Re: Tracking down random ICMP

[Frank Knobbe <frank () knobbe us>]

On Mon, 2007-01-22 at 09:19 -0400, Craig Chamberlain wrote:
> Seem to be seeing more random bursts of ICMP traffic - sometimes
> unidirectional - with remote destinations that are mostly inexplicable.
> Wondering if it's a covert control channel of some sort - if so I can
> see why they chose ICMP - often allowed through firewalls and it is
> seems to be hard to determine the originating process in Windows.

The Allaple worm has been making its rounds on the Internet as of late.
It scans seemingly random IP addresses first with a customized ICMP Echo
in order to find targets that it could spread to. The payload of the
customized ping looks almost normal, except for the leading capital B
before the "abcdef..." payload.

We got Snort sigs for that at www.bleedingthreads.net

Those Allaple Pings are currently on the top of the list of scan packets
on our radar, followed by VNC scans.

Also of notice is the recent uptick in POP3/FTP/IMAP brute force
attempts. Looks like some botnet got fat enough for the herder to switch
to engage the brute-o-matic.


Cheers,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part