
Re: Something fishy is going on



Warning: New Distributed Denial of Service attack on the loose!

Synopsis: In a dastardly clever (yet simple) scheme, a new DDOS is
attacking Linux newsgroups at an increasing rate. Artfully designed to
capitalize on user paranoia following the massive hype surrounding the
"Code Red" family of worms, this program simply startles the user by
having a fish swim across their desktop at some unpredictable time. Upon
receiving this signal, the PC user will respond in one of three modes,
depending on the time of day:

Sleep mode: If the victim is infected late at night, the user will
attribute the apparition to too much caffeine and not enough sleep.
Result: user sleeps indefinitely.

Propagation mode: If the user is infected during the workday, the user
will attempt to reproduce the phenomenon, possibly on neighboring
systems.

Attack mode: If infected during the late afternoon or evening, the user
will transfer an SMTP message to a mailing list. The result is to trigger
a small transfer of data on said list as other clients attempt to handle
the data.


Although the attack mode is of low traffic, we anticipate that the
cumulative result of many thousands of clients will eventually bring the
Internet to a halt.

The client behavior after the attack is currently unresearched. A group
is studying the possibility of constructing a fishbowl, so that more
detailed analysis may be conducted.


Suggested Snort rules:
alert tcp any any -> $HOME_NET 25 (msg:"Wanda Infection detected!"; content:"fish";)
alert tcp any any -> $HOME_NET 25 (msg:"Wanda DDOS response detected!"; content:"Gnome Easter Egg";)

Remedy:
Applying procmail rules to filter the initiating email may help limit
the response to the email probe message. Unfortunately, this will not be
effective unless adopted on a wide scale.


</funny>

--Rich


burningclown@westhost43.westhost.com wrote:
> 
> Jeez, this has popped up on the list A LOT lately ... check the
> archives.
> 
> It's an apparently harmless Gnome "Easter Egg." Poor Wanda has come in
> for a lot of paranoia the last month or so! :)
> 
> Glenn Becker
> 

-- 

_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
_________________________________________________________


