[Dshield] New tool making the rounds: MyDoom scanner

Bjorn Stromberg bjorn at thechemistrylab.com
Mon Feb 9 19:01:03 GMT 2004


I got some packets captured, I've attached them to this message. You can
analyze them at your leisure.

I've since opened up 3128 on one of my IPs to see if it will send any more
info. Hopefully someone with a honeypot can analyze what these people are
doing.

IPs so far using this tool or similar:
68.160.37.93
80.136.64.107
63.138.14.219
81.185.249.222
81.50.168.153
12.25.135.3

I'm with John Hardin on the Organized Crime connection. As for the comments
about the program being written by an American, I don't see how that
precludes it from being sponsored by Russian organized crime. I can pay
anyone to write a program for me; the language it was written in has no
bearing on me.

Bjorn Stromberg
::this is not a sig::

----- Original Message ----- 
From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
To: <list at dshield.org>
Sent: Monday, February 09, 2004 9:38 AM
Subject: [Dshield] New tool making the rounds: MyDoom scanner


> Looks like there is a new tool making the rounds this weekend.
>
> I haven't got any packet captures but it looks like it's crawling IP
> addresses and probing ports 3128 and 1080.
>
> I've got four instances of it sending SYN packets twice and one instance
> of it sending in groups of three. I would guess these are spammers / crackers
> looking for new open proxies to do their nefarious deeds.
>
> I'll open up my packet logger and see if I can catch what they're saying.
>
> Relevant Logs Follow:
> 2004-02-09 12:29:04 81.50.168.153 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
> 2004-02-09 12:29:06 81.50.168.153 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
> 2004-02-09 12:29:12 81.50.168.153 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
> 2004-02-09 12:29:15 81.50.168.153 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
> 2004-02-09 12:29:28 81.50.168.153 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
> 2004-02-09 12:29:31 81.50.168.153 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
> 2004-02-09 12:29:35 81.50.168.153 aaa.bbb.ccc.195 Tcp 1785 1080 SYN
> 2004-02-09 12:29:38 81.50.168.153 aaa.bbb.ccc.195 Tcp 1785 1080 SYN
> 2004-02-09 12:29:50 81.50.168.153 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
> 2004-02-09 12:29:53 81.50.168.153 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
> 2004-02-09 12:29:59 81.50.168.153 aaa.bbb.ccc.196 Tcp 3723 1080 SYN
> 2004-02-09 12:30:01 81.50.168.153 aaa.bbb.ccc.196 Tcp 3723 1080 SYN
> 2004-02-09 12:30:16 81.50.168.153 aaa.bbb.ccc.197 Tcp 2130 3128 SYN
> 2004-02-09 12:30:18 81.50.168.153 aaa.bbb.ccc.197 Tcp 2130 3128 SYN
> 2004-02-09 12:30:24 81.50.168.153 aaa.bbb.ccc.197 Tcp 2837 1080 SYN
> 2004-02-09 12:30:27 81.50.168.153 aaa.bbb.ccc.197 Tcp 2837 1080 SYN
> 2004-02-09 12:30:40 81.50.168.153 aaa.bbb.ccc.198 Tcp 4323 3128 SYN
> 2004-02-09 12:30:42 81.50.168.153 aaa.bbb.ccc.198 Tcp 4323 3128 SYN
> 2004-02-09 12:30:46 81.50.168.153 aaa.bbb.ccc.198 Tcp 1112 1080 SYN
> 2004-02-09 12:30:50 81.50.168.153 aaa.bbb.ccc.198 Tcp 1112 1080 SYN
>
> Bjorn Stromberg
> ::this is not a sig::
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mydoomscan.txt
Url: http://www.dshield.org/pipermail/list/attachments/20040209/ed440a35/mydoomscan.txt
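As an added example (not part of the post or of the attached capture), the script below parses the log format quoted above and flags a source that walks successive hosts while probing only the proxy ports 3128 and 1080; the 10.0.0.7 line is a constructed benign connection, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Ports the post reports being probed: 3128 (HTTP proxy) and 1080 (SOCKS).
PROXY_PORTS = {3128, 1080}

# Log format as posted: date time src dst proto sport dport flags
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) (?P<flags>\S+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines, min_targets=3):
    """Group TCP SYNs by source and flag sources sweeping proxy ports."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(),
                                   "attempts": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp" or rec["flags"] != "SYN":
            continue
        s = per_src[rec["src"]]
        s["targets"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        # Same source port to the same dst:dport again = a retransmitted SYN,
        # i.e. the probe got no answer (the "sending twice" pattern in the post).
        s["attempts"][(rec["sport"], rec["dst"], rec["dport"])] += 1
    report = {}
    for src, s in per_src.items():
        retried = sum(1 for n in s["attempts"].values() if n > 1)
        report[src] = {
            "targets": len(s["targets"]),
            "ports": sorted(s["ports"]),
            "retried_probes": retried,
            # Assumed rule: several hosts touched and nothing but proxy ports.
            "proxy_sweep": len(s["targets"]) >= min_targets and s["ports"] <= PROXY_PORTS,
        }
    return report

# Constructed sample: lines taken from the post plus one benign connection.
SAMPLE = """2004-02-09 12:29:04 81.50.168.153 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
2004-02-09 12:29:06 81.50.168.153 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
2004-02-09 12:29:12 81.50.168.153 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
2004-02-09 12:29:15 81.50.168.153 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
2004-02-09 12:29:28 81.50.168.153 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
2004-02-09 12:29:31 81.50.168.153 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
2004-02-09 12:29:50 81.50.168.153 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
2004-02-09 12:31:00 10.0.0.7 aaa.bbb.ccc.194 Tcp 40000 80 SYN"""
```

Running `summarize(SAMPLE.splitlines())` reports 81.50.168.153 as a proxy sweep across three targets with three retried probes, and 10.0.0.7 as not a sweep.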