[unisog] New Worm?

Ray Strubinger ray.strubinger at oit.gatech.edu
Fri Feb 1 21:49:20 GMT 2008


Here are a few things that you could use to locate the source of the 
activity...

Do you have a way to determine if there are new binaries on the system? 
MAC time analysis may be helpful here.

There are a couple of free tools, fport and aports that will show the 
processes binding to ports or on newer systems, netstat -naob will give 
you similar information.  That might help you determine what application 
is talking on the network.  If the application isn't constantly bound to 
the port, then a tool like autoruns which scans the registry might be 
helpful in showing unusual applications that are starting on boot.

Port scan the system (nmap or something similar) just to see if there 
are any unexpected open ports.  Netstat (or other tools you run from the 
local system) may not give you an accurate representation of the ports 
that are open.

If you find any binaries that are unexpected, feel free to contact me.

-Ray

Bob Henry wrote:
> We are spotting a growing list of machines sweeping several subnets
> like this:
> 
> First, try a Ping:
> if you get a response, try 2 times
> if no response, try 4 times
> 
> Next, send an NBSTAT -a packet, full of <00>  (or AA)
> if no response, try 3 times
> 
> All windows boxes, none show viruses when scanned with our Symantec
> Enterprise AV, no rootkits according to rootkit revealer and sophos.  8
> out of 50 (or so) show up in our Facetime logs trying to phone home, so
> they have adware on them.
> 
> Has anyone seen anything like this and what was your response?
> 
> Robert Henry, CISSP, GCIH
> Information Security Officer
> Office of Information Technology
> Boise State University
> 208-426-5701
> bhenry at boisestate.edu
> http://boisestate.edu/oit/iso


-- 
Ray Strubinger
Information Security Program Manager

Georgia Institute of Technology
OIT Information Security
258 Fourth St, Rich 222
Atlanta, Georgia 30332-0700
Phone:404-385-0334/Fax:404-385-2331
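As an added example (not part of either message), a small Python detector for the sweep pattern Bob describes: a host pings many addresses and then sends the NetBIOS name-service query that NBSTAT -a produces (UDP/137) to the same addresses. The flow-record format, the sample records and the thresholds are all assumptions made for the example.

```python
"""Flag hosts whose traffic matches the ping-then-NBSTAT sweep in the
thread: ICMP echo to many addresses, then UDP/137 (NetBIOS name service,
which NBSTAT -a uses) to the same addresses."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records for the example (not from the post): "src dst proto dport"
SAMPLE_FLOWS = """\
10.1.2.3 10.1.5.1 ICMP 0
10.1.2.3 10.1.5.2 ICMP 0
10.1.2.3 10.1.5.3 ICMP 0
10.1.2.3 10.1.5.4 ICMP 0
10.1.2.3 10.1.5.5 ICMP 0
10.1.2.3 10.1.5.1 UDP 137
10.1.2.3 10.1.5.2 UDP 137
10.1.2.3 10.1.5.3 UDP 137
10.1.2.3 10.1.5.3 UDP 137
10.1.2.3 10.1.5.4 UDP 137
10.1.9.9 10.1.5.1 ICMP 0
10.1.9.9 192.0.2.10 TCP 80
"""

def find_sweepers(flows, min_targets=4, min_overlap=0.5):
    """Return {src: (pinged, nbt_probed, subnets)} for sources that pinged at
    least min_targets distinct hosts and sent UDP/137 to at least min_overlap
    of them. Distinct targets are counted, not packets, so the 2x/3x/4x
    retries described in the thread do not inflate the score."""
    pinged, nbt = defaultdict(set), defaultdict(set)
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        try:
            src, dst = ip_address(parts[0]), ip_address(parts[1])
            proto, dport = parts[2].upper(), int(parts[3])
        except ValueError:
            continue
        if proto == "ICMP":
            pinged[src].add(dst)
        elif proto == "UDP" and dport == 137:
            nbt[src].add(dst)
    hits = {}
    for src, targets in pinged.items():
        overlap = targets & nbt[src]
        if len(targets) >= min_targets and len(overlap) >= min_overlap * len(targets):
            nets = sorted({str(ip_network(f"{d}/24", strict=False)) for d in overlap})
            hits[str(src)] = (len(targets), len(overlap), nets)
    return hits
```

Run against real flow or firewall logs, the hits give the internal sources to pull for the MAC-time, netstat and autoruns triage Ray outlines.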
