obelicks
04-09-03, 01:18 PM
OPEN-SOURCE SOLUTION TO DETECT MENACING WORMS IN LARGE NETWORKS (http://www.extol.com.my/news/warning/other/blaster_detection.htm)
(Subang Jaya, September 3rd 2003) Extol has been receiving numerous reports that there are network congestion problems due to the msblaster worm released in August. Our contacts do not have widespread infection, but as long as one computer on the network is infected, the worm will cause heavy traffic while trying to propagate to infect the network. Msblaster causes heavy traffic on the network because it will only cease its activity once it infects the entire network, causing the RPC failure, which prohibits access to the Internet and application servers. However, msblaster tries to infect machines which cannot be infected either because they have been patched or because they are not running on Windows 2000 and Windows XP operating systems, thus the heavy traffic is caused by the repeated attempts at infecting other machines on the network.
Msblaster is easy to detect with an updated anti-virus; however, it takes a lot of time to detect which computer is infected for customers who have large networks. Extol's Research & Development manager, Mark Vyner, has compiled and written a tool based on Snort (a free IDS tool) and OpenBSD. The tool can run from any computer connected to the network and it will automatically detect which IP addresses are infected by the Msblaster worm. This tool can also detect variants of Blaster like Nachi (aka Welchia), the Sobig family of worms and most Trojans.
The Blaster detection CD has been dispatched to our customers and contacts this morning, Extol will also distribute the CD at their booth at the E-Security Expo and Forum at the Mines this week. The program, which is 151MB, can be downloaded from our website:
http://www.extol.com.my/support/updates/Dload_files/FreeSBIE.ISO
NISER and Meling Mudin, founder and administrator of My-Snort have agreed to assist us by offering alternate download sites at:
http://www.mycert.org.my/other_resources/wormhandling.html
http://my-snort.org/modules.php?name=News&file=article&sid=158
The program is digitally signed, the MD5 hash is e24ddb47d6c0ade80c79b53bbe88735b. It is highly recommended that users who download the program verify the integrity of the download with this key.
Numerous organisations are using this solution to detect and identify the worms in large enterprise networks. The tool identifies the IP addresses of infected hosts using an open-source IDS tool. Network administrators can then locate the infected hosts through a DHCP list or their own IP list. One major bank has successfully reduced their virus-related network congestion to normal levels using our solution.
The tool is simple to use; thus system administrators do not need any experience with the Snort IDS or Unix to operate it. Here are the instructions:
1. Make a CD out of the iso image.
2. Boot a standard PC with the tool.
3. Log in as 'root' (no password required).
4. Type 'tail -f /home/alert'.
It will then display alerts on the screen (if any) if the worms are present on the network. However, in a switched network, system administrators are required to mirror the ports. Instructions to do so should be obtained from the relevant switch vendors.
This tool is free, very user-friendly and effective for network administrators to locate worms.
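The procedure above ends with an administrator watching `tail -f /home/alert` and then looking each noisy IP up in a DHCP list by hand. As an added example (not part of Extol's CD or Snort itself), the following script does that triage step over Snort "fast"-format alert lines: it counts alerts per source address and joins the result with a DHCP lease export. The alert lines, rule ids, hostnames and the `/home/alert` layout assumed here are constructed sample data, not Extol's actual signatures.

```shell
#!/bin/sh
# Summarise Snort fast-format alerts (e.g. the /home/alert file on the live CD)
# into a per-source-IP count so the busiest, probably infected, hosts can be
# matched against the DHCP lease list. All sample data below is CONSTRUCTED.

SAMPLE_ALERTS='09/03-09:12:01.101010  [**] [1:900001:1] SAMPLE Blaster RPC DCOM attempt [**] [Priority: 1] {TCP} 10.0.5.23:1301 -> 10.0.5.24:135
09/03-09:12:01.201010  [**] [1:900001:1] SAMPLE Blaster RPC DCOM attempt [**] [Priority: 1] {TCP} 10.0.5.23:1302 -> 10.0.5.25:135
09/03-09:12:01.301010  [**] [1:900001:1] SAMPLE Blaster RPC DCOM attempt [**] [Priority: 1] {TCP} 10.0.5.23:1303 -> 10.0.5.26:135
09/03-09:12:02.001010  [**] [1:900002:1] SAMPLE Welchia ICMP sweep [**] [Priority: 2] {ICMP} 10.0.7.9 -> 10.0.5.27
09/03-09:12:02.101010  [**] [1:900002:1] SAMPLE Welchia ICMP sweep [**] [Priority: 2] {ICMP} 10.0.7.9 -> 10.0.5.28'

# Constructed DHCP lease export: "ip hostname" pairs, one per line.
SAMPLE_LEASES='10.0.5.23 acct-pc-17
10.0.7.9 lab-ws-04
10.0.5.24 fileserver'

# Read alert lines on stdin, print "count ip" per source address, busiest first.
# The source is the token just before "->". ICMP alerts carry no port, so an
# optional ":port" suffix is stripped rather than assumed to be present.
alert_sources() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i-1); sub(/:[0-9]+$/, "", src); n[src]++ } }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Read "count ip" lines on stdin and append the DHCP hostname from the lease
# file given as $1 (or "unknown" when the address has no lease).
name_hosts() {
  awk 'NR == FNR { host[$1] = $2; next }
       { h = ($2 in host) ? host[$2] : "unknown"; print $1, $2, h }' "$1" -
}

# Run over the constructed data: lease table goes to a temporary file.
lease_file=$(mktemp)
printf '%s\n' "$SAMPLE_LEASES" > "$lease_file"
printf '%s\n' "$SAMPLE_ALERTS" | alert_sources | name_hosts "$lease_file"
rm -f "$lease_file"
```

On the live CD the same pipeline would read the real file, e.g. `alert_sources < /home/alert | name_hosts leases.txt`, so the top of the output is the first host to pull off the network.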