I manage a number of networks and routinely review the penetration attempts
from external sources. It has become apparent that there is a significant
number of personal computer systems 'out there' that have been compromised
by a virus or worm and are now attempting to compromise other systems,
including those under my control.
This observation has been triggered by an order of magnitude increase in
netbios probes in the past month, presumably from a new variation on a
netbios worm or virus.
The fact that a large number of external systems have been compromised is
interesting, and that these systems are trying to exploit mine is also
interesting. However, the most interesting thing about this rash of virus
driven exploits is that it makes the compromised machines many times more
visible than they might otherwise have been.
My logic is that if I have had an exploit attempt against me, then the
exploiter is vulnerable. A simple log and a script can then do their worst,
from simply planting a new worm/virus, through to destroying the attacking
machine.
The risk is simple. An attacking worm or virus, even though benign, can
trigger a much worse outcome for the attacker from a counter-measure hosted
on an attacked system.
I expect that there will shortly be three classes of counter-measures
created to exploit any highly visible worm/virus.
1. A sterilising counter-measure that destroys the infection on the
attacking machine
2. A benign counter-measure that infects an attacking machine with a
different virus/worm and lets it carry on
3. A destructive counter-measure that simply destroys the machine that is
attacking
A secondary, but perhaps more interesting outcome is that infected machines
advertise themselves with great vigour. This means that if your machine is
infected with one of the current worms then you not only have the problem of
unwanted software running on your system, but you have a bright beacon
flashing over your computer saying 'come here and read all my information,
because I have no security running'. From an estimation of damage that
could be caused, financially or otherwise, I expect that the advertising
will be far more damaging than any trivial loss of computer or service.
Jeremy ["Jeremy" via risks-digest Volume 21, Issue 09]
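As an added, defender-side example that is not part of Jeremy's post: a small Python check over constructed firewall log lines that counts the distinct hosts probing NetBIOS ports each month and flags the order-of-magnitude jump the post describes. The log line format, the regex and every address are assumptions; adapt the pattern to your own firewall's output.

```python
"""Spot an order-of-magnitude jump in NetBIOS probe sources across two months.

Added example, not from the original RISKS post. The log format and all
addresses are constructed; adapt LINE_RE to your own firewall's format.
"""
import re
from collections import defaultdict

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services

# One dropped-packet line per probe; this format is an assumption.
LINE_RE = re.compile(
    r"^(?P<month>\d{4}-\d{2})-\d{2} \S+ DROP src=(?P<src>\S+) .* dpt=(?P<dpt>\d+)$"
)


def netbios_sources_by_month(log_lines):
    """Return {YYYY-MM: set of source IPs} for probes aimed at NetBIOS ports."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and int(m.group("dpt")) in NETBIOS_PORTS:
            seen[m.group("month")].add(m.group("src"))
    return dict(seen)


def surge(sources_by_month, prev, curr, factor=10):
    """Return (flagged, before, after): flagged when the number of distinct
    probing hosts grew by at least `factor` between the two months."""
    before = len(sources_by_month.get(prev, ()))
    after = len(sources_by_month.get(curr, ()))
    return after >= factor * max(before, 1), before, after


# Constructed sample: two NetBIOS sources in September, twenty in October,
# plus one unrelated port-80 probe that must be ignored.
SAMPLE_LOG = [
    "2001-09-03 03:12:44 DROP src=203.0.113.7 dst=192.0.2.10 proto=UDP dpt=137",
    "2001-09-03 03:12:45 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=139",
    "2001-09-18 11:08:51 DROP src=203.0.113.9 dst=192.0.2.11 proto=TCP dpt=139",
    "2001-09-20 09:47:13 DROP src=198.51.100.22 dst=192.0.2.10 proto=TCP dpt=80",
] + [
    f"2001-10-{d:02d} 00:15:31 DROP src=198.51.100.{d} dst=192.0.2.10 proto=TCP dpt=139"
    for d in range(1, 21)
]

if __name__ == "__main__":
    by_month = netbios_sources_by_month(SAMPLE_LOG)
    flagged, before, after = surge(by_month, "2001-09", "2001-10")
    print(f"NetBIOS probe sources: Sep={before} Oct={after} surge={flagged}")
```

Counting distinct sources rather than raw packets is what separates a new batch of infected hosts from one noisy scanner.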