Security Incidents mailing list archives

Re: Possible variant of Blaster/Nachi/Welchia? (more)


From: "Steven D. Smith" <sds07 () health state ny us>
Date: Fri, 26 Sep 2003 14:08:31 -0400


http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f () mm html

Sobig.F obtains the UTC time through the NTP protocol, by contacting one of several possible
servers on port 123/udp (the NTP port).

The worm starts the download attempt by sending a probe to port 8998/udp of the master server.
Then, the server replies with a URL, where the worm can download the file to execute.

Unlike W32.Sobig.E@mm, Sobig.F will not open the following ports to listen for incoming UDP
datagrams, as was previously reported.
    995/udp
    996/udp
    997/udp
    998/udp
    999/udp

Network administrators should do the following:
    Block outbound traffic on port 8998/udp.
    Monitor NTP requests (port 123/udp), as these could be coming from infected computers.
    (The frequency of such checks for an infected computer should be once per hour.)
Jeff Kell <jeff-kell () utc edu>
09/26/2003 11:40 AM

To:       Jeff Kell <jeff-kell () utc edu>
cc:       Incidents <incidents () securityfocus com>, General DShield Discussion List <list () dshield org>
Subject:  Re: Possible variant of Blaster/Nachi/Welchia? (more)




Jeff Kell wrote:
I have seen some STRANGE traffic on our dorms this morning.  The dorms
are all on a private network 172.18.0.0.  I have hosts (10 so far) that
are doing this:

   spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
same spoof 172.x.x.x ICMP --> another random 172.x.x.x
same spoof 172.x.x.x ICMP --> another random 172.x.x.x

I just noticed the initial udp:123 destination is a valid NTP source,
usually time.windows.com:

Sep 26 10:43:05.596 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp
172.165.225.160(123) -> 207.46.130.100(123), 1 packet
Sep 26 10:58:50.491 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp
172.141.193.21(123) -> 207.46.130.100(123), 1 packet
Sep 26 11:05:16.102 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp
172.152.89.157(123) -> 132.163.4.102(123), 1 packet
Sep 26 11:05:56.831 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp
172.129.185.162(123) -> 207.46.130.100(123), 1 packet
Sep 26 11:16:58.948 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp
172.128.177.27(123) -> 207.46.130.100(123), 1 packet
Sep 26 11:25:08.162 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp
172.140.133.74(123) -> 207.46.130.100(123), 1 packet

The ICMP targets still appear to be random 172.x.x.x.

Jeff
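A small triage script for the two things this thread points at: the Symantec guidance (outbound 8998/udp probes and NTP requests on 123/udp from infected hosts) and the spoofed-source ACL denials Jeff posted. This is an added example, not code from the list or from Symantec; it assumes the log is the Cisco IOS %SEC-6-IPACCESSLOGP format shown above with each record on one line (the archive wrapped them), that the ACL sits on the dorm side so the only real source range is 172.18.0.0/16, and that 203.0.113.7 is a placeholder for the worm's master server.

```python
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(  # Cisco IOS %SEC-6-IPACCESSLOGP record, assumed un-wrapped
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ \w+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
LOCAL_NET = ipaddress.ip_network("172.18.0.0/16")  # the dorm network named in the post
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOBIG_PROBE_PORT = 8998  # Symantec: Sobig.F probes its master server on 8998/udp
NTP_PORT = 123           # Symantec: Sobig.F fetches UTC time over NTP, 123/udp

def parse_line(line):
    """Parse one ACL log line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {k: int(v) if k in ("sport", "dport", "count") else v for k, v in m.groupdict().items()}

def classify(rec):
    """Return the Sobig.F-related tags that apply to one parsed record."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    tags = []
    if src not in LOCAL_NET:  # inside-facing ACL: a source outside 172.18/16 is spoofed
        tags.append("spoofed-source")
    if rec["proto"] == "udp" and not any(dst in n for n in RFC1918):  # external target
        if rec["dport"] == SOBIG_PROBE_PORT:
            tags.append("sobig-probe-8998")
        elif rec["dport"] == NTP_PORT:
            tags.append("outbound-ntp")
    return tags

def scan(log_text):
    """Tally tags over a log and list flagged flows as (src, dst, dport, tags)."""
    summary, findings = Counter(), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if tags := classify(rec):
            summary.update(tags)
            findings.append((rec["src"], rec["dst"], rec["dport"], tags))
    return dict(summary), findings

# Constructed sample: the first line is from Jeff's post, the other two are made up.
SAMPLE_LOG = """\
Sep 26 10:43:05.596 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.165.225.160(123) -> 207.46.130.100(123), 1 packet
Sep 26 11:07:40.020 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.18.5.10(123) -> 207.46.130.100(123), 1 packet
Sep 26 11:08:02.311 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.18.5.10(1066) -> 203.0.113.7(8998), 3 packets
"""
```

`scan(SAMPLE_LOG)` tags the first record as both spoofed and outbound NTP, the second as outbound NTP from a real dorm host, and the third as an 8998/udp probe; the hourly cadence Symantec mentions is something to check per real source over a longer window, since the spoofed sources here cannot be grouped.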

