Security Basics mailing list archives

RE: Traffic To dark address space


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 May 2007 16:04:35 -0700

  I've been observing something since at least January that might
relate to this, and I've got some speculation about the junk
malware that's probably behind it.

  Traffic consists of groups of (usually) three SYN packets to an
address, frequently noticed because it's unpopulated, and bizarre
destination port number.  What I notice is that I often see such
inbounds from 1-3 additional sources within 24 hours for the same
destination address *and port number*.

  My theory, then, is that there's some bit of "junk malware" out
there that is randomly generating targets for itself.  ONE of the
issues the author hasn't grasped is how PRNG (Pseudo-random Number 
Generator) algorithms work, so every time it generates destination
address X, the code consistently generates destination port number
Y, so every instance of infection that attempts to infect X does
so via port Y.  Of course the odds that Y will be a listening 
vulnerable port should be very very small, so this thing is spreading 
only VERY slowly.

David Gillett

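As an added example (not code from the thread or from any of its posters) of the correlation David describes: group dropped SYNs by destination address and port, and flag pairs that several distinct sources knock on within 24 hours. The log format, timestamps and addresses below are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall drop lines (not real traffic), in the form
# "<ISO timestamp> DROP <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2007-05-20T08:01:10 DROP 203.0.113.7 -> 192.0.2.40:45458
2007-05-20T08:01:11 DROP 203.0.113.7 -> 192.0.2.40:45458
2007-05-20T08:01:13 DROP 203.0.113.7 -> 192.0.2.40:45458
2007-05-20T13:42:00 DROP 198.51.100.9 -> 192.0.2.40:45458
2007-05-20T21:05:30 DROP 198.51.100.77 -> 192.0.2.40:45458
2007-05-21T02:15:00 DROP 203.0.113.7 -> 192.0.2.41:22081
2007-05-23T09:00:00 DROP 198.51.100.9 -> 192.0.2.41:22081
2007-05-20T10:00:00 DROP 203.0.113.50 -> 192.0.2.42:2814
"""


def parse_drops(text):
    """Yield (timestamp, src, dst, dport) for each well-formed DROP line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "DROP":
            continue  # skip anything that is not in the expected shape
        ts = datetime.fromisoformat(parts[0])
        dst, dport = parts[4].rsplit(":", 1)
        yield ts, parts[2], dst, int(dport)


def correlated_targets(text, window=timedelta(hours=24), min_sources=2):
    """Return {(dst, dport): sorted sources} for every destination
    address+port pair hit by at least min_sources distinct sources
    within `window` of one another."""
    seen = defaultdict(list)  # (dst, dport) -> [(ts, src), ...]
    for ts, src, dst, dport in parse_drops(text):
        seen[(dst, dport)].append((ts, src))
    hits = {}
    for key, events in seen.items():
        events.sort()  # chronological order for the sliding window
        for i, (t0, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                hits[key] = sorted(srcs)
                break
    return hits


if __name__ == "__main__":
    for (dst, dport), srcs in correlated_targets(SAMPLE_LOG).items():
        print(f"{dst}:{dport} hit by {len(srcs)} sources: {', '.join(srcs)}")
```

Only 192.0.2.40:45458 is reported: the two knocks on 192.0.2.41:22081 come from different sources but more than 24 hours apart, and 192.0.2.42:2814 has a single source.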

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Tuesday, May 22, 2007 10:20 PM
To: 'Ken Swain'; security-basics () securityfocus com
Subject: RE: Traffic To dark address space


I have seen an increase in drops on our perimeter too, at 
least 50% up from last month. The number of blocked addresses 
is higher than I have ever seen it. Ports are weird but 
whatever is doing it keeps knocking at the same door over and 
over again:
Different ports though:
45458 45459 45074
22081
2814 etc

I don't know if it is related or not. How do you define dark 
space? The way I've pictured it is IP ranges/addresses that 
either come and go at very short notice and/or when they have 
not been legitimately assigned.

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Ken Swain
Sent: Wednesday, May 23, 2007 6:49 AM
To: security-basics () securityfocus com
Subject: Traffic To dark address space

Group,

I am seeing tons of drops on my firewall and IPS correlated 
through my SIM to and from Dark Address space. Not all machines 
on my network are doing this, but enough are that it is 
becoming a massive amount to deal with.

I have done a Virus scan and patch check on the boxes and 
they all came up clean. All this traffic started within the 
past month and has steadily increased. The ports are 137, 
9100, 113, 67, 27604 and 27605. It appears to hit a block of 
dark address space and then move on to another only to come 
back later.

Any ideas?

--Ken

