Security Incidents mailing list archives

Re: Worm on 445/tcp?

From: Tom.Gast () walgreens com
Date: Tue, 17 Dec 2002 13:52:55 -0600

I don't believe Windows XP is going to be effected by this worm, due to 
the fact null is disabled by default.

- - Tom G.




Scott Fendley <scottf () uark edu>
12/17/2002 11:24 AM

 
        To:     "Scott A.McIntyre" <scott () xs4all net>, incidents () securityfocus com
        cc: 
        Subject:        Re: Worm on 445/tcp?




I think what you are seeing is the newest worm to come out called LIOTEN 
or 
Iraqi Oil worm.  It appears that it is only infecting windows 2k/XP 
servers 
via SMB connections.  There appears to be a lot of details amongst the 
following URLs which can do a better job describing this worm then I 
could.  --Scott


http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A
http://vil.mcafee.com/dispVirus.asp?virus_k=99897
http://www.mynetwatchman.com/kb/security/articles/iraqiworm/index.htm
http://www.unixwiz.net/iraqworm/

At 08:56 AM 12/17/2002 +0100, Scott A.McIntyre wrote:

Over the past two weeks or so I've been noticing a steady rise in what 
appears to be worm related traffic to the new unified smb over tcp port 
(445) on Microsoft Win2k and newer operating systems.

I haven't yet been able to properly identify what the culprit is; at

first

I thought a variation of OpaServ, and that hasn't been fully ruled out, 
but I'm not quite convinced of that either.  Anyone have any clues that 
might help pin this down further?

An infected machine seems to send the following:

1095 114.002629 src -> dst  SMB Negotiate Protocol Request
1105 114.363458 src -> dst  SMB Session Setup AndX Request
1106 114.774364 src -> dst  SMB Session Setup AndX Request
1107 115.168792 src -> dst  SMB Tree Connect AndX Request,Path:

\\dst\IPC$

1110 115.330792 src -> dst  SMB NT Create AndX Request, Path: \samr
1112 115.652261 src -> dst  DCERPC Bind: call_id: 1 UUID: SAMR
1136 117.759036 src -> dst  SAMR Connect4 request
1137 118.299350 src -> dst  SMB Close Request, FID: 0x4000
1142 119.004483 src -> dst  SMB Logoff AndX Request
1150 119.375665 src -> dst  SMB Tree Disconnect Request

And another:

7.933416 src -> dst SMB Negotiate Protocol Request
10.958481 src -> dst SMB Session Setup AndX Request
13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
17.149345 src -> dst SAMR Connect4 request
20.405997 src -> dst SAMR EnumDomains request
23.579240 src -> dst SAMR LookupDomain request
25.341903 src -> dst SAMR OpenDomain request
25.891947 src -> dst SAMR EnumDomainUsers request
26.597393 src -> dst SAMR Close request
29.615040 src -> dst SMB Close Request, FID: 0x4000
30.048894 src -> dst SMB Logoff AndX Request
32.738878 src -> dst SMB Tree Disconnect Request


It appears as though there's a high degree of randomness to the 
destination IP addresses that are chosen by the worm as can be seen from 
this 1 second snapshot:


    121.33.1.48
  91.71.109.105
   76.123.46.27
  222.120.99.35
   124.72.254.8
  17.64.153.118
   27.23.33.121
  185.33.178.38
  151.49.213.31
  167.60.15.125
  132.86.243.68
  26.125.133.71
   1.104.130.21
   40.88.91.120
  48.101.140.21
    48.93.34.36
  193.60.220.48
   117.26.58.96
    27.2.15.114
    25.7.221.31


Note: the infected system's ip address is not within any of these network

segments.

I've noticed others reporting similar increase in traffic, but so far 
haven't seen a definitive acknowledgment of precisely what it is that's 
responsible.

Any pointers gratefully accepted.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and 
tracking system please see: http://aris.securityfocus.com


---
Scott Fendley                           scottf () uark edu
Systems/Security Analyst                (479) 575-2022
University of Arkansas                  (479) 575-4753 fax



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Worm on 445/tcp? Scott A . McIntyre (Dec 17)
- Re: Worm on 445/tcp? Scott Fendley (Dec 17)
- Re: Worm on 445/tcp? Joe Blatz (Dec 17)
  - Re: Worm on 445/tcp? james (Dec 17)
- Re: Worm on 445/tcp? Stephen J. Friedl (Dec 17)
  - Re: Worm on 445/tcp? Ryan Yagatich (Dec 18)
- <Possible follow-ups>
- RE: Worm on 445/tcp? OBrien, Brennan (Dec 17)
- Re: Worm on 445/tcp? Tom . Gast (Dec 17)
- Re: Worm on 445/tcp? Stephen Friedl (Dec 18)
- Re: Worm on 445/tcp? Kyle Lai (Dec 20)