RE: [Nolug] Catching a worm?

From: Chris Jones <techmaster_at_gmail.com>
Date: Fri, 28 Mar 2008 16:14:45 -0500
Message-ID: <47ed5fc7.33a0260a.0e98.4934@mx.google.com>

That's pretty cool, I never thought of doing something like that. I'll have to try that.

-----Original Message-----
From: "Dennis Bourn" <dbourn@clkenergy.com>
To: nolug@nolug.org
Sent: 3/28/08 3:18 PM
Subject: Re: [Nolug] Catching a worm?

Chris Jones wrote:
> I was curious what you guys do when you encounter a client that has a
> network worm, but you don't know whose computer has the infection. I
> have a client who keeps getting calls from Cox, stating that there is
> a computer on their network that is sending out tons of spam. Two
> months ago at the meeting we were playing with Cain & Abel, which can
> do ARP poisoning. And although it's an amazingly powerful piece of
> software, it seems to unfortunately be useful for only black hat
> hacking (password stealing)... There's also Ethereal/Wireshark, but
> it seems to be useless on a switched network, unless you can find an
> old crappy hub to put it on, between the switch and the router. I
> honestly don't even know if we have a hub anywhere around here. There
> are some commercial products out there made for this, but they seem to
> start at around $2000. I was just wondering if anybody knew of
> anything good that was open source. ARP poisoning would be a nice
> feature, but I'm guessing that might only be a feature on the black
> hat tools. ;) There are some things like Nessus and Zenoss, but are
> those just for SNMP monitoring? They probably won't sniff for worm
> traffic. I might look into Untangle and see if it offers that
> ability...but I figured I'd see if you guys know of anything else?
> Thanks!
Oh yeah,.. p.s.
build a passive ethernet tap to place just before your gateway instead
of a hub.
http://www.snort.org/docs/tap/

Worm traffic is kind of a mute point. The control traffic is probably
encrypted or obscured in some way or another. Possibly in HTTP or DNS
traffic making it harder to spot during working hours. Just find which
box is sending the spam by watching SMTP traffic.
___________________
Nolug mailing list
nolug@nolug.org

___________________
Nolug mailing list
nolug@nolug.org
Received on 03/28/08

This archive was generated by hypermail 2.2.0 : 12/19/08 EST