[Dshield] Possible variant of Blaster/Nachi/Welchia?

Al Reust areust at comcast.net
Fri Sep 26 23:37:15 GMT 2003


Hi Jeff

You did not give other information that could help in stemming the tide and 
isolating the specific machine. You stated that you had the MAC address. So 
depending on your environment those could help in an un-mapped network. You 
did not say whether all the Dorm Machines are forced to join the Domain. 
That gives the Domain Administrator tools that he can use remotely (such as 
regedit to look at what would be in the Run portion of the Registry), 
remote virus scans, the list goes on.

If they are in a switched (managed) environment, shut those ports off. If 
your switching includes VLans, create a new "Non Routed" VLan called "Jail" 
and then move those ports into that "non routed" VLan; the users will soon 
holler "the network is down" to the Help Desk and identify their location. 
Then you have the machines.

You could also somewhat force the issue (as a Domain Administrator) if the 
machines are joined to a domain (normally time is updated during the login 
process); however, a machine can/will fall out. You have two tools, Net Time 
and W32tm. With "w32tm" I can create a list of servers to be queried (which 
is what you are seeing, and the list is self-regenerating). I believe, while 
I have not tried it, I can use a %mylist% replacement that is being 
controlled by something that regenerates the IP list of "target" machines, 
and the query period is set to a very low value (see link to w32tm below).

With the "Net Time" command I can tell a specific machine to set a 
specific SNTP source, which overwrites the current registry entry. If that 
is pointed at a known machine you should either see a change in behavior of 
the affected machines or the continued random broadcast. Depending on the 
nature of your network use either the UNC name or the IP Address.

net time \\clientmachine /setsntp:\\timemachine
  - with this you aim it at the victim for monitoring.
net time \\clientmachine /querysntp
  - should show you the PDC/Time server

Then adjust and just hit the one machine you know that they have something 
bad but they are only beating up on the single machine. If they ignore the 
one machine and continue, you know they have something really bad.

w32tm can get a bit more complicated; the Microsoft link is
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/time_w32tm.asp

As you look at that, you can see where I can set a list of "Servers".

This is a quick list of things that you may not have thought of.

Al

My afterthought would be to set up DHCP so that each dorm had its own 
DHCP server and SCOPE. Then you could isolate zones. Managed switching to 
at least the Dorm/Building level; then you can shut down an offending zone.

At 01:24 PM 9/26/2003 -0400, you wrote:
>Deb Hale wrote:
>
>>http://www.xsecurity.ws/books/Building-Internet-Firewalls/ch08_13.html
>>
>>According to this write up - port 123 is used for network time protocol.  It
>>shows a 123 to 123 as a Query or response between two servers.  My question
>>is, is your network syncing with the spoofed IP and if it is, why?
>
>The infected machines are trying to sync with a spoofed address, then they 
>start pinging randomly and slowly to random addresses within the same 
>first octet.  Here's a complete sample:
>
>>Sep 26 12:46:00.779 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 
>>172.155.144.218(123) -> 207.46.130.100(123), 1 packet
>>Sep 26 12:46:39.160 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.132.114.112 (0/0), 1 packet
>>Sep 26 12:47:34.285 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.162.138.194 (0/0), 1 packet
>>Sep 26 12:47:44.345 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.156.165.167 (0/0), 1 packet
>>Sep 26 12:48:30.378 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.157.126.115 (0/0), 1 packet
>>Sep 26 12:48:37.930 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.157.98.253 (0/0), 1 packet
>>Sep 26 12:49:54.944 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.153.205.223 (0/0), 1 packet
>>Sep 26 12:51:40.262 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.203.128.195 (0/0), 1 packet
>>Sep 26 12:52:52.283 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.157.135.71 (0/0), 1 packet
>>Sep 26 12:53:43.748 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.158.89.195 (0/0), 1 packet
>>Sep 26 12:54:13.885 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.156.18.248 (0/0), 1 packet
>>Sep 26 12:55:12.830 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.158.109.44 (0/0), 1 packet
>>Sep 26 12:58:02.602 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.154.168.139 (0/0), 1 packet
>>Sep 26 12:58:12.202 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.157.29.197 (0/0), 1 packet
>>Sep 26 12:59:34.763 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.156.229.95 (0/0), 1 packet
>>Sep 26 13:01:39.062 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 
>>172.155.144.218 -> 172.153.42.62 (0/0), 1 packet
>
>MAC addresses removed for brevity, but they are the same incoming MAC and 
>interface, and the actual machine IP address was 172.18.113.112.
>
>All I've been able to do thus far is shut down ports.  I haven't gotten my 
>hands on an infected one yet for forensics, but we're up to a couple dozen 
>infected ones.  There are likely more on campus, but our routers are 
>configured for 'ip unicast reverse-path verify' and spoofed packets would 
>be dropped silently.  These came from a 3550 (which due to a bug does not 
>do uRPF) where we had to ACL the ingress to catch spoofs.
>
>Jeff
>
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
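A detection pass over the router deny-log format Jeff posted, as an added example that is not part of this thread: it parses the %SEC-6-IPACCESSLOG* lines and flags any source that sends udp/123 to some address and then pings several distinct hosts inside its own first octet, the pattern described above. The sample lines mix entries from the thread (re-joined onto single lines) with constructed benign ones; the three-target threshold is an assumption.

```python
import re
from collections import defaultdict

# Cisco ACL deny-log entry as it appears in the thread, one entry per line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+ \w+): %SEC-6-(?P<kind>IPACCESSLOGP|IPACCESSLOGDP): "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<pkts>\d+) packets?$"
)

def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None}

def find_suspects(lines, min_icmp_targets=3):
    """Map src -> {ntp_targets, icmp_targets} for sources that sent NTP (udp 123->123)
    and afterwards pinged at least min_icmp_targets distinct hosts in their own /8."""
    per_src = defaultdict(lambda: {"ntp": set(), "icmp": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "udp" and ev["sport"] == 123 and ev["dport"] == 123:
            per_src[ev["src"]]["ntp"].add(ev["dst"])
        elif (ev["proto"] == "icmp" and per_src[ev["src"]]["ntp"]
              and ev["dst"].split(".")[0] == ev["src"].split(".")[0]):
            per_src[ev["src"]]["icmp"].add(ev["dst"])   # ping after the NTP attempt
    return {src: {"ntp_targets": sorted(e["ntp"]), "icmp_targets": sorted(e["icmp"])}
            for src, e in per_src.items() if len(e["icmp"]) >= min_icmp_targets}

# Four lines from the thread plus two constructed benign entries (10.9.8.7 is made up).
SAMPLE_LINES = [
    "Sep 26 12:46:00.779 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.155.144.218(123) -> 207.46.130.100(123), 1 packet",
    "Sep 26 12:46:39.160 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.132.114.112 (0/0), 1 packet",
    "Sep 26 12:47:34.285 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.162.138.194 (0/0), 1 packet",
    "Sep 26 12:47:44.345 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.165.167 (0/0), 1 packet",
    "Sep 26 12:48:00.000 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 10.9.8.7 -> 10.1.2.3 (0/0), 1 packet",
    "Sep 26 12:48:10.000 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 10.9.8.7(1025) -> 10.1.2.53(53), 1 packet",
]

if __name__ == "__main__":
    for src, info in find_suspects(SAMPLE_LINES).items():
        print(src, "NTP ->", info["ntp_targets"], "ICMP ->", info["icmp_targets"])
```

Feeding the router's syslog through find_suspects gives the per-source list of spoofed NTP targets and ping victims, which is enough to pick out the ingress port and MAC from the full (unredacted) entries.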