Security Incidents mailing list archives
Re: Is this distributed SubSeven?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 7 Mar 2001 14:39:30 +1300
On Tue, 6 Mar 2001 19:02:26 -0600 (CST) Glenn Forbes Fleming Larratt <glratt () io com> wrote:
> On Wed, 7 Mar 2001, Russell Fulton wrote:
>
> > Hmmm... are you in 24.0.0.0/8? If so I would guess that what you are
>
> No. We, like you, are a /16 in Class B address space.
Hmmm.... then this is different. I'm not seeing anything like this targeting 130.216/16 at the moment. I am currently seeing a couple of trojans in 24/8 scanning udp-137 but nothing else, and certainly nothing like what you are seeing.

What I have seen in the past is lots (dozens) of machines scanning us for netbus. We had several incidents in two groups; each group lasted about 10 days, and they were separated by several months. Each incident consisted of several (up to 20) scans, each targeting a single /24. The rate would peak suddenly and then die off over a day or so.

The scans themselves were odd in that they always started at address 11 and stepped upward towards 254. Probes appeared to be standard TCP connections with about 3 second timeouts (3 SYNs sent to each address, then a pause, then the next address tried). It took 20 minutes to scan a whole /24, and most scans stopped after probing 10 or 20 addresses.

I went to quite a lot of trouble (including posting to the Incidents list) trying to find out what was going on. I reported all scans to the ISPs (most were in Asia, particularly Korea, but there was a sprinkling in North America and Europe). In particular I asked ISPs if they could find out what caused the traffic. Out of over 100 requests I received only one reply, but by the time the ISP had dealt with the incident (about 10 days) the customer could not remember what they had been doing at the time. (I used AusCERT's automated response service to send out the messages.)

Another data point was that neighbouring class Bs were not targeted.

Since then I have heard of two other attacks of this nature directed against two different networks (one in Australia and one in the US). Both had exactly the same signature, including the scans starting from 11 (I assume this is a typo for 1).

My conclusion is that this is some form of trojan that targets specific networks (or address ranges). It is probably distributed via IRC or ICQ and takes the form of a game. People play with it for a while, and while the program is active it scans a random /24 within its target /16. Presumably it also sends the results somewhere. I.e. a distributed netbus scan.

I'd be interested to know if your data fits this pattern.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
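The scan signature Russell describes above (one source walking a single /24 upward from a low host number, about three SYNs per target roughly three seconds apart, a whole /24 taking on the order of twenty minutes) is specific enough to detect from ordinary connection logs. The following is an added example, not code from the original thread or from either poster. It assumes a simple whitespace-separated log format (`epoch src_ip dst_ip dst_port flag`), which is my own construction, and it assumes the NetBus 1.x default port of TCP 12345, which the post does not name; the sample traffic is constructed, not captured data.

```python
"""Added example: flag slow, sequential, host-by-host scans of one /24
matching the pattern described in the post (start low, step +1, ~3 SYNs
per host, seconds between hosts). Log format and port are assumptions."""
from collections import defaultdict
import ipaddress

NETBUS_PORT = 12345  # assumption: NetBus 1.x default; the post names no port


def parse_line(line):
    # assumed format: "<epoch> <src_ip> <dst_ip> <dst_port> <flag>"
    ts, src, dst, port, flag = line.split()
    return float(ts), src, dst, int(port), flag


def find_sequential_scans(lines, port=NETBUS_PORT, min_hosts=5,
                          min_gap=1.0, max_gap=10.0):
    """Return one dict per (source, /24) whose probed hosts form an unbroken
    ascending run and whose per-host pacing is in the seconds range, i.e. the
    '3 SYNs then a pause then next address' behaviour, not a fast sweep."""
    probes = defaultdict(list)  # (src, dst/24) -> [(ts, host_offset), ...]
    for line in lines:
        ts, src, dst, dport, flag = parse_line(line)
        if dport != port or flag != "SYN":
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        offset = int(ipaddress.ip_address(dst)) - int(net.network_address)
        probes[(src, str(net))].append((ts, offset))

    hits = []
    for (src, net), events in probes.items():
        events.sort()
        first_seen, syn_counts = {}, defaultdict(int)
        for ts, host in events:            # collapse retransmit bursts per host
            first_seen.setdefault(host, ts)
            syn_counts[host] += 1
        hosts = sorted(first_seen)
        if len(hosts) < min_hosts:
            continue
        sequential = all(b - a == 1 for a, b in zip(hosts, hosts[1:]))
        gaps = [first_seen[b] - first_seen[a] for a, b in zip(hosts, hosts[1:])]
        paced = all(min_gap <= g <= max_gap for g in gaps)
        if sequential and paced:
            hits.append({
                "src": src, "net": net, "start_host": hosts[0],
                "hosts_probed": len(hosts),
                "syns_per_host": round(sum(syn_counts.values()) / len(hosts), 1),
                "duration_s": first_seen[hosts[-1]] - first_seen[hosts[0]],
            })
    return hits


def make_sample_log():
    """Constructed sample traffic (not real data)."""
    lines = []
    # the pattern from the post: 192.0.2.11 upward, 3 SYNs per host 3 s apart
    for i, host in enumerate(range(11, 26)):
        for k in range(3):
            lines.append(f"{i * 9 + k * 3:.2f} 203.0.113.5 192.0.2.{host} 12345 SYN")
    # fast sweep from .1 with 10 ms between hosts: sequential but not paced
    for i, host in enumerate(range(1, 201)):
        lines.append(f"{1000 + i * 0.01:.2f} 198.51.100.7 192.0.2.{host} 12345 SYN")
    # well-paced but random-order probes: paced but not sequential
    for i, host in enumerate([50, 12, 200, 3, 77]):
        lines.append(f"{2000 + i * 5:.2f} 198.51.100.9 192.0.2.{host} 12345 SYN")
    # ordinary web traffic from the scanning host: wrong port, ignored
    lines.append("50.00 203.0.113.5 192.0.2.80 80 SYN")
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for hit in find_sequential_scans(SAMPLE_LOG):
        print(hit)
```

Only the slow walk from 203.0.113.5 is reported; the fast sweep fails the pacing test and the random-order probes fail the step-by-one test. Tightening `min_hosts` and the gap window to your own observed timings is the main tuning knob; the post's numbers (3 SYNs, ~3 s timeouts, ~20 minutes per /24) imply roughly 5 to 10 seconds per host.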
Current thread:
- Is this distributed SubSeven? Glenn Forbes Fleming Larratt (Mar 06)
- Re: Is this distributed SubSeven? Russell Fulton (Mar 06)
- Re: Is this distributed SubSeven? Glenn Forbes Fleming Larratt (Mar 07)
- Re: Is this distributed SubSeven? Russell Fulton (Mar 07)
- Re: Is this distributed SubSeven? Glenn Forbes Fleming Larratt (Mar 07)
- Re: Is this distributed SubSeven? Russell Fulton (Mar 06)