[Dshield] New variant of Blaster?

José Faial, CISSP jcfaial at terra.com.br
Fri Jun 18 13:43:57 GMT 2004


SG,

  The "E" variant of Blaster will attempt a SYN Flood against kimble.org, however this address resolves to 127.0.0.1 so, the infected hots will attempt to DoS itself. The infected host will always spoof the source address used in the DoS. About 50% of times, the spoofed address belongs to the same Class B of infected host but some times it may be purely random addresses. The spoofed source address will be turned into the destination address after the host gets the SYN to 127.0.0.1. See:

 Spoofed SRC IP:(Range) -> SYN -> 127.0.0.1:80 (you´ll not be able to detect those packets in the network). Range is between 1000-2000
 
suposing there is no http server listening you see...

127.0.0.1:80 -> RST/ACK -> Spoofed SRC IP:Port (this is problably what you are seeing)

To detect the infected host, try the following:

  - First and easily, if your DNS server provides logs of client's queries, search for hosts trying to resolve kimble.org, those are your infected hosts. 
  - Place anti-spoofing filters at your gateways to isolate traffic to a single VLAN. Watch your routers access-list hit count to detect if you are getting any match.
  - Look for TCP port 135 scans  (the infected hosts will also try to infect other hosts while doing the DoS)
 - Sniff the traffic at VLANs of hosts scanning port 135 if you have detected any. You'll problably see loopback traffic at this segment and get the source MAC of 127.0.0.1

hope that helps,

jf


> -----Original Message-----
> From: Security Guy [mailto:securityguy at dslextreme.com] 
> Sent: Wednesday, June 16, 2004 6:00 PM
> To: list at dshield.org
> Subject: [Dshield] New variant of Blaster?
> 
> We're getting a lot of what looks like Blaster (spoofs 127.0.0.1, attack
> port is always 80, random high number victim port) but it's not setting
> off
> the Blaster signatures already loaded into the IDS. The problem is that
> our
> lame IDS doesn't give us a MAC address - just the loopback adaptor
> address.
> 
> Any suggestions?
> 
> - SG
> 
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list


More information about the list mailing list