Blackworm numbers [Was: Re: Martin Hannigan]
Well, let's hope we can watch the Super Bowl in peace -- I'm turning my pager & cell phone off anyways. :-)

In any event, as Alex Eckelberry writes over on the Sunbelt Software blog, "...we're now seeing infestations for the Blackworm worm (aka KamaSutra) getting close to 2 million.

"Yesterday it was at close to 700k.

"Of course, it's possible that this URL has gotten out to the public, which would increase the count (simply hitting the website increments the count by one). However, to my knowledge, this URL is only known in the security community.

"Remember that this worm has a very destructive payload. Even if you discount the number here, you're still looking at a significant number of people who will suffer potentially devastating data loss."

I couldn't agree more.

Cheers,

- ferg

ps. http://sunbeltblog.blogspot.com/2006/01/blackworm-worm-over-18-million.html

-- Martin Hannigan <hannigan@world.std.com> wrote:
> http://isc.sans.org/blackworm Further, our reports lead to SANS ISC temporary URLs for each AS.
> The last time SANS felt something was so serious they needed all of NANOG to dance, they came out and said so. That's their handlers diary. I read it. A lot of people read it. It's well balanced and usually on target. Just like that. It's not alarmist. It seems fairly certain that as long as Symantec et al. do their thing, we will be able to watch the Super Bowl in peace.

[snip]

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
> Well, let's hope we can watch the Super Bowl in peace -- I'm turning my pager & cell phone off anyways. :-)
I'm going for Steelers. You? I've got a couple of fresh Maine Lobsters and Union Oyster House chowdah to put up if you're interested in a wager. [ Removed my name from the subject. I like it in lights, but I've had enough for today! :-) ]
> In any event, as Alex Eckelberry writes over on the Sunbelt Software blog, "...we're now seeing infestations for the Blackworm worm (aka KamaSutra) getting close to 2 million.
> "Yesterday it was at close to 700k.
> "Of course, it's possible that this URL has gotten out to the public, which would increase the count (simply hitting the website increments the count by one). However, to my knowledge, this URL is only known in the security community.
The URL is out all over the place.
> "Remember that this worm has a very destructive payload. Even if you discount the number here, you're still looking at a significant number of people who will suffer potentially devastating data loss."
> I couldn't agree more.
People without A/V? How sad can you feel? I don't want anyone to lose data, but I bet a bunch of people buy A/V as a result. That's good. Check out this story where it was downplayed: http://www.eweek.com/article2/0,1895,1915070,00.asp
> http://isc.sans.org/blackworm Further, our reports lead to SANS ISC temporary URLs for each AS.
http://isc.sans.org/diary.php?storyid=1073 - but really, do you consider this to be a huge issue that we should prepare to be on call over? SANS, http://isc.sans.org/infocon.php , and Symantec, http://www.symantec.com/index.htm , are both at their normal threat levels.

The point I was trying to make before the thread went, East?, was that there is a perceived problem in the security community with appropriate response. I'd tell you how I think that could have been avoided, but then my name would go up in the subject again. *cough full disclosure*

Off the top of my head I think the security trust landscape today looks like this. I base this on participation, people I know participating, comments I hear at the NANOG water bubbler, etc. and they are nothing but personal opinions.

SANS - Trusted, good reputation growing
NSP-SEC - neutral since it's a collective of people+groups
skitter15 - untrusted, but trusted when info leaks. (too long to explain)
PSIRT - trusted, borderline.
US-CERT - trusted for NA matters, w/other certs
UK-CERT - trusted for EU matters, w/other certs
IL-CERT - no comment
DA - untrusted
TISF - untrusted, new, etc.
CERTs at large - Neutral, has to be case by case
Carrier Security Groups - Trusted for matters of their own
MSS - Neutral
AV - Trusted
Software Vendors - Neutral
Hardware Vendors - Untrusted, case by case
Force 10 - Trusted
Juniper - Trusted
Cisco - Neutral, case by case
Team-Cymru - Trusted case by case
SecuriTeam - Untrusted, untested

This isn't a popularity contest, so I'll leave individuals off of my list, but you can probably guess who in most cases including using some of the notes above.

-M<
On Wednesday 25 Jan 2006 22:31, Fergie wrote:
> "Of course, it's possible that this URL has gotten out to the public, which would increase the count (simply hitting the website increments the count by one). However, to my knowledge, this URL is only known in the security community.
The SANS diary suggests that the requests from the worm itself are quite distinctive, so it should be possible to spot idle curiosity, search bots, and other interested parties from the worm itself. Of course it may be that the monitoring of the traffic isn't subtle enough to distinguish between these two types of traffic.

Occurs to me that 700,000 Windows reinstalls in a day is probably about average given market share, and reliability of the OS, so 700,000 extra is probably just a busy day. Might be a peak in demand for Windows updates afterwards.

The talk of antivirus tools is misplaced; the correct tool to deal with something like this is a good back-up, but for too long people have sold PCs for end users without any backup service at all. My home desktop has a tape backup unit (and RAID 1). I just wish I could be so confident about every desktop we use at work.

As Bill Hassell's signature said.... "There are two types of computer users in the world...those that have lost data, and those that are going to." (blh, circa 1972)
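The two points made in this thread, that every hit on the counter URL bumps the count by one, and that the worm's own requests look different from curious humans and search bots, can be combined into a log-side check on the counter's server. The following is an added example, not code from the thread, from Sunbelt or from SANS. The counter path (/counter.php), the sample log lines and the "worm profile" used to classify a hit (a bare HTTP/1.0 GET with no Referer and an empty User-Agent) are all assumptions made for illustration; they are not the real Blackworm request signature, which the thread does not describe.

```python
"""Separate worm check-ins from human and crawler hits on an infection counter.

Added example. The log lines are constructed (RFC 5737 documentation
addresses), and the worm request profile in classify() is an assumption
chosen for illustration, not the real Blackworm signature.
"""
import re
from collections import defaultdict

# Apache "combined" log format:
#   ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

COUNTER_PATH = "/counter.php"                     # hypothetical counter URL
BOT_UA_RE = re.compile(r"bot|crawl|spider", re.IGNORECASE)

FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) "
           "Gecko/20060111 Firefox/1.5.0.1")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
DIARY = "http://isc.sans.org/diary.php?storyid=1073"

# Constructed sample: three infected hosts (one checking in twice), one person
# who followed the link from the ISC diary and reloaded once, and one crawler.
SAMPLE_LOG = f'''\
192.0.2.10 - - [24/Jan/2006:08:01:12 +0000] "GET /counter.php HTTP/1.0" 200 43 "-" "-"
192.0.2.11 - - [24/Jan/2006:08:01:15 +0000] "GET /counter.php HTTP/1.0" 200 43 "-" "-"
198.51.100.7 - - [24/Jan/2006:08:02:01 +0000] "GET /counter.php HTTP/1.1" 200 43 "{DIARY}" "{FIREFOX}"
198.51.100.7 - - [24/Jan/2006:08:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "{FIREFOX}"
198.51.100.7 - - [24/Jan/2006:08:02:30 +0000] "GET /counter.php HTTP/1.1" 200 43 "{DIARY}" "{FIREFOX}"
203.0.113.5 - - [24/Jan/2006:08:03:44 +0000] "GET /counter.php HTTP/1.1" 200 43 "-" "{GOOGLEBOT}"
192.0.2.12 - - [24/Jan/2006:08:04:02 +0000] "GET /counter.php HTTP/1.0" 200 43 "-" "-"
192.0.2.10 - - [24/Jan/2006:08:04:10 +0000] "GET /counter.php HTTP/1.0" 200 43 "-" "-"
'''


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label one counter hit as 'bot', 'worm', 'human' or 'other'.

    ASSUMED worm profile: a bare HTTP/1.0 GET with no Referer and an empty
    User-Agent, i.e. a minimal hand-rolled HTTP client. Browsers that reached
    the page from a link carry a Referer and a Mozilla-style User-Agent;
    crawlers name themselves in the User-Agent. Checked in that order so a
    crawler's "Mozilla/5.0 (compatible; ...bot...)" is not taken for a person.
    """
    ua, referer, proto = rec["ua"], rec["referer"], rec["proto"]
    if BOT_UA_RE.search(ua):
        return "bot"
    if proto == "HTTP/1.0" and referer in ("", "-") and ua in ("", "-"):
        return "worm"
    if referer not in ("", "-") or ua.startswith("Mozilla/"):
        return "human"
    return "other"


def summarize(log_text):
    """Compare the naive counter (every hit) with per-class hit and host counts.

    Returns {"raw": hits on the counter URL,
             "classes": {label: {"hits": n, "hosts": distinct source IPs}}}.
    Counting distinct hosts per class also removes reloads and re-check-ins,
    which the naive counter double-counts.
    """
    raw = 0
    hits = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != COUNTER_PATH:
            continue  # favicon requests and unparsable lines never touch the counter
        raw += 1
        label = classify(rec)
        hits[label] += 1
        hosts[label].add(rec["ip"])
    return {"raw": raw,
            "classes": {k: {"hits": hits[k], "hosts": len(hosts[k])} for k in hits}}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("naive counter:", result["raw"])
    for label, c in sorted(result["classes"].items()):
        print(f"{label:6s} hits={c['hits']} distinct hosts={c['hosts']}")
```

On the constructed sample the naive counter reads 7, while only 4 hits (from 3 distinct hosts) fit the assumed worm profile; the rest are one person reloading and one crawler. Whether the real counter's logs allow this split depends on what the operator records, which is exactly the caveat raised above about the monitoring not being subtle enough.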
participants (3): Fergie, Martin Hannigan, Simon Waters