Security Incidents mailing list archives
FW: PPark (was: Win 95 Question)
From: viha () CRYPTLINK NET (Ville)
Date: Fri, 25 Feb 2000 15:20:04 +0200
Hello. I noticed some of our servers were mentioned in a posting concerning PrettyPark. Here is a bit of information that might be of interest to the list readers. ...Unless it is moderated out like the rest of my messages do seem to be. *groan*
From nanog (heavily clipped):
On Fri, 25 Feb 2000 Valdis.Kletnieks () vt edu wrote: [ ... lots of text deleted ... ]
If ISPs and users had clues, we wouldn't have as big a potential DDoS problem. Oh, and this just in:
Notably users.
I'm currently trying to deal with PPark (PrettyPark, a Windows
virus|trojan). It automatically spreads itself via e-mail and
keeps gaining more and more infections by the day. It is nasty.
It wouldn't be much of my cake, but the virus unfortunately has
been set to connect to one of the servers I administer to
receive attack-coordinates and all that (the server refuses
them right after they have been succesfully identified on
connect).
Doesn't sound quite nasty? It is - just to put people on the
scale, we have _ninety-thousand_ unique hosts rapidly
connecting to our server and practically bringing the server's
accessibility down to its knees.
If 90 000 of them opening a connection to server can do that, I
must wonder what is their practical efficiency if people were
to ever have control over them and use them for malicious
purposes.
Some weeks ago, I did a compilation of ISPs/TLDs involved. I,
however, stripped the hostnames out to protect the innocent and
to stop people from misusing that information.
Brief stats are available at
http://www.vip.fi/~viha/Stats/PPark_ISP.txt and
http://www.vip.fi/~viha/Stats/PPark_TLD.txt
These are Windows-hosts, not running any virus-detection by the
looks of it. Some quotes might include --
% cat PPark_ISP.txt | egrep -i "\\.(gov|mil|int)"|head -3
10 navy.mil
4 nih.gov
4 army.mil
% cat PPark_ISP.txt | head -3
4389 aol.com
4172 hinet.net
1732 com.sg
Oh, before you suggest routing them to null - be warned we have
tried a few things. We were quite lucky and most of the ways
we tried only showed us a quick way to a table overflow...
As for contacting antiviral-companies, the one we were in
contact with didn't show much but the compulsory 'I see.'
Valdis Kletnieks
--
IPv6 Solutions | Security Coordination
Ville(viha () cryptlink net, "Cryptlink Networking");
Current thread:
- FW: PPark (was: Win 95 Question) Ville (Feb 25)
- Re: FW: PPark (was: Win 95 Question) Brett Glass (Feb 26)
- Re: FW: PPark (was: Win 95 Question) Ville (Feb 26)
- Re: FW: PPark (was: Win 95 Question) Ron Gula (Feb 28)
- Re: FW: PPark (was: Win 95 Question) Russell Fulton (Feb 28)
- Re: FW: PPark (was: Win 95 Question) Brett Glass (Feb 28)
- Re: FW: PPark (was: Win 95 Question) Ville (Feb 26)
- Re: FW: PPark (was: Win 95 Question) Brett Glass (Feb 26)
