Tracking Worms with StealthWatch
While worms seem to be less prevalent than they were in the past, we do still see them appear now and then. Over the past few months we've seen Morto spreading over RDP (3389/tcp) and Duqu over SMB (445/tcp) rear their heads.
Luckily, flow data lets us identify infected hosts within the network. With Morto, we can simply look for scanning of the RDP port. Ideally you'll have some Dark IP subnets or ranges within your network (allocated address space with no live hosts), which makes this a little easier if you don't currently use Lancope's StealthWatch: no legitimate client has a reason to connect there, so incomplete sessions to those ranges become a red flag. For Duqu, we can use the same types of mechanisms over the SMB port, but understand that this won't identify all of the potential Duqu propagation, as the worm also used mail clients to redistribute itself.
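To make the flow-based approach concrete, here is an added example (not code from the original post and not StealthWatch's own logic) that runs the two checks described above over NetFlow-style records: it counts incomplete sessions (SYN seen, no ACK) per source on the RDP and SMB ports, flags a source that probes many distinct hosts, and separately flags any source that touches an assumed Dark IP range. The flow records, the Dark IP ranges and the thresholds are all constructed for the illustration.

```python
"""
Flag hosts scanning RDP (3389/tcp) or SMB (445/tcp) from NetFlow-style records.
Added example; the flow records and Dark IP ranges below are constructed, not real data.
"""
import ipaddress
from collections import defaultdict

# TCP flag bits as packed into the NetFlow v5/v9 tcp_flags field (OR of all packets in the flow)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Ports the post associates with each worm
WORM_PORTS = {3389: "RDP (Morto)", 445: "SMB (Duqu)"}

# Assumed Dark IP space: ranges routed internally but with no legitimate hosts,
# so any flow toward them is suspect (constructed values).
DARK_RANGES = [ipaddress.ip_network("10.250.0.0/16"),
               ipaddress.ip_network("192.168.99.0/24")]


def is_dark(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARK_RANGES)


def is_incomplete(flow: dict) -> bool:
    """A client-side flow that carried a SYN but never an ACK never finished the handshake:
    the peer is absent (dark space), refused, or filtered. Scanners produce these in bulk."""
    return bool(flow["tcp_flags"] & SYN) and not (flow["tcp_flags"] & ACK)


def find_scanners(flows, min_unique_dsts=10, min_dark_dsts=1):
    """Return {src_ip: {port, service, unique_dsts, dark_dsts, reason}} for sources that
    opened incomplete sessions to many distinct hosts on a worm port, or to any host
    in Dark IP space. Thresholds are assumed; tune them to your network."""
    incomplete = defaultdict(set)   # (src, port) -> distinct destinations with no handshake
    dark_hits = defaultdict(set)    # (src, port) -> distinct Dark IP destinations
    for f in flows:
        if f["proto"] != 6 or f["dst_port"] not in WORM_PORTS or not is_incomplete(f):
            continue
        key = (f["src_ip"], f["dst_port"])
        incomplete[key].add(f["dst_ip"])
        if is_dark(f["dst_ip"]):
            dark_hits[key].add(f["dst_ip"])

    findings = {}
    for (src, port), dsts in incomplete.items():
        dark = dark_hits.get((src, port), set())
        reasons = []
        if len(dsts) >= min_unique_dsts:
            reasons.append(f"{len(dsts)} incomplete sessions to distinct hosts on {port}/tcp")
        if len(dark) >= min_dark_dsts:
            reasons.append(f"{len(dark)} Dark IP host(s) probed on {port}/tcp")
        if reasons:
            findings[src] = {"port": port, "service": WORM_PORTS[port],
                             "unique_dsts": len(dsts), "dark_dsts": len(dark),
                             "reason": "; ".join(reasons)}
    return findings


def flow(src, dst, port, flags, proto=6):
    """Build one unidirectional (client to server) flow record."""
    return {"src_ip": src, "dst_ip": dst, "dst_port": port, "proto": proto, "tcp_flags": flags}


# Constructed sample flows
SAMPLE_FLOWS = []
# 1) Morto-style RDP sweep: SYN-only flows across a /24, plus three landing in dark space
for i in range(1, 13):
    SAMPLE_FLOWS.append(flow("10.1.1.50", f"10.1.2.{i}", 3389, SYN))
for i in range(1, 4):
    SAMPLE_FLOWS.append(flow("10.1.1.50", f"10.250.7.{i}", 3389, SYN))
# 2) Admin with completed RDP sessions to two servers: full handshake, so not incomplete
for dst in ("10.1.3.10", "10.1.3.11"):
    SAMPLE_FLOWS.append(flow("10.1.1.7", dst, 3389, SYN | ACK | PSH | FIN))
# 3) Duqu-style SMB probe: only two targets, but both are in Dark IP space
for dst in ("192.168.99.5", "192.168.99.6"):
    SAMPLE_FLOWS.append(flow("10.1.2.20", dst, 445, SYN))
# 4) One failed SMB connect from a workstation to a real server: benign noise
SAMPLE_FLOWS.append(flow("10.1.1.8", "10.1.3.20", 445, SYN))

if __name__ == "__main__":
    for src, info in sorted(find_scanners(SAMPLE_FLOWS).items()):
        print(f"{src}: {info['service']}: {info['reason']}")
```

The unique-destination threshold catches the broad sweep, while the Dark IP rule catches the low-and-slow case that touches only a couple of addresses; the single failed connection to a live server in case 4 trips neither, which is the kind of noise a per-destination count would otherwise raise. With bidirectional exporters, or where a server-side flow is also recorded, check the client-side flags only, as done here.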
If you're using StealthWatch, chances are you've already seen posts within our community portal about identifying these events. StealthWatch assigns Concern Index (CI) points for the scanning activity even when it isn't directed at Dark IP space (as seen below).

There is even a worm tracker that can be used to follow a worm's propagation from host to host through the network.

For more information on how to configure reporting for these types of events within StealthWatch, please check our community forums or speak with your local Systems Engineer.
Tags: stealthwatch, netflow, security, worm