Nimda mostly infects /8-locally.

From: Thomas Roessler (roessler@does-not-exist.org)
Date: 09/19/01


Date: Wed, 19 Sep 2001 02:09:31 +0200
From: Thomas Roessler <roessler@does-not-exist.org>
To: Jason Giglio <jgiglio@smythco.com>
Subject: Nimda mostly infects /8-locally.
Message-ID: <20010919020931.E32677@sobolev.does-not-exist.org>

It seems that Nimda has some strong locality properties
when spreading.

Evaluating logs on a server which listens on an obscene number of
virtual network interfaces with consecutive IP addresses, all in the
same /24, I'm seeing the following distribution of "classical"
netmasks (/n*8) with respect to the attacking hosts (unique IP
addresses encountered in the logs):

        /16 1
        /8 1127
        /0 242

I don't see any /24s, but that's because there are no vulnerable
hosts in that particular class C network.

This means, in particular, that the probability for Nimda to attack
a host in the same /8 portion of the IP address space is
approximately 5 times the probability to attack a host which is in
some entirely "distant" region of the network.

It also seems like there is no special handling of /16 networks in
the worm: Out of the 215 distinct /16 prefixes encountered (which
do, however, still share the same /8 prefix with the attacked host's
IP addresses), 36 make an appearance with only one unique IP address
in my logs. The /16 prefix of the attacked host just happens to be
one of these.

-- 
Thomas Roessler                        http://log.does-not-exist.org/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
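The classification described in the post above (unique attacking IPs bucketed by the "classical" /24, /16, /8 or /0 prefix they share with the attacked host, and the count of same-/8 /16 prefixes seen from only one IP), as an added example that is not part of the original message. The log lines and addresses are constructed for illustration; the attacked host, log format and function names are assumptions.

```python
"""Classify the source IPs seen in web-server logs by the 'classical' netmask
(/24, /16, /8 or /0) they share with the attacked host."""
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample log lines (Apache common log format), not real data.
SAMPLE_LOG = """\
192.0.55.4 - - [19/Sep/2001:01:10:01 +0200] "GET / HTTP/1.0" 200 512
192.168.1.1 - - [19/Sep/2001:01:10:07 +0200] "GET / HTTP/1.0" 200 512
192.168.1.1 - - [19/Sep/2001:01:10:09 +0200] "GET / HTTP/1.0" 200 512
192.168.7.9 - - [19/Sep/2001:01:11:30 +0200] "GET / HTTP/1.0" 200 512
192.51.100.3 - - [19/Sep/2001:01:12:44 +0200] "GET / HTTP/1.0" 200 512
192.77.3.3 - - [19/Sep/2001:01:13:02 +0200] "GET / HTTP/1.0" 200 512
198.51.100.9 - - [19/Sep/2001:01:14:15 +0200] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [19/Sep/2001:01:15:58 +0200] "GET / HTTP/1.0" 200 512
"""
ATTACKED_HOST = "192.0.2.10"  # assumed; any address in the attacked /24 gives the same buckets

def classical_prefix(attacked: str, source: str) -> int:
    """Longest of /24, /16, /8 or /0 shared by the two addresses."""
    a, b = IPv4Address(attacked).packed, IPv4Address(source).packed
    shared = 0
    for x, y in zip(a[:3], b[:3]):  # only the first three octets matter
        if x != y:
            break
        shared += 8
    return shared

def unique_sources(log_text: str) -> set[str]:
    """Unique attacking hosts: the first field of each log line."""
    return {line.split()[0] for line in log_text.splitlines() if line.strip()}

def locality_distribution(log_text: str, attacked: str = ATTACKED_HOST) -> dict[int, int]:
    """Number of unique source IPs per shared classical prefix length."""
    return dict(Counter(classical_prefix(attacked, ip) for ip in unique_sources(log_text)))

def same_slash8_sixteens(log_text: str, attacked: str = ATTACKED_HOST) -> tuple[int, int]:
    """For sources inside the attacked host's /8: (distinct /16 prefixes,
    how many of those /16s were seen from exactly one unique IP)."""
    per16 = Counter()
    for ip in unique_sources(log_text):
        if classical_prefix(attacked, ip) >= 8:
            per16[ip.rsplit(".", 2)[0]] += 1  # the "a.b" part of the address
    return len(per16), sum(1 for n in per16.values() if n == 1)

if __name__ == "__main__":
    dist = locality_distribution(SAMPLE_LOG)
    for bits in (24, 16, 8, 0):
        print(f"/{bits:<2} {dist.get(bits, 0)}")
    print("same-/8 /16 prefixes, singletons:", same_slash8_sixteens(SAMPLE_LOG))
```

On the constructed sample the /8 bucket dominates the /0 bucket, and the attacked host's own /16 (192.0) is one of the single-IP /16s, mirroring the pattern the post reports.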