[Dshield] MAJOR Jump in Scans to 135/TCP

Eric Kedrosky ekk at nortel.com
Tue Mar 22 17:35:26 GMT 2005

It sounds to me like you have an infection of a Bot of some kind.  My guess
is probably a variant of SpyBot/SDBot.

For a while most of the new variants that I saw were scanning 445/tcp and/or
1433/tcp (MS SQL server vulnerability).  However, recently I have been
seeing a lot of 135/tcp scanning associated with the latest variants.

If you can, figure out what the IP is of the BotNet controller (IRC Server)
and then block all traffic to that IP ... This is a good first step to stop
the infected systems from getting updates and also from getting scan
commands from the BotNet controller (aka: The dude in control of your
systems).  The last bit is probably why you are seeing the 10 minute
intervals ... IMHO ... 

Now, I am not too sure what the feeling on this list is around sharing virus
samples ... but if there are no complaints then if you get one send it my
way and I'll run it in my lab. I can determine where it is talking, what ports,
what it is doing, etc ... in very little time. 

Hope that helps,
Eric Kedrosky

Security Analyst
ekk at nortel.com
ekk at avien.org

During the past couple of hours, we have seen a MAJOR jump in the number of
scans against TCP/135. Has anyone else?

Over the past few days, scans to this port have averaged something less than
1/3rd of total scans. However, last hour (14:00 US/Eastern, GMT-0500), scans
to TCP/135 averaged just under 2/3rds of all scans, and thus far this hour
(15:00 - 15:20), the scans are up to just under 3/4ths of all scans. 

Also, the scan rate on a per-10-minute interval has been consistently
increasing since about 14:20. If it continues to rise at the current rate of
increase, scans to TCP/135 will account for about 90% of all scans sometime
later today.

Anyone else seeing this?

Any idea what new is going on?

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
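As an added example (not code from either post or from DShield), the per-10-minute "share of all scans going to TCP/135" check that the report above describes, run over constructed log lines in a hypothetical "date time src dst dport proto" format:

```python
from collections import Counter
from datetime import datetime

# Constructed sample firewall log lines (hypothetical "date time src dst dport proto"
# format), not data from the thread; timestamps are on the day of the report.
SAMPLE_LOG = """\
2005-03-22 13:55:02 10.0.0.5 192.0.2.10 445 TCP
2005-03-22 13:57:40 10.0.0.6 192.0.2.11 135 TCP
2005-03-22 13:58:11 10.0.0.7 192.0.2.12 1433 TCP
2005-03-22 14:21:09 10.0.0.8 192.0.2.13 135 TCP
2005-03-22 14:23:50 10.0.0.9 192.0.2.14 135 TCP
2005-03-22 14:25:33 10.0.0.5 192.0.2.15 445 TCP
2005-03-22 14:31:12 10.0.0.6 192.0.2.16 135 TCP
2005-03-22 14:33:45 10.0.0.7 192.0.2.17 135 TCP
2005-03-22 14:35:08 10.0.0.8 192.0.2.18 135 TCP
2005-03-22 14:38:59 10.0.0.9 192.0.2.19 1433 TCP
"""

def bucket_start(ts, minutes=10):
    """Floor a timestamp to the start of its N-minute interval."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def port_share_per_interval(log_text, port=135, minutes=10):
    """Return {interval_start: (hits_to_port, total_tcp_scans, share)} in time order."""
    totals, hits = Counter(), Counter()
    for line in log_text.splitlines():
        date, time, _src, _dst, dport, proto = line.split()
        if proto != "TCP":
            continue  # the report counts TCP scans only
        b = bucket_start(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), minutes)
        totals[b] += 1
        if int(dport) == port:
            hits[b] += 1
    return {b: (hits[b], totals[b], hits[b] / totals[b]) for b in sorted(totals)}

def rising_intervals(stats, threshold=0.5):
    """Intervals where the port's share is above threshold AND higher than the
    previous interval, i.e. the 'consistently increasing' pattern worth alerting on."""
    flagged, prev = [], None
    for b, (_, _, share) in stats.items():
        if share > threshold and (prev is None or share > prev):
            flagged.append(b)
        prev = share
    return flagged
```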