Security Incidents mailing list archives
Re: Worm on 445/tcp?
From: "james" <jamesh () cybermesa com>
Date: Tue, 17 Dec 2002 13:54:45 -0700
Somewhat decompiled source here: http://www.unixwiz.net/iraqworm/iraqworm.cpp

This looks ripe for a content matching rule:

    static const char *PasswordTable[] = {
        NullPassword,
        "admin",
        "root",
        "111",
        "123",
        "1234",
        "123456",
        "654321",
        "1",
        "!@#$",
        "asdf",
        "asdfgh",
        "!@#$%",
        "!@#$%^",
        "!@#$%^&",
        "!@#$%^&*",
        "server",

----- Original Message -----
From: "Joe Blatz" <sd_wireless () yahoo com>
To: "Scott A.McIntyre" <scott () xs4all net>; <incidents () securityfocus com>
Sent: Tuesday, December 17, 2002 12:50 PM
Subject: Re: Worm on 445/tcp?

Anyone have packet captures or Snort rules?

--- "Scott A.McIntyre" <scott () xs4all net> wrote:

Over the past two weeks or so I've been noticing a steady rise in what appears to be worm related traffic to the new unified SMB over TCP port (445) on Microsoft Win2k and newer operating systems. I haven't yet been able to properly identify what the culprit is; at first I thought a variation of OpaServ, and that hasn't been fully ruled out, but I'm not quite convinced of that either. Anyone have any clues that might help pin this down further?

An infected machine seems to send the following:

    1095 114.002629 src -> dst SMB Negotiate Protocol Request
    1105 114.363458 src -> dst SMB Session Setup AndX Request
    1106 114.774364 src -> dst SMB Session Setup AndX Request
    1107 115.168792 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
    1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr
    1112 115.652261 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
    1136 117.759036 src -> dst SAMR Connect4 request
    1137 118.299350 src -> dst SMB Close Request, FID: 0x4000
    1142 119.004483 src -> dst SMB Logoff AndX Request
    1150 119.375665 src -> dst SMB Tree Disconnect Request

And another:

    7.933416 src -> dst SMB Negotiate Protocol Request
    10.958481 src -> dst SMB Session Setup AndX Request
    13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
    13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
    15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
    17.149345 src -> dst SAMR Connect4 request
    20.405997 src -> dst SAMR EnumDomains request
    23.579240 src -> dst SAMR LookupDomain request
    25.341903 src -> dst SAMR OpenDomain request
    25.891947 src -> dst SAMR EnumDomainUsers request
    26.597393 src -> dst SAMR Close request
    29.615040 src -> dst SMB Close Request, FID: 0x4000
    30.048894 src -> dst SMB Logoff AndX Request
    32.738878 src -> dst SMB Tree Disconnect Request

It appears as though there's a high degree of randomness to the destination IP addresses that are chosen by the worm, as can be seen from this 1 second snapshot:

    121.33.1.48
    91.71.109.105
    76.123.46.27
    222.120.99.35
    124.72.254.8
    17.64.153.118
    27.23.33.121
    185.33.178.38
    151.49.213.31
    167.60.15.125
    132.86.243.68
    26.125.133.71
    1.104.130.21
    40.88.91.120
    48.101.140.21
    48.93.34.36
    193.60.220.48
    117.26.58.96
    27.2.15.114
    25.7.221.31

Note: the infected system's IP address is not within any of these network segments.

I've noticed others reporting a similar increase in traffic, but so far haven't seen a definitive acknowledgment of precisely what it is that's responsible. Any pointers gratefully accepted.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
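The two things Scott's captures show, a source walking IPC$ -> \samr -> DCERPC bind to SAMR -> Connect4 -> EnumDomainUsers against a host, and one source fanning out to random addresses in unrelated /8s within a second, can both be turned into simple detection logic over packet summaries. The following is an added example, not code from the thread or from the decompiled worm source linked above. It assumes Ethereal/tshark-style summary lines of the form `[<frame>] <time> <src> -> <dst> <info>` (the frame number optional), and the sample input is constructed from the captures quoted above with assumed addresses (10.0.0.5 infected, 10.0.0.9 target, 10.0.0.7 a benign host) standing in for `src` and `dst`; the stage names and thresholds are illustrative choices.

```python
"""Detection helpers for the SMB/SAMR enumeration and scan fan-out described above.

Added example (not from the thread). Input lines are assumed to look like
    [<frame>] <time> <src> -> <dst> <info>
Stage names, thresholds and the sample hosts are illustrative assumptions.
"""
import re
from collections import defaultdict

# One summary line: optional frame number, timestamp, src -> dst, free-form info column.
LINE_RE = re.compile(
    r"^\s*(?:(?P<frame>\d+)\s+)?(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<info>.*)$"
)

# Ordered markers of the enumeration sequence seen in the captures: IPC$ tree connect,
# open of the \samr pipe, DCERPC bind to SAMR, SAMR Connect4, then user enumeration.
SAMR_STAGES = (
    ("ipc_tree_connect", re.compile(r"SMB Tree Connect AndX Request.*\\IPC\$")),
    ("samr_pipe_open", re.compile(r"SMB NT Create AndX Request.*\\samr")),
    ("samr_bind", re.compile(r"DCERPC Bind:.*UUID: SAMR")),
    ("samr_connect", re.compile(r"SAMR Connect4 request")),
    ("samr_enum_users", re.compile(r"SAMR EnumDomainUsers request")),
)


def parse_line(line):
    """Parse one summary line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = float(rec["time"])
    return rec


def detect_samr_enumeration(lines, min_stages=4):
    """Return (src, dst, deepest_stage) for each pair that walks SAMR_STAGES in order
    through at least min_stages stages. The default of 4 still flags a session that
    reaches SAMR Connect4 and then closes, as the first capture in the thread did."""
    progress = defaultdict(int)  # (src, dst) -> number of stages completed so far
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["src"], rec["dst"])
        idx = progress[key]
        if idx < len(SAMR_STAGES) and SAMR_STAGES[idx][1].search(rec["info"]):
            progress[key] = idx + 1
    return [(src, dst, SAMR_STAGES[n - 1][0])
            for (src, dst), n in progress.items() if n >= min_stages]


def detect_scan_fanout(lines, window=1.0, min_prefixes=10):
    """Return {src: distinct /8 prefixes} for sources that contact at least min_prefixes
    distinct /8 prefixes within any `window` seconds. Random target selection spreads a
    single host's traffic across unrelated networks; ordinary SMB clients do not."""
    events = defaultdict(list)  # src -> [(time, first octet of dst)]
    for rec in filter(None, map(parse_line, lines)):
        events[rec["src"]].append((rec["time"], rec["dst"].split(".")[0]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            prefixes = {octet for _, octet in evs[start:end + 1]}
            if len(prefixes) >= min_prefixes:
                flagged[src] = max(flagged.get(src, 0), len(prefixes))
    return flagged


# Constructed sample: the second capture quoted above, with assumed addresses
# substituted for "src" and "dst".
SAMR_SAMPLE = r"""
7.933416 10.0.0.5 -> 10.0.0.9 SMB Negotiate Protocol Request
10.958481 10.0.0.5 -> 10.0.0.9 SMB Session Setup AndX Request
13.654558 10.0.0.5 -> 10.0.0.9 SMB Tree Connect AndX Request, Path: \\10.0.0.9\IPC$
13.926353 10.0.0.5 -> 10.0.0.9 SMB NT Create AndX Request, Path: \samr
15.231252 10.0.0.5 -> 10.0.0.9 DCERPC Bind: call_id: 1 UUID: SAMR
17.149345 10.0.0.5 -> 10.0.0.9 SAMR Connect4 request
20.405997 10.0.0.5 -> 10.0.0.9 SAMR EnumDomains request
23.579240 10.0.0.5 -> 10.0.0.9 SAMR LookupDomain request
25.341903 10.0.0.5 -> 10.0.0.9 SAMR OpenDomain request
25.891947 10.0.0.5 -> 10.0.0.9 SAMR EnumDomainUsers request
26.597393 10.0.0.5 -> 10.0.0.9 SAMR Close request
29.615040 10.0.0.5 -> 10.0.0.9 SMB Close Request, FID: 0x4000
""".strip().splitlines()

# Constructed sample: the 20 destinations from the 1-second snapshot, sent by 10.0.0.5
# 50 ms apart, plus a benign host 10.0.0.7 talking to three neighbours on its own /24.
SCAN_TARGETS = [
    "121.33.1.48", "91.71.109.105", "76.123.46.27", "222.120.99.35", "124.72.254.8",
    "17.64.153.118", "27.23.33.121", "185.33.178.38", "151.49.213.31", "167.60.15.125",
    "132.86.243.68", "26.125.133.71", "1.104.130.21", "40.88.91.120", "48.101.140.21",
    "48.93.34.36", "193.60.220.48", "117.26.58.96", "27.2.15.114", "25.7.221.31",
]
SCAN_SAMPLE = [
    f"{500 + i} {200 + i * 0.05:.6f} 10.0.0.5 -> {dst} TCP 1234 > 445 [SYN]"
    for i, dst in enumerate(SCAN_TARGETS)
] + [
    f"{600 + i} {200 + i * 0.3:.6f} 10.0.0.7 -> 10.0.0.{20 + i} TCP 1235 > 445 [SYN]"
    for i in range(3)
]

if __name__ == "__main__":
    print("SAMR enumeration:", detect_samr_enumeration(SAMR_SAMPLE))
    print("Scan fan-out:", detect_scan_fanout(SCAN_SAMPLE))
```

The stage matcher requires the markers in order per (source, destination) pair, so a lone DCERPC bind to SAMR from a legitimate management tool does not trip it; the fan-out check counts distinct first octets rather than hosts, because the snapshot's 20 targets fall in 18 different /8s while a real client talks to a handful of neighbours. Both thresholds are starting points to tune against the site's own baseline.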
Current thread:
- Worm on 445/tcp? Scott A . McIntyre (Dec 17)
- Re: Worm on 445/tcp? Scott Fendley (Dec 17)
- Re: Worm on 445/tcp? Joe Blatz (Dec 17)
- Re: Worm on 445/tcp? james (Dec 17)
- Re: Worm on 445/tcp? Stephen J. Friedl (Dec 17)
- Re: Worm on 445/tcp? Ryan Yagatich (Dec 18)
- <Possible follow-ups>
- RE: Worm on 445/tcp? OBrien, Brennan (Dec 17)
- Re: Worm on 445/tcp? Tom . Gast (Dec 17)
- Re: Worm on 445/tcp? Stephen Friedl (Dec 18)
- Re: Worm on 445/tcp? Kyle Lai (Dec 20)