dealing with w32/bagle

Just for information - may be useful for someone.

Task - we determined, that few infected machines was connected to one of our
offices few days ago.
They run one of this viruses, which generated a lot of scans and created
sugnificant traffic (but traffic was not
big enough to rais alarm on outgoing gateway). Activity was short.

Computers are not connected in the time of investigation.

IDS system and Cisco logs was not active in this office (few tricks with
Cisco ACL's and logs allows to detect many viruses instantly; good IDS
systems can do it as well).

- get all port statistics from switch (using SNMPGET and using simple
'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands
from shell file;
- remove all ports with traffic less than some threshold;
- calculate IN/OUT packets ratio for the rest of ports;
- find ports, where IN/OUT ratio (IN - to switch) > 6;
- in this ports, find ports with average packet size < 256 bytes;

It shows all ports with infected notebooks (even if notebook was connected
for a half of day).

PS. Of course, after this few additional monitoring tools was installed, and
we added _all_ switches and _all_ ports to 'snmpstat' monitoring system (it
allows to see a traffic in real time, and analiz historical charts,
including such things as packet size).

I love SCP/SSH, and so does everybody else around here, to the point where
we're slowly stamping out the last remnants of telnet and non-anonymous FTP.

I might want to send you a file, but you probably don't want to give me a
userid on the machine you'll receive it on, and I probably don't want to give
you a userid on my laptop.... Somewhat limits the options for the general

** Reply to message from JC Dill <> on Fri, 05 Mar
2004 00:11:48 -0800

yes, ultimately you end up falling back on http or some traditional form
of ftp, but for intermediate cases, i've had good luck using rssh in
chroot mode at customer sites where there is a need to provide
carefully constrained, secure access.