Wouldn't it be fun if it contained the WMF exploit in some form?
So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?
-Wil
Wil Schultz wrote:
Wouldn't it be fun if it contained the WMF exploit in some form?
So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?-Wil
All the popular domains known we have puched out a global rule to our customers to block those domains and we are blocking those domains on the aggregate circuits/routers as a secondary precaution. I plan to check a few times tomorrow to see if any of those domains that aren't registered yet actually show up and possibly use netflow also.
I'm sutting PCs down and going on vacation for a while. Seriously. 
TIA to those of you working to protect your customers and therefore other systems as well.
-Jim P.
FYI: I've set some traps on our DNS servers, dunno exactally what this means but I thought that I should share:
Jan 5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
Jan 5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX
These are the only two logs I have at this point. And I don't recall any other Sober searching for an email server.
-Wil
Wil Schultz wrote:
Here is some more interesting information. I'm not positive this is Sober.Z related but it's walking like and talking like a duck.
First I see the below DNS requests, shortly after I see many SMTP packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Progegy, etc.... Looks like it's... Sending SPAM?!?!
This I didn't expect at all, here is a trace from one of the known infected users: