Security Incidents mailing list archives
RE: RE: Worm attack on our network this morning -- anyone else see this?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 13 Dec 2006 14:56:31 -0800
What I've got so far is that the 7654 IRC connection is typical of the "SDBot" family of malware. The number of infections has stabilized -- only one new infected machine in the last three hours. That strongly suggests that machines with up to date patches and/or antivirus and/or non-blank passwords are probably immune, which argues against the 0day hypothesis. Dave
-----Original Message----- From: Olivier Meyer [mailto:roguefugu () gmail com] Sent: Wednesday, December 13, 2006 2:40 PM To: gillettdavid () fhda edu Subject: Re: RE: Worm attack on our network this morning -- anyone else see this? Did you identify the backdoor used? On 12/13/06, David Gillett <gillettdavid () fhda edu> wrote:I neglected to mention that the "phone home"destinations are allin the 86.x.x.x range. Dave-----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Wednesday, December 13, 2006 1:05 PM To: 'incidents () securityfocus com' Subject: Worm attack on our network this morning --anyone else seethis? Late Monday afternoon, I noticed that a machine was scanning random addresses across both campuses using port 135 (DCE). I blocked the port and tracked the machine to the supportarea, whereone of the techs was reformatting a laptop. Late Tuesday afternoon, I noticed similar traffic from another machine, and blocked that port. This morning, that second machine showed up somewhere else on campus, and similar traffic was flooding from 22 additional machines, 19 at the big campus and 3 at the other -- most appear to also be laptops. In addition to spreading via port 135, I've also seen: 1. At least one machine eventually started similarscanning on port445 (CIFS). 2. These machines all try to "phone home" to port 7654 ofa remotemachine. I've got that blocked now, but one succeeded andappearedto be talking IRC over that port, reporting a "successful file download" to/from an additional machine which (so far) doesn't appear to have been trying to spread the infection further. I've got the "phone home" traffic blocked, and theknown infectedmachines null-routed at the gateway, which *should* make it just about impossible for them to infect outside their own VLANs. The targets are all PCs, and most seem to be laptops. I'm thinking about this week's MS Office 0days, and maybeabout recentwireless driver vulnerabilities, but this *could* besomething olderthat walked in on a visiting laptop.... David Gillett------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July29-August 3 in Las Vegas.World renowned security experts reveal tomorrow's threatstoday. Freeof vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networkingopportunities with over 2,500 delegates from 40+ nations.http://www.blackhat.com-------------------------------------------------------------------------------- The information in this electronic mail (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above. Any review, use, disclosure, distribution or copying of this electronic mail is prohibited except by or on behalf of the intended recipient. If you have received this electronic mail in error, please notify me immediately by reply email and destroy all copies of this electronic mail. Thank you.
------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- RE: Worm attack on our network this morning -- anyone else see this? David Gillett (Dec 13)
- <Possible follow-ups>
- RE: RE: Worm attack on our network this morning -- anyone else see this? David Gillett (Dec 13)
- Re: RE: Worm attack on our network this morning -- anyone else see this? Jamie Riden (Dec 15)