Security Incidents mailing list archives

Re: Is this distributed SubSeven?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 7 Mar 2001 14:39:30 +1300

On Tue, 6 Mar 2001 19:02:26 -0600 (CST) Glenn Forbes Fleming Larratt
<glratt () io com> wrote:

> On Wed, 7 Mar 2001, Russell Fulton wrote:
>
> > Hmmm... are you in 24.0.0.0/8?  If so I would guess that what you are
>
>       No. We, like you,  are a /16 in Class B address space.

Hmmm.... then this is different. I'm not seeing anything like this
targeting 130.216/16 at the moment.  I am currently seeing a couple of
trojans in 24/8 scanning udp-137 but nothing else and certainly nothing
like what you are seeing.

What I have seen in the past is lots (dozens) of machines scanning us
for netbus. We had several incidents in two groups; each group lasted
about 10 days, and the groups were separated by several months. Each incident
consisted of several (up to 20) scans, each targeting a single /24. The
rate would peak suddenly and then die off over a day or so.

The scans themselves were odd in that they always started at address 11
and stepped upward towards 254.  Probes appeared to be standard tcp
connections with about 3 second time outs (3 syn sent to each address
then a pause then next address tried).  It took 20 minutes to scan a
whole /24 and most scans stopped after probing 10 or 20 addresses.

I went to quite a lot of trouble (including posting to Incidents list)
trying to find out what was going on.  I reported all scans to ISP
(most were in Asia, particularly Korea, but there was a sprinkling in
North America and Europe).  In particular I asked ISPs if they could
find out what caused the traffic - out of over 100 requests I received
only one reply but by the time the ISP had dealt with the incident
(about 10 days) the customer could not remember what they had been
doing at the time.  (I used AusCERT's automated response service to
send out the messages).

Another data point was that neighbouring class Bs were not targeted.

Since then I have heard of two other attacks of this nature directed
against two different networks (one in Australia and one in the US).  Both
had exactly the same signature, including the scans starting from 11 (I
assume this is a typo for 1).

My conclusion is that this is some form of trojan that targets specific
networks (or address ranges).  It is probably distributed via IRC or
ICQ and takes the form of a game.  People play with it for a while, and
while the program is active it scans a random /24 within its target
/16.  Presumably it also sends the results somewhere.

I.e. a distributed netbus scan.

I'd be interested to know if your data fits this pattern.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
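The scan signature described in the message above (each source walks one /24 starting at host .11, stepping upward, with about three SYNs to each address before moving on) is specific enough to match mechanically. The following Python is an added example, not code from the original post or from any of the people in this thread. It assumes a constructed connection-log format of the form "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp flags>", assumes the scans hit the NetBus default port tcp/12345, and uses thresholds (start host, minimum addresses probed, SYNs per address) that are my own choices rather than anything stated in the post. The sample traffic is constructed inline.

```python
"""Flag sequential NetBus (tcp/12345) scans that walk a /24 from host .11
upward with ~3 SYNs per address.  Added example; log format, port and
thresholds are assumptions, not facts from the original message."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NETBUS_PORT = 12345  # assumption: the scans target the NetBus default port

# Assumed (constructed) log line format:
#   <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp flags>
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def group_scans(lines, port=NETBUS_PORT):
    """Group SYNs to `port` by (source IP, destination /24) as (time, host) pairs."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port or "S" not in rec["flags"]:
            continue
        net, host = rec["dst"].rsplit(".", 1)
        groups[(rec["src"], net)].append((rec["ts"], int(host)))
    return groups


def summarize(events):
    """Describe one (source, /24) group: start host, ordering, SYNs per host, pacing."""
    events = sorted(events)
    hosts = []                      # distinct last octets in order of first probe
    syns = defaultdict(int)         # SYN count per host
    first_seen = {}                 # time of first SYN to each host
    for ts, h in events:
        if not hosts or hosts[-1] != h:
            hosts.append(h)
        syns[h] += 1
        first_seen.setdefault(h, ts)
    # "sequential" means each probed host is exactly one above the previous one
    sequential = all(b - a == 1 for a, b in zip(hosts, hosts[1:]))
    gaps = [(first_seen[b] - first_seen[a]).total_seconds()
            for a, b in zip(hosts, hosts[1:])]
    return {
        "first_host": hosts[0],
        "hosts_probed": len(hosts),
        "sequential": sequential,
        "mean_syns_per_host": sum(syns.values()) / len(hosts),
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
    }


def matches_signature(summary, start_host=11, min_hosts=5):
    """Thresholds are assumptions: starts at .11, strictly sequential, 2-4 SYNs/host."""
    return (summary["first_host"] == start_host
            and summary["sequential"]
            and summary["hosts_probed"] >= min_hosts
            and 2 <= summary["mean_syns_per_host"] <= 4)


def detect(lines):
    """Return the (source, /24) pairs whose traffic matches the scan signature."""
    return [key for key, ev in group_scans(lines).items()
            if matches_signature(summarize(ev))]


def build_sample_log():
    """Constructed traffic: one scanner matching the signature, one that does
    not (random host order, starts at .1), and an unrelated web connection."""
    base = datetime(2001, 3, 6, 19, 2, 26)
    lines = []

    def syns(src, net, hosts, t0):
        t = t0
        for h in hosts:
            for _ in range(3):          # three SYNs to each address, 1 s apart
                lines.append(f"{t.isoformat()} {src}:1034 -> {net}.{h}:{NETBUS_PORT} S")
                t += timedelta(seconds=1)
            t += timedelta(seconds=2)   # pause, then the next address

    syns("210.0.0.5", "130.216.5", range(11, 21), base)          # .11 upward
    syns("192.0.2.77", "130.216.9", [1, 37, 200, 4, 88], base)   # not sequential
    lines.append(f"{base.isoformat()} 198.51.100.9:4000 -> 130.216.1.8:80 S")
    return lines


if __name__ == "__main__":
    for key, ev in group_scans(build_sample_log()).items():
        print(key, summarize(ev), "MATCH" if matches_signature(summarize(ev)) else "")
```

Running it prints one summary per (source, /24) pair; only the 210.0.0.5 scan of 130.216.5/24 is flagged, because the second scanner starts at .1 and probes hosts out of order. On real data the start-host and SYN-count thresholds would need tuning against the actual retransmit behaviour of the scanning hosts.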

