[Dshield] FW: [TSRadar] Blip: ICMP and Port TCP/135

Wayne Beckham wbeckham at yahoo.com
Mon Aug 18 14:44:30 GMT 2003

Trusecure has an alert out concerning the recent surge in ICMP probes.

- Wayne

-----Original Message-----
From: "Kennedy, David" <dkennedy at trusecure.com> 
Sent: Monday, August 18, 2003 7:37 AM
To: TSRadar at postal.trusecure.com
Subject: [TSRadar] Blip: ICMP and Port TCP/135


PROBLEM:     Apparent surge in ICMP probes, possibly in conjunction
             with port TCP/135 probes.
PLATFORM:    Port TCP/135 traffic targeting Windows hosts w/DCOM
DAMAGE:      Unknown
SOLUTION:    Log and, if possible, alert on surges in either probe.
ASSESSMENT:  Undetermined for ICMP, Port TCP/135 is Red Hot due to
             W32/Lovesan
_______________________________________________________________

TruSecure is monitoring from multiple sources, including customers, a surge
in ICMP and TCP/135 traffic.  The "most benign" explanation is "destination
unreachable" messages from hosts trying to DoS "windowsupdate.com" due to
Lovesan infections, and Lovesan infected hosts scanning on TCP/135 as they
are powered-up on Monday morning.  

The "most malignant" explanation is there is a new RPC/DCOM worm out there
that scans with ICMP and attempts TCP/135 exploits after. 
Continued in the "worst case scenario" is the addition of NT4 w/DCOM hosts to
the infectable/infected population.

We do not have packet capture of either type of probe but if you see this
traffic increasing and can capture packets, please send us some samples.  We
do not know the TYPE/CODE combination(s) used for the ICMP traffic.  One
open source indicates 218/8 may be the source of much of the early ICMP

One document available on the Internet explaining some of the good vs bad
issues with ICMP is at: 

Version: PGP 7.0
Comment: Hacker=Cybercriminal The definition changed get over it.


David Kennedy CISSP Director of Research Services TruSecure Corp.
http://www.trusecure.com
_______________________________________________
TSRadar mailing list
TSRadar at postal.trusecure.com

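The alert's recommendation is to log and alert on surges in ICMP and TCP/135 probes, and it raises two open questions a defender can answer from their own logs: which ICMP TYPE/CODE combinations make up the surge, and whether the same sources send ICMP first and a TCP/135 connection attempt shortly after (the "most malignant" hypothesis). The script below is an added example and is not code from the TruSecure alert, the DShield list, or either company. The log line format it parses is constructed for the illustration; a real firewall export would need its own parser. It counts events per minute and per kind, compares them with a quiet-period baseline, tallies ICMP type/code pairs, and lists sources whose ICMP was followed by a TCP/135 SYN within a short window.

```python
"""Surge and sequence detection over constructed firewall-style log lines.

Added example, not part of the TruSecure alert or the DShield post.
The log format below is invented for this illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: one quiet baseline minute followed by a noisy one.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2003-08-18 07:30:01 ICMP 198.51.100.7 -> 192.0.2.10 type=8 code=0
2003-08-18 07:30:20 TCP 198.51.100.8 -> 192.0.2.10 dport=80 flags=S
2003-08-18 07:31:02 ICMP 203.0.113.5 -> 192.0.2.10 type=8 code=0
2003-08-18 07:31:04 TCP 203.0.113.5 -> 192.0.2.10 dport=135 flags=S
2003-08-18 07:31:05 ICMP 203.0.113.6 -> 192.0.2.11 type=8 code=0
2003-08-18 07:31:07 TCP 203.0.113.6 -> 192.0.2.11 dport=135 flags=S
2003-08-18 07:31:09 ICMP 203.0.113.7 -> 192.0.2.12 type=3 code=1
2003-08-18 07:31:11 ICMP 203.0.113.8 -> 192.0.2.13 type=8 code=0
2003-08-18 07:31:40 TCP 203.0.113.9 -> 192.0.2.10 dport=135 flags=S
2003-08-18 07:31:41 TCP 203.0.113.10 -> 192.0.2.10 dport=135 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>ICMP|TCP) "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
    }
    # Trailing key=value fields: type/code for ICMP, dport/flags for TCP.
    ev.update(dict(kv.split("=", 1) for kv in m["rest"].split()))
    return ev


def classify(ev):
    """Return 'icmp', 'tcp135', or None for events the alert does not cover."""
    if ev["proto"] == "ICMP":
        return "icmp"
    if ev["proto"] == "TCP" and ev.get("dport") == "135" and "S" in ev.get("flags", ""):
        return "tcp135"
    return None


def per_minute_counts(events):
    """Count covered events keyed by (minute, kind)."""
    counts = Counter()
    for ev in events:
        kind = classify(ev)
        if kind:
            counts[(ev["ts"].strftime("%Y-%m-%d %H:%M"), kind)] += 1
    return counts


def find_surges(counts, baseline, factor=3):
    """Flag (minute, kind) pairs exceeding factor x the quiet-period baseline.

    A baseline of 0 for a kind means any observation of it is flagged.
    """
    return sorted(key for key, n in counts.items() if n > factor * baseline.get(key[1], 0))


def icmp_type_code_histogram(events):
    """Tally ICMP (type, code) pairs, the breakdown the alert says it lacks."""
    return Counter((ev["type"], ev["code"]) for ev in events if ev["proto"] == "ICMP")


def icmp_then_tcp135(events, window_seconds=30):
    """Sources that send ICMP and then a TCP/135 SYN within the window."""
    last_icmp, hits = {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind == "icmp":
            last_icmp[ev["src"]] = ev["ts"]
        elif kind == "tcp135" and ev["src"] in last_icmp:
            if (ev["ts"] - last_icmp[ev["src"]]).total_seconds() <= window_seconds:
                hits.add(ev["src"])
    return sorted(hits)


def analyse(log_text, baseline=None):
    """Run all three checks over a log text; baseline is a per-kind count per minute."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    baseline = baseline or {"icmp": 1, "tcp135": 0}  # assumed quiet-period values
    counts = per_minute_counts(events)
    return {
        "surges": find_surges(counts, baseline),
        "icmp_types": icmp_type_code_histogram(events),
        "icmp_then_135": icmp_then_tcp135(events),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_LOG).items():
        print(name, value)
```

On the constructed sample the 07:31 minute is flagged for both kinds, the ICMP tally is dominated by echo requests (type 8) with one destination-unreachable (type 3, code 1), and two sources show the ICMP-then-TCP/135 sequence. The baseline values and the 30-second window are assumptions; set them from your own quiet-period data before alerting on them.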