[unisog] New Worm?

defcon defconoii at gmail.com
Sat Feb 2 14:55:52 GMT 2008


Also, to add to this, some communicate via UDP/ICMP packets and don't require
ports to be open; ever heard of a connect-back rootkit?  Even with good
firewall rulesets a smart attacker can bypass blocked outbound ports by
using any open outbound port.
-defcon

On Feb 2, 2008 7:53 AM, defcon <defconoii at gmail.com> wrote:

> There isn't much you can do with some of the new worm variants; some of
> them hide processes and ports and connect through normal ports like 443/80 via
> SSL to avoid detection, a lot have been made to be polymorphic and avoid
> detection completely from antivirus products.  Some run completely transparent to
> the operating system as a boot virus.  I suggest MD5/SHA checking your whole
> drive while it is offline to see any differences in core files.  I suggest
> pushing open source alternatives like Ubuntu that are not affected by the
> malware, or implementing a good firewall with good rulesets with an IDS to
> detect suspicious activities, although some activities will be false positives
> and some will go undetected.
> -defcon
>
>
> On Feb 1, 2008 2:49 PM, Ray Strubinger <ray.strubinger at oit.gatech.edu>
> wrote:
>
> > Here are a few things that you could use to locate the source of the
> > activity...
> >
> > Do you have a way to determine if there are new binaries on the system?
> >    MAC time analysis may be helpful here.
> >
> > There are a couple of free tools, fport and aports, that will show the
> > processes binding to ports, or on newer systems, netstat -naob will give
> > you similar information.  That might help you determine what application
> > is talking on the network.  If the application isn't constantly bound to
> > the port, then a tool like autoruns, which scans the registry, might be
> > helpful in showing unusual applications that are starting on boot.
> >
> > Port scan the system (nmap or something similar) just to see if there
> > are any unexpected open ports.  Netstat (or other tools you run from the
> > local system) may not give you an accurate representation of the ports
> > that are open.
> >
> > If you find any binaries that are unexpected, feel free to contact me.
> >
> > -Ray
> >
> > Bob Henry wrote:
> > > We are spotting a growing list of machines sweeping several subnets
> > > like this:
> > >
> > > First, try a Ping:
> > > if get a response, try 2 times
> > > if no response, try 4 times
> > >
> > > Next, send an NBSTAT -a packet, full of <00>  (or AA)
> > > if no response, try 3 times
> > >
> > > All Windows boxes, none show viruses when scanned with our Symantec
> > > Enterprise AV, no rootkits according to Rootkit Revealer and Sophos.  8
> > > out of 50 (or so) show up in our Facetime logs trying to phone home, so
> > > they have adware on them.
> > >
> > > Has anyone seen anything like this and what was your response?
> > >
> > > Robert Henry, CISSP, GCIH
> > > Information Security Officer
> > > Office of Information Technology
> > > Boise State University
> > > 208-426-5701
> > > bhenry at boisestate.edu
> > > http://boisestate.edu/oit/iso
> > >
> > > _______________________________________________
> > > unisog mailing list
> > > unisog at lists.dshield.org
> > > https://lists.sans.org/mailman/listinfo/unisog
> >
> >
> > --
> > Ray Strubinger
> > Information Security Program Manager
> >
> > Georgia Institute of Technology
> > OIT Information Security
> > 258 Fourth St, Rich 222
> > Atlanta, Georgia 30332-0700
> > Phone:404-385-0334/Fax:404-385-2331
> >
>
>
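The sweep pattern Bob describes (ICMP echo fan-out across subnets, then NBSTAT, i.e. NetBIOS name-service queries on UDP/137, to the hosts that answered) can be picked out of flow records. The following is an added example, not code from anyone in this thread; the flow tuple layout and the sample flows are constructed, and the thresholds are assumptions to tune for your network.

```python
from collections import defaultdict

# Constructed flow record layout (assumption): (src_ip, dst_ip, proto, dst_port).
# A real feed would come from NetFlow, a firewall log or an IDS.
def make_sample_flows():
    flows = []
    sweeper = "10.1.1.5"            # constructed: the host doing the sweep
    for subnet in ("10.1.2", "10.1.3"):
        for host in range(1, 26):   # 25 hosts probed in each of two /24s
            dst = f"{subnet}.{host}"
            flows.append((sweeper, dst, "icmp", 0))
            if host % 5 == 0:       # pretend every fifth host answered the ping
                flows.append((sweeper, dst, "udp", 137))   # NBSTAT -a follow-up
    # Benign host: a few pings to its gateway and one DNS lookup.
    flows += [("10.1.1.9", "10.1.1.1", "icmp", 0)] * 3
    flows.append(("10.1.1.9", "10.1.1.53", "udp", 53))
    return flows

def sweep_suspects(flows, min_hosts=20, min_subnets=2):
    """Return {src: stats} for sources that ping many hosts across several
    subnets AND send NBNS (UDP/137) queries to some of those same hosts.
    Requiring both stages keeps ordinary Windows NetBIOS chatter, which
    also uses UDP/137, from being flagged on its own."""
    icmp_targets = defaultdict(set)
    nbns_targets = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "udp" and port == 137:
            nbns_targets[src].add(dst)

    suspects = {}
    for src, pinged in icmp_targets.items():
        subnets = {ip.rsplit(".", 1)[0] for ip in pinged}   # /24 approximation
        nbstat_after_ping = pinged & nbns_targets.get(src, set())
        if len(pinged) >= min_hosts and len(subnets) >= min_subnets and nbstat_after_ping:
            suspects[src] = {
                "hosts_probed": len(pinged),
                "subnets": len(subnets),
                "nbstat_targets": len(nbstat_after_ping),
            }
    return suspects

if __name__ == "__main__":
    for src, stats in sweep_suspects(make_sample_flows()).items():
        print(src, stats)
```

Hosts this flags are candidates for the offline checks Ray lists (MAC times, netstat -naob, autoruns), not a verdict on their own.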