hoe mydoom.b en andere wormen te ontdekken
An aspect of MyDoomB that did not receive a lot of attention was it's ability to "gethostbyname()" to resolve its IP and scan it's LAN. A published ASN.1 DOS exploit requires the hostname to work. Resolving IP addresses to hostnames can arguably be a principal method that will be used by worms written to exploit some of the vulnerabilities described in MS-04-007. This information can be used for defensive purposes. If you have not patched 100% of your MS-04-007 vulnerable systems you may find the following information published by Symantec useful today or in the near future.
An example of what the "IP to hostname" traffic may look like on a network;
"Another thing to look for is a succession of ARP requests for consecutive addresses from the same host, like this:
11:43:50.435946 arp who-has 169.254.14.115 tell 169.254.56.166
11:43:50.438301 arp who-has 169.254.14.116 tell 169.254.56.166
11:43:50.445362 arp who-has 169.254.14.117 tell 169.254.56.166
11:43:50.460087 arp who-has 169.254.14.118 tell 169.254.56.166
11:43:50.466885 arp who-has 169.254.14.119 tell 169.254.56.166
11:43:50.482358 arp who-has 169.254.14.120 tell 169.254.56.166
11:43:50.484681 arp who-has 169.254.14.121 tell 169.254.56.166
11:43:50.498546 arp who-has 169.254.14.122 tell 169.254.56.166
11:43:50.505680 arp who-has 169.254.14.123 tell 169.254.56.166
11:43:50.514562 arp who-has 169.254.14.124 tell 169.254.56.166
11:43:50.531488 arp who-has 169.254.14.125 tell 169.254.56.166
"Detecting network traffic that may be due to RPC worms"