Sobig.f detection inconsistencies

Joshua Thomas thomasj4+unisog at oak.cats.ohiou.edu
Fri Aug 22 21:45:08 GMT 2003


Until recently we have been identifying the IPs of SoBig.f infected hosts 
by checking the source IPs in MailScanner logs as well as logging outbound 
TCP/25 traffic.

After 19:00 UTC, we also began seeing IPs attempting to make outbound 
UDP/8998 connections:

(Obfuscated Source IP, EDT time)

22 Aug 03 15:05:19    udp  xxx.xxx.xxx.xxx.1033   ->    218.147.164.29.8998 TIM
22 Aug 03 15:07:49    udp  xxx.xxx.xxx.xxx.1033   ->      24.202.91.43.8998 TIM
22 Aug 03 15:08:02    udp  xxx.xxx.xxx.xxx.1445   ->    24.210.182.156.8998 TIM
22 Aug 03 15:08:07    udp  xxx.xxx.xxx.xxx.3836   ->      61.38.187.59.8998 TIM
22 Aug 03 15:08:08    udp  xxx.xxx.xxx.xxx.3103   ->      68.50.208.96.8998 TIM

To my surprise, none of the source IPs of the UDP/8998 attempts appeared in 
the list of hosts that I believed to be infected with SoBig.f at the time 
based on MailScanner and SMTP logs.

I suppose the UDP/8998 connections could not be the work of the worm at 
all, but instead curious people trying to see if the twenty “master 
servers” were available, but I doubt it.

I also can’t explain why machines I suspected to be infected were not seen 
in the UDP/8998 list.

As for our defense against the worm, we are filtering inbound UDP traffic 
on ports 995-999 and 8998 per 
http://isc.sans.org/diary.html?date=2003-08-22, but not outbound.

Anyone else seeing similar traffic?

Thanks,
Joshua Thomas
Security Analyst
Communication Network Services
Ohio University
Athens, Ohio 45701
security at ohio.edu
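As an added illustration (not part of the original post) of the cross-check Joshua describes: parse flow-log lines in the format shown above, pull out the source hosts of UDP/8998 attempts, and compare them with the hosts flagged from MailScanner/SMTP logs. The sample flows and suspect list are constructed; RFC 5737 addresses stand in for the obfuscated source IPs.

```python
import re
from collections import namedtuple

# Flow-log line shape seen in the post: "DD Mon YY HH:MM:SS proto src.port -> dst.port STATE"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+)\.(?P<dport>\d+)\s*(?P<state>\w*)$"
)
Flow = namedtuple("Flow", "ts proto src sport dst dport state")


def parse_flow(line):
    """Parse one flow-log line; return a Flow, or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Flow(d["ts"], d["proto"].lower(), d["src"], int(d["sport"]),
                d["dst"], int(d["dport"]), d["state"])


def sources_to_port(lines, proto="udp", dport=8998):
    """Distinct source IPs with at least one flow of the given protocol to dport."""
    return {f.src for f in map(parse_flow, lines) if f and f.proto == proto and f.dport == dport}


def compare_indicators(smtp_suspects, udp_sources):
    """Split hosts into those seen by both indicators, by SMTP logs only, or by UDP/8998 only."""
    smtp_suspects, udp_sources = set(smtp_suspects), set(udp_sources)
    return {
        "both": smtp_suspects & udp_sources,
        "smtp_only": smtp_suspects - udp_sources,
        "udp_only": udp_sources - smtp_suspects,
    }


# Constructed sample flows (192.0.2.x sources stand in for the obfuscated ones in the post).
SAMPLE_FLOWS = """\
22 Aug 03 15:05:19    udp  192.0.2.10.1033   ->    218.147.164.29.8998 TIM
22 Aug 03 15:07:49    udp  192.0.2.11.1033   ->      24.202.91.43.8998 TIM
22 Aug 03 15:08:02    udp  192.0.2.12.1445   ->    24.210.182.156.8998 TIM
22 Aug 03 15:08:07    tcp  192.0.2.20.3836   ->      61.38.187.59.25 FIN
22 Aug 03 15:08:08    udp  192.0.2.21.3103   ->      68.50.208.96.53 TIM
""".splitlines()

# Constructed list of hosts already flagged from MailScanner/SMTP logs.
SMTP_SUSPECTS = ["192.0.2.20", "192.0.2.21", "192.0.2.12"]

if __name__ == "__main__":
    result = compare_indicators(SMTP_SUSPECTS, sources_to_port(SAMPLE_FLOWS))
    for key, hosts in result.items():
        print(f"{key}: {sorted(hosts)}")
```

Hosts in "smtp_only" and "udp_only" are the inconsistency the post is asking about; either list is worth a second look before blocking or cleaning a machine.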
