Security Incidents mailing list archives

Re: Nimda Probes Stopped


From: Stuart Staniford <stuart () silicondefense com>
Date: Tue, 18 Sep 2001 17:36:26 -0700

I guess the picture that's emerging is that the worm has stopped probing in
some parts of IP-space, but is still probing in others.  That suggests it
can't have a hard time-based turn off, but could have some other kind of
limit to how much it scans built in.  We've got several ways of seeing the
worm in different places, and the probe rate graphs do not appear
consistent (it's not like Code Red where there was roughly consistent
behaviour everywhere).

We're still far from understanding the worm code properly, but as far as we
can tell so far, it only seems to access the system time once (it puts it
into a registry variable).  It does seem to be keeping track of its own cpu
time usage for some reason.

Homer Wilson Smith wrote:

We're still seeing several probes per second into a /17, though the rate is
noisy.  The probe rate is not going up any more - suggesting some degree of
saturation.  Are you sure someone upstream of you didn't apply some filter?

     What kind of filter?

I've heard reports of some ISPs disallowing inbound port 80 syns into some
portions of their address space.  I wanted to rule out some explanation
like that.

Stuart.

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)
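As an added illustration of the kind of per-vantage-point analysis the message above describes (this is example code, not anything from the thread, from Silicon Defense, or from Snort), the script below buckets inbound port-80 probes by destination /17 and minute and labels each block's series as still rising, plateaued (the "saturation" reading) or stopped. The log format, the IP ranges, the 60-second bucket, the 1.25 rise threshold and the "two empty trailing buckets means stopped" rule are all assumptions made for the example; the log lines are constructed, not captured traffic. Note that a block whose probes drop abruptly to zero looks the same here whether the worm stopped scanning it or an upstream ISP began dropping port-80 SYNs to it, which is exactly why the message asks about filters.

```python
"""Probe-rate trend per destination /17 from a simple SYN log (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

BUCKET_SECONDS = 60  # assumption: one-minute buckets


def parse_line(line):
    """Parse a constructed log line '<ISO timestamp> <src> <dst> <dport>'.
    Returns (datetime, src, dst, dport) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, src, dst, dport


def bucket_probes(lines, prefix_len=17, dport=80, bucket_seconds=BUCKET_SECONDS):
    """Count probes to `dport` per destination /prefix_len per time bucket.
    All prefixes share one global window, so a block that went quiet shows
    trailing zeros rather than a shorter series."""
    events = [e for e in (parse_line(l) for l in lines) if e and e[3] == dport]
    if not events:
        return {}
    t0 = min(e[0] for e in events)
    t_end = max(e[0] for e in events)
    n_buckets = int((t_end - t0).total_seconds() // bucket_seconds) + 1
    counts = defaultdict(lambda: [0] * n_buckets)
    for ts, _src, dst, _dport in events:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        idx = int((ts - t0).total_seconds() // bucket_seconds)
        counts[str(net)][idx] += 1
    return dict(counts)


def classify_trend(counts, rise_ratio=1.25):
    """Label one per-bucket series (thresholds are assumptions):
    'stopped' = nonzero earlier but zero in the last two buckets,
    'rising'  = second-half mean >= rise_ratio * first-half mean,
    'plateau' = anything else (flat or noisy, but not growing)."""
    if len(counts) < 4 or sum(counts) == 0:
        return "insufficient"
    if counts[-2:] == [0, 0] and sum(counts[:-2]) > 0:
        return "stopped"
    half = len(counts) // 2
    first = sum(counts[:half]) / half
    second = sum(counts[half:]) / (len(counts) - half)
    if first == 0 or second / first >= rise_ratio:
        return "rising"
    return "plateau"


def analyse(lines):
    """Map each destination /17 seen in `lines` to its trend label."""
    return {net: classify_trend(c) for net, c in bucket_probes(lines).items()}


def synth_log(prefix_base, per_minute, start, dport=80):
    """Build constructed log lines: per_minute[i] probes during minute i,
    spread over distinct hosts inside the /17 that begins at prefix_base."""
    lines = []
    for minute, n in enumerate(per_minute):
        for k in range(n):
            ts = start + timedelta(seconds=60 * minute + 7 * k)
            dst = ipaddress.ip_address(prefix_base) + (minute * 64 + k)
            src = ipaddress.ip_address("192.0.2.0") + (k % 200)  # documentation range
            lines.append(f"{ts.isoformat()} {src} {dst} {dport}")
    return lines


START = datetime(2001, 9, 18, 17, 0, 0)
# Constructed sample: one /17 still being probed at a noisy but flat rate,
# one /17 that went quiet, plus a malformed line and a non-port-80 probe.
SAMPLE_LOG = (
    synth_log("10.0.0.0", [5, 5, 6, 5, 5, 6], START)
    + synth_log("10.0.128.0", [4, 5, 5, 0, 0, 0], START)
    + ["garbage line", f"{START.isoformat()} 192.0.2.9 10.0.0.250 443"]
)

if __name__ == "__main__":
    for net, counts in sorted(bucket_probes(SAMPLE_LOG).items()):
        print(net, counts, classify_trend(counts))
```

Run it as-is to see the two blocks labelled `plateau` and `stopped`; to use it on real data, replace `SAMPLE_LOG` with lines in the same four-field format (timestamp, source, destination, destination port) and pick a bucket size long enough that the noise the message mentions does not dominate a single bucket.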

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

