My Doom Worm

Guy Fraser guy at incentre.net
Tue Jan 4 18:27:25 UTC 2005


Just another good reason to use Linux.

As a network administrator I have set up Cisco NetFlows on 
our core routers and check for anomalous traffic from 
time to time. I have found a couple of customers with 
SMTP engine type viruses. I have set up ingress and egress 
filters on most of our routers, and filter a few ports used 
by specific worms. We also block ports 139 and 445 to all but 
a couple of customers who insist on using Windows sharing 
without a VPN {Yikes}. 

The most common worms use TCP ports 139 or 445 to locate 
Windows machines, then proceed to abuse them. Another 
side effect of SMTP engine worms is DNS load. Infected 
machines make tons of DNS MX queries while attempting to 
spew their payload. Using awk, sort and uniq it is possible 
to discover the worms by analysing the DNS logs.

On Sun, 2005-02-01 at 07:21 +0000, Robert Slade wrote:
> Hiya,
> 
> Someone using IP address 66.59.107.18 (emmdsl.static.pa.net) is sending
> out the Worm.Mydoom.M: As I only use this address for the fedora list
> there is a good chance they are also a member.
> 
> Rob 
> 
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
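The awk/sort/uniq pass over the DNS logs that Guy describes, written out as an added example (not code from the post): it assumes BIND-style query-log lines, and the sample log, the 192.0.2.0/24 client addresses and the hypothetical function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed BIND-style query-log sample (not from the original post).
# 192.0.2.10 behaves like an SMTP-engine worm: a burst of MX lookups for
# many different domains. 192.0.2.20 and .30 look like normal clients.
SAMPLE_LOG='04-Jan-2005 18:20:01.101 client 192.0.2.10#1042: query: example.com IN MX +
04-Jan-2005 18:20:01.102 client 192.0.2.10#1043: query: example.net IN MX +
04-Jan-2005 18:20:01.104 client 192.0.2.10#1044: query: example.org IN MX +
04-Jan-2005 18:20:01.105 client 192.0.2.10#1045: query: mail.example IN MX +
04-Jan-2005 18:20:01.107 client 192.0.2.10#1046: query: smtp.example IN MX +
04-Jan-2005 18:20:01.108 client 192.0.2.10#1047: query: mx.example IN MX +
04-Jan-2005 18:20:02.310 client 192.0.2.20#3001: query: www.example.com IN A +
04-Jan-2005 18:20:02.311 client 192.0.2.20#3002: query: example.com IN MX +
04-Jan-2005 18:20:05.000 client 192.0.2.20#3003: query: example.net IN MX +
04-Jan-2005 18:20:09.500 client 192.0.2.30#4001: query: www.example.org IN A +'

# Read log lines on stdin; print "count client" for every client that
# issued MX queries, busiest first. Only the client address is kept,
# the source port after '#' is stripped before counting.
mx_query_counts() {
  awk '/ IN MX( |$)/ {
         for (i = 1; i <= NF; i++)
           if ($i == "client") { ip = $(i + 1); sub(/#.*/, "", ip); print ip; break }
       }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only clients whose MX query count exceeds a threshold (default 5);
# the right threshold depends on how big a log window is being examined.
flag_mx_clients() {
  threshold="${1:-5}"
  mx_query_counts | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Stand-alone run: full ranking, then the clients worth a closer look.
printf '%s\n' "$SAMPLE_LOG" | mx_query_counts
printf '%s\n' "$SAMPLE_LOG" | flag_mx_clients 3
```

A mail server of a customer's own will legitimately top this list, so compare the ranking against the hosts that are expected to be sending mail before treating a high count as an infection.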