Snort mailing list archives

RE: Strange ICMP traffic. Perhaps a worm?


From: Jack McCarthy <snort () jackmccarthy com>
Date: Mon, 15 Dec 2003 08:49:09 -0800 (PST)

Here are some resources for you if it is in fact Welchia/Nachi/etc...

Virus Info
Symantec's name for the virus: W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

McAfee's name for the virus: W32/Nachi.worm
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559

Symantec's Virus Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Microsoft's Patch
MS03-039 - Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
This patch (MS03-039) supersedes MS03-026.

Microsoft's KB 824146 Scanning Tool - How to Use the KB 824146 Scanning Tool to
Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146
(MS03-039) Security Patches Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

How to Install Multiple Windows Updates or Hotfixes with Only One Reboot -
296861
http://support.microsoft.com/default.aspx?scid=KB;EN-US;296861&sd=tech


Good luck,
-Jack

--- CGhercoias () TWEC COM wrote:
This could be Welchia Virus or MSBLASTER.
I would filter 69/UDP, 135/TCP, 137/UDP, 138/UDP and 445/TCP and UDP at
border firewalls/routers and disable these rules there but enable them
on the inside snort sensor to catch any malicious activity on the spot.

Here is the rule from snort to trigger on WELCHIA worm.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (sid:1000029; rev:3; msg:"WELCHIA Virus scanning"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; depth:32; itype:8; reference:arachnids,154; classtype:misc-activity;)

and the signatures for MSBLASTER:

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (sid:1000024; rev:4; msg:"W32/MSBLAST Worm over TFTP"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (sid:1000025; rev:5; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (sid:1000027; rev:1; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (sid:1000028; rev:1; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)

Thank you, 
___________________________
Catalin Ghercoias 
WEB/Network Security Administrator 

Office Phone: +(518) 452-1242 Ext.7435 
Fax: (518) 452-4768 
website: http://www.fye.com 

The content of this communication is classified as Transworld
Entertainment Confidential and Proprietary Information.The content of
this communication is intended solely for the use of the individual or
entity to whom it is addressed and others authorized to receive it. If
you are not the intended recipient you are hereby notified that any
disclosure, copying, distribution or taking any action in reliance on
the contents of this information is strictly prohibited and may be
unlawful. If you have received this communication in error, please
notify us immediately by responding to this communication then delete it
from your system.


-----Original Message-----
From: Harry M [mailto:harrym () the-group org] 
Sent: Thursday, December 11, 2003 6:01 PM
To: snort-users
Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?


I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

What makes me think this is a worm is that all the traffic is coming from
other customers of my ISP (NTL), and the source ip addresses increment very
neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set
of machines infected by a worm that increments the subnet (2nd octet) it
targets. Although this doesn't really tally with the apparent lack of any
bytecode in the payload, I figured it could be an exploratory probe or
somesuch. The rule it's triggering is ICMP PING CyberKit 2.2 Windows
(http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly
unlikely that this is the actual cause, because of the number of different
source addresses (>100).

Does anyone have any other ideas? Whatever it is, it's very strange. The
thought does occur that my ISP could be doing something sneaky, to which I'd
almost certainly object :)

I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting
it ever since.

Arta



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
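An added example, not from the thread or from Snort itself: a small Python model of Snort's content/offset/depth matching, run against constructed payloads that mirror the two patterns quoted above (the 0xAA echo-request payload from the original hexdump, and the TFTP read request for msblast.exe). It also shows why a depth smaller than the content length (depth:2 against the 13-byte msblast.exe pattern) can never match, so such a rule would stay silent during an outbreak.

```python
from typing import Optional

def parse_hex_content(spec: str) -> bytes:
    """Convert a Snort content string such as '|00 01 6D 73|' or
    '|aaaaaaaa|' into bytes. Only pure hex between pipes is handled,
    which is all the quoted rules use."""
    inner = spec.strip().strip("|").replace(" ", "")
    return bytes.fromhex(inner)

def content_matches(payload: bytes, content: bytes, offset: int = 0,
                    depth: Optional[int] = None) -> bool:
    """Snort semantics: the search starts `offset` bytes into the payload
    and `depth` bounds how many bytes from there are inspected, so the
    whole pattern must fit inside payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window

# Patterns taken from the rules quoted in the thread
WELCHIA_PING = parse_hex_content("|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|")   # 16 x 0xAA
MSBLAST_TFTP = parse_hex_content("|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|")  # RRQ "msblast.exe"

# Constructed sample payloads (not captured traffic)
WELCHIA_PAYLOAD = b"\xaa" * 64                      # what the original hexdump shows
NORMAL_PING = bytes(range(0x08, 0x38))              # typical OS ping filler pattern
TFTP_RRQ = b"\x00\x01msblast.exe\x00octet\x00"      # TFTP read request for the worm binary

def classify_icmp_echo(payload: bytes) -> str:
    """Mirror the Welchia rule: 16 bytes of 0xAA within the first 32 bytes."""
    if content_matches(payload, WELCHIA_PING, offset=0, depth=32):
        return "WELCHIA Virus scanning"
    return "benign"

def classify_tftp(payload: bytes, depth: int) -> bool:
    """Mirror the MSBLAST TFTP rule with a caller-supplied depth, so the
    effect of depth:2 versus depth:13 can be compared directly."""
    return content_matches(payload, MSBLAST_TFTP, offset=0, depth=depth)

if __name__ == "__main__":
    print(classify_icmp_echo(WELCHIA_PAYLOAD), classify_icmp_echo(NORMAL_PING))
    print("depth 2:", classify_tftp(TFTP_RRQ, 2), "depth 13:", classify_tftp(TFTP_RRQ, 13))
```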
