The SANS Institute has been accepting reports of scanning activity on port
3128. It seems this is caused by a fairly sophisticated network virus.
On our lightly-loaded Squid (we don't enforce its use), recently about
30% of all access was denied (i.e. from offsite). No-one has asked
to subscribe to our cache, so it looks like this activity might
all be attributed to RingZero or other scanning activity.
One possibility, I suppose, is to move from 3128 to another port...

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
http://andrew.triumf.ca/andrew

---------- Forwarded message ----------
Date: Sun, 14 Nov 1999 16:02:07 -0700 (MST)
From: The SANS Institute <sans@sans.org>
To: Andrew Daviel <advax@triumf.ca>
Subject: SANS First Tuesday Announcement for November Webcasts

This note announces the November "First Tuesday" web broadcast. It's
a bit late this month due to rewriting of the registration software to
eliminate the requirement to re-register each month.
Please send any comments -- particularly problems -- to <kolstad@delos.com>
so I can resolve them. This new registration system uses the new fancy
software that should ease accessing all of our resources.
SANS is offering two presentations this month:
* The Hunt for RingZero
If you have been following the SANS reports, then you already know
that during late September 1999 a lot of scanning activity was
detected on ports 80, 8080, 3128. The SANS community was instrumental
in collecting and analyzing the Trojan software used to launch these
scans. John Green, leader of the DOD Shadow intrusion detection team,
recounts the story of the hunt and analysis and will bring us up to
date on the latest information and provide his analysis of the
implications of this attack.
* The CVE Project
This is a second Webcast on another community effort, the Common
Vulnerability and Exposures project. Led by Mitre's Steven Christey
and David Mann who narrate the webcast, CVE brings together
researchers, leading industry vendors and practitioners to develop
a common language for describing vulnerabilities and a consensus list
of vulnerabilities and exposures. CVE is our best chance of having
different vendors' intrusion detection and vulnerability scanners
interoperate. Learn what CVE is and isn't, the challenges the project
faces and how you can use what has been developed and get involved
to make it even better.
Here is the information you need to listen to the November presentations:
When: Any time from now through November 30.
Duration: under one hour for each presentation
Cost: Free
URL: http://www.sans.org/sansgate
Visit the SANS presentation gateway at http://www.sans.org/sansgate to
type in your previous UserName/Password (or be reminded of them if you
previously registered and remember either your UserName or e-mail address
used for registration). It is easy to register for a new UserName and
Password if you don't already have one.
Please send us feedback at <info@sans.org> about the presentations so
we can continue to improve.
Rob Kolstad
SANS Program Manager
Rob Kolstad The SANS Institute sans@sans.org 301-951-0102
Received on Thu Nov 18 1999 - 12:22:54 MST
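
As an added example (not part of the original message or the forwarded announcement): one way to measure the share of denied offsite requests that the message describes, read from Squid's native access.log. The local prefix, the client addresses and the log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the site's own address range (192.0.2.0/24 is a documentation prefix).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
942620401.120     85 192.0.2.10 TCP_MISS/200 4312 GET http://www.example.org/ - DIRECT/www.example.org text/html
942620403.377      2 192.0.2.10 TCP_HIT/200 812 GET http://www.example.org/logo.gif - NONE/- image/gif
942620433.507      3 198.51.100.23 TCP_DENIED/403 1046 GET http://www.example.com/ - NONE/- -
942620434.012      2 198.51.100.23 TCP_DENIED/403 1046 GET http://www.example.com/ - NONE/- -
942620450.891    140 192.0.2.44 TCP_MISS/200 9120 GET http://www.example.net/ - DIRECT/www.example.net text/html
942620451.030      1 192.0.2.44 TCP_DENIED/403 1020 CONNECT mail.example.net:25 - NONE/- -
942620460.254     61 192.0.2.10 TCP_MISS/304 214 GET http://www.example.org/a.css - DIRECT/www.example.org -
942620471.666      2 203.0.113.77 TCP_DENIED/403 1046 GET http://www.example.com/ - NONE/- -
942620480.100     97 192.0.2.51 TCP_MISS/200 2200 GET http://www.example.org/b - DIRECT/www.example.org text/html
942620481.400      4 192.0.2.51 TCP_HIT/200 600 GET http://www.example.org/c.gif - NONE/- image/gif
"""

def is_local(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError if not an IP address
    return any(ip in net for net in LOCAL_NETS)

def summarize(lines):
    """Return (total, denied_offsite, share, per-client Counter)."""
    total = denied_offsite = 0
    sources = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, action = fields[2], fields[3].split("/")[0]
        try:
            local = is_local(client)
        except ValueError:
            continue  # client logged as a hostname rather than an address
        total += 1
        # Denials for local clients are ACL hits, not offsite probing.
        if action == "TCP_DENIED" and not local:
            denied_offsite += 1
            sources[client] += 1
    share = denied_offsite / total if total else 0.0
    return total, denied_offsite, share, sources

if __name__ == "__main__":
    total, denied, share, sources = summarize(SAMPLE_LOG.splitlines())
    print(f"{denied}/{total} ({share:.0%}) denied from offsite: {dict(sources)}")
```

Sorting the per-client counter shows whether the denials come from a few persistent sources or from many addresses with one or two requests each, which is the pattern to expect from a scan.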