Security Incidents mailing list archives

Re: NIMDA has a built in timer? No hits lately


From: Sevo Stille <sevo () ip23 net>
Date: Wed, 19 Sep 2001 01:56:42 +0200

David Kennedy CISSP wrote:

-----BEGIN PGP SIGNED MESSAGE-----

I started getting hit @ 13:09:55 UTC this morning.  My sensors have
not been touched since 19:15:10 UTC this afternoon.


Well, in the 212 netblock it is still going on, even though the rate has been approximately halving every hour for the last two hours. The last hit so far was at 23:48:31 UTC. Originally, about 10% came from all over the /8 I'm in, but for the last hour, it has been all from my /16.


Hypothesis: It's exhausted the IP space that would touch my IPs


Only possible if the scans expire after a period of time roughly matching a fast bandwidth - otherwise, I'd expect scans from boxes with ISDN connectivity to continue long after high-bandwidth machines have finished. In any case, it seems to scan extremely fast, and as I saw a decline on the sources outside my /16 rather than a growing number, /8-scanning seems to stop at some time before it can possibly be finished.

By the way: So far, I have only been hit by one single instance of the full Nimda pattern from outside 212/8 (and that machine may have had another interface in 212, its ISP has netblocks in 212) - the initial infection spreading across netblocks will probably have used a different pattern, or I'd have expected at least a few odd hits preceding today's outbreak.

or
it's turned itself off (if so will it turn itself on tomorrow ~1300
UTC?)


Hardly by UTC, as it is still going on in the RIPE address space I'm in. It could act on local time, or, more likely, it might be time fused to stop after some period of activity.



Sevo

