[Dshield] Suggestion to take the ISC Storm Alert to "Orange"

Kevin kkadow at gmail.com
Wed Aug 17 01:13:05 GMT 2005


On 8/15/05, womber <womber at gmail.com> wrote:
> How is this determining what IP ranges to scan?
> Just from what I have seen hitting my personal firewall on verizon
> dsl, is that most machines are verizon IP's, very few outside their
> range yet.
> I am wondering if the spread to different ranges is pretty slow due to
> the algorithm it is using?

I have similar questions, and would like to see an analysis of the most
common variants, or just the random number generators in each.

Also puzzling is that in the large private WAN network I support,
while there are quite a few IDS hits for Zobot C&C on TCP/8080
(confirmed as IRC protocol towards the IRC servers hardcoded in the worm),
none of these hosts are showing any TCP/445 scanning traffic towards
Internet destinations.  Perhaps these workstations are picking up an
earlier Zobot through another vector?


> My two cents is that this will not spread as quickly as blaster did,
> but will still do a lot of damage in the long run.
> Gene

For MSBLAST, I put together (like so many other researchers) a trivial
"worm honeypot" with listeners on TCP/445, TCP/4444 and just enough
smarts to TFTP a copy of the worm from each attacking host (once per
each source), tracking the number of attackers and which variant they
have (based on both filename and MD5).

Something similar could be thrown together to collect MS05-039 worms,
with some extra effort required because of the range of FTP ports for
the different variants.


Kevin Kadow
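The collector sketched above (listeners on the exploit ports, one TFTP pull per attacking host, variants tracked by filename and MD5) as an added example; this is not Kevin Kadow's honeypot code and not part of the original thread. Assumed, and not stated in the post: the shell port receives a command line of the form "tftp -i <host> GET <file>" from which the filename is taken, the sample is pulled with a plain RFC 1350 TFTP read, and every sample body and address used below is constructed. For the MS05-039 family with its per-variant FTP ports, the `fetch` callable is the piece that would be replaced with an FTP download; the dedup and fingerprinting stay the same.

```python
"""Worm-sample collector in the spirit of the post's MSBLAST honeypot (added example,
not the poster's code). Assumed: the 4444 listener sees "tftp -i <host> GET <file>",
the sample is fetched by RFC 1350 TFTP, and all sample bytes here are constructed."""
import hashlib
import re
import socket
import struct
import threading

TFTP_PORT = 69
TFTP_BLOCK = 512
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5   # RFC 1350 opcodes

# Assumed shape of the command the exploit pushes into its remote shell.
TFTP_GET = re.compile(rb"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)", re.IGNORECASE)


def extract_tftp_get(cmd: bytes):
    """Return (host, filename) from a shell command, or None if no tftp GET is present."""
    m = TFTP_GET.search(cmd)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """TFTP read request: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_data(pkt: bytes):
    """Return (block_number, payload) for a DATA packet; raise on ERROR or anything else."""
    if len(pkt) < 4:
        raise IOError("short tftp packet")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode == OP_ERROR:
        raise IOError("tftp error: " + pkt[4:].rstrip(b"\0").decode(errors="replace"))
    if opcode != OP_DATA:
        raise IOError("unexpected tftp opcode %d" % opcode)
    (block,) = struct.unpack("!H", pkt[2:4])
    return block, pkt[4:]


def tftp_fetch(host: str, filename: str, timeout: float = 5.0, max_bytes: int = 1 << 20) -> bytes:
    """Pull the worm body from the attacker's own TFTP server, acking each block.
    A short final block ends the transfer; the size cap guards against a hostile server."""
    data = bytearray()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (host, TFTP_PORT))
        expected = 1
        while True:
            pkt, peer = s.recvfrom(4 + TFTP_BLOCK)   # peer carries the server's transfer port
            block, chunk = parse_data(pkt)
            s.sendto(struct.pack("!HH", OP_ACK, block), peer)
            if block != expected:                    # duplicate block: re-acked above, keep waiting
                continue
            data += chunk
            expected = (expected + 1) & 0xFFFF
            if len(chunk) < TFTP_BLOCK or len(data) >= max_bytes:
                return bytes(data)


class Tracker:
    """Counts each attacking source once and groups sources by (filename, MD5) variant."""

    def __init__(self):
        self._lock = threading.Lock()
        self.sources = set()
        self.variants = {}   # (filename, md5hex) -> set of source IPs

    def first_contact(self, src: str) -> bool:
        with self._lock:
            new = src not in self.sources
            self.sources.add(src)
            return new

    def fingerprint(self, src: str, filename: str, sample: bytes) -> str:
        digest = hashlib.md5(sample).hexdigest()
        with self._lock:
            self.variants.setdefault((filename, digest), set()).add(src)
        return digest


def handle_shell_input(tracker: Tracker, src: str, cmd: bytes, fetch=tftp_fetch):
    """Per-connection logic: fetch the sample only on a source's first contact.
    Returns (filename, md5hex) when a sample was collected, else None."""
    if not tracker.first_contact(src):
        return None
    target = extract_tftp_get(cmd)
    if target is None:
        return None
    host, filename = target
    try:
        sample = fetch(host, filename)
    except OSError:   # timeout, unreachable, or TFTP error: the attacker's server is gone
        return None
    return filename, tracker.fingerprint(src, filename, sample)


def serve(tracker: Tracker, port: int = 4444, fetch=tftp_fetch):
    """Accept on the shell port; hand whatever the attacker sends to the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(("0.0.0.0", port))
        ls.listen(32)
        while True:
            conn, (src, _) = ls.accept()
            with conn:
                conn.settimeout(10)
                try:
                    cmd = conn.recv(4096)
                except OSError:
                    cmd = b""
            threading.Thread(target=handle_shell_input, args=(tracker, src, cmd, fetch), daemon=True).start()


if __name__ == "__main__":
    serve(Tracker())
```

A TCP/445 listener that merely accepts and closes is enough to register a source; the sample itself only becomes reachable once the exploit lands and the shell on 4444 names the file, which is why the fetch is keyed off that port. The once-per-source check is what keeps a single noisy attacker from being re-fetched on every scan, and the (filename, MD5) key is what separates variants that reuse a filename but differ in body.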


