sasser virus (was Re: [unisog] student fees for cleaning.)

John Kristoff jtk at northwestern.edu
Sat May 8 14:30:53 GMT 2004


On Sat, 08 May 2004 11:56:13 +1200
Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> We do scan, but not with nessus.  I generally use scanners dedicated to a
> single vulnerability (e.g. from foundstone, eeye or (my favourite) one
> based on the uconn resnet scanner).

This stuff is all great and many institutions are moving to an automated
scan on attachment/authentication system.  This will help a lot, but as
something like the XP firewall gets enabled by default it will be harder
to tell if a system is in fact compromised.  The good news, we hope, will
be that the systems will be less susceptible to a remotely initiated
compromise of course, but be prepared for attacks that come from other
vectors to increase (e.g. email, p2p, web sites) and become more
sophisticated.

I know a few people, particularly Russell, are fond of Argus.  These
kinds of tools will likely be increasingly helpful in finding problem
hosts where scans will fail.  If you (the collective you, not Russell
alone) are not already getting good at detecting problems based on
traffic flows, patterns and DNS query analysis, then you should probably
start.  It may be especially helpful to have some history, because the
compromised machines may keep quiet up until the point of further spread
or attack.

Unfortunately watching traffic comes with its own set of problems for
many, especially related to privacy concerns.  However, at a minimum some
less intrusive monitoring can be done and I suspect will need to be done
more than is commonly done today.

John
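
The two flow-analysis checks the message above describes, as an added example that is not part of the original post or of Argus itself: a fan-out check over flow records (one source reaching many distinct destinations on a single port within a short window, which is what a worm probing for one vulnerable service looks like; TCP/445 is used here because that is the port the Sasser worm in the subject line probed) and a DNS query-rate check that compares each host against its own earlier history rather than an absolute threshold. The record layout (timestamp, source, destination, protocol, destination port), the thresholds, and every sample record are constructed for this example; a real deployment would feed it exported Argus or NetFlow records instead.

```python
"""Flow-record triage for finding compromised hosts that vulnerability
scans miss. Added example; record layout and sample data are constructed."""
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records: (unix_ts, src_ip, dst_ip, proto, dst_port).
    10.0.5.2 is a normal host; 10.0.5.7 fans out to 40 distinct hosts on
    TCP/445 within one minute; 10.0.5.9 is quiet on DNS, then surges."""
    flows = []
    for i in range(5):                                  # ordinary web traffic
        flows.append((1000 + i * 7, "10.0.5.2", f"203.0.113.{i}", "tcp", 80))
    for i in range(40):                                 # worm-style 445 sweep
        flows.append((2000 + i, "10.0.5.7", f"10.0.6.{i + 1}", "tcp", 445))
    for i in range(3):                                  # 10.0.5.9 baseline DNS
        flows.append((1500 + i * 100, "10.0.5.9", "10.0.0.53", "udp", 53))
    for i in range(60):                                 # 10.0.5.9 DNS surge
        flows.append((3000 + i, "10.0.5.9", "10.0.0.53", "udp", 53))
    for i in range(4):                                  # 10.0.5.2 steady DNS
        flows.append((1600 + i * 50, "10.0.5.2", "10.0.0.53", "udp", 53))
    for i in range(5):
        flows.append((3100 + i * 10, "10.0.5.2", "10.0.0.53", "udp", 53))
    return flows


def scan_candidates(flows, window=60, min_dsts=20):
    """Return {(src, proto, dport): distinct_dsts} for every source that
    reached at least min_dsts distinct destinations on one port inside a
    single window-second bucket. Fan-out on one port, not byte volume, is
    the signature of a host hunting for a single vulnerable service."""
    buckets = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        buckets[(src, proto, dport, ts // window)].add(dst)
    hits = {}
    for (src, proto, dport, _bucket), dsts in buckets.items():
        if len(dsts) >= min_dsts:
            key = (src, proto, dport)
            hits[key] = max(hits.get(key, 0), len(dsts))
    return hits


def dns_rate_anomalies(flows, baseline_end, factor=5, min_queries=20):
    """Compare each host's DNS query count after baseline_end with its own
    count before it. Flag hosts whose recent count is at least min_queries
    and at least factor times their baseline (a host with no history is
    judged on min_queries alone). The jump relative to the host's past is
    what stands out, which is why keeping flow history pays off."""
    before, after = defaultdict(int), defaultdict(int)
    for ts, src, _dst, proto, dport in flows:
        if proto == "udp" and dport == 53:
            (before if ts < baseline_end else after)[src] += 1
    flagged = {}
    for src, recent in after.items():
        base = before.get(src, 0)
        if recent >= min_queries and recent >= factor * max(base, 1):
            flagged[src] = (base, recent)
    return flagged


if __name__ == "__main__":
    sample = build_sample_flows()
    for (src, proto, dport), n in scan_candidates(sample).items():
        print(f"scan-like fan-out: {src} reached {n} hosts on {proto}/{dport}")
    for src, (base, recent) in dns_rate_anomalies(sample, 2500).items():
        print(f"dns surge: {src} baseline={base} recent={recent}")
```

Both checks look only at flow metadata (addresses, ports, timing, counts), not payload, which is the kind of less intrusive monitoring the message suggests is still acceptable under privacy constraints. The thresholds are starting points; tune the window and fan-out count against a week of your own flow history before alerting on them.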


