[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)

Steven D. Smith sds07 at health.state.ny.us
Fri Sep 26 18:08:31 GMT 2003


http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Sobig.F obtains the UTC time through the NTP protocol, by contacting one of several possible
servers on port 123/udp (the NTP port).

The worm starts the download attempt by sending a probe to port 8998/udp of the master server.
Then, the server replies with a URL, where the worm can download the file to execute.

Unlike W32.Sobig.E@mm, Sobig.F will not open the following ports to listen for incoming UDP
datagrams, as was previously reported.
      995/udp
      996/udp
      997/udp
      998/udp
      999/udp

Network administrators should do the following:
      Block outbound traffic on port 8998/udp.
      Monitor NTP requests (port 123/udp), as these could be coming from infected computers.
      (The frequency of such checks for an infected computer should be once per hour.)
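One way to act on those two recommendations against the Cisco ACL log format Jeff quotes below, as an added example that is not part of this post or of Symantec's write-up: it parses %SEC-6-IPACCESSLOGP lines, tags 8998/udp probes and NTP queries, and flags NTP queries whose source address lies outside the dorm allocation (172.18.0.0/16 is assumed from Jeff's description; the sample lines mix two entries from his post with constructed ones).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Cisco IOS ACL log record, e.g.
# "... %SEC-6-IPACCESSLOGP: list netcop denied udp 172.165.225.160(123) -> 207.46.130.100(123), 1 packet"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

DORM_NET = ip_network("172.18.0.0/16")  # assumption: the dorm block named in Jeff's post
SOBIG_MASTER_PORT = 8998                # master-server probe port from the Symantec excerpt
NTP_PORT = 123

def parse(line):
    """Return the ACL fields of one log line, or None if it is not an IPACCESSLOGP record."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """Tag one parsed record: Sobig.F probe, NTP query, spoofed-looking source."""
    tags = []
    src, dport = ip_address(rec["src"]), int(rec["dport"])
    if rec["proto"] == "udp" and dport == SOBIG_MASTER_PORT:
        tags.append("sobig-master-probe")
    if rec["proto"] == "udp" and dport == NTP_PORT:
        tags.append("ntp-query")
        # A 172.x source that is not inside the real dorm allocation is the
        # spoofed-source pattern Jeff reported (172.165.x.x is not even RFC1918 space).
        if src not in DORM_NET:
            tags.append("spoofed-source")
    return tags

def analyse(lines):
    """Return (findings, ntp_queries_per_source); findings are (src, dst, tags) tuples."""
    findings, ntp_per_src = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        tags = classify(rec)
        if "ntp-query" in tags:
            ntp_per_src[rec["src"]] += 1   # compare against the once-per-hour rate from Symantec
        if tags:
            findings.append((rec["src"], rec["dst"], tuple(tags)))
    return findings, ntp_per_src

SAMPLE = [  # first two lines are from Jeff's post; the rest are constructed
    "Sep 26 10:43:05.596 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.165.225.160(123) -> 207.46.130.100(123), 1 packet",
    "Sep 26 11:05:16.102 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.152.89.157(123) -> 132.163.4.102(123), 1 packet",
    "Sep 26 11:07:00.000 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.18.4.20(1035) -> 192.0.2.9(8998), 1 packet",
    "Sep 26 11:08:00.000 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.18.4.21(123) -> 207.46.130.100(123), 1 packet",
    "Sep 26 11:09:00.000 EDT: %SEC-6-IPACCESSLOGP: list netcop denied tcp 172.18.4.22(1040) -> 192.0.2.10(80), 1 packet",
]
```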
From:    Jeff Kell <jeff-kell at utc.edu>
Date:    09/26/2003 11:40 AM
To:      Jeff Kell <jeff-kell at utc.edu>
cc:      Incidents <incidents at securityfocus.com>, General DShield Discussion List <list at dshield.org>
Subject: Re: Possible variant of Blaster/Nachi/Welchia? (more)

Jeff Kell wrote:
> I have seen some STRANGE traffic on our dorms this morning.  The dorms
> are all on a private network 172.18.0.0.  I have hosts (10 so far) that
> are doing this:
>
>    spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
> same spoof 172.x.x.x ICMP --> another random 172.x.x.x
> same spoof 172.x.x.x ICMP --> another random 172.x.x.x

I just noticed the initial udp:123 destination is a valid NTP source,
usually time.windows.com:

> Sep 26 10:43:05.596 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.165.225.160(123) -> 207.46.130.100(123), 1 packet
> Sep 26 10:58:50.491 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.141.193.21(123) -> 207.46.130.100(123), 1 packet
> Sep 26 11:05:16.102 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.152.89.157(123) -> 132.163.4.102(123), 1 packet
> Sep 26 11:05:56.831 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.129.185.162(123) -> 207.46.130.100(123), 1 packet
> Sep 26 11:16:58.948 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.128.177.27(123) -> 207.46.130.100(123), 1 packet
> Sep 26 11:25:08.162 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.140.133.74(123) -> 207.46.130.100(123), 1 packet

The ICMP targets still appear to be random 172.x.x.x.

Jeff
