Blackworm hunbers [Was: Re: Martin Hannigan]

Well, let's hope we can watch the Super Bowl in peace -- I'm
turning my pager & cell phone off anyways. :slight_smile:

In any event, as Alex Eckelberry writes over on the Sunbelt
Software blog, "...we�re now seeing infestations for the
Blackworm worm (aka KamaSutra) getting close to 2 million.

"Yesterday it was at close to 700k.

"Of course, it�s possible that this URL has gotten out to
the public, which would increase the count (simply hitting
the website increments the count by one). However, to my
knowledge, this URL is only known in the security community.

"Remember that this worm has a very destructive payload. Even
if you discount the number here, you�re still looking at a
significant number of people who will suffer potentially
devastating data loss."

I couldn't agree more.

Cheers,

- ferg

ps. http://sunbeltblog.blogspot.com/2006/01/blackworm-worm-over-18-million.html

http://isc.sans.org/blackworm
Further, our reports lead to a SANS ISC temporary URL's for each AS.

The last time SANS felt something was so serious they needed all
of NANOG to dance, they came out and said so. That's their handlers
diary. I read it. A lot of people read it. It's well balanced and
usually on target. Just like that. It's not alarmist. It seems
fairly certain that as long as Symantec et. al. do their thing, we
will be able to watch the superbowl in peace.

[snip]

The SANS diary suggests that the requests from the worm itself are quite
distinctive, so it should be possible to spot idle curiousity, search bots,
and other interested parties from the worm itself.

Of course it may be that the monitoring of the traffic isn't subtle enough to
distinguish between these two types of traffic.

Occurs to me that 700,000 Windows reinstalls in a day is probably about
average given market share, and reliability of the OS, so 700,000 thousand
extra is probably just a busy day. Might be a peak in demand for Windows
updates afterwards.

The talk of antivirus tools are misplaced, the correct tool to deal with
something like this is a good back-up, but for too long people have sold PCs
for end users without any backup service at all.

My home desktop has a tape backup unit (and RAID 1). I just wish I could be so
confident about every desktop we use at work.

As Bill Hassell signature said....

"There are two types of computer users in the
world...those that have lost data, and those
that are going to." (blh, circa 1972)