On sale now!

A multi-volume chronology and reference guide set detailing three years of the Mexican Drug War between 2010 and 2012. Rantburg.com and borderlandbeat.com correspondent and author Chris Covert presents his first non-fiction work detailing the drug and gang related violence in Mexico. Chris gives us Mexican press dispatches of drug and gang war violence over three years, presented in a multi volume set intended to chronicle the death, violence and mayhem which has dominated Mexico for six years.

Click here for more information

On Sale Now!

The threat of civil war hangs over an isolated ficticious southeastern Oklahoma town.

Rantburg.com and Borderlandbeat.com correspondent and author Chris Covert presents Newtonville, his first, epic novel of love and betrayal set in the turbulent late 1960s. Click here to buy

Anatomy of a New SpamBot
2006-06-11
Posted by: badanov

We haven't had a nice Unix story in a while, so here goes.

Quote:

As always learning lessons is the most important part of handling incidents. Anti-virus doesn't do much for you when the malware is not detected obviously. So we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absense of an IDS could do this trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. The blocking of the traditional sites using a hosts file is also a good thing to build monitoring for. If it gets used you know there's something going on and a second look wil be well spent effort.

We run Windows less and less as time goes by. When we were working for our family's company we did have a WinXP SP2 box, in which we ran the Windows Firewall, a silly piece of software which will block inbound connections but not the outbound ones.

The lesson here is simple: Spam is a terrible plague. And Win XP having incorporated raw Unix internet sockets into its kernal has help tremendously with the spread of spam. If you want to help stop spam and spambots, kill every outbound connection you don't need and those you do need constrict them to the specific sites you use.

On every FreeBSD box we use we use a default deny ruleset, which means nothing goes in or out, not even via the local loop ( lo0 ) without a specific rule permitting it. While that may not be feasible on Windows type firewalls it is still a good rule of thumb.

Watch those outbound connections.

If you have something to add, Fire Away!

Number of Comments so far: 0

Click here for a list of stories in the Unix and Computer category