Educause Security Discussion mailing list archives

Re: symantec targetting worm


From: Mike Iglesias <iglesias () UCI EDU>
Date: Fri, 29 Dec 2006 15:53:32 -0800

robin wrote:
Some subnets here are having a bit of trouble with a worm that
in particular seems to be going for tcp port 2967 which we would guess
is aiming for the SAVCE managed client port. In some cases the worm or
worms also go for tcp port 139,445 and/or 5900.

Anyone seeing this and have some advice? Have worms been id'd other than
these at other edu's?

We've been seeing the SAVCE worm for about a week now.  Most of the attacks
have come from other .edu sites.

The worm we have seen sends several packets to port 2967, with lots of ASCII
characters as padding.  The third packet contains binary data at the
beginning, which is probably the nasty payload.  We've seen two different
versions of this payload, but the first 8 bytes appear to be the same in
both of them.  The bytes are (in hex) eb060d101e506d6d, so if you have an
IDS you can write a signature to find that pattern near the beginning of the
data portion of the packet.

One variant of the worm opens port 8555 as a communications channel for the
attackers to get cmd.exe access to the system.  If you find a system with
both ports 2967 and 8555 open, it's infected and should be removed from your
network.

Some variants try to connect to a command & control system using port 21881 as
the destination port.  We've seen some of this as well, to a system in
Taiwan (140.131.142.236).  That system was not responding on that port the
last time I checked.


--
Mike Iglesias                          Email:       iglesias () uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
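The two checks Mike describes (an IDS match on the 8-byte prefix near the start of a port-2967 payload, and "2967 and 8555 both open means infected"), written out as an added example; this is not code from the original thread. The TcpSegment structure, the sample traffic, and the 16-byte slack allowed before the signature are constructed here for illustration; the byte pattern and the port numbers are the ones reported in the message.

```python
"""Added example: minimal detection logic for the SAVCE (tcp/2967) worm
described in the message.  Not from the original post; the packet structure
and sample traffic are constructed for illustration."""

from dataclasses import dataclass

# Values reported in the message.
WORM_PAYLOAD_PREFIX = bytes.fromhex("eb060d101e506d6d")
SAVCE_PORT = 2967       # SAVCE managed client port the worm targets
BACKDOOR_PORT = 8555    # cmd.exe channel opened by one variant
C2_PORT = 21881         # destination port used by some variants for C&C

# Assumption: "near the beginning" is taken to mean the prefix starts within
# the first 16 bytes of the TCP payload.  Wide enough to tolerate a short
# leading header, narrow enough not to fire on the ASCII padding packets.
MAX_SIGNATURE_OFFSET = 16


@dataclass
class TcpSegment:
    """Constructed stand-in for a decoded TCP segment."""
    src: str
    dst: str
    dport: int
    payload: bytes


def signature_offset(payload: bytes, max_offset: int = MAX_SIGNATURE_OFFSET):
    """Return the offset at which the worm prefix starts if it begins within
    max_offset bytes of the start of the payload, otherwise None."""
    end = max_offset + len(WORM_PAYLOAD_PREFIX)  # search window, like a Snort depth
    idx = payload.find(WORM_PAYLOAD_PREFIX, 0, end)
    return idx if idx != -1 else None


def is_worm_segment(seg: TcpSegment) -> bool:
    """True for a segment to tcp/2967 whose payload carries the prefix early."""
    return seg.dport == SAVCE_PORT and signature_offset(seg.payload) is not None


def find_worm_sources(segments) -> list:
    """Sorted list of source addresses that sent at least one matching segment."""
    return sorted({s.src for s in segments if is_worm_segment(s)})


def looks_infected(open_ports) -> bool:
    """The message's host rule: both 2967 and 8555 listening means infected."""
    return SAVCE_PORT in open_ports and BACKDOOR_PORT in open_ports


# Constructed sample traffic: two padding packets, the third carrying the
# payload (as described), one with a short leading header, one with the
# pattern too deep to count, and one to the wrong port.
SAMPLE_TRAFFIC = [
    TcpSegment("10.0.1.5", "10.0.2.9", 2967, b"A" * 400),
    TcpSegment("10.0.1.5", "10.0.2.9", 2967, b"A" * 400),
    TcpSegment("10.0.1.5", "10.0.2.9", 2967, WORM_PAYLOAD_PREFIX + b"\x90" * 32 + b"A" * 200),
    TcpSegment("10.0.3.7", "10.0.2.9", 2967, b"\x00" * 4 + WORM_PAYLOAD_PREFIX + b"B" * 100),
    TcpSegment("10.0.4.2", "10.0.2.9", 2967, b"C" * 100 + WORM_PAYLOAD_PREFIX),
    TcpSegment("10.0.5.1", "10.0.2.9", 445, WORM_PAYLOAD_PREFIX + b"D" * 50),
]

if __name__ == "__main__":
    for src in find_worm_sources(SAMPLE_TRAFFIC):
        print(f"worm traffic to tcp/{SAVCE_PORT} from {src}")
    # Port sets as a scanner of the two hosts might report them (constructed).
    for host, ports in {"10.0.1.5": {2967, 8555}, "10.0.9.9": {2967, 139}}.items():
        print(f"{host}: {'INFECTED' if looks_infected(ports) else 'ok'}")
```

The search window is the same idea as a content match with a depth limit on a signature-based IDS; on Snort, for example, `content:"|eb 06 0d 10 1e 50 6d 6d|"; depth:24;` on traffic to `$HOME_NET 2967` expresses the same check, and the `depth` value is what keeps the rule from firing on the padding packets. The `looks_infected` rule is meant to be fed the open-port set from a scan of the suspect host.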
