Day in the Life of the Internet Storm Center
An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSe Linux, a practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybody's favorite packet analyzer Ethereal."
Windows 98 has largely been ignored by the virus writers for the past two years... The worms this year that took down my school district's entire network of w2k machines didn't harm the Windows 98 machines at all!
Nothing on that link tells you how the product works.
The closest I read was "Deep Freeze instantly protects and preserves original computer configurations" which reads to me that it's kind of like Ghost, except it keeps an image local on the HDD?
If so, I'd shy away from phrases like "Completely invulnerable to hacking".
XP's system restore feature gives you the same functionalities, if it's used properly (of course, it never is). I'm in the habit of making a save point before I do anything that could potentially bork my machine (testing some new driver tweak, etc), and have rolled back successfully on more than one occasion.
I don't need no instructions to know how to rock!!!!
only if you are crazy enough to run wine with elevated privileges.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
From the article:
"It's amazing how these virus writers get such small code," Ullrich says. "They should be working for some of the commercial code vendors."
Why not: s/should/could
And for the conspiracy-minded: s/working for/commanded by
Really twisted addon to the latter: s/code vendors/anti-virus vendors
Another episode in "preaching to the converted".
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
True.
However, if anyone out there is running a honeypot as a hobby or are new to setting them up, some good advice on a more secure Windows configuration can be found here. Specifically, it details how to cripple DCOM using a hex editor and reconfiguring other networking services. Good advice, even if you don't use their product. Be careful, you may lose some desktop functionality.
See, I have this co-worker who constantly fucks up his machines. He's supposed to be a programmer/analyst/tech support guy just like me (small company, you wear a lot of hats), but every time something comes up, I have to handle it because his computer is broken.
"I can't build a working EXE, my Visual Studio is screwed up!" "I can't dial into that customer, because my modem isn't working" "I can't VPN in because my computer crashes when I fire up the Cisco client".
He's incompetent, but I'm dubious he's this incompetent. I traded him the machine in my office when I got a new one; everything worked perfectly. A week later, his VPN and Visual Studio are broken. I really don't have the time to keep rebuilding his machine for him. Of course, he claims he doesn't know how to reinstall Office or VStudio, etc.
I think he does it so he won't have to do actual work. I end up doing everything because he always has an excuse. When he's on site, his laptop is broken, so he has to phone in all the code changes he wants, I have to do it, cut an EXE and email it out. Of course, it's double bonus for him. Anything he fucks up on site, he can just blame me for, since I'm actually doing the work remotely.
It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cat's ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper; we open at 9. Sheesh).
Anyhow, this sounds like a decent product. I'm downloading the evaluation version now. I'll reinstall his machine one last time, ghost it, install this. Next time I hear "I can't dial in because my modem is screwed up", I'll reboot his box and it'll be fixed.
I don't need no instructions to know how to rock!!!!
From the article...
Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react.
That's a neat trick.
I guess they mean "ping" as in "connected to a TCP or UDP port in some manner", and not the usual "send ICMP ECHO_REQUEST", which I don't believe has anything to do with "ports".
Ah, journalism.
What were the skies like when you were young?
It's pretty good. I couldn't get around it in Windows after they blocked real mode programs. Before that I had to crack the BIOS password and then boot Knoppix, then delete key files. And sometimes the fucker still came back.
So from my independent analysis, I'd say DeepFreeze is good. I haven't done any code-tracing, though, so I don't know if some buffer overflow would ruin the whole thing. It wouldn't surprise me, though.
Closed source is what it is.
My other car is first.
Just to add to what the others have said, my father also runs a school computer lab, and I fix things for him when I come home to visit every couple months. He is a drafting teacher close to retirement and knows CAD software inside and out but less so when it comes to administrating the network etc, although he is still picking things up. Oh and the school district's computer people are incompetent.
We use DeepFreeze in the lab and it works very well. I have yet to find or hear about any way for the student to mess up the machine as long as it boots off of the drive that DeepFreeze is installed on. Hanging out in script kiddy channels I heard a lot of people asking how to hack DF, but no one had any answers, other than boot disk. So if you disable booting from CDROM and floppy in the BIOS and use a BIOS password, then short of opening the case or figuring out your password, there is really no way that the user can mess things up.
-jackson