PICList Thread
'[OT] worm and traffic'
2007\05\04@065651 by Dennis Crawley


Yesterday, I spent many hours searching for the source of traffic in a
network.

After discovering the PC, I ran "wireshark" and saw that the PC was sending
a lot of mail with a phishing gif. Something about "The 53-rd Bank USA
Commercial please".

The file responsible was aspi3695.exe in the system32 folder. It was discovered
by Bitdefender free version. AVG and others could not detect it.

Today I got a response from the wireshark forum:
the virus is "Email.Phishing.RB-732"


I hope this helps someone.

Regards,
Dennis




2007\05\04@084956 by Russell McMahon

> Yesterday, I spent many hours searching for the source of traffic in a
> network.
>
> After discovering the PC, I ran "wireshark" and saw that the PC was
> sending a lot of mail with a phishing gif. Something about "The 53-rd
> Bank USA Commercial please".
>
> The file responsible was aspi3695.exe in the system32 folder. It was
> discovered by Bitdefender free version. AVG and others could not
> detect it.
>
> Today I got a response from the wireshark forum:
> the virus is "Email.Phishing.RB-732"


This recent New Scientist article

       http://www.newscientisttech.com/channel/tech/mg19426026.000?DCMP=NLC-nletter&nsref=mg19426026.000

provides good comment on recent trends in this area.

They note that trusted websites are being compromised so that they download
"bot" software into your system. They note that traditional firewalls
do not protect against such attacks.

There seems to be little protection against such software compared
to what is available for more traditional methods of attack. Running
something like wireshark and looking for unexpected traffic may be as
good a solution as any. If anyone here can make a more useful comment
than that, please do.



       Russell


2007\05\04@101459 by Dario Greggio

Dennis Crawley wrote:

> The file responsible was aspi3695.exe in the system32 folder. It was discovered
> by Bitdefender free version. AVG and others could not detect it.

I find BitDefender rather good; I advise it to my customers.

Dario

2007\05\04@103254 by Gerhard Fiedler

Russell McMahon wrote:

> www.newscientisttech.com/channel/tech/mg19426026.000?DCMP=NLC-nletter&nsref=mg19426026.000
>
> provides good comment on recent trends in this area.

Not really "good", I'd say.

> They note that trusted websites are being compromised so that they download "bot"
> software into your system.

"Lured to a site by spam and then promised pirated software or pornography,
for example, visitors click on a link only to download a bot." Do I have to
say you shouldn't do this? Or you're on your own and better know what
you're doing if you do this? :)

or

"To test for malicious software, or malware, they loaded a program designed
to simulate a computer with a vulnerable version of Internet Explorer and
monitored what happened."

They didn't say what exactly they mean by "a vulnerable version of
Internet Explorer", but in all likelihood it's one with known
vulnerabilities for which patches have existed for ages. Do I have to say you
shouldn't do this? Or ... ? :)  (Not to mention that there are alternatives
with fewer vulnerabilities.)

or

"As firewalls allow free passage to code or programs downloaded through the
browser, the bot is able to install itself on the PC."

The bot is not a piece of magic. It needs to download an executable and run
it and make sure it will be run in the future automatically. The user
normally has to participate in this in some way. Do I have to say ... ? :)


> They note that traditional firewalls do not protect against such attacks.

I'm not sure what you mean with "traditional firewalls". There are all
kinds of "traditional firewalls". Most such attacks would get stopped by a
"traditional firewall" that's installed on a PC and supervises outbound
activity.

They say "Ultimately what is needed is a new type of firewall that inspects
the content of programs downloaded through the browser, says Zou."

I'm not sure they invented sliced bread here for the umpteenth time. This
technique has been known for a long time.


> There seems to be little protection against such software

How about common sense mixed with some knowledge and a bit of
self-discipline? I know this is an uncommon proposition, but IME it goes a
long way :)

Gerhard

2007\05\04@134221 by Mauricio Giovagnini

Dario Greggio wrote:
> Dennis Crawley wrote:
>
>> The file responsible was aspi3695.exe in the system32 folder. It was discovered
>> by Bitdefender free version. AVG and others could not detect it.
>
> I find BitDefender rather good; I advise it to my customers.
>
> Dario
I found that the 'best antivirus/malware software' changes from time to
time.  Some years ago, McAfee was the best, later on it was Norton AV,
later Kaspersky... and so on.

I stopped using Bitdefender a couple of years ago, because it didn't
detect what many others did... perhaps now they have hired better
programmers or they get better feedback from their clients...

I always suspected that around this 'business' of making viruses and
malware and so on... there are a lot of "people making money", not just a
couple of geeks trying to prove themselves.

2007\05\04@144032 by Tamas Rudnai

That's funny, I've been in this field a very long time and many people
ask this from time to time. Unfortunately we don't have to write threats;
there are more in our queue than we could handle manually, you can't
even imagine how long that queue is.

Tamas



2007\05\04@224957 by William Chops Westfield


On May 4, 2007, at 5:49 AM, Russell McMahon wrote:

> If anyone here can make a more useful comment
> than that, please do.

According to our propaganda, Cisco has some equipment that
detects traffic patterns typical of malware and will do things
like shutting off that port of the switch.  I don't know enough about
those product lines to tell how much is true and how much is
hype, but it certainly seems like it ought to be possible
to do something like that (without the "shut down" part)
in a relatively small number of cycles in a network monitoring
box or app.

BillW

2007\05\05@050936 by Dario Greggio

Tamas Rudnai wrote:

> That's funny, I've been in this field a very long time and many people
> ask this from time to time. Unfortunately we don't have to write threats,[..]

You know, Italy is the home country of political "plots", unknown
government dealings and so on... not to mention unfaithful customers and
long-term payment, so here it is the *rule* to blame the antivirus
companies :-)

--
Ciao, Dario il Grande (522-485 a.C.)
--
ADPM Synthesis sas - Torino
--
http://www.adpm.tk

2007\05\05@052030 by Dario Greggio

Mauricio Giovagnini wrote:

> I found that the 'best antivirus/malware software' changes from time to
> time.  Some years ago, McAfee was the best, [...]

of course it does!

> I stopped using Bitdefender a couple of years ago, because it didn't [..]

I've been using BitDefender for 2-3 years now, and Avast for personal
users. They both perform well IMO and are light enough.
Norton & McAfee became way too heavy 2-3 years ago. Not to mention
"Internet Security", which has the bad habit of disabling every incoming
connection even on LANs... :-(

--
Ciao, Dario

2007\05\05@080415 by Gerhard Fiedler

William Chops Westfield wrote:

>> If anyone here can make a more useful comment than that, please do.
>
> According to our propaganda, Cisco has some equipment that detects
> traffic patterns typical of malware and will do things like shutting off
> that port of the switch.

Cheaper than Cisco hardware may be something like Proxomitron
<http://www.proxomitron.info/>. It's a proxy server (freeware) that you can
install anywhere on your network (or your only computer) and configure to
filter out whatever you want. It's nothing new -- when the Yahoo group
started in 2000, the program was already old. And I'm sure it's not the
only program in its class.

Gerhard

2007\05\05@182051 by peter green


> There seems to be little protection against such software compared
> to what is available for more traditional methods of attack. Running
> something like wireshark and looking for unexpected traffic may be as
> good a solution as any. If anyone here can make a more useful comment
> than that, please do.

Make sure AV software is up to date, but remember it won't protect you from everything.

Don't use IE unless you absolutely have to. It's the biggest target for malware and is also known to be full of security holes.

If you run a network, have software set up that looks for unusual traffic patterns.

Don't allow SMTP out of your network from any boxes other than mail servers. Log and rate limit at the mail server and treat attempts to connect to other hosts on port 25 as suspicious, especially if you get a lot of them.
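The egress rule above, and the symptom Dennis found with wireshark (one PC spraying mail at many outside hosts), can be checked from a connection log without any packet capture. This is an added example, not code from the thread; the log format, the `10.0.0.0/24` hosts and the single authorised mail server `10.0.0.5` are constructed for it.

```python
# Added example (not from the PICList thread): flag internal hosts that open
# outbound SMTP (tcp/25) connections to hosts other than the authorised mail
# server, and summarise how many distinct destinations each one hit.
from datetime import datetime

# Constructed connection records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.25 only talks to the internal mail server (legitimate submission);
# 10.0.0.42 behaves like the infected PC in the thread.
SAMPLE_LOG = """\
2007-05-04T10:00:01 10.0.0.25 10.0.0.5 25
2007-05-04T10:00:02 10.0.0.25 10.0.0.5 25
2007-05-04T10:00:03 10.0.0.42 203.0.113.7 25
2007-05-04T10:00:03 10.0.0.42 198.51.100.9 25
2007-05-04T10:00:04 10.0.0.42 192.0.2.33 25
2007-05-04T10:00:05 10.0.0.42 203.0.113.88 25
2007-05-04T10:00:06 10.0.0.42 198.51.100.120 25
2007-05-04T10:00:07 10.0.0.7 192.0.2.10 80
2007-05-04T10:00:09 10.0.0.5 203.0.113.7 25
2007-05-04T10:00:10 10.0.0.42 203.0.113.200 25
"""

MAIL_SERVERS = {"10.0.0.5"}  # constructed: the only host allowed to send SMTP directly

def parse(log):
    """Yield (timestamp, src, dst, port) for each non-empty record."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def smtp_violations(log, allowed=MAIL_SERVERS):
    """Outbound tcp/25 attempts a 'mail servers only' egress rule would block.
    Client-to-mail-server submission (dst in allowed) is legitimate and skipped."""
    return [(src, dst) for _, src, dst, port in parse(log)
            if port == 25 and src not in allowed and dst not in allowed]

def smtp_offenders(log, allowed=MAIL_SERVERS, threshold=3):
    """Per source host: attempt count, distinct destinations and the time span,
    for hosts that reached at least `threshold` distinct SMTP destinations."""
    stats = {}
    for ts, src, dst, port in parse(log):
        if port != 25 or src in allowed or dst in allowed:
            continue
        s = stats.setdefault(src, {"attempts": 0, "dests": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["dests"].add(dst)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return {src: {"attempts": s["attempts"], "distinct_dests": len(s["dests"]),
                  "seconds": (s["last"] - s["first"]).total_seconds()}
            for src, s in stats.items() if len(s["dests"]) >= threshold}

if __name__ == "__main__":
    for host, info in smtp_offenders(SAMPLE_LOG).items():
        print(f"{host}: {info['attempts']} SMTP attempts to {info['distinct_dests']} "
              f"hosts in {info['seconds']:.0f}s")
```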



2007\05\05@193931 by Jake Anderson

peter green wrote:
>> There seems to be little protection against such software compared
>> to what is available for more traditional methods of attack. Running
>> something like wireshark and looking for unexpected traffic may be as
>> good a solution as any. If anyone here can make a more useful comment
>> than that, please do.
>
> Make sure AV software is up to date, but remember it won't protect you from everything.
>
> Don't use IE unless you absolutely have to. It's the biggest target for malware and is also known to be full of security holes.
>
> If you run a network, have software set up that looks for unusual traffic patterns.
>
> Don't allow SMTP out of your network from any boxes other than mail servers. Log and rate limit at the mail server and treat attempts to connect to other hosts on port 25 as suspicious, especially if you get a lot of them.

I use snort as part of ipcop for intrusion detection from outside and
malware detection from the inside of my clients' networks. If they are
using a hub rather than a switch for their network then it even picks up
on stuff that tries to propagate solely within the network too; it's a
great way of finding virii.
