Home page logo
/

nanog logo nanog mailing list archives

Re: Blackworm hunbers
From: Martin Hannigan <hannigan () world std com>
Date: Wed, 25 Jan 2006 19:26:05 -0500 (EST)


Well, let's hope we can watch the Super Bowl in peace -- I'm
turning my pager & cell phone off anyways. :-)

I'm going for Steelers. You? I've got a couple of fresh 
Maine Lobsters and Union Oyster House chowdah to put up 
if you're interested in a wager.

[ Removed my name from the subject. I like it in lights, but
  I've had enough for today! :-) ] 

In any event, as Alex Eckelberry writes over on the Sunbelt
Software blog, "...we’re now seeing infestations for the
Blackworm worm (aka KamaSutra) getting close to 2 million.

"Yesterday it was at close to 700k. 

"Of course, it’s possible that this URL has gotten out to
the public, which would increase the count (simply hitting
the website increments the count by one).  However, to my
knowledge, this URL is only known in the security community.

The URL is out all over the place.

"Remember that this worm has a very destructive payload. Even
if you discount the number here, you’re still looking at a
significant number of people who will suffer potentially
devastating data loss."

I couldn't agree more.

People without A/V? How sad can you feel? I don't want anyone
to lose data, but I bet a bunch of people by A/V as a result.
That's good.

Check out this story where it was downplayed:

http://www.eweek.com/article2/0,1895,1915070,00.asp

http://isc.sans.org/blackworm
Further, our reports lead to a SANS ISC temporary URL's for each AS.

http://isc.sans.org/diary.php?storyid=1073 - but really, do you
consider this to be a huge issue that we should prepare to be on
call over? 

Sans, http://isc.sans.org/infocon.php and Symantec, http://www.symantec.com/index.htm  , are both at their normal 
threat levels.

The point I was trying to make before the thread went, East?, was 
that there is a perceived problem in the security community with 
approrpriate response. I'd tell you how I think that could have
been avoided, but then my name would go up in the subject again.
*cough full disclosure* 

Off the top of my head I think the security trust landscape
today looks like this. I base this on participation, people
I know participating, comments I hear at the NANOG water bubbler,
etc. and they are nothing but personal opinions.

SANS - Trusted, good reputation growing
NSP-SEC - nuetral since it's a collective of people+groups
skitter15 - untrusted, but trusted when info leaks. (too long to explain)
PSIRT - trusted, borderline. 
US-CERT - trusted for NA matters, w/other certs
UK-CERT - trusted for EU matters, w/other certs
IL-CERT - no comment
DA - untrusted
TISF - untrusted, new, etc.
CERTs at large - Nuetral, has to be case by case
Carrier Security Groups - Trusted for matters of their own
MSS - Neutral
AV - Trusted
Software Vendors - Neutral
Hardware Vendors - Untrusted, case by case 
        Force 10 - Trusted
        Juniper - Trusted
        Cisco - Nuetral, case by case
Team-Cymru - Trusted case by case
SecuriTeam - Untrusted, untested

This isn't a popularity contest, so I'll leave individuals
off of my list, but you can probably guess who in most cases
including using some of the notes above.

-M<


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]