
Thread: The future .. virii ..Worms,, etc

  1. #1
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744

    Question The future .. virii ..Worms,, etc

    Hi Guys,

    With Sobig.F's effects starting to enter our rear-vision mirrors, we know that Version "G" is coming. How will it attack, and what should we be doing now to lessen the severity of its blow? Our preparation now will determine how much damage it does to us.

    Here is a news Item i Found Here

    The virus, described as the fastest spreading ever on the internet, appeared to be contained by Monday, but experts were expecting a new version that could be more damaging.
    Security specialists said the Sobig.F virus, which was sent to millions of computers worldwide, is programmed to deactivate on September 10, leading to speculation that a new version could appear sometime around September 11.
    About how some users Reacted Here
    With computer users under siege from a variety of "worms," Internet buffs are rushing to Microsoft's anti-virus site to search for ways to combat the problem.

    Traffic to Microsoft TechNet from surfers logging on at home skyrocketed more than 1,100 percent during the week ending Aug. 17, Internet audience measurement service Nielsen/NetRatings said Monday.

    And Here for a report on the Symantec Norton 2004 effort

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    I have a simple view on what should be done.

    These virii have caused damage to millions of people with infected computers - Some of which will have resulted in deaths, which in my view is murder.

    Someone out there knows who the jackass writing this is.

    Start a global publicity campaign, it must be cheaper than cleaning up the damage from yet another attack, and offer a serious reward for this @$$hole. - What's Osama & Saddam worth these days? This has caused huge global financial impact, so let's make it worthwhile financially to hand the moron over.

    Drop the dime, call the cops and get the guy behind bars, problem solved.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I do wonder what would have happened if the "Blaster" worm had had a less benign payload.

    AFAIK, "Blaster" caused minor problems on a few machines, but no major data loss.

    Replace this with something like the payload of "Chernobyl" (which destroyed HD contents and in some cases trashed the bios) - and you could have economic chaos. I doubt however that many deaths would result.

    As the Bush administration are much more interested in wealth than wellbeing - economic chaos worries them much more than deaths.

    It's only a matter of time before someone does something like this.

    However, remotely exploitable sploits in M$ client-only software are quite rare - AFAIK there have only been two or three ever - and the RPC one was by far the most widespread.

    Imagine what would have happened if blaster had wiped the hard disc of every infected machine this weekend...

    Slarty

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Steve: I'm not sure it's quite that simple... But I agree with the sentiment.

    I went ahead and installed a pre-mail server, (forwarder), and implemented the free version of MailSecurity so that my mail will be prescanned by a virus checker from a different company, (I chose BitDefender), that is updated hourly. The mail is then forwarded to the normal mailservers that are scanned by Norton, updated every 4 hours. In addition, MailSecurity blocks the common content that carried such little "beauties" quite nicely. With luck the virii will stay out, since collecting personal email from web based, or any other "based", locations is a) prohibited by policy that could result in termination, (read: "will" if I have my say), and b) blocked by Surfcontrol and the firewall as best I can. My IDS system alerts me when attempts are made to visit such places and they get a Messenger message telling them to cut it out or I will inform administration and their supervisor and that I will pay them a visit that they won't like.....

    My firewall is set to only allow in the necessary and only to the required servers which are set to auto-update themselves daily regardless of the fact that it might down the server, I'd rather have no service than one with a hole in it. Each public server has mirrored boot drives and I make and break the mirror periodically so that if the server dumps we reboot from the unpatched mirror if absolutely necessary.

    Am I saying that I am "bulletproof"? Nope.... but I do get a warm fuzzy feeling when we go untouched as we have the last two weeks while there are horror stories all over about the damage that is being done......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    It's kind of a shocker but we just blocked .pif .wsh .vbs .com and .exe files from being opened through the m$ outlook security doobrie on active directory and all the machines can't run exes from mails. sobig.f came in and hit loads of the machines but it couldn't be run so it was never spread internally.
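    The extension block described in the post above, applied at a mail gateway instead of in the Outlook client, as an added example (this is not code from the original thread or from any of the products mentioned). The block list is the poster's five extensions; the sample message is constructed, not a captured worm mail, and the check deliberately uses the last extension and strips trailing dots and spaces, because that is how Windows decides what to run.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the post says were blocked in Outlook (assumption: the same
# list is enforced here at the gateway, before the message reaches a mailbox).
BLOCKED_EXTENSIONS = {".pif", ".wsh", ".vbs", ".com", ".exe"}


def is_blocked_name(filename: str) -> bool:
    """True if the attachment name ends in a blocked extension.

    Windows launches a file by its last extension, so "report.doc.pif" is a
    .pif, and it ignores trailing dots and spaces, so "setup.exe ." is still
    an .exe. The comparison is case-insensitive because "FILE.PIF" runs too.
    """
    normalised = filename.strip().lower().rstrip(". ")
    ext = os.path.splitext(normalised)[1]
    return ext in BLOCKED_EXTENSIONS


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments in a raw RFC 822 message that match
    the block list. A gateway would reject or quarantine on a non-empty result."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample, not real mail: a text body, a .pif hidden behind a
    double extension, and a harmless .txt that must pass."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(
        b"MZ\x90\x00" + b"\x00" * 60,  # fake executable header, constructed
        maintype="application",
        subtype="octet-stream",
        filename="your_details.doc.pif",
    )
    msg.add_attachment("just a note", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print("blocked attachments:", risky_attachments(build_sample_message()))
```

The content type is deliberately ignored: a mass-mailer can label a .pif as application/octet-stream, image/gif or anything else, so the filename the client will save it under is the only thing worth deciding on. Extend BLOCKED_EXTENSIONS with whatever else your client will execute on double-click.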

  6. #6
    How about using messagelabs to filter your mail - it costs bucks but solves any worries..well worth the outlay imho..........

  7. #7
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by slarty
    I doubt however that many deaths would result.
    Okay - not directly I grant you, since it's unlikely a nuclear power station is going to melt down as a result (although recent news is worrying).

    However, if it costs a large hospital 10K to clean up then that's 10K not spent on patient care, or a police force not spending money on preventing crime etc. etc. The long term consequences could easily be some deaths.

    As the Bush administration are much more interested in wealth than wellbeing - economic chaos worries them much more than deaths.
    For sure & it's simple cost/benefit - this virus costs, in the US alone, say $500M - a reward of $50M to capture the perp, prosecute & give 10 years in the electric chair - Bingo, simple cost/ben case!

    Imagine what would have happened if blaster had wiped the hard disc of every infected machine this weekend...
    Hehe - there would have been a lot less traffic on my IDS!

    Steve

    Originally posted here by mark_boyle2002
    It's kind of a shocker but we just blocked .pif .wsh .vbs .com and .exe files from being opened through the m$ outlook security doobrie on active directory and all the machines can't run exes from mails. sobig.f came in and hit loads of the machines but it couldn't be run so it was never spread internally.
    I'd have to check with my mail server admin, but we were already blocking most, if not all, of those already.

    We did a quick check with our mail server AV app provider & found out we were covered.

    What about the future?

    Mailserver AV updates every hour.
    Internal AV update daily (all machines) - Mobile users have an update forced upon them as soon as they connect to the internal network.

    Steve

    <edit> must learn to write english!</edit>
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #8
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I am beginning to wonder if our ISPs are taking this as seriously as they might? I had hundreds if not thousands of port 135 hits, all from what I imagine to be my ISPs subnet. I tried three different ISPs, and the same thing was happening.

    I am now getting "pinged" the hell out of from the same sources.............other addresses in my ISP's range. Which I take to be the Anti msblast virus?

    I know absolutely zero about that side of things, but can't they (ISPs) do anything to stop it? It must be wasting an awful lot of bandwidth?

    Apart from keeping our AV, Firewalls, Botkillers and trojan seekers up to date and running them regularly, I don't see what else us mere mortals can do.....except try to educate people around us to do the same and delete dodgy e-mails?

    There is a tool:

    Please visit http://www.internals.com for updates.
    Notice:
    At this time, MailControl can only detect emails sent through SMTP. If your email client is configured to work with Microsoft Exchange Server, MailControl will not intercept emails sent from your computer.

    Which acts as a sort of e-mail firewall, and blocks attempts to send stuff out. Unfortunately it does not seem to be at "industrial strength" yet, as it only works with SMTP. If the next one has spoofed e-mails in its repertoire, this may help private users (it's free!) and slow it down a bit.

    What really frustrates me is that none of my boxes has been infected, but from the number of hits I have been getting, there must be an awful lot of infected boxes out there......why?....

    I think that if we can find the answer to my last question and address that, we will have our answer?

    Just my £0.02 worth

    cheers

  9. #9
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    What is interesting to me is that Sobig has been well written from a technical point of view, something that hasn't been the case in the past with other viruses. I think it is likely to be a group of people, rather than an individual who is responsible for this.

    Some of the techniques it was using were very different. Exploiting an MS loophole - easy.
    Payload - much more sophisticated, done by connecting to previously compromised PCs to get a new web address to download the payload from. To connect to these previously infected PCs required an authentication code, and to boot some of the code had very strong encryption.

    This doesn't look like your average hacker to me!

    MS is in a bit of a no win situation here, as when it releases a patch, a lot of corporate users will, with good reason, want to test it first. A lot of home & some small corporate users won't even be aware there is a problem, as they never patch their systems anyway.

    EDIT: I should have added the point that if you are running a large internal network that has solid protection at the point you connect to the net, this is not good enough.
    All it takes is one person to use an infected CD/floppy etc., which will then spread like wildfire throughout your network to unpatched PCs.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    On the point of blocking the outbound mail produced by these virii if you host your own mailserver within your firewall this is really rather simple and I don't know why more admins have not done it.........

    There is one mailserver in your domain, (ok, maybe several), and the _only_ machines that should be sending or receiving SMTP are those servers. So..... let's be smart and block all inbound and outbound SMTP connections to/from all machines in the private network except the mail servers.

    Since almost all new virii carry their own SMTP server to hide the fact that they sent mail from your mail client and ISP, they transmit SMTP direct.... Well, they can't if their initial SYN is blocked by the firewall..... Thus the virus has been thwarted in its attempt to propagate past the perimeter. Now..... If you think a bit deeper, if the firewall blocks an outbound SMTP it is one of two things.... A user trying to send/receive mail from a server other than yours, which should be taboo and gets a swift slap upside the head, or, it's a virus. So we can tell the firewall to alert us through the messenger service whenever it blocks an outbound SMTP attempt. We can then wander on down and take the machine offline until it is cleaned and the user has been slapped for clicking on an attachment........
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
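    The egress rule and the alerting logic from the post above, as an added example that is not part of the original thread. The firewall policy is shown in iptables syntax in a comment; the Python below is the "alert me" half: it reads the log the LOG rule produces and names every internal host other than the mail server that tried to open SMTP to the outside. Assumptions, none of them from the post: the private network is 10.0.0.0/8, the only legitimate SMTP speaker is 10.0.1.10, the log prefix is "SMTP-OUT ", and the log lines are constructed. The distinct-destination count and the "policy violation" versus "probable mass-mailer" split are an added heuristic; the poster takes both offline regardless.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for the example: the private network and the one host allowed
# to speak SMTP through the perimeter.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVERS = {"10.0.1.10"}

# Illustrative firewall policy for the rule the post describes (iptables
# syntax; order matters: log every outbound SMTP SYN, accept the mail
# server, drop everyone else, and the mirror image for inbound):
#   iptables -A FORWARD -s 10.0.0.0/8 -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT "
#   iptables -A FORWARD -s 10.0.1.10  -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -s 10.0.0.0/8 -p tcp --dport 25 -j DROP
#   iptables -A FORWARD -d 10.0.1.10  -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -d 10.0.0.0/8 -p tcp --dport 25 -j DROP

LOG_RE = re.compile(
    r"SMTP-OUT .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log, not real traffic: the mail server sends legitimately,
# 10.0.5.77 fans out to five different external hosts in a minute (a worm with
# its own SMTP engine), 10.0.7.3 tries one outside server (a user's own ISP).
SAMPLE_LOG = """\
Aug 23 09:12:01 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=203.0.113.25 PROTO=TCP SPT=3412 DPT=25 SYN
Aug 23 09:12:03 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=203.0.113.5 PROTO=TCP SPT=1055 DPT=25 SYN
Aug 23 09:12:03 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=198.51.100.7 PROTO=TCP SPT=1056 DPT=25 SYN
Aug 23 09:12:04 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=192.0.2.44 PROTO=TCP SPT=1057 DPT=25 SYN
Aug 23 09:12:04 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=198.51.100.9 PROTO=TCP SPT=1058 DPT=80 SYN
Aug 23 09:12:05 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=203.0.113.80 PROTO=TCP SPT=1059 DPT=25 SYN
Aug 23 09:12:06 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=198.51.100.21 PROTO=TCP SPT=1060 DPT=25 SYN
Aug 23 09:12:40 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=198.51.100.2 PROTO=TCP SPT=2201 DPT=25 SYN
Aug 23 09:13:00 fw sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 50122
"""


def outbound_smtp_syns(log_text: str):
    """Yield (src, dst) for every logged outbound SMTP SYN from inside to outside."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dpt"] != "25":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            yield str(src), str(dst)


def offenders(log_text: str, mail_servers=MAIL_SERVERS) -> dict[str, int]:
    """Internal hosts other than the mail servers that tried to talk SMTP to
    the outside, mapped to how many distinct destinations each one hit."""
    seen: dict[str, set[str]] = defaultdict(set)
    for src, dst in outbound_smtp_syns(log_text):
        if src not in mail_servers:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def classify(distinct_destinations: int, fan_out_threshold: int = 5) -> str:
    """Added heuristic: a mis-configured client hits one server, a mass-mailer
    fans out to many. Either way the post's answer is to pull the cable."""
    if distinct_destinations >= fan_out_threshold:
        return "probable mass-mailer"
    return "policy violation"


def alerts(log_text: str) -> list[str]:
    """One line per offending host, ready to be sent wherever you page yourself."""
    return [
        f"{src}: {n} external SMTP destination(s), {classify(n)}"
        for src, n in sorted(offenders(log_text).items())
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

The log rule sits before the ACCEPT on purpose: the mail server's own SYNs are logged too, which gives you a baseline for what normal outbound volume looks like and catches the day someone moves the mail server to a new address without telling the firewall. The port 80 line and the sshd line show that unrelated log noise is ignored by the prefix and port checks rather than by hoping the log only contains SMTP.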
