Snort mailing list archives
RE: Strange ICMP traffic. Perhaps a worm?
From: Jack McCarthy <snort () jackmccarthy com>
Date: Mon, 15 Dec 2003 08:49:09 -0800 (PST)
Here are some resources for you if it is in fact Welchia/Nachi/etc...

Virus Info

Symantec's name for the virus: W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

McAfee's name for the virus: W32/Nachi.worm
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559

Symantec's Virus Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Microsoft's Patch
MS03-039 - Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
This patch (MS03-039) supersedes MS03-026.

Microsoft's KB 824146 Scanning Tool
How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

How to Install Multiple Windows Updates or Hotfixes with Only One Reboot - 296861
http://support.microsoft.com/default.aspx?scid=KB;EN-US;296861&sd=tech

Good luck,
-Jack

--- CGhercoias () TWEC COM wrote:
This could be Welchia Virus or MSBLASTER. I would filter 69/UDP, 135/TCP, 137/UDP, 138/UDP and 445/TCP and UDP at border firewalls/routers and disable these rules there but enable them on the inside snort sensor to catch any malicious activity on the spot.

Here is the rule from snort to trigger on WELCHIA worm.

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000029; rev: 3; msg: "WELCHIA Virus scanning"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; depth: 32; itype: 8; reference: arachnids,154; classtype: misc-activity;)

and the signatures for MSBLASTER:

# depth must be at least the length of the content (13 bytes, TFTP RRQ for "msblast.exe"); the originally posted depth: 2 could never match
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( sid: 1000024; rev: 4; msg: "W32/MSBLAST Worm over TFTP"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

alert udp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000025; rev: 5; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000027; rev: 1; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000028; rev: 1; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

Thank you,
___________________________
Catalin Ghercoias
WEB/Network Security Administrator
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768
website: http://www.fye.com

-----Original Message-----
From: Harry M [mailto:harrym () the-group org]
Sent: Thursday, December 11, 2003 6:01 PM
To: snort-users
Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?

I'm getting lots of ICMP traffic that looks pretty odd to me. They are all ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................

What makes me think this is a worm is that all the traffic is coming from other customers of my ISP (NTL), and the source ip addresses increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set of machines infected by a worm that increments the subnet (2nd octet) it targets. Although this doesn't really tally with the apparent lack of any bytecode in the payload, I figured it could be an exploratory probe or somesuch.

The rule it's triggering is ICMP PING CyberKit 2.2 Windows (http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly unlikely that this is the actual cause, because of the number of different source addresses (>100). Does anyone have any other ideas? Whatever it is, it's very strange.
The thought does occur that my ISP could be doing something sneaky, to which I'd almost certainly object :)

I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting it ever since.

Arta

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
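As an added example (not code from the thread or from Snort itself), the following models how Snort's content/offset/depth matching applies to the 0xAA echo payloads Harry describes, and why the MSBLAST rules need a depth of at least 13 bytes to fire; all packet records and source addresses are constructed.

```python
from typing import Optional

def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Model of Snort's content/offset/depth: look for `content` starting at
    `offset`, examining at most `depth` bytes. A depth shorter than the content
    can never match (Snort 2 rejects such a rule at load time)."""
    if depth is not None and depth < len(content):
        return False
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window

# Patterns copied from the rules quoted in the thread.
WELCHIA_ICMP = bytes.fromhex("aa" * 16)      # 16 x 0xAA, searched within depth 32
MSBLAST_TFTP = bytes.fromhex("00 01 6D 73 62 6C 61 73 74 2E 65 78 65")  # TFTP RRQ "msblast.exe"

# Constructed records: (source, protocol, icmp type, payload). Four neighbouring
# sources send 64 x 0xAA echo requests like the dump above; one is an ordinary
# ping; one is a TFTP read request for msblast.exe on UDP/69.
SAMPLE = [
    ("80.4.1.10", "icmp", 8, b"\xaa" * 64),
    ("80.5.1.10", "icmp", 8, b"\xaa" * 64),
    ("80.6.1.10", "icmp", 8, b"\xaa" * 64),
    ("80.7.1.10", "icmp", 8, b"\xaa" * 64),
    ("80.7.1.11", "icmp", 8, bytes(range(8, 72))),
    ("80.9.1.12", "udp69", None, MSBLAST_TFTP + b"\x00octet\x00"),
]

def welchia_sources(records):
    """Distinct sources whose echo requests satisfy the WELCHIA rule."""
    return sorted({src for src, proto, itype, pl in records
                   if proto == "icmp" and itype == 8
                   and content_match(pl, WELCHIA_ICMP, 0, 32)})

def msblast_hits(records, depth):
    """Sources matching the MSBLAST TFTP rule under a given depth."""
    return [src for src, proto, _, pl in records
            if proto == "udp69" and content_match(pl, MSBLAST_TFTP, 0, depth)]

def looks_like_worm_scan(sources, threshold=3):
    """The same payload from many distinct sources is the pattern Harry saw."""
    return len(sources) >= threshold

if __name__ == "__main__":
    hits = welchia_sources(SAMPLE)
    print("WELCHIA-style sources:", hits, "scan-like:", looks_like_worm_scan(hits))
    print("MSBLAST rule as posted (depth 2):", msblast_hits(SAMPLE, 2))
    print("MSBLAST rule with depth 13:", msblast_hits(SAMPLE, 13))
```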
Current thread:
- Strange ICMP traffic. Perhaps a worm? Harry M (Dec 15)
- Re: Strange ICMP traffic. Perhaps a worm? Shane Smith (Dec 15)
- <Possible follow-ups>
- RE: Strange ICMP traffic. Perhaps a worm? adam.w.hogan (Dec 15)
- Re: Strange ICMP traffic. Perhaps a worm? Jim Brown (Dec 16)
- RE: Strange ICMP traffic. Perhaps a worm? CGhercoias (Dec 15)
- RE: Strange ICMP traffic. Perhaps a worm? Jack McCarthy (Dec 15)