[unisog] New Worm?
defconoii at gmail.com
Sat Feb 2 14:53:57 GMT 2008
There isn't much you can do with some of the new worm variants. Some of them
hide processes and ports and connect through normal ports like 443/80 via SSL
to avoid detection; a lot have been made to be polymorphic and avoid
detection completely from antivirus. Some run completely transparent of
the operating system as a boot virus. I suggest md5/sha checking your whole
drive while it is offline to see any differences in core files. I suggest
pushing open source alternatives like Ubuntu that are not affected by the
malware or implementing a good firewall with good rulesets with an IDS to
detect suspicious activities, although some activities will be false positives
and some will go undetected.
On Feb 1, 2008 2:49 PM, Ray Strubinger <ray.strubinger at oit.gatech.edu> wrote:
> Here are a few things that you could use to locate the source of the
> Do you have a way to determine if there are new binaries on the system?
> MAC time analysis may be helpful here.
> There are a couple of free tools, fport and aports that will show the
> processes binding to ports or on newer systems, netstat -naob will give
> you similar information. That might help you determine what application
> is talking on the network. If the application isn't constantly bound to
> the port, then a tool like autoruns which scans the registry might be
> helpful in showing unusual applications that are starting on boot.
> Port scan the system (nmap or something similar) just to see if there
> are any unexpected open ports. Netstat (or other tools you run from the
> local system) may not give you an accurate representation of the ports
> that are open.
> If you find any binaries that are unexpected, feel free to contact me.
> Bob Henry wrote:
> > We are spotting a growing list of machines sweeping several subnets
> > like this:
> > First, try a Ping:
> > if we get a response, try 2 times
> > if no response, try 4 times
> > Next, send an NBSTAT -a packet, full of <00> (or AA)
> > if no response, try 3 times
> > All windows boxes, none show viruses when scanned with our Symantec
> > Enterprise AV, no rootkits according to rootkit revealer and sophos. 8
> > out of 50 (or so) show up in our Facetime logs trying to phone home, so
> > they have adware on them.
> > Has anyone seen anything like this and what was your response?
> > Robert Henry, CISSP, GCIH
> > Information Security Officer
> > Office of Information Technology
> > Boise State University
> > 208-426-5701
> > bhenry at boisestate.edu
> > http://boisestate.edu/oit/iso
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog
> Ray Strubinger
> Information Security Program Manager
> Georgia Institute of Technology
> OIT Information Security
> 258 Fourth St, Rich 222
> Atlanta, Georgia 30332-0700
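The sweep Bob describes (an ICMP echo to a host, followed by an NBTSTAT -a style NetBIOS name query, which goes to UDP port 137) is easy to pick out of flow or firewall logs once you look for the two-step pattern per source. The script below is an added example written for this thread, not code from any of the posters or their institutions. It assumes a constructed one-line-per-flow log format (`<timestamp> <src> <dst> <proto> <dst_port>`); the sample records, hosts and addresses are made up, and the `window` and `min_targets` thresholds are illustrative knobs, not values from the thread. It generalises the described pattern slightly by also counting how many /24 subnets a flagged source touched, which is what made the activity stand out in the first place.

```python
"""Flag hosts that ping a target and then send a NetBIOS name query (UDP/137)
to it, across many targets: the sweep pattern described in the thread."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample flow log (not real data): "<timestamp> <src> <dst> <proto> <dst_port>".
# 10.1.2.3 is the hypothetical sweeper: it pings each target, then queries UDP/137.
# 10.1.2.9 is normal traffic: one stray name query and one legitimate ping/query pair.
SAMPLE_FLOWS = """
2008-02-01T14:02:10 10.1.2.3 10.1.5.10 icmp -
2008-02-01T14:02:11 10.1.2.3 10.1.5.10 udp 137
2008-02-01T14:02:12 10.1.2.3 10.1.5.11 icmp -
2008-02-01T14:02:12 10.1.2.3 10.1.5.11 icmp -
2008-02-01T14:02:14 10.1.2.3 10.1.5.11 udp 137
2008-02-01T14:02:15 10.1.2.3 10.1.5.12 icmp -
2008-02-01T14:02:16 10.1.2.3 10.1.5.12 udp 137
2008-02-01T14:02:18 10.1.2.3 10.1.6.20 icmp -
2008-02-01T14:02:19 10.1.2.3 10.1.6.20 udp 137
2008-02-01T14:02:20 10.1.2.3 10.1.6.21 icmp -
2008-02-01T14:02:21 10.1.2.3 10.1.6.21 udp 137
2008-02-01T14:02:22 10.1.2.3 10.1.6.22 icmp -
2008-02-01T14:02:23 10.1.2.3 10.1.6.22 udp 137
2008-02-01T14:05:00 10.1.2.9 10.1.5.10 udp 137
2008-02-01T14:05:30 10.1.2.9 10.1.7.1 icmp -
2008-02-01T14:05:31 10.1.2.9 10.1.7.1 udp 137
""".strip().splitlines()


def parse_flow(line):
    """Parse one constructed flow record into a dict; '-' means no port (ICMP)."""
    ts, src, dst, proto, port = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto,
        "port": None if port == "-" else int(port),
    }


def find_sweepers(lines, min_targets=5, window=timedelta(seconds=30)):
    """Return {src: {"targets": n, "subnets": m}} for every source that pinged
    and then sent UDP/137 to at least min_targets distinct hosts, where the
    name query followed the first ping of that host within `window`."""
    first_ping = defaultdict(dict)   # src -> dst -> timestamp of first ICMP echo
    matched = defaultdict(set)       # src -> hosts where ping was followed by UDP/137
    for flow in sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"]):
        src, dst = flow["src"], flow["dst"]
        if flow["proto"] == "icmp":
            # Keep only the earliest ping; retries (as in the thread) do not reset it.
            first_ping[src].setdefault(dst, flow["ts"])
        elif flow["proto"] == "udp" and flow["port"] == 137:
            pinged_at = first_ping[src].get(dst)
            if pinged_at is not None and flow["ts"] - pinged_at <= window:
                matched[src].add(dst)

    report = {}
    for src, hosts in matched.items():
        if len(hosts) >= min_targets:
            # Count distinct /24s touched; a worm sweep usually spans several.
            subnets = {ip_network(f"{h}/24", strict=False) for h in hosts}
            report[src] = {"targets": len(hosts), "subnets": len(subnets)}
    return report


if __name__ == "__main__":
    for src, stats in find_sweepers(SAMPLE_FLOWS).items():
        print(f"{src}: ping+NBNS to {stats['targets']} hosts in {stats['subnets']} subnets")
```

On the constructed sample only 10.1.2.3 is reported (6 hosts across 2 subnets); 10.1.2.9's single ping-then-query pair stays below the threshold, and its bare name query with no preceding ping never matches the pattern at all. Pair the output with the host-side checks Ray lists (netstat -naob, autoruns, MAC times) on the flagged machines rather than treating the flow-level match as proof by itself.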