Security Incidents mailing list archives

Re: new scanner tool or blind luck?


From: Ken Armstrong <ken.armstrong3 () SYMPATICO CA>
Date: Wed, 13 Sep 2000 19:44:52 -0400

Hi,

I have seen exactly the same on a residential ADSL link.  This activity
has started in early September and is still continuing.  There has been
some recent discussion on some of the lists concerning a Trojan that was
discovered in August.  This Trojan infects notepad.exe and then
sequentially tries to use NetBIOS to connect to other systems in the local
network.  I am wondering if this is what we are seeing?

Ken

On Wed, 13 Sep 2000, T. Esting wrote:

  Lately, we've been tracking some unusual NetBIOS scans that have caught
our attention and are interesting enough that we thought we'd share with the
group.  Around the last week of August, we started seeing scans exhibiting
the following signature behavior:

Sep 09 09:38:09 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:09 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:24 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:24 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:39 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:39 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:44 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2894 DSTIP our.sub.net.6 DSTPRT 139 PROT TCP
Sep 09 09:38:44 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:44 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2894 DSTIP our.sub.net.6 DSTPRT 139 PROT TCP
Sep 09 09:38:49 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2895 DSTIP our.sub.net.7 DSTPRT 139 PROT TCP
Sep 09 09:38:49 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:54 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2894 DSTIP our.sub.net.6 DSTPRT 139 PROT TCP
Sep 09 09:38:54 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2895 DSTIP our.sub.net.7 DSTPRT 139 PROT TCP
Sep 09 09:38:54 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2896 DSTIP our.sub.net.8 DSTPRT 139 PROT TCP
Sep 09 09:38:59 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2895 DSTIP our.sub.net.7
[... continuing upwards through our.sub.net.254]

Although it seemed like just another NetBIOS scan at first, the curious way
the destination IPs incremented caught our eye, especially after the
attack(s) continued, at the rate of two or three scans a day.  We also noted
that the traffic was always sourced from different IPs but also always from
the same class B.  Furthermore, other.subnet and our.sub above are both in
the same class B (other.subnet=our.sub).  Within a few days, we also started
seeing the scan from the neighboring class B (other.subnet+1).  This
continued for weeks.  Then, we started seeing the same signature on a
different Internet-connected subnet of ours:

Sep 12 19:02:09 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3805 DSTIP our.other.net.1 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3805 DSTIP our.other.net.1 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:19 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:24 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:24 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3805 DSTIP our.other.net.1 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:34 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:34 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:34 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:39 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:02:39 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:44 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:44 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:02:54 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:02:54 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:59 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:02:59 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3813 DSTIP our.other.net.9 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3813 DSTIP our.other.net.9 DSTPRT 139 PROT TCP
Sep 12 19:03:09 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3814 DSTIP our.other.net.10 DSTPRT 139 PROT TCP
Sep 12 19:03:09 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:03:09 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3813 DSTIP our.other.net.9 DSTPRT 139 PROT TCP
Sep 12 19:03:14 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3814 DSTIP our.other.net.10 DSTPRT 139 PROT TCP
Sep 12 19:03:19 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3815 DSTIP our.other.net.11 DSTPRT 139 PROT TCP
Sep 12 19:03:19 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:03:19 [ids-host]  SRCIP some.subnet.23.203 SRCPRT 3814 DSTIP our.other.net.10
[... continuing upwards through our.sub.net.254]

Again, some.subnet and our.other turned out to be in neighboring class B
allocations (some.subnet = our.other+1).

  So.... has anyone else encountered this signature?  Nonetheless, does
anyone have any inkling whether this is a worm or trojan of some sort that
is scanning "nearby" subnets for NT hosts to potentially attack?  As
concerted as the scans have been, it almost seems unlikely that this is one
individual - how many times do you have to scan the same network before
you're convinced that nothing will answer?

  Thanks!

P.S.  The source port to destination IP mapping seems constant, so the
increment pattern for destination IPs may be a manifestation of the way the
socket code is written for this particular tool in conjunction with the way
concurrent connections overlap.



--
Ken Armstrong           ken.armstrong3 () sympatico ca

Unix is user friendly - It is just particular about
who it chooses to make friends with.
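As an added illustration, not part of the original post or of either message in this thread: a small Python script that parses IDS lines in the field layout quoted above and scores each source hitting TCP/139 for the traits the thread describes, namely one ephemeral source port per destination that is reused on every retry (the P.S.), destination last octets climbing in order, several attempts per target, and a source sitting in the same or the neighbouring /16 (the "class B" of the post). The addresses, timestamps and log lines in SAMPLE_LOG are constructed for the example, as are the thresholds in profile_sweeps; only the field names come from the quoted lines.

```python
"""Score TCP/139 scanners for the sweep signature discussed in the thread.
Added example, not the poster's code; SAMPLE_LOG is constructed (RFC 1918 space)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Field layout of the quoted lines: "Mon DD HH:MM:SS [host]  SRCIP a SRCPRT p DSTIP b DSTPRT q PROT TCP"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+\s+"
    r"SRCIP (?P<src>[\d.]+) SRCPRT (?P<sport>\d+) "
    r"DSTIP (?P<dst>[\d.]+) DSTPRT (?P<dport>\d+) PROT (?P<proto>\w+)"
)

# Constructed sample: 10.20.61.30 sweeps its own /16 the way the quoted scan does,
# 10.21.23.203 sweeps the neighbouring /16, 172.16.9.9 is a remote scanner hitting
# hosts in random order with a fresh port each time, and the port-80 line is noise.
SAMPLE_LOG = """\
Sep 09 09:38:09 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2889 DSTIP 10.20.5.1 DSTPRT 139 PROT TCP
Sep 09 09:38:09 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2889 DSTIP 10.20.5.1 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2890 DSTIP 10.20.5.2 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2889 DSTIP 10.20.5.1 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2890 DSTIP 10.20.5.2 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2891 DSTIP 10.20.5.3 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host]   SRCIP 10.20.61.30 SRCPRT 2892 DSTIP 10.20.5.4 DSTPRT 139 PROT TCP
Sep 12 19:02:09 [ids-host]  SRCIP 10.21.23.203 SRCPRT 3805 DSTIP 10.20.7.1 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host]  SRCIP 10.21.23.203 SRCPRT 3806 DSTIP 10.20.7.2 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host]  SRCIP 10.21.23.203 SRCPRT 3805 DSTIP 10.20.7.1 DSTPRT 139 PROT TCP
Sep 12 19:02:19 [ids-host]  SRCIP 10.21.23.203 SRCPRT 3807 DSTIP 10.20.7.3 DSTPRT 139 PROT TCP
Sep 12 20:00:00 [ids-host]  SRCIP 172.16.9.9 SRCPRT 41000 DSTIP 10.20.5.9 DSTPRT 139 PROT TCP
Sep 12 20:00:01 [ids-host]  SRCIP 172.16.9.9 SRCPRT 41001 DSTIP 10.20.5.2 DSTPRT 139 PROT TCP
Sep 12 20:00:02 [ids-host]  SRCIP 172.16.9.9 SRCPRT 41002 DSTIP 10.20.5.7 DSTPRT 139 PROT TCP
Sep 12 20:01:00 [ids-host]  SRCIP 10.99.1.1 SRCPRT 5000 DSTIP 10.20.5.1 DSTPRT 80 PROT TCP
"""


def parse(text, year=2000):
    """Return (ts, src, sport, dst, dport, proto) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return events


def neighbourhood(src, dst):
    """'same', 'adjacent' or 'remote': is the scanner in the target's /16 (class B) or the next one?"""
    s = int(ipaddress.ip_address(src)) >> 16
    d = int(ipaddress.ip_address(dst)) >> 16
    return "same" if s == d else "adjacent" if abs(s - d) == 1 else "remote"


def profile_sweeps(events, port=139, min_targets=3):
    """For each source with >= min_targets distinct TCP/port targets, measure the signature traits."""
    by_src = defaultdict(list)
    for ev in events:
        if ev[5] == "TCP" and ev[4] == port:
            by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        port_to_dst = defaultdict(set)   # ephemeral source port -> targets it was used against
        attempts = defaultdict(int)      # target -> SYNs seen
        first_seen = {}                  # target -> first timestamp
        for ts, _, sport, dst, _, _ in evs:
            port_to_dst[sport].add(dst)
            attempts[dst] += 1
            first_seen.setdefault(dst, ts)
        if len(first_seen) < min_targets:
            continue
        # Trait 1 (the P.S.): one source port per destination, reused on each retry.
        port_reuse = sum(len(d) == 1 for d in port_to_dst.values()) / len(port_to_dst)
        # Trait 2: targets first contacted in ascending last-octet order (.1, .2, .3 ...).
        order = [int(d.rsplit(".", 1)[1]) for d in sorted(first_seen, key=first_seen.get)]
        sequential = all(a < b for a, b in zip(order, order[1:]))
        # Trait 3: repeated SYNs per target, i.e. retries of connects nobody answered.
        per_target = sum(attempts.values()) / len(attempts)
        # Trait 4: scanner lives in the same or the neighbouring /16 as its targets.
        where = neighbourhood(src, evs[0][3])
        report[src] = {
            "targets": len(first_seen),
            "port_reuse": round(port_reuse, 2),
            "sequential": sequential,
            "attempts_per_target": round(per_target, 2),
            "neighbourhood": where,
            # Threshold 0.9 rather than 1.0 is an assumption; see the note below.
            "matches_signature": port_reuse >= 0.9 and sequential and where != "remote",
        }
    return report


if __name__ == "__main__":
    for src, traits in profile_sweeps(parse(SAMPLE_LOG)).items():
        print(src, traits)
```

The port-to-destination mapping is scored as a ratio rather than required to be exact because the second quoted sample already shows one exception: source port 3808 appears against both our.other.net.4 and our.other.net.5, and 3810 and 3812 against .5 as well. A scanner that picks a fresh port for every probe and walks hosts in random order (the 172.16.9.9 entry in the constructed sample) still gets a perfect port_reuse score but fails the sequential test, which is why the two traits are checked together.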