[Dshield] New tool making the rounds: MyDoom scanner

Bjorn Stromberg bjorn at thechemistrylab.com
Mon Feb 9 20:30:31 GMT 2004


I'm not convinced that all this traffic is from the parasitic worm Deadhat.A.
Either their diagnosis isn't accurate or this is something different.

Sources, targets and records for port 3127 are climbing through the roof.
Sources for 1080 and 3128 are remaining small while targets and records
climb. The data doesn't coincide at all.

identical:
http://isc.sans.org/port_details.html?port=1080
http://isc.sans.org/port_details.html?port=3128

compare to:
http://isc.sans.org/port_details.html?port=3127

Also, it doesn't make much sense for a worm to scan for port 1080 in order
to propagate as that's merely a proxy port and not a vector of infection. It
does make sense to scan for all ports from 3127-3198.

If all this traffic is indeed coming from deadhat then I must be missing
something, no hits on port 3127 here. I'll try probing port 2766 on the
machines that were scanning my block but I don't expect to find anything.

Two things I can think of, my ISP could be blocking port 3127 or people are
trying to use MyDoom's Port Forwarding capabilities.

Bjorn Stromberg
::this is not a sig::

----- Original Message ----- 
From: "Ken Eichman" <keichman at cas.org>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Monday, February 09, 2004 11:45 AM
Subject: Re: [Dshield] New tool making the rounds: MyDoom scanner


> > From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
> > Looks like there is a new tool making the rounds this weekend.
> >
> > I haven't got any packet captures but it looks like it's crawling IP
> > Addresses and probing ports 3128 and 1080.
> > I've got four instances of it sending SYN packets twice and one instance
> > of it sending in groups of three. I would guess these are spammers /
> > crackers looking for new open proxies to do their nefarious deeds.
> > I'll open up my packet logger and see if I can catch what they're
> > saying.
>
> Bjorn,
> I've been told by the SANS incident handler that this is the DeadHat.A
> worm.
> The packet captures are around 150k although according to Trend's website
> the worm itself is only 55k. I have a bunch of packet captures here if
> anyone's interested. Ken
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
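Added example, not part of the thread and not a DShield tool: a small Python triage script that reproduces the per-port "sources / targets / records" counters Bjorn compares above and then profiles each source for the two patterns discussed in the thread, a proxy-port sweep (1080/3128 across many hosts) and a walk across the 3127-3198 range on one host, plus the repeated-SYN count Bjorn noticed. The log format (timestamp, source, source port, destination, destination port, protocol, TCP flags) is an assumed simplification, not DShield's submission format, and the log lines are constructed sample data using documentation address ranges.

```python
"""Per-port counters and source profiling for SYN-scan records.

Added example with constructed sample data; the line format below is an
assumed simplification, not DShield's real submission format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

PROXY_PORTS = {1080, 3128}           # SOCKS and Squid, the proxy ports in the thread
BACKDOOR_RANGE = range(3127, 3199)   # 3127-3198 inclusive, the range named in the thread

# CONSTRUCTED sample log: ts src sport dst dport proto flags
SAMPLE_LOG = """
2004-02-09T12:00:01 203.0.113.5 2048 192.0.2.10 1080 TCP S
2004-02-09T12:00:01 203.0.113.5 2048 192.0.2.10 1080 TCP S
2004-02-09T12:00:02 203.0.113.5 2049 192.0.2.10 3128 TCP S
2004-02-09T12:00:02 203.0.113.5 2049 192.0.2.10 3128 TCP S
2004-02-09T12:00:03 203.0.113.5 2050 192.0.2.11 1080 TCP S
2004-02-09T12:00:03 203.0.113.5 2050 192.0.2.11 1080 TCP S
2004-02-09T12:00:04 203.0.113.5 2051 192.0.2.11 3128 TCP S
2004-02-09T12:00:04 203.0.113.5 2051 192.0.2.11 3128 TCP S
2004-02-09T12:01:00 198.51.100.7 4000 192.0.2.10 3127 TCP S
2004-02-09T12:01:01 198.51.100.7 4001 192.0.2.11 3127 TCP S
2004-02-09T12:01:02 198.51.100.7 4002 192.0.2.12 3127 TCP S
2004-02-09T12:02:00 203.0.113.9 5000 192.0.2.20 3127 TCP S
2004-02-09T12:02:00 203.0.113.9 5001 192.0.2.20 3128 TCP S
2004-02-09T12:02:00 203.0.113.9 5002 192.0.2.20 3129 TCP S
2004-02-09T12:02:00 203.0.113.9 5003 192.0.2.20 3130 TCP S
2004-02-09T12:05:00 192.0.2.50 33000 192.0.2.10 80 TCP S
"""


@dataclass(frozen=True)
class Record:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str


def parse_log(text):
    """Parse whitespace-separated records; blank and '#' lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, flags = line.split()
        out.append(Record(ts, src, int(sport), dst, int(dport), proto, flags))
    return out


def port_stats(records):
    """Per destination port: distinct sources, distinct targets, record count
    (the three counters compared in the thread)."""
    srcs, dsts, cnt = defaultdict(set), defaultdict(set), Counter()
    for r in records:
        srcs[r.dport].add(r.src)
        dsts[r.dport].add(r.dst)
        cnt[r.dport] += 1
    return {p: {"sources": len(srcs[p]), "targets": len(dsts[p]), "records": cnt[p]}
            for p in cnt}


def source_profiles(records):
    """Per source of TCP SYNs: sweep / range-walk verdicts and max SYN repeats."""
    per_src = defaultdict(list)
    for r in records:
        if r.proto == "TCP" and r.flags == "S":
            per_src[r.src].append(r)
    profiles = {}
    for src, recs in per_src.items():
        targets_by_port = defaultdict(set)   # dport -> hosts it was tried on
        ports_by_target = defaultdict(set)   # host  -> dports tried on it
        repeats = Counter()                  # (host, dport) -> SYN count
        for r in recs:
            targets_by_port[r.dport].add(r.dst)
            ports_by_target[r.dst].add(r.dport)
            repeats[(r.dst, r.dport)] += 1
        profiles[src] = {
            # same port tried against 2+ hosts: crawling addresses for one service
            "sweep_ports": sorted(p for p, t in targets_by_port.items() if len(t) >= 2),
            "proxy_sweep": any(p in PROXY_PORTS and len(t) >= 2
                               for p, t in targets_by_port.items()),
            # 2+ ports of 3127-3198 on a single host: walking the backdoor range
            "range_walk": any(sum(p in BACKDOOR_RANGE for p in ps) >= 2
                              for ps in ports_by_target.values()),
            "max_syn_repeats": max(repeats.values()),
        }
    return profiles


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for port, s in sorted(port_stats(recs).items()):
        print(f"port {port:5d}  sources={s['sources']}  targets={s['targets']}  records={s['records']}")
    for src, prof in source_profiles(recs).items():
        print(src, prof)
```

On the sample data, port 3127 shows two sources over four targets while 1080 shows one source over two targets, which is the shape Bjorn describes (few sources, many targets and records) and is the fingerprint of a small number of hosts crawling an address space rather than many infected machines. `max_syn_repeats` on its own is a weak signal, since an ordinary client retransmits an unanswered SYN as well; it only becomes interesting alongside a sweep or range-walk verdict.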
