Snort mailing list archives

RE: link between MP3 sites and Cyberkit pings ?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 22 Aug 2003 13:58:18 -0500

Word of caution, not all CyberKit ping alerts out there are Welchia infections.  Or, at least, not Welchia v1.

I'm seeing a variety of traffic patterns across the various networks I watch:

1) Classic Welchia scanning (i.e. for A.B.C.D, pick A.B, scan sequentially C.D from 0.0 through 255.255) in large 
volume (i.e. 20,000 destinations in 5 minutes).  Simultaneous infections select random starting A.B ranges.
2) Hosts pinging pairs of addresses (either 204.71.200.33/204.71.200.34 or 64.58.77.85/66.218.71.63), alternating back 
and forth between the two, one ping every 3-5 seconds.
3) Welchia-type scanning, but modified so that the scanning is randomized.  If the destination hosts for a single 
source are sorted, though, it reveals that it selected, for example, 10.1.18.45, 10.2.97.34, 10.3.55.78, etc.  These 
are also in the large volume, 20,000-25,0000 destinations in 5 minutes, no duplicates.
4) Welchia-type scanning, but instead of one ping per destination, two pings per destination, large volume.
5) Two separate hosts, scanning with Classic Welchia method, but scanning subnets close to each other (i.e. 10.66.x.y 
and 10.68.x.y).

Since I don't do research, I don't really know what this means, but if what I've read about Welchia is accurate, then 
only one of the above types of traffic above is coming from Welchia-infected machines.  What's the rest from?

Jon

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, August 22, 2003 12:13 PM
To: Jean Michel BARBET
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] link between MP3 sites and Cyberkit pings ?


On Thu, 21 Aug 2003, Jean Michel BARBET wrote:

My sensor is also alerting on CyberKit Pings since August, 15th.
There are two cases :

a) one external IP pings several hosts on our LAN (kind of ICMP scan).

b) 2 specific hosts on our LAN are the target of more than 50% of the
    Cyberkit ping traffic.

I do not understand b). The only clue is that both host have been
used to connect to MP3 sites.

=> any similar experience ? explanation ?

Only about a billion of them...

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

It's been all over the list the last few days...  :)  List archives are
wonderful things [0].

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=cyberkit&q=b


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



