How to detect MyDoom.B and other worms

An aspect of MyDoom.B that did not receive a lot of attention was its ability to call gethostbyname() to resolve its own IP address and then scan its LAN. A published ASN.1 DoS exploit requires the hostname to work. Resolving IP addresses to hostnames can arguably be a principal method used by worms written to exploit some of the vulnerabilities described in MS04-007. This information can be used for defensive purposes. If you have not patched 100% of your MS04-007 vulnerable systems, you may find the following information published by Symantec useful today or in the near future.

An example of what the "IP to hostname" traffic may look like on a network:

"Another thing to look for is a succession of ARP requests for consecutive addresses from the same host, like this:

11:43:50.435946 arp who-has tell
11:43:50.438301 arp who-has tell
11:43:50.445362 arp who-has tell
11:43:50.460087 arp who-has tell
11:43:50.466885 arp who-has tell
11:43:50.482358 arp who-has tell
11:43:50.484681 arp who-has tell
11:43:50.498546 arp who-has tell
11:43:50.505680 arp who-has tell
11:43:50.514562 arp who-has tell
11:43:50.531488 arp who-has tell
" (from Symantec's article "Detecting network traffic that may be due to RPC worms")
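The heuristic quoted above (one host sending ARP who-has requests for consecutive addresses in quick succession) is easy to turn into a small detector that runs over tcpdump output. The script below is an added example, not code from the original post or from Symantec: it parses tcpdump-style ARP lines, groups them by the requesting host, and flags any host whose requests walk consecutive target addresses. The sample lines are constructed for this example (the addresses in the original capture are not shown on the page), and the thresholds of five consecutive addresses within two seconds are assumed starting values to tune for your network.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tcpdump lines (not captured from a real network): host
# 10.0.0.23 walks its subnet with ARP requests for consecutive addresses,
# while 10.0.0.50 makes ordinary, scattered requests.
SAMPLE_LINES = """\
11:43:50.435946 arp who-has 10.0.0.1 tell 10.0.0.23
11:43:50.438301 arp who-has 10.0.0.2 tell 10.0.0.23
11:43:50.445362 arp who-has 10.0.0.3 tell 10.0.0.23
11:43:50.460087 arp who-has 10.0.0.4 tell 10.0.0.23
11:43:50.466885 arp who-has 10.0.0.5 tell 10.0.0.23
11:43:50.482358 arp who-has 10.0.0.6 tell 10.0.0.23
11:43:51.100000 arp who-has 10.0.0.1 tell 10.0.0.50
11:43:55.200000 arp who-has 10.0.0.200 tell 10.0.0.50
11:43:58.300000 arp who-has 10.0.0.7 tell 10.0.0.23
11:43:58.310000 arp who-has 10.0.0.8 tell 10.0.0.23
"""

# tcpdump's classic ARP request format: "<time> arp who-has <target> tell <sender>"
ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
)


def parse_arp_requests(text):
    """Return (timestamp, sender, target) tuples for every ARP who-has line."""
    requests = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # ignore replies and non-ARP lines
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        requests.append((ts,
                         ipaddress.ip_address(m.group("sender")),
                         ipaddress.ip_address(m.group("target"))))
    return requests


def find_sequential_arp_scanners(requests, min_run=5, window=timedelta(seconds=2)):
    """Flag senders that ask for at least `min_run` consecutive target addresses
    within `window`. Both thresholds are assumed starting points, not values from
    the Symantec article. Returns {sender: [(first_target, last_target, count), ...]}.
    """
    by_sender = defaultdict(list)
    for ts, sender, target in requests:
        by_sender[str(sender)].append((ts, target))

    findings = defaultdict(list)
    for sender, events in by_sender.items():
        events.sort()  # chronological order per sender
        run = [events[0]]
        for ts, target in events[1:]:
            _, prev_target = run[-1]
            # Extend the run only if this target is the next address up and the
            # whole run still fits inside the time window.
            if int(target) == int(prev_target) + 1 and ts - run[0][0] <= window:
                run.append((ts, target))
                continue
            if len(run) >= min_run:
                findings[sender].append((str(run[0][1]), str(run[-1][1]), len(run)))
            run = [(ts, target)]
        if len(run) >= min_run:
            findings[sender].append((str(run[0][1]), str(run[-1][1]), len(run)))
    return dict(findings)


if __name__ == "__main__":
    for sender, runs in find_sequential_arp_scanners(parse_arp_requests(SAMPLE_LINES)).items():
        for first, last, count in runs:
            print(f"{sender} requested {count} consecutive addresses {first} .. {last}")
```

Feed it real output from `tcpdump -n arp` and the only host that should ever trip it is a legitimate scanner you already know about; anything else is worth a look at the host's process list and its patch level for MS04-007.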

00:19 Posted by technology changes fast not a lot
