Worm
Once, the network at my company got infected by a kind of worm that was somehow transmitting and downloading something (likely a virus or spyware) from the net. The only way we could be sure that it would not transmit confidential data was by unplugging the modem cable. It takes about two weeks before there are tutorials on how to remove it.
Comments
Most worms I encountered were spamming. The mode of operation is usually lying dormant for a while, then sending a burst of traffic, then lying dormant again. It is very difficult to spot them all that way when watching in real time. Looking for outgoing connections to port 25 at the firewall, and keeping a log, works more reliably. Blocking outgoing port 25 is best, but not always practical.
Another activity commonly encountered is scanning the network. Watching for ARP traffic, i.e. a machine querying for machines it should not be asking to contact, provides telltale clues here; as ARP queries are broadcasts, the monitoring can be done from any machine on the LAN.
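The two checks from this comment written out as an added example (not code from the original post): it aggregates constructed firewall and ARP log lines, whose formats are assumptions (iptables LOG style and tcpdump style), and flags hosts that open outbound port-25 connections to too many distinct peers or ask ARP for too many distinct addresses.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (iptables LOG-style fields are an assumption).
FW_LOG = """\
Mar 03 10:00:01 fw kernel: OUT SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=25
Mar 03 10:00:01 fw kernel: OUT SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=25
Mar 03 10:00:02 fw kernel: OUT SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=25
Mar 03 10:00:02 fw kernel: OUT SRC=10.0.0.5 DST=198.51.100.8 PROTO=TCP DPT=25
Mar 03 10:00:03 fw kernel: OUT SRC=10.0.0.7 DST=10.0.0.2 PROTO=TCP DPT=25
Mar 03 10:00:04 fw kernel: OUT SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=443
"""

# Constructed sample ARP capture (tcpdump-style "who-has ... tell ..." lines).
ARP_LOG = """\
10:00:05.100 ARP, Request who-has 10.0.0.21 tell 10.0.0.9, length 28
10:00:05.101 ARP, Request who-has 10.0.0.22 tell 10.0.0.9, length 28
10:00:05.102 ARP, Request who-has 10.0.0.23 tell 10.0.0.9, length 28
10:00:05.103 ARP, Request who-has 10.0.0.24 tell 10.0.0.9, length 28
10:00:06.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28
"""

FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")
ARP_RE = re.compile(r"who-has (\S+) tell (\S+),")

def smtp_talkers(log_text, max_destinations=2):
    """Internal hosts opening outbound port-25 connections to more distinct
    peers than a workstation should (normally only the mail server relays)."""
    dests = defaultdict(set)
    for m in FW_RE.finditer(log_text):
        src, dst, dport = m.groups()
        if dport == "25":
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) > max_destinations}

def arp_scanners(capture_text, max_targets=3):
    """Hosts whose ARP requests ask for more distinct addresses than normal
    traffic needs; visible from any LAN host because requests are broadcast."""
    targets = defaultdict(set)
    for m in ARP_RE.finditer(capture_text):
        target, asker = m.groups()
        targets[asker].add(target)
    return {h: len(t) for h, t in targets.items() if len(t) > max_targets}

if __name__ == "__main__":
    print("suspected spam senders:", smtp_talkers(FW_LOG))
    print("suspected ARP scanners:", arp_scanners(ARP_LOG))
```

The thresholds are deliberately low for the tiny sample; on a real log they should be set from a baseline of what each host normally does over a day, since the bursty behaviour described above only shows up when counts are accumulated over time.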