[unisog] As the worm turns, Slapper variants begin using UDP ports 4156 and 1978 (instead of 2002)

Lawrence Baldwin baldwinL at mynetwatchman.com
Mon Sep 23 21:19:41 GMT 2002


FYI,

Firewalls in our sensor network logged a significant volume of udp/4156
probes today (7500+ unique source IPs) targeting one specific IP within
our participant's network.  These probes were blocked due to pre-existing
firewall rules.

After further investigation, it was determined that the target host was
compromised with Slapper.B (tcp/80 and tcp/443 WERE allowed).

Conclusion:
Even unsuccessful udp/4156 probes from a high number of distinct source IPs
may be a strong indication that the *target* IP is compromised.

I'm in the process of emailing the owners of the 7500 hosts that were
attempting to communicate with the compromised host as they are likely
compromised as well...that list consisted of a high number of academic
institutions.

I have not seen any udp/1978 probes...yet.

Regards,

Lawrence Baldwin
http://www.mynetwatchman.com
The Internet Neighborhood Watch
Atlanta, GA
+1.678.624.0924

-----Original Message-----
From: H. Morrow Long [mailto:morrow.long at yale.edu]
Sent: Sunday, September 22, 2002 18:30
To: Rich Graves
Cc: unisog at sans.org; itsiso.staff at yale.edu;
information.security at med.yale.edu
Subject: Re: [unisog] As the worm turns, Slapper variants begin using
UDP ports 4156 and 1978 (instead of 2002)


Glad to be of any help.

However, the ones I saw at 1978 and 4156 did have the same UDP port for
both source and destination (just like the original Slapper which used
2002).

And "srcport == dstport" is also still the observed behaviour in the ISS
writeup on the new Slapper (Slapper.B) available now at :

  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184

Note that the new version has just a few slight differences from the
original:
	UDP port is 4156
	Sends email (IP #, Hostname and upstream infector) to aion at ukr.net
	Sets up secondary backdoor trojan port requiring password at TCP port
		1052 (there seems to be some confusion as some writeups say 1025).
	Different set of filenames in /tmp (httpd is worm bin, update is backdoor
		process and .unlock is the gzipped source file for worm & backdoor).
	Slapper.B also changes its process name to "httpd", so as to masquerade
		as a copy of the Apache web server.

Are you sure that the traffic you saw below is from a Slapper worm variant
(also, I'd sanitize any IP #s before sending 'em out, as the traffic below
may be other legitimate, but private, traffic such as P2P or online gaming.).

Were there any of the other signs of Slapper on the Brandeis host?
Was it scanning Internet hosts, probing TCP ports 80 and 443?

H. Morrow Long
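
The two observations in this thread (Baldwin's: a large number of distinct source IPs probing one target on udp/4156 points at the *target* being compromised; Long's: Slapper and Slapper.B use the same UDP port for source and destination, and an infected host also scans tcp/80 and tcp/443) can be turned into a log-review check. The following is an added example written for this archive page, not code from the thread or from any firewall vendor. It assumes a generic "key=value" firewall log line format and constructs its own sample log with documentation-range addresses; the thresholds are illustrative assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# UDP ports named in the thread: 2002 (original Slapper), 4156 and 1978 (variants).
SLAPPER_UDP_PORTS = {2002, 4156, 1978}

# Generic key=value firewall log format; an assumption, not any vendor's real format.
LOG_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def inbound_probe_summary(lines):
    """Group UDP traffic on Slapper ports by target: count distinct sources and
    how many probes had srcport == dstport (the worm's P2P signature)."""
    summary = defaultdict(lambda: {"sources": set(), "symmetric": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dpt"] not in SLAPPER_UDP_PORTS:
            continue
        entry = summary[(rec["dst"], rec["dpt"])]
        entry["sources"].add(rec["src"])
        entry["total"] += 1
        if rec["spt"] == rec["dpt"]:
            entry["symmetric"] += 1
    return summary


def suspected_infected_targets(lines, min_sources=20, min_symmetric_ratio=0.9):
    """Return [(dst, dpt, distinct_sources)] for targets that many distinct peers
    tried to reach with matching ports. Thresholds are illustrative assumptions."""
    hits = []
    for (dst, dpt), e in inbound_probe_summary(lines).items():
        n = len(e["sources"])
        if n >= min_sources and e["symmetric"] / e["total"] >= min_symmetric_ratio:
            hits.append((dst, dpt, n))
    return sorted(hits, key=lambda h: -h[2])


def outbound_web_scan_count(lines, host):
    """Corroborating sign raised in the thread: number of distinct hosts that
    `host` contacted on tcp/80 or tcp/443 (Slapper scanning for web servers)."""
    targets = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == host and rec["proto"] == "tcp" and rec["dpt"] in (80, 443):
            targets.add(rec["dst"])
    return len(targets)


def constructed_sample_log():
    """Constructed sample: 60 distinct peers probe 192.0.2.5 on udp/4156 with a
    matching source port, one unrelated UDP client with a random source port,
    and the same host scanning tcp/80 and tcp/443 outward."""
    lines = []
    for i in range(1, 61):
        lines.append(f"2002-09-23 10:{i % 60:02d}:00 action=block proto=udp "
                     f"src=198.51.100.{i} spt=4156 dst=192.0.2.5 dpt=4156")
    # A lone client with a random source port: looks like P2P or gaming, not the worm.
    lines.append("2002-09-23 10:05:00 action=block proto=udp "
                 "src=203.0.113.7 spt=53123 dst=192.0.2.9 dpt=4156")
    # The compromised host probing outward on tcp/80 and tcp/443 (allowed through).
    for i in range(1, 31):
        lines.append(f"2002-09-23 11:00:{i % 60:02d} action=allow proto=tcp "
                     f"src=192.0.2.5 spt={40000 + i} dst=203.0.113.{i} dpt={80 if i % 2 else 443}")
    return lines


if __name__ == "__main__":
    log = constructed_sample_log()
    for dst, dpt, n in suspected_infected_targets(log):
        scans = outbound_web_scan_count(log, dst)
        print(f"{dst} udp/{dpt}: {n} distinct sources, "
              f"{scans} outbound tcp/80,443 targets -> likely Slapper peer")
```

The symmetric-port ratio is what separates worm peer traffic from the P2P or gaming traffic Long warns about: a legitimate client normally picks an ephemeral source port, whereas the sample's 60 probes all carry spt=4156. The outbound tcp/80,443 fan-out is reported alongside the hit as the second indicator the thread asks for before concluding a host is infected.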
