Re: Worm on 445/tcp?

["james" <jamesh () cybermesa com>]

Somewhat decompiled source here:
http://www.unixwiz.net/iraqworm/iraqworm.cpp

This looks ripe for a content matching rule:

static const char *PasswordTable[] = {
        NullPassword,
        "admin",
        "root",
        "111",
        "123",
        "1234",
        "123456",
        "654321",
        "1",
        "!@#$",
        "asdf",
        "asdfgh",
        "!@#$%",
        "!@#$%^",
        "!@#$%^&",
        "!@#$%^&*",
        "server",


----- Original Message -----
From: "Joe Blatz" <sd_wireless () yahoo com>
To: "Scott A.McIntyre" <scott () xs4all net>;
<incidents () securityfocus com>
Sent: Tuesday, December 17, 2002 12:50 PM
Subject: Re: Worm on 445/tcp?


> Anyone have packet captures or Snort rules?
>
> --- "Scott A.McIntyre" <scott () xs4all net> wrote:
> > Over the past two weeks or so I've been noticing a
> > steady rise in what
> > appears to be worm related traffic to the new
> > unified smb over tcp port
> > (445) on Microsoft Win2k and newer operating
> > systems.
> >
> > I haven't yet been able to properly identify what
> > the culprit is; at
> > first I thought a variation of OpaServ, and that
> > hasn't been fully
> > ruled out, but I'm not quite convinced of that
> > either.  Anyone have any
> > clues that might help pin this down further?
> >
> > An infected machine seems to send the following:
> >
> > 1095 114.002629 src -> dst  SMB Negotiate Protocol
> > Request
> > 1105 114.363458 src -> dst  SMB Session Setup AndX
> > Request
> > 1106 114.774364 src -> dst  SMB Session Setup AndX
> > Request
> > 1107 115.168792 src -> dst  SMB Tree Connect AndX
> > Request,Path:
> > \\dst\IPC$
> > 1110 115.330792 src -> dst  SMB NT Create AndX
> > Request, Path: \samr
> > 1112 115.652261 src -> dst  DCERPC Bind: call_id: 1
> > UUID: SAMR
> > 1136 117.759036 src -> dst  SAMR Connect4 request
> > 1137 118.299350 src -> dst  SMB Close Request, FID:
> > 0x4000
> > 1142 119.004483 src -> dst  SMB Logoff AndX Request
> > 1150 119.375665 src -> dst  SMB Tree Disconnect
> > Request
> >
> > And another:
> >
> > 7.933416 src -> dst SMB Negotiate Protocol Request
> > 10.958481 src -> dst SMB Session Setup AndX Request
> > 13.654558 src -> dst SMB Tree Connect AndX Request,
> > Path: \\dst\IPC$
> > 13.926353 src -> dst SMB NT Create AndX Request,
> > Path: \samr
> > 15.231252 src -> dst DCERPC Bind: call_id: 1 UUID:
> > SAMR
> > 17.149345 src -> dst SAMR Connect4 request
> > 20.405997 src -> dst SAMR EnumDomains request
> > 23.579240 src -> dst SAMR LookupDomain request
> > 25.341903 src -> dst SAMR OpenDomain request
> > 25.891947 src -> dst SAMR EnumDomainUsers request
> > 26.597393 src -> dst SAMR Close request
> > 29.615040 src -> dst SMB Close Request, FID: 0x4000
> > 30.048894 src -> dst SMB Logoff AndX Request
> > 32.738878 src -> dst SMB Tree Disconnect Request
> >
> >
> > It appears as though there's a high degree of
> > randomness to the
> > destination IP addresses that are chosen by the worm
> > as can be seen
> > from this 1 second snapshot:
> >
> >
> >      121.33.1.48
> >    91.71.109.105
> >     76.123.46.27
> >    222.120.99.35
> >     124.72.254.8
> >    17.64.153.118
> >     27.23.33.121
> >    185.33.178.38
> >    151.49.213.31
> >    167.60.15.125
> >    132.86.243.68
> >    26.125.133.71
> >     1.104.130.21
> >     40.88.91.120
> >    48.101.140.21
> >      48.93.34.36
> >    193.60.220.48
> >     117.26.58.96
> >      27.2.15.114
> >      25.7.221.31
> >
> >
> > Note: the infected system's ip address is not within
> > any of these
> > network segments.
> >
> > I've noticed others reporting similar increase in
> > traffic, but so far
> > haven't seen a definitive acknowledgment of
> > precisely what it is that's
> > responsible.
> >
> > Any pointers gratefully accepted.
> ----------------------------------------------------------
------------------
> > This list is provided by the SecurityFocus ARIS
> > analyzer service.
> > For more information on this free incident handling,
> > management
> > and tracking system please see:
> > http://aris.securityfocus.com
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
> ----------------------------------------------------------
------------------
> This list is provided by the SecurityFocus ARIS analyzer
service.
> For more information on this free incident handling,
management
> and tracking system please see:
http://aris.securityfocus.com
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com