bot you'll see it
>>> talking to the BotNet Controller ... look for "PING" and "PONG",
>>> "JOIN #" and other IRC messages as well.
>>>  
>>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> Re: [Dshield] Missing submission confirmations / unreliable data 
>> presented by DShield?
>> From:
>> David Vincent <support at sleepdeprived.ca>
>> Date:
>> Wed, 08 Jun 2005 22:50:46 -0700
>> To:
>> General DShield Discussion List <list at lists.dshield.org>
>>
>>
>> Hi Peter.
>>
>> I'm having the same issues.  From one site/account, no response 
>> emails at all, no stats gathered, though it was working for about 
>> three days after setup/implementation at the end of May.
>>
>> From a second site, working fine until the 2nd of June, then nothing 
>> for days until a burst (working through a backlog possibly?) of 
>> response emails on the 6th, many more than I submitted that day.  
>> Then nothing again.
>>
>> In my last post on the subject I asked for someone at DShield to 
>> contact me offlist about this, no one did.  Possibly this is not the 
>> correct venue to raise such concerns.  Anyone want to sort us out?
>>
>> -d
>>
>>
>>
>> Peter Stendahl-Juvonen wrote:
>>
>>> Started seeing problems with submission confirmations around Monday May
>>> 30.
>>>
>>> Reported the issues to info at dshield.org.
>>>
>>> At present, am again NOT receiving submission confirmations.
>>>
>>> It would also appear that the data I send is not correctly stored into
>>> the DShield database.
>>>
>>> From last Monday, I have automatically submitted 178 emails to
>>> DShield.
>>>
>>> I have received 115 confirmations, which include two empty ones with
>>> just confirmation skeletons, so the actual number of confirmations is
>>> 113 out of 178, i.e. still missing 65 confirmations, which means that
>>> more than one third is missing.
>>>
>>> Since each submission usually contains several lines of input for the
>>> DShield database, it is evident that a remarkable amount of data is
>>> hence missing.
>>>
>>> The database as well as the daily report for, e.g. yesterday (June 7)
>>> show only two lines for that day when I have actually submitted ca 95
>>> lines for that day. The same phenomenon appears at least for another
>>> day that I took the trouble to check.
>>>
>>> IF this concerns not only my submissions but also submissions by other
>>> submitters as well, then the data gathered, refined and presented by
>>> DShield is likely false and possibly even misleading.
>>>
>>> The point is not to nag, but I would like to hear whether other DShielders
>>> are experiencing the same sort of problems, and what could be done about it.
>>>
>>> If not, then why do I experience these issues?
>>>
>>> - Pete
>>>
>>>
>>>           "If you don't know where you're going,
>>>          you will probably end up somewhere else".
>>>        Laurence J. Peter (1919-1990), Canadian poet.
>>>
>>>
>>>
>>> -------------- Sponsor Message ------------------------------------
>>> Join us at SANSFIRE 2005 in Atlanta!
>>> The Internet Storm Center Conference.
>>> Details: http://www.sans.org/sansfire2005
>>>
>>> _______________________________________________
>>> send all posts to list at lists.dshield.org
>>> To change your subscription options (or unsubscribe), see: 
>>> http://www.dshield.org/mailman/listinfo/list
>>>
>>>
>>>  
>>>
>>
>>
>>
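Eric's suggestion above is to follow the TCP conversation and look for IRC check-in chatter (PING/PONG, JOIN #). The following is an added example, not code from anyone in this thread: a small heuristic that scores one extracted stream (as Ethereal's "Follow TCP Stream" would show it) for that pattern. The sample streams are constructed, and the scoring weights are an assumption of mine, not a vendor signature.

```python
import re

# IRC commands a bot typically exchanges with its controller right after
# connecting. The weights below are a heuristic (my assumption), not a
# signature from any AV vendor.
IRC_COMMAND_RE = re.compile(
    r"^(?::\S+\s+)?(?P<cmd>NICK|USER|JOIN|PING|PONG|PRIVMSG|MODE)\b(?P<rest>.*)$",
    re.IGNORECASE,
)

def classify_stream(lines):
    """Return (score, evidence) for the text lines of one TCP conversation."""
    evidence = []
    seen = set()
    for raw in lines:
        m = IRC_COMMAND_RE.match(raw.strip())
        if not m:
            continue
        cmd = m.group("cmd").upper()
        rest = m.group("rest").strip()
        if cmd == "JOIN" and rest.startswith("#"):
            seen.add("JOIN #")          # joining a channel: "JOIN #" in the post
            evidence.append(raw.strip())
        elif cmd in ("PING", "PONG", "NICK", "USER"):
            seen.add(cmd)               # registration handshake and keepalives
            evidence.append(raw.strip())
    # Registration plus a channel join weighs more than keepalives alone.
    score = 2 * len(seen & {"NICK", "USER", "JOIN #"}) + len(seen & {"PING", "PONG"})
    return score, evidence

def is_suspect_irc_stream(lines, threshold=5):
    """True when the stream looks like a bot checking in with its controller."""
    score, _ = classify_stream(lines)
    return score >= threshold

# Constructed sample: what a bot's check-in looks like in a followed stream.
BOT_STREAM = [
    "NICK [USA|XP]-1234567",
    "USER bot 0 0 :bot",
    ":irc.example.invalid 001 [USA|XP]-1234567 :Welcome",
    "JOIN #chan secretkey",
    "PING :irc.example.invalid",
    "PONG :irc.example.invalid",
]

# Constructed sample: an ordinary web request, which should not fire.
WEB_STREAM = ["GET / HTTP/1.1", "Host: www.example.com", "", "HTTP/1.1 200 OK"]

if __name__ == "__main__":
    for name, stream in (("bot", BOT_STREAM), ("web", WEB_STREAM)):
        print(name, classify_stream(stream)[0], is_suspect_irc_stream(stream))
```

Run it against the text of each stream you follow in Ethereal; a high score on a connection that no application you know of should be making is the case the post describes.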


