RE: Strange ICMP traffic. Perhaps a worm?

["adam.w.hogan" <adam.w.hogan () delphi com>]

A lot of those alerts indicates the Nachi/Welchia worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

-----Original Message-----
From: Harry M [mailto:harrym () the-group org]
Sent: Thursday, December 11, 2003 6:01 PM
To: snort-users
Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?


I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

What makes me think this is a worm is that all the traffic is coming from
other customers of my ISP (NTL), and the source ip addresses increment very
neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set
of machines infected by a worm that increments the subnet (2nd octect) it
targets. Although this doesn't really tally with the apparent lack of any
bytecode in the payload, I figured it could be an exploratory probe or
somesuch. The rule it's triggering is ICMP PING CyberKit 2.2 Windows
(http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly
unlikely that this is the actual cause, because of the number of different
source addresses (>100).

Does anyone have any other ideas? Whatever it is, it's very strange. The
thought does occur that my ISP could be doing something sneaky, to which I'd
almost certainly object :)

I started getting traffic at  2003-12-11 20:18:33 GMT and have been getting
it ever since.

Arta



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

****************************************************************************************

Note: The information contained in this message may be privileged and confidential and thus protected from disclosure. 
If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify us immediately by 
replying to the message and deleting it from your computer. Thank you.

****************************************************************************************


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users