15-10-07

Belgacom infected Botnet attacks give Belgium Bronze in Botnet battle

Could it be true what sources are telling us: that the Russian problem on our Belgian net is bigger than the media lead us to believe?

The numbers on this international attack-monitoring site may give us more information:

http://atlas.arbor.net/cc/BE 

For the moment we are the third country in the whole world, both for being infected and for attacking others, just behind China and the US. Wow, this little country can be famous in so many mysterious ways.

The traffic is mostly to Windows ports 445 and 135, with some 139 (SMB over TCP, the RPC endpoint mapper and the NetBIOS session service).

According to Atlas, 80% of these attacks target the Microsoft ASN.1 library vulnerability CVE-2003-0818 (the flaw patched in MS04-007):

Age: 1321 days
Severity: High
CVSS Score: 7.0
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

And for this kind of attack we have won the Olympic gold medal: Belgium is the number one source country.

[image: bot_001]

And the Belgacom network is the main source of the attacks:

[image: bot_002]

And the main sources within it are:

[image: bot_003]

Belgian hosts are also taking part in botnet DDoS attacks against others, which is to be expected when you are infected: a bot follows its controller's attack orders and at the same time scans for other vulnerable computers to infect.

And further down the Atlas pages you can see that this is in fact a single botnet.

So how long will it take to bring down one (you read that right: one) botnet and clean up the mess of infected PCs/servers, before another botnet recruits them?

Tips for network admins

* Block all ICQ traffic on your firewall if you haven't done so already. Period. Why? Because most of the botnet commands come over ICQ. Also block, on every port, any destination with ICQ in its name; IRC, the other classic bot command channel, deserves the same treatment. And are you sure everybody needs plain FTP on port 21? Or that every PC has to be its own mail server on port 25?

* Look at your firewall logs for internal scanning traffic; this is easy if you have diverted all scanning traffic that gets no answer (to non-existent servers, for example), because every hit on a dead address is then a connection attempt worth logging. Throw the PCs and servers that are wildly scanning your internal network off the network. Period. Disinfect and monitor; if that is not successful you will need an anti-rootkit tool, and in the worst case you have lost the PC/server: copy the documents to a separate backup and completely reinstall it.

* Contact the network admins of the official network or the ISPs about Belgian-based scanning and attacking traffic. You can try the e-cops or BIPT, but I am not sure whether they already have a cyber-infrastructure defence procedure. ...

* Limit your outbound traffic to normal ports (for users this would be only 80, 8000, 8080, 443, 53 (if you don't have an internal DNS relay server), ...). In particular, drop outbound 445, 135 and 139 to the Internet at the perimeter: that is exactly the traffic an infected machine generates while scanning for new victims, and blocking it keeps your network from showing up as a source on Atlas.

* I presume that your PCs/servers are all updated and have antivirus, a firewall and so on? For this particular vulnerability the fix (MS04-007) has been available since February 2004, so any machine still exploitable over port 445 has missed more than three years of patches.
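As an added example, not part of the original post, here is the check from the second tip in Python: read the firewall log, and flag any internal host that hits many distinct addresses on 445/135/139 within a short window, while leaving alone a file server that talks to a handful of peers or a workstation browsing the web. It assumes iptables-style LOG lines with a leading epoch timestamp (adapt the regular expression to your own firewall); the sample lines, the 20-destination threshold and the 60-second window are all constructed assumptions for the demo.

```python
"""Flag internal hosts sweeping the LAN on the worm ports (445/135/139).

Added example, not code from the original post. Log format assumed to be
iptables-style LOG lines prefixed with an epoch timestamp; sample data below
is constructed.
"""
import re
from collections import defaultdict

WORM_PORTS = {445, 135, 139}   # SMB over TCP, RPC endpoint mapper, NetBIOS session
SCAN_THRESHOLD = 20            # distinct destinations in one window = scanning (assumption)
WINDOW_SECONDS = 60            # sliding window length (assumption)

# Assumed log shape: "<epoch> ... SRC=<ip> DST=<ip> ... PROTO=TCP ... DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+).*?SRC=(?P<src>[\d.]+).*?DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (epoch, src, dst, proto, dport) or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (int(m.group("ts")), m.group("src"), m.group("dst"),
            m.group("proto"), int(m.group("dpt")))


def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Map each scanning source to (max distinct destinations in a window, ports used).

    Only TCP traffic to the worm ports is counted, so a web-browsing workstation
    with many destinations on port 80 is never flagged.
    """
    events = defaultdict(list)  # src -> [(ts, dst, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto != "TCP" or dport not in WORM_PORTS:
            continue
        events[src].append((ts, dst, dport))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best, best_ports, lo = 0, set(), 0
        for hi in range(len(evs)):
            # Advance the window start until it covers at most `window` seconds.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            win = evs[lo:hi + 1]
            distinct = {dst for _, dst, _ in win}
            if len(distinct) > best:
                best, best_ports = len(distinct), {p for _, _, p in win}
        if best >= threshold:
            scanners[src] = (best, sorted(best_ports))
    return scanners


def build_sample_log():
    """Constructed sample log lines (not real traffic) for the demo."""
    base = 1192433400
    fmt = "{ts} kernel: FW-SCAN IN=eth1 OUT= SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt}"
    lines = []
    # Infected workstation: 40 hosts on 445 in 40 s, then 5 more on 135.
    for i in range(1, 41):
        lines.append(fmt.format(ts=base + i, src="10.0.5.23", dst=f"10.0.5.{100 + i}", spt=40000 + i, dpt=445))
    for i in range(1, 6):
        lines.append(fmt.format(ts=base + 45 + i, src="10.0.5.23", dst=f"10.0.5.{140 + i}", spt=41000 + i, dpt=135))
    # Legitimate file server: four peers on 445 spread over ten minutes.
    for i, t in enumerate((0, 200, 400, 600)):
        lines.append(fmt.format(ts=base + t, src="10.0.1.10", dst=f"10.0.2.{10 + i}", spt=50000 + i, dpt=445))
    # Workstation browsing the web: many destinations, but on port 80.
    for i in range(1, 31):
        lines.append(fmt.format(ts=base + i, src="10.0.5.77", dst=f"203.0.113.{i}", spt=42000 + i, dpt=80))
    lines.append("garbage line that does not match the log format")
    return lines


if __name__ == "__main__":
    for src, (n, ports) in find_scanners(build_sample_log()).items():
        print(f"{src}: {n} distinct targets within {WINDOW_SECONDS}s on ports {ports} -> off the network")
```

Run it against a real log by replacing `build_sample_log()` with the file's lines; the only host reported from the sample is the sweeping workstation, with 45 distinct targets on ports 135 and 445. Tune the threshold to your own network: a domain controller or backup server legitimately talks to many hosts on 445, so whitelist those sources rather than raising the threshold for everyone.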

And please, help those guys by placing more monitors: http://www.arbornetworks.com/atlas_register.php

09:30 Posted by technology changes fast not a lot in General | Permalink | Comments (0)
