Re: Sobig.f surprise attack today

2003-08-28 Thread Owen DeLong
Again, I am not proposing a worm. Simply a cleaner that would neuter the worm that connected. What I am proposing would _ONLY_ provide software that, if the connecting client chose to execute it, would neuter the worm on the connecting client that executed it. Nothing that would worm to other

Re: Sobig.f surprise attack today

2003-08-28 Thread Dan Hollis
On Thu, 28 Aug 2003, Owen DeLong wrote: Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist based on such connections to a honeypot. Any system which made the correct request could then have its address published via BGP or DNS for ISPs and the like to do as

Re: Sobig.f surprise attack today

2003-08-28 Thread Mike Tancsa
At 12:54 PM 28/08/2003 -0700, Dan Hollis wrote: Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist based on such connections to a honeypot. Any system which made the correct request could then have its address published via BGP or DNS for ISPs and the like to do

Re: Sobig.f surprise attack today

2003-08-28 Thread Petri Helenius
Mike Tancsa wrote: I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn through quite a few dynamic IP addresses along the way.

Re: Sobig.f surprise attack today

2003-08-28 Thread Mike Tancsa
At 11:14 PM 28/08/2003 +0300, Petri Helenius wrote: Mike Tancsa wrote: I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn

Re: Sobig.f surprise attack today

2003-08-28 Thread Damian Gerow
Thus spake Petri Helenius ([EMAIL PROTECTED]) [28/08/03 16:23]: I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn through

Re: Sobig.f surprise attack today

2003-08-28 Thread Patrick Muldoon
On Thursday 28 August 2003 04:24 pm, Mike Tancsa wrote: At 11:14 PM 28/08/2003 +0300, Petri Helenius wrote: Mike Tancsa wrote: I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right.

Re: Sobig.f surprise attack today

2003-08-28 Thread Petri Helenius
Damian Gerow wrote: Or potentially an artifact of wanting more IP space from ARIN, as opposed to assigning a static IP to every user we have, even the ones that are only connected for about an hour a month. But hey, that's just a minor detail. Sorry for momentarily phasing to our local

Re: Sobig.f surprise attack today

2003-08-28 Thread Mike Tancsa
At 11:47 PM 28/08/2003 +0300, Petri Helenius wrote: connections have passed the dialup ones a few years ago. Dialup users also cannot generate any significant DDoS traffic even if combined by a factor of 1. a) http://www.acm.org/sigcomm/sigcomm2003/papers.html#p75-kuzmanovic b) Trinity

RE: Sobig.f surprise attack today

2003-08-22 Thread Todd Mitchell - lists
| Jim Dawson | Sent: Friday, August 22, 2003 2:02 PM | Subject: Sobig.f surprise attack today | | F-Secure Corporation is warning about a new level of attack to be | unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC. | |

Re: Sobig.f surprise attack today

2003-08-22 Thread Owen DeLong
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Let's use the virus against itself. At this point, I think that's a legitimate

RE: Sobig.f surprise attack today

2003-08-22 Thread Matthew Kaufman
I wish all surprise attacks came at preannounced times from known locations. Matthew Kaufman

Re: Sobig.f surprise attack today

2003-08-22 Thread Omachonu Ogali
If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years.

RE: Sobig.f surprise attack today

2003-08-22 Thread Vachon, Scott
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Only if we make assumptions that what they state is 100% fact and the whole truth of the

Re: Sobig.f surprise attack today

2003-08-22 Thread Jay Hennigan
On Fri, 22 Aug 2003, Owen DeLong wrote: OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Let's use the virus against itself. At

RE: Sobig.f surprise attack today

2003-08-22 Thread Randy Neals (ORION)
Where does one get hold of The List to know if you're on it. I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding the list of master servers. -R -Original Message- Behalf Of Omachonu Ogali Sent: August 22, 2003 2:46 PM If

RE: Sobig.f surprise attack today

2003-08-22 Thread Irwin Lazar
FYI: At 1500 GMT, Mikko Hypponen, director of anti-virus research at F-Secure, told New Scientist that 18 of the 20 internet addresses his company had identified in the virus had been blocked. But if even one

Re: Sobig.f surprise attack today

2003-08-22 Thread steve uurtamo
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Only if we make assumptions that what they state is 100% fact and the whole truth of

RE: Sobig.f surprise attack today

2003-08-22 Thread Gary Attard
http://xforce.iss.net/xforce/alerts/id/151 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Randy Neals (ORION) Sent: Friday, August 22, 2003 2:54 PM To: 'Omachonu Ogali'; 'Todd Mitchell - lists' Cc: [EMAIL PROTECTED] Subject: RE: Sobig.f surprise

Re: Sobig.f surprise attack today

2003-08-22 Thread Andrew Kerr
Randy Neals (ORION) wrote: Where does one get hold of The List to know if you're on it. I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding the list of master servers. It's been posted here, and f-secure has it, but I wrote a quick

RE: Sobig.f surprise attack today

2003-08-22 Thread Stephen J. Wilcox
:[EMAIL PROTECTED] Behalf Of Randy Neals (ORION) Sent: Friday, August 22, 2003 2:54 PM To: 'Omachonu Ogali'; 'Todd Mitchell - lists' Cc: [EMAIL PROTECTED] Subject: RE: Sobig.f surprise attack today Where does one get hold of The List to know if you're on it. I've read many

Re: Sobig.f surprise attack today

2003-08-22 Thread Jay Hennigan
On Fri, 22 Aug 2003, Andrew Kerr wrote: It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page: http://207.195.54.37/sobig.html (Updates about every 5 mins) You're probing the list of NTP servers the worm

Re: Sobig.f surprise attack today

2003-08-22 Thread Andrew Kerr
Jay Hennigan wrote: On Fri, 22 Aug 2003, Andrew Kerr wrote: It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page: http://207.195.54.37/sobig.html (Updates about every 5 mins) You're probing the list of NTP

RE: Sobig.f surprise attack today

2003-08-22 Thread netadm
: Re: Sobig.f surprise attack today Jay Hennigan wrote: On Fri, 22 Aug 2003, Andrew Kerr wrote: It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page: http://207.195.54.37/sobig.html (Updates about every

Re: Sobig.f surprise attack today

2003-08-22 Thread Owen DeLong
user and ask permission to put a honeypot on their IP and that's not going to happen in the next 30 minutes. - Original Message - From: Owen DeLong [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, August 22, 2003 1:27 PM Subject: Re: Sobig.f surprise

RE: Sobig.f surprise attack today

2003-08-22 Thread Mark Segal
FCI Broadband -Original Message- From: netadm [mailto:[EMAIL PROTECTED] Sent: August 22, 2003 3:50 PM To: [EMAIL PROTECTED] Subject: RE: Sobig.f surprise attack today From http://www.f-secure.com/v-descs/sobig_f.shtml

RE: Sobig.f surprise attack today

2003-08-22 Thread Austad, Jay
. :) -Original Message- From: Mark Segal [mailto:[EMAIL PROTECTED] Sent: Friday, August 22, 2003 4:05 PM To: 'netadm'; '[EMAIL PROTECTED]' Subject: RE: Sobig.f surprise attack today My question is what were those servers.. Was the purpose to denial of service attack them? If so we just

Re: Sobig.f surprise attack today

2003-08-22 Thread Petri Helenius
Omachonu Ogali wrote: If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years. If the virus guys get

RE: Sobig.f surprise attack today

2003-08-22 Thread Dr. Jeffrey Race
On Fri, 22 Aug 2003 14:13:27 -0400, Todd Mitchell - lists wrote: See the following message sent out by X-Force a few hours ago. Todd Computers infected with the Sobig.F worm are programmed to automatically download an executable of unknown function from a hard-coded list of servers at 19:00 UTC

Re: Sobig.f surprise attack today

2003-08-22 Thread Doug Barton
On Fri, 22 Aug 2003, Owen DeLong wrote: Sure, it won't happen in 30 minutes, but, I don't understand why this wasn't started when F-Secure first noticed the situation. I seriously doubt that most (any?) ISP would be willing to accept the legal liability for altering anything on the computer