RE: RE: Worm attack on our network this morning -- anyone else see this?

["David Gillett" <gillettdavid () fhda edu>]

  What I've got so far is that the 7654 IRC connection is
typical of the "SDBot" family of malware.

  The number of infections has stabilized -- only one new
infected machine in the last three hours.  That strongly
suggests that machines with up to date patches and/or 
antivirus and/or non-blank passwords are probably immune,
which argues against the 0day hypothesis.

Dave


> -----Original Message-----
> From: Olivier Meyer [mailto:roguefugu () gmail com] 
> Sent: Wednesday, December 13, 2006 2:40 PM
> To: gillettdavid () fhda edu
> Subject: Re: RE: Worm attack on our network this morning -- 
> anyone else see this?
>
> Did you identify the backdoor used?
>
>
> On 12/13/06, David Gillett <gillettdavid () fhda edu> wrote:
> >    I neglected to mention that the "phone home" 
> destinations are all 
> > in the 86.x.x.x range.
> >
> > Dave
> >
> >
> > > -----Original Message-----
> > > From: David Gillett [mailto:gillettdavid () fhda edu]
> > > Sent: Wednesday, December 13, 2006 1:05 PM
> > > To: 'incidents () securityfocus com'
> > > Subject: Worm attack on our network this morning -- 
> anyone else see 
> > > this?
> > >
> > >   Late Monday afternoon, I noticed that a machine was scanning 
> > > random addresses across both campuses using port 135 (DCE). I 
> > > blocked the port and tracked the machine to the support 
> area, where 
> > > one of the techs was reformatting a laptop.
> > >   Late Tuesday afternoon, I noticed similar traffic from another 
> > > machine, and blocked that port.
> > >
> > >   This morning, that second machine showed up somewhere else on 
> > > campus, and similar traffic was flooding from 22 additional 
> > > machines, 19 at the big campus and 3 at the other
> > > -- most appear to also be laptops.
> > >
> > >   In addition to spreading via port 135, I've also seen:
> > >
> > > 1. At least one machine eventually started similar 
> scanning on port 
> > > 445 (CIFS).
> > >
> > > 2. These machines all try to "phone home" to port 7654 of 
> a remote 
> > > machine. I've got that blocked now, but one succeeded and 
> appeared 
> > > to be talking IRC over that port, reporting a "successful file 
> > > download" to/from an additional machine which (so far) doesn't 
> > > appear to have been trying to spread the infection further.
> > >
> > >   I've got the "phone home" traffic blocked, and the 
> known infected 
> > > machines null-routed at the gateway, which *should* make it just 
> > > about impossible for them to infect outside their own VLANs.
> > >
> > >   The targets are all PCs, and most seem to be laptops.  I'm 
> > > thinking about this week's MS Office 0days, and maybe 
> about recent 
> > > wireless driver vulnerabilities, but this *could* be 
> something older 
> > > that walked in on a visiting laptop....
> > >
> > > David Gillett
> ----------------------------------------------------------------------
> > --------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA, July 
> 29-August 3 in Las Vegas.
> > World renowned security experts reveal tomorrow's threats 
> today. Free 
> > of vendor pitches, the Briefings are designed to be pragmatic 
> > regardless of your security environment. Featuring 36 hands-on 
> > training courses and 10 conference tracks, networking 
> opportunities with over 2,500 delegates from 40+ nations.
> > http://www.blackhat.com
> ----------------------------------------------------------------------
> > --------
>
>
> --
> The information in this electronic mail (including attachments, if
> any) is privileged and confidential and is intended only for the
> recipient(s) listed above. Any review, use, disclosure, 
> distribution or copying of this electronic mail is prohibited 
> except by or on behalf of the intended recipient. If you have 
> received this electronic mail in error, please notify me 
> immediately by reply email and destroy all copies of this 
> electronic mail. Thank you.


------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------