Deloder worm scanning TCP 445

Phil.Rodrigues at uconn.edu
Mon Mar 10 09:03:34 GMT 2003


The incidents.org mailing list has been reporting increased scanning for 
port 445 (SMB for Win2K) for a few days now, but we have seen a dramatic 
increase in its rate over the weekend on our 2 Class B networks. 
Incidents.org now attributes it to the Deloder worm, which looks like it 
spreads through Windows 2K computers with weak administrative passwords, 
which means it will have plenty of hosts to infect.

Incidents.org port 445 report showing the sharp increase in reported 
scans:

http://isc.incidents.org/port_details.html?port=445

UConn's IPAudit incoming scans graph, showing the increase from ~40K 
incoming hosts probed to ~80K+ over the weekend:

http://aster.uits.uconn.edu/~ipaudit/ReportLocalHost-image.html

A good first write-up (link gleaned from incidents.org):

http://lists.netsys.com/pipermail/full-disclosure/2003-March/004472.html

Look at all of the passwords it tries! (data from benjurry at szcert.org):

.data:0040A038                 dd offset aAdmin        ; "admin"
.data:0040A03C                 dd offset aAdmin_0      ; "Admin"
.data:0040A040                 dd offset aPassword     ; "password"
.data:0040A044                 dd offset aPassword_0   ; "Password"
.data:0040A048                 dd offset a1            ; "1"
.data:0040A04C                 dd offset a12           ; "12"
.data:0040A050                 dd offset a123          ; "123"
.data:0040A054                 dd offset a1234         ; "1234"
.data:0040A058                 dd offset a12345        ; "12345"
.data:0040A05C                 dd offset a123456       ; "123456"
.data:0040A060                 dd offset a1234567      ; "1234567"
.data:0040A064                 dd offset a12345678     ; "12345678"
.data:0040A068                 dd offset a123456789    ; "123456789"
.data:0040A06C                 dd offset a654321       ; "654321"
.data:0040A070                 dd offset a54321        ; "54321"
.data:0040A074                 dd offset a111          ; "111"
.data:0040A078                 dd offset a000000       ; "000000"
.data:0040A07C                 dd offset a00000000     ; "00000000"
.data:0040A080                 dd offset a11111111     ; "11111111"
.data:0040A084                 dd offset a88888888     ; "88888888"
.data:0040A088                 dd offset aPass         ; "pass"
.data:0040A08C                 dd offset aPasswd       ; "passwd"
.data:0040A090                 dd offset aDatabase     ; "database"
.data:0040A094                 dd offset aAbcd         ; "abcd"
.data:0040A098                 dd offset aAbc123       ; "abc123"
.data:0040A09C                 dd offset aOracle       ; "oracle"
.data:0040A0A0                 dd offset aSybase       ; "sybase"
.data:0040A0A4                 dd offset a123qwe       ; "123qwe"
.data:0040A0A8                 dd offset aServer       ; "server"
.data:0040A0AC                 dd offset aComputer     ; "computer"
.data:0040A0B0                 dd offset aInternet     ; "Internet"
.data:0040A0B4                 dd offset aSuper        ; "super"
.data:0040A0B8                 dd offset a123asd       ; "123asd"
.data:0040A0BC                 dd offset aIhavenopass  ; "ihavenopass"
.data:0040A0C0                 dd offset aGodblessyou  ; "godblessyou"
.data:0040A0C4                 dd offset aEnable       ; "enable"
.data:0040A0C8                 dd offset aXp           ; "xp"
.data:0040A0CC                 dd offset a2002         ; "2002"
.data:0040A0D0                 dd offset a2003         ; "2003"
.data:0040A0D4                 dd offset a2600         ; "2600"
.data:0040A0D8                 dd offset a0            ; "0"
.data:0040A0DC                 dd offset a110          ; "110"
.data:0040A0E0                 dd offset a111111       ; "111111"
.data:0040A0E4                 dd offset a121212       ; "121212"
.data:0040A0E8                 dd offset a123123       ; "123123"
.data:0040A0EC                 dd offset a1234qwer     ; "1234qwer"
.data:0040A0F0                 dd offset a123abc       ; "123abc"
.data:0040A0F4                 dd offset a007          ; "007"
.data:0040A0F8                 dd offset aAlpha        ; "alpha"
.data:0040A0FC                 dd offset aPatrick      ; "patrick"
.data:0040A100                 dd offset aPat          ; "pat"
.data:0040A104                 dd offset aAdministrator ; "administrator"
.data:0040A108                 dd offset aRoot         ; "root"
.data:0040A10C                 dd offset aSex          ; "sex"
.data:0040A110                 dd offset aGod          ; "god"
.data:0040A114                 dd offset aFoobar       ; "foobar"
.data:0040A118                 dd offset aA            ; "a"
.data:0040A11C                 dd offset aAaa          ; "aaa"
.data:0040A120                 dd offset aAbc          ; "abc"
.data:0040A124                 dd offset aTest         ; "test"
.data:0040A128                 dd offset aTest123      ; "test123"
.data:0040A12C                 dd offset aTemp         ; "temp"
.data:0040A130                 dd offset aTemp123      ; "temp123"
.data:0040A134                 dd offset aWin          ; "win"
.data:0040A138                 dd offset aPc           ; "pc"
.data:0040A13C                 dd offset aAsdf         ; "asdf"
.data:0040A140                 dd offset aSecret       ; "secret"
.data:0040A144                 dd offset aQwer         ; "qwer"
.data:0040A148                 dd offset aYxcv         ; "yxcv"
.data:0040A14C                 dd offset aZxcv         ; "zxcv"
.data:0040A150                 dd offset aHome         ; "home"
.data:0040A154                 dd offset aXxx          ; "xxx"
.data:0040A158                 dd offset aOwner        ; "owner"
.data:0040A15C                 dd offset aLogin        ; "login"
.data:0040A160                 dd offset aLogin_0      ; "Login"
.data:0040A164                 dd offset aPwd          ; "pwd"
.data:0040A168                 dd offset aPass         ; "pass"
.data:0040A16C                 dd offset aLove         ; "love"
.data:0040A170                 dd offset aMypc         ; "mypc"
.data:0040A174                 dd offset aMypc123      ; "mypc123"
.data:0040A178                 dd offset aAdmin123     ; "admin123"
.data:0040A17C                 dd offset aPw123        ; "pw123"
.data:0040A180                 dd offset aMypass       ; "mypass"
.data:0040A184                 dd offset aMypass123    ; "mypass123"

It looks like the major AV companies have defs available for some of its 
components, but there is not much other info available yet.

The incoming scans data has been a good indicator of larger-scale events 
in the past, and my guess is there are lots of weak Windows hosts to 
infect.  Reason #496 to block Windows Networking from your institution's 
Internet link.

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
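The post's point is that a sudden rise in the number of distinct local hosts probed on TCP 445 by a single remote source is the visible signature of a worm like this one spreading by SMB password guessing. The script below is an added example written for this page, not code from the original post, from IPAudit, or from incidents.org: it takes per-connection flow summaries in a constructed "timestamp src dst proto dport" format (IPAudit's real output format is not reproduced), counts how many distinct hosts inside a stand-in local /16 (172.16.0.0/16, a hypothetical choice) each source touched on tcp/445, and flags sources over a threshold. The sample log lines are constructed; a duplicate probe of the same host, a UDP line, and an outbound 445 connection are included to show what is and is not counted.

```python
"""Flag sources sweeping TCP 445 across a local network (added example).

The log format and the local network below are assumptions for this example.
"""
from collections import defaultdict
import ipaddress
import re

SMB_PORT = 445

# Hypothetical local network standing in for a site's Class B; substitute your own.
LOCAL_NET = ipaddress.ip_network("172.16.0.0/16")

# Constructed sample flow summaries: one line per connection attempt.
SAMPLE_LOG = """\
2003-03-09T02:10:01 203.0.113.7 172.16.1.1 tcp 445
2003-03-09T02:10:01 203.0.113.7 172.16.1.2 tcp 445
2003-03-09T02:10:02 203.0.113.7 172.16.1.3 tcp 445
2003-03-09T02:10:02 203.0.113.7 172.16.1.3 tcp 445
2003-03-09T02:10:03 203.0.113.7 172.16.1.4 tcp 445
2003-03-09T02:10:03 203.0.113.7 172.16.1.5 tcp 445
2003-03-09T02:10:04 203.0.113.7 172.16.2.9 tcp 445
2003-03-09T02:11:00 198.51.100.9 172.16.3.10 tcp 445
2003-03-09T02:11:05 198.51.100.9 172.16.3.11 tcp 445
2003-03-09T02:12:00 198.51.100.20 172.16.4.4 tcp 80
2003-03-09T02:12:01 198.51.100.20 172.16.4.5 tcp 22
2003-03-09T02:13:00 172.16.7.7 203.0.113.99 tcp 445
2003-03-09T02:13:01 203.0.113.7 172.16.1.6 udp 445
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>tcp|udp)\s+(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return src, dst, m["proto"], int(m["dport"])


def smb_targets_by_source(lines, local_net=LOCAL_NET):
    """Map each source to the set of distinct local hosts it probed on tcp/445.

    Only tcp/445 attempts whose destination lies inside local_net count; a
    repeated probe of the same host adds nothing to the set, so the size of
    the set measures breadth of the sweep rather than raw packet volume.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto != "tcp" or dport != SMB_PORT:
            continue
        if dst not in local_net:
            continue
        targets[str(src)].add(str(dst))
    return targets


def find_sweeps(lines, threshold=5, local_net=LOCAL_NET):
    """Return [(src, host_count)] for sources that hit >= threshold local hosts."""
    targets = smb_targets_by_source(lines, local_net)
    hits = [(src, len(hosts)) for src, hosts in targets.items() if len(hosts) >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{src} probed {n} distinct local hosts on tcp/{SMB_PORT}")
```

On the constructed sample, 203.0.113.7 is reported with six distinct hosts (the duplicate probe of 172.16.1.3 and the UDP line do not add to its count), 198.51.100.9 stays below the threshold with two, and the outbound 445 connection from 172.16.7.7 is ignored because its destination is not local. The threshold is a tuning knob: on a real /16, a legitimate file server rarely initiates 445 connections to many distinct hosts, so even a low threshold gives a clean signal, but an internal source that trips it deserves the same attention as an external one since it is likely an already-infected host.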


