Honeypots mailing list archives

Re: track worm virus on NT/W2K machines


From: Andrew.Patrick () kemperservices com
Date: Fri, 22 Aug 2003 10:27:02 -0500


Any good packet sniffer can do it.  tcpdump, windump, ethereal, etc....

I've had particularly good luck using the "NetworkActiv" program from
www.NetworkActiV.com over the past few days.  You can very easily set up
filters on packet type, size, content, whatever you want....

For Blaster, look for tcp packets exactly 48 bytes in size and directed at
dest port 135
For Welchia/Nachi, look for icmp echo requests exactly 92 bytes in size

You might get a few false positives, but you will know these worms when you
see them.  Every infected host spews 20+ packets per second on a LAN.

Andy Patrick, GCIA, CCNA
Sr. Info. Security Analyst
x3621

Valdis.Kletnieks () vt edu on 08/22/2003 08:43 AM

To:      Mohd Adam Baharun <adamxx7 () streamyx com>
cc:      honeypots () securityfocus com
From:    Valdis.Kletnieks () vt edu
Date:    08/22/2003 08:43 AM
Subject: Re: track worm virus on NT/W2K machines

On Thu, 01 Jan 1998 00:12:12 +0800, Mohd Adam Baharun
<adamxx7 () streamyx com>  said:

I would like some suggestion on what software to use / be good if it's free,
so that I can install on one of my NT or W2K servers to track down worms
like the current WELCHIA, BLASTER and DUMARU. My organization networks are
currently badly hit by these worms. Please help.

For Welchia/Nachi, all you need to do is look for ICMP PING traffic.  Even
'tcpdump -i ethX icmp' should be enough to get you started.

Blaster you'll probably need Snort or similar, because you can't just look
for port 135 traffic, you need a more detailed signature.

I *think* both tcpdump and Snort are available for Windows platforms, but I
would suggest that you get yourself a *NON* Windows box for this sort of
thing, for a *VERY* good reason:

If you're trying to examine an unknown meltdown that's affecting Windows
boxes, the *LAST* thing you want is to hook up a Windows-based monitor and
have it get compromised as well, probably before you know it.....

Software diversity is a Good Thing.
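Added example, not code from either poster: the two size-based filters given in the reply (48-byte TCP to destination port 135 for Blaster, 92-byte ICMP echo requests for Welchia/Nachi) combined with the "20+ packets per second" rule, run over a constructed packet list. The record layout, the host addresses and the assumption that "length" is whatever size field the sniffer reports are all mine, not the list's.

```python
"""Flag LAN hosts whose traffic matches the Blaster / Welchia packet
patterns from the reply above, then apply the 20+ packets-per-second
rule to weed out false positives.  Packet records are constructed here;
in practice they would be exported from the sniffer."""
from collections import defaultdict

# Assumed record layout: (time_s, src_ip, proto, dst_port, length, icmp_type).
# "length" is taken to be whatever size field the sniffer filter was set on.
def blaster_like(pkt):
    _, _, proto, dport, length, _ = pkt
    return proto == "tcp" and dport == 135 and length == 48

def welchia_like(pkt):
    _, _, proto, _, length, itype = pkt
    return proto == "icmp" and itype == 8 and length == 92   # echo request

SIGNATURES = {"blaster": blaster_like, "welchia": welchia_like}

def suspect_hosts(packets, min_rate=20.0):
    """Return {src_ip: {worm: packets_per_second}} for hosts emitting
    signature-matching packets at or above min_rate per second."""
    hits = defaultdict(list)                      # (src, worm) -> timestamps
    for pkt in packets:
        for worm, match in SIGNATURES.items():
            if match(pkt):
                hits[(pkt[1], worm)].append(pkt[0])
    result = defaultdict(dict)
    for (src, worm), times in hits.items():
        span = max(max(times) - min(times), 1.0)  # rate over at least 1 s
        rate = len(times) / span
        if rate >= min_rate:
            result[src][worm] = rate
    return dict(result)

def constructed_capture():
    """Synthetic capture: two noisy infected hosts, one host sending a few
    innocent 92-byte pings (a false positive by size alone), and web traffic."""
    pkts = [(i * 0.04, "10.0.0.5", "tcp", 135, 48, None) for i in range(25)]
    pkts += [(i * 0.03, "10.0.0.7", "icmp", None, 92, 8) for i in range(30)]
    pkts += [(t, "10.0.0.9", "icmp", None, 92, 8) for t in (0.0, 5.0, 10.0)]
    pkts += [(i * 0.5, "10.0.0.9", "tcp", 80, 1500, None) for i in range(10)]
    return pkts

if __name__ == "__main__":
    for host, worms in sorted(suspect_hosts(constructed_capture()).items()):
        print(host, worms)
```

Lowering min_rate shows why the rate rule matters: the three slow pings from 10.0.0.9 match the Welchia size filter but only reach 0.3 packets per second.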
