Full Disclosure mailing list archives
Re: More info on blocking the Bagle worm
From: Anders Henke <anders () schlund de>
Date: Fri, 23 Jan 2004 12:44:11 +0100
On Jan 20th 2004, Anders Henke wrote:
A few notes on the impact of Beagle from an ISP's point of view - our company is hosting 10 out of the 35 sites listed at http://vil.nai.com/vil/content/v_100965.htm (we're hosting 3.5M domains, and our largest competitor also hosts 9 Beagle sites, so don't wonder about or misinterpret the "high" percentage).
A few more current pieces of information:

- The first mass of Beagle requests against sites hosted here started on Sunday 18th around 12:35 (AM) local time from a couple of DSL lines in Germany and Belgium, followed a few seconds later by other dialup IPs from Canada, the USA and Eastern Europe.

- A few stats for the last few days for HTTP requests on /1.php using the user agent "beagle_beagle", summarized from 8 out of the 10 Beagle-attacked sites hosted here; the remaining two sites are hosted on either customer-operated or non-Unix boxes, so gathering statistics for them is not too easily automatable for me:

  Sun 18/Jan/2004:   4426 different IPs,   312079 hits
  Mon 19/Jan/2004: 151599 different IPs, 15282351 hits
  Tue 20/Jan/2004: 249976 different IPs, 25252216 hits
  Wed 21/Jan/2004: 271682 different IPs, 30467877 hits
  Thu 22/Jan/2004: 265435 different IPs, 30017118 hits

- The hit rate varies by the time of day of the affected IPs; as most IPs are located in Europe (as we are), the hit rate follows the same graphs you usually see e.g. in access or bandwidth usage.
From a non-representative glance at a few hundred IPs, almost all infected hosts are dropping or rejecting incoming traffic to port 6777. The symptoms of this are the same ones experienced with

- personal as well as professional firewalls (dropping traffic, rejecting with TCP reset or ICMP prohibited),
- Cisco routers using ACLs ("no route to host" symptom for certain TCP, but not e.g. ICMP traffic),
- a few requests are also made via (transparent?) proxies and contain X-Forwarded-For HTTP headers; many also seem to be located behind NAT gateways.

Only about 2% of tested hosts are really accessible on port 6777.

My interpretation of those numbers is that on the one hand, most users today seem to be protected at some level from network attacks (or their ISPs have implemented access rules against such abuse in time), and the slowly decreasing number for Thursday's hits gives the impression that people are keeping their virus scanners quite current. On the other hand, the strong spread within the first 48 hours makes one ask why such "security-aware" users still manually click on executables attached to a stranger's "Test" mail without thinking. Given the strong spread of mass-mailer viruses, trojan horses and worms during the last few years, people should know better; maybe those people believe they are protected from "evil packets" by firewalls and virus scanners ...

Regards,
Anders
--
Schlund + Partner AG Security
Brauerstrasse 48          v://49.721.91374.50
D-76135 Karlsruhe         f://49.721.91374.225

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
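The per-day statistics above (distinct IPs and hits for requests to /1.php with the user agent "beagle_beagle") can be reproduced from ordinary web server logs. The following is an added example, not code from the post or from Schlund + Partner; it assumes the server writes the standard Apache "combined" log format and that the worm's probes are recognisable by request path and User-Agent exactly as the post describes. The log lines embedded in it are constructed sample data using RFC 5737 documentation addresses.

```python
"""Per-day counts of Beagle-style HTTP probes in an Apache combined log.

Added example (not from the original post). Assumption: the access log is
in Apache "combined" format and the worm's requests are identified by the
request path /1.php and the User-Agent "beagle_beagle".
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format (assumption: that is the format in use).
# "day" keeps only the dd/Mon/yyyy part of the timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic. Includes a non-probe request,
# a probe with a query string, a curl request to the probe path (wrong UA)
# and one malformed line to show they are handled.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jan/2004:12:35:01 +0100] "GET /1.php HTTP/1.1" 404 210 "-" "beagle_beagle"
192.0.2.10 - - [18/Jan/2004:12:35:05 +0100] "GET /1.php HTTP/1.1" 404 210 "-" "beagle_beagle"
192.0.2.11 - - [18/Jan/2004:12:36:00 +0100] "GET /1.php HTTP/1.1" 404 210 "-" "beagle_beagle"
198.51.100.7 - - [18/Jan/2004:12:37:00 +0100] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2004:08:00:00 +0100] "GET /1.php HTTP/1.1" 404 210 "-" "beagle_beagle"
192.0.2.11 - - [19/Jan/2004:08:00:02 +0100] "GET /1.php?x=1 HTTP/1.1" 404 210 "-" "beagle_beagle"
203.0.113.5 - - [19/Jan/2004:08:01:00 +0100] "GET /1.php HTTP/1.1" 404 210 "-" "curl/7.10"
this line is not a log entry
"""


def summarize_probes(lines, path="/1.php", user_agent="beagle_beagle"):
    """Return {day: {"hits": n, "distinct_ips": m}} for requests matching
    both the probe path (query string ignored) and the User-Agent, in
    chronological order. Lines that do not parse are skipped, not counted."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # malformed or truncated line
        request_path = m.group("target").split("?", 1)[0]
        if request_path != path or m.group("ua") != user_agent:
            continue
        day = m.group("day")
        hits[day] += 1
        ips[day].add(m.group("ip"))
    ordered = sorted(hits, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    return {d: {"hits": hits[d], "distinct_ips": len(ips[d])} for d in ordered}


def format_report(summary):
    """Render the summary in the same shape as the stats quoted in the post."""
    return "\n".join(
        f"{day}: {v['distinct_ips']} different IPs, {v['hits']} hits"
        for day, v in summary.items()
    )


if __name__ == "__main__":
    # With a real log: summarize_probes(open("/var/log/apache2/access.log"))
    print(format_report(summarize_probes(SAMPLE_LOG.splitlines())))
```

Matching on the path with the query string stripped avoids missing probes that append parameters, while requiring the exact User-Agent keeps ordinary clients (or an administrator's own curl test) out of the count; unparseable lines are dropped rather than aborting the run, which matters when a log rotated mid-write.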
Current thread:
- More info on blocking the Bagle worm Gadi Evron (Jan 18)
- <Possible follow-ups>
- Re: More info on blocking the Bagle worm James Gray (Jan 19)
- Re: More info on blocking the Bagle worm Anders Henke (Jan 20)
- Re: More info on blocking the Bagle worm Anders Henke (Jan 23)