[unisog] New Worm?

defcon defconoii at gmail.com
Sat Feb 2 14:53:57 GMT 2008


There isn't much you can do with some of the new worm variants, some of them
hide processes, ports and connect through normal ports like 443/80 via ssl
to avoid detection, a lot have been made to be polymorphic and avoid
detection completely from antiviruses.  Some run completely transparent of
the operating system as a boot virus.  I suggest md5/sha checking your whole
drive while it is offline to see any differences in core files.  I suggest
pushing open source alternatives like Ubuntu that are not affected by the
malware or implementing a good firewall with good rulesets with an IDS to
detect suspicious activities although some activities will be false positive
and some will go undetected.
-defcon

On Feb 1, 2008 2:49 PM, Ray Strubinger <ray.strubinger at oit.gatech.edu>
wrote:

> Here are a few things that you could use to locate the source of the
> activity...
>
> Do you have a way to determine if there are new binaries on the system?
>    MAC time analysis may be helpful here.
>
> There are a couple of free tools, fport and aports that will show the
> processes binding to ports or on newer systems, netstat -naob will give
> you similar information.  That might help you determine what application
> is talking on the network.  If the application isn't constantly bound to
> the port, then a tool like autoruns which scans the registry might be
> helpful in showing unusual applications that are starting on boot.
>
> Port scan the system (nmap or something similar) just to see if there
> are any unexpected open ports.  Netstat (or other tools you run from the
> local system) may not give you an accurate representation of the ports
> that are open.
>
> If you find any binaries that are unexpected, feel free to contact me.
>
> -Ray
>
> Bob Henry wrote:
> >  We are spotting a growing list of machines sweeping several subnets
> > like this:
> >
> > First, try a Ping:
> > if it gets a response, try 2 times
> > if no response, try 4 times
> >
> > Next, send an NBSTAT -a packet, full of <00>  (or AA)
> > if no response, try 3 times
> >
> > All Windows boxes, none show viruses when scanned with our Symantec
> > Enterprise AV, no rootkits according to rootkit revealer and sophos.  8
> > out of 50 (or so) show up in our Facetime logs trying to phone home, so
> > they have adware on them.
> >
> > Has anyone seen anything like this and what was your response?
> > Robert Henry, CISSP, GCIH
> > Information Security Officer
> > Office of Information Technology
> > Boise State University
> > 208-426-5701
> > bhenry at boisestate.edu
> > http://boisestate.edu/oit/iso
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog
>
>
> --
> Ray Strubinger
> Information Security Program Manager
>
> Georgia Institute of Technology
> OIT Information Security
> 258 Fourth St, Rich 222
> Atlanta, Georgia 30332-0700
> Phone:404-385-0334/Fax:404-385-2331
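Ray's point that netstat on the suspect box may not show every open port can be turned into a check: diff what the host reports about itself against what an nmap scan from another machine sees. This is an added example written for this thread, not code from any of the posters; the netstat and nmap output are constructed samples, and the parsing assumes `netstat -naob` and nmap grepable (`-oG`) formats.

```python
import re

# Constructed `netstat -naob` output from the suspect Windows host (made up here).
NETSTAT_SAMPLE = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.5.17:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.5.17:1042         10.0.5.1:80            ESTABLISHED     1588
  UDP    0.0.0.0:137            *:*                                    4
"""
# Constructed nmap -oG output for the same host, TCP scan only, so UDP is not compared.
NMAP_SAMPLE = (
    "Host: 10.0.5.17 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///\tIgnored State: closed (1706)\n"
)
# Proto, local port and PID of a listening socket; UDP has no LISTENING column,
# and ESTABLISHED lines do not match because the last field must be a PID.
LISTEN_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")

def local_listeners(netstat_text):
    """Return {(proto, port): pid} for sockets the host itself admits to."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found[(m.group(1).lower(), int(m.group(2)))] = int(m.group(3))
    return found

def remote_open_ports(nmap_grepable):
    """Return {(proto, port)} for ports nmap saw open from the network."""
    ports = set()
    for line in nmap_grepable.splitlines():
        m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if line.startswith("Host:") and m:
            for port, proto in re.findall(r"(\d+)/open/(tcp|udp)/", m.group(1)):
                ports.add((proto, int(port)))
    return ports

def cross_view_diff(netstat_text, nmap_grepable):
    """Open on the wire but missing locally suggests a hidden listener; local
    but closed on the wire is usually just a host firewall, not a rootkit."""
    local = set(local_listeners(netstat_text))
    remote = remote_open_ports(nmap_grepable)
    scanned = {proto for proto, _ in remote}
    hidden = sorted(remote - local)
    local_only = sorted(p for p in local - remote if p[0] in scanned)
    return hidden, local_only
```

In the constructed sample the scan sees TCP 4444 open while the host's own netstat does not list it, which is the discrepancy worth pulling the box off the network for.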