Re: [Clamav-users] Virus Distribution

2004-09-09 Thread Daniel J McDonald
On Wed, 2004-09-08 at 15:52, Doug Hardie wrote:
> Those certainly could be it, but it is unusual compared with the other 
> viruses we see daily.  I wonder if there is more to this one than has 
> been found yet.

I've noticed that Zafi.B is most often spread through backscatter.  So,
perhaps you are seeing spikes when an infected machine hits a
particularly poorly configured spam filter.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Virus Distribution

2004-09-08 Thread Doug Hardie
Those certainly could be it, but it is unusual compared with the other 
viruses we see daily.  I wonder if there is more to this one than has 
been found yet.

On Sep 8, 2004, at 12:40, Timo Schöler wrote:
> Thus spake Doug Hardie sometime Today...
>> On Sep 8, 2004, at 12:16, Timo Schöler wrote:
>>> Doug Hardie wrote:
>>>> I have a cron job that scans the clamd.log file every day and 
>>>> counts the specific viruses found.  While the numbers tend to vary 
>>>> a bit from day to day the relative ratios between the various 
>>>> viruses found tend to stay the same - except for Worm.Zafi.B.  One 
>>>> day it will find 1100 of them and the next day 8.  It is never 
>>>> consistent.  I am not seeing any significant number of viruses 
>>>> slipping through.  It seems to be some sort of distribution issue 
>>>> with that virus itself.  The others all seemed to come on strong at 
>>>> first and then die down to residual annoyances.  But not this one.  
>>>> It keeps coming back in volume periodically.  Any ideas what makes 
>>>> this one so different from the rest?
>>> perhaps this may be interesting stuff for you:
>>> http://www.cs.berkeley.edu/~nweaver/sapphire/
>> Thanks but I would expect from that that the worm activity would tend 
>> to die down to a relatively constant nuisance level.  However, it's 
>> not doing that; every couple days I get another flood of them.
> there may be several reasons:
> i) changing network behaviour (route flaps, etc.)
> ii) changing effectiveness of virus filters et al.
> iii) built-in automatisms in worm/virus itself
> NB: it is not always best to spread a virus/worm at the highest 
> available speed (depends on number of infected hosts, bandwidth 
> available to the hosts, etc.).
>
> i'm sure i missed another point i didn't think of now ;)
> --
> mit vorzueglichster Hochachtung/best regards,
> Timo Schoeler
> //macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | 
> Germany
> Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
> PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt





Re: [Clamav-users] Virus Distribution

2004-09-08 Thread Timo Schöler
Thus spake Doug Hardie sometime Today...
> On Sep 8, 2004, at 12:16, Timo Schöler wrote:
>> Doug Hardie wrote:
>>> I have a cron job that scans the clamd.log file every day and counts 
>>> the specific viruses found.  While the numbers tend to vary a bit 
>>> from day to day the relative ratios between the various viruses 
>>> found tend to stay the same - except for Worm.Zafi.B.  One day it 
>>> will find 1100 of them and the next day 8.  It is never consistent.  
>>> I am not seeing any significant number of viruses slipping through.  
>>> It seems to be some sort of distribution issue with that virus 
>>> itself.  The others all seemed to come on strong at first and then 
>>> die down to residual annoyances.  But not this one.  It keeps coming 
>>> back in volume periodically.  Any ideas what makes this one so 
>>> different from the rest?
>> perhaps this may be interesting stuff for you:
>> http://www.cs.berkeley.edu/~nweaver/sapphire/
> Thanks but I would expect from that that the worm activity would tend 
> to die down to a relatively constant nuisance level.  However, it's not 
> doing that; every couple days I get another flood of them.

there may be several reasons:
i) changing network behaviour (route flaps, etc.)
ii) changing effectiveness of virus filters et al.
iii) built-in automatisms in worm/virus itself
NB: it is not always best to spread a virus/worm at the highest 
available speed (depends on number of infected hosts, bandwidth 
available to the hosts, etc.).

i'm sure i missed another point i didn't think of now ;)
--
mit vorzueglichster Hochachtung/best regards,
Timo Schoeler
//macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | 
Germany
Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt



Re: [Clamav-users] Virus Distribution

2004-09-08 Thread Timo Schöler
Doug Hardie wrote:
> I have a cron job that scans the clamd.log file every day and counts 
> the specific viruses found.  While the numbers tend to vary a bit from 
> day to day the relative ratios between the various viruses found tend 
> to stay the same - except for Worm.Zafi.B.  One day it will find 1100 
> of them and the next day 8.  It is never consistent.  I am not seeing 
> any significant number of viruses slipping through.  It seems to be 
> some sort of distribution issue with that virus itself.  The others 
> all seemed to come on strong at first and then die down to residual 
> annoyances.  But not this one.  It keeps coming back in volume 
> periodically.  Any ideas what makes this one so different from the 
> rest?

perhaps this may be interesting stuff for you:
http://www.cs.berkeley.edu/~nweaver/sapphire/
HTH,
--
mit vorzueglichster Hochachtung/best regards,
Timo Schoeler
//macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | 
Germany
Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt




[Clamav-users] Virus Distribution

2004-09-08 Thread Doug Hardie
I have a cron job that scans the clamd.log file every day and counts 
the specific viruses found.  While the numbers tend to vary a bit from 
day to day the relative ratios between the various viruses found tend 
to stay the same - except for Worm.Zafi.B.  One day it will find 1100 
of them and the next day 8.  It is never consistent.  I am not seeing 
any significant number of viruses slipping through.  It seems to be 
some sort of distribution issue with that virus itself.  The others all 
seemed to come on strong at first and then die down to residual 
annoyances.  But not this one.  It keeps coming back in volume 
periodically.  Any ideas what makes this one so different from the 
rest?


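
The daily per-signature count described in the original message, extended to flag signatures whose volume swings between days. This is an added example, not part of the thread and not Doug Hardie's script. It assumes clamd writes timestamped lines of the form shown in the comment; the log lines, the `Worm.Example.*` names and the factor of 10 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Assumed line shape (clamd with timestamps enabled):
#   "Wed Sep  8 12:16:03 2004 -> /path/to/msg: Worm.Zafi.B FOUND"
FOUND_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d (?P<year>\d{4})"
    r" -> .*: (?P<sig>\S+) FOUND$")

def daily_counts(lines):
    """Map (year, month, day) -> Counter of signature detections."""
    counts = defaultdict(Counter)
    for line in lines:
        m = FOUND_RE.match(line.rstrip())
        if not m or m.group("mon") not in MONTHS:
            continue  # status lines, errors, anything that is not a detection
        day = (int(m.group("year")), MONTHS[m.group("mon")], int(m.group("day")))
        counts[day][m.group("sig")] += 1
    return dict(counts)

def bursty_signatures(counts, factor=10):
    """Signatures whose busiest day is >= factor times their quietest day."""
    days = sorted(counts)
    flagged = {}
    for sig in sorted({s for c in counts.values() for s in c}):
        series = [counts[d][sig] for d in days]  # Counter yields 0 if absent
        low, high = min(series), max(series)
        if high / max(low, 1) >= factor:
            flagged[sig] = (low, high)
    return flagged

def make_sample():
    """Constructed log: two days, Zafi.B volumes taken from the thread."""
    plan = {("Tue", 7): {"Worm.Zafi.B": 1100, "Worm.Example.A": 40, "Worm.Example.B": 20},
            ("Wed", 8): {"Worm.Zafi.B": 8, "Worm.Example.A": 36, "Worm.Example.B": 22}}
    lines = []
    for (dow, day), sigs in plan.items():
        lines.append(f"{dow} Sep {day:2d} 00:00:01 2004 -> SelfCheck: Database status OK.")
        for sig, n in sigs.items():
            lines += [f"{dow} Sep {day:2d} 12:00:00 2004 -> /tmp/msg{i}: {sig} FOUND"
                      for i in range(n)]
    return lines

if __name__ == "__main__":
    for sig, (low, high) in bursty_signatures(daily_counts(make_sample())).items():
        print(f"{sig}: quietest day {low}, busiest day {high}")
```

Comparing each signature against its own quietest day, rather than against its share of the daily total, keeps one flooding signature from distorting the figures for the steady ones.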