Today's Highlights -
- Mydoom.s, yet another MyDoom variant
- Virus detection with Snort
- Switch Port Monitoring
- A New Twist to Phishing Reported
Mydoom.s, yet another MyDoom variant
Conrad Longmore brought to our attention there's yet another new mydoom variant.
The MyDoom variant "MyDoom.S" is being spread en masse this Monday. Suggested is that it might be spread using a bot network created by the previous variant of the MyDoom worm.
The attachment seems to be named "photos_arc.exe".
- update your favorite anti-virus package
- educate your users not to click on attachments
[by Swa Frantzen, standing in for George]
Mydoom.s detection with Snort
For those feeling brave, there are bleeding edge Snort rules availble to detect this latest variant at: http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/WORM_MyDoom.S?rev=1.2&content-type=text/vnd.viewcvs-markup
Thanks to Matt Jonkman for submitting that.
Speaking of Snort, viruses (virii?), and bleeding edge - Will Metcalf has put together a ClamAV preprocessor module for Snort, to alert on network traffic containing code that fires a Clam virus signature:
Switch Port Monitoring
A couple of days ago, I advised someone to monitor switch port activity for indications of unusual activity. For example, seeing a higher than usual frames-per-second count from a host during the wee hours may indicate a host is scanning or serving files. An unusually high number heading to a host may indicate a sniffer, etc. Andy Cuff of Talisker has put together a nice list of config settings for popular switches to make this a little easier:
A New Twist to Phishing Reported
Dan Hubbard of Websense has reported a new trend in phishing:
We are starting to see more and more phishing sites which are not targeting specific financial institutes but are targeting general ecommerce. We have seen "fake" online banks, sporting good stores, and pharmacy's.
* no contact information
* no domain name
* many hosted in China or S Korea.
* no secure ordering process
* reported by thousands of spam engines
Report any phishing attempts you receive to:
--Alastor Moody, Harry Potter and the Goblet of Fire
Aug 17th 2004
|Thread locked Subscribe||
Aug 17th 2004
1 decade ago