Re: Worm on 445/tcp?

From: Joe Blatz (sd_wireless@yahoo.com)
Date: 12/17/02

    Date: Tue, 17 Dec 2002 11:50:10 -0800 (PST)
    From: Joe Blatz <sd_wireless@yahoo.com>
    To: "Scott A.McIntyre" <scott@xs4all.net>, incidents@securityfocus.com
    
    

    Anyone have packet captures or Snort rules?

    --- "Scott A.McIntyre" <scott@xs4all.net> wrote:
    > Over the past two weeks or so I've been noticing a
    > steady rise in what
    > appears to be worm related traffic to the new
    > unified smb over tcp port
    > (445) on Microsoft Win2k and newer operating
    > systems.
    >
    > I haven't yet been able to properly identify what
    > the culprit is; at
    > first I thought a variation of OpaServ, and that
    > hasn't been fully
    > ruled out, but I'm not quite convinced of that
    > either. Anyone have any
    > clues that might help pin this down further?
    >
    > An infected machine seems to send the following:
    >
    > 1095 114.002629 src -> dst SMB Negotiate Protocol
    > Request
    > 1105 114.363458 src -> dst SMB Session Setup AndX
    > Request
    > 1106 114.774364 src -> dst SMB Session Setup AndX
    > Request
    > 1107 115.168792 src -> dst SMB Tree Connect AndX
    > Request,Path:
    > \\dst\IPC$
    > 1110 115.330792 src -> dst SMB NT Create AndX
    > Request, Path: \samr
    > 1112 115.652261 src -> dst DCERPC Bind: call_id: 1
    > UUID: SAMR
    > 1136 117.759036 src -> dst SAMR Connect4 request
    > 1137 118.299350 src -> dst SMB Close Request, FID:
    > 0x4000
    > 1142 119.004483 src -> dst SMB Logoff AndX Request
    > 1150 119.375665 src -> dst SMB Tree Disconnect
    > Request
    >
    > And another:
    >
    > 7.933416 src -> dst SMB Negotiate Protocol Request
    > 10.958481 src -> dst SMB Session Setup AndX Request
    > 13.654558 src -> dst SMB Tree Connect AndX Request,
    > Path: \\dst\IPC$
    > 13.926353 src -> dst SMB NT Create AndX Request,
    > Path: \samr
    > 15.231252 src -> dst DCERPC Bind: call_id: 1 UUID:
    > SAMR
    > 17.149345 src -> dst SAMR Connect4 request
    > 20.405997 src -> dst SAMR EnumDomains request
    > 23.579240 src -> dst SAMR LookupDomain request
    > 25.341903 src -> dst SAMR OpenDomain request
    > 25.891947 src -> dst SAMR EnumDomainUsers request
    > 26.597393 src -> dst SAMR Close request
    > 29.615040 src -> dst SMB Close Request, FID: 0x4000
    > 30.048894 src -> dst SMB Logoff AndX Request
    > 32.738878 src -> dst SMB Tree Disconnect Request
    >
    >
    > It appears as though there's a high degree of
    > randomness to the
    > destination IP addresses that are chosen by the worm
    > as can be seen
    > from this 1 second snapshot:
    >
    >
    > 121.33.1.48
    > 91.71.109.105
    > 76.123.46.27
    > 222.120.99.35
    > 124.72.254.8
    > 17.64.153.118
    > 27.23.33.121
    > 185.33.178.38
    > 151.49.213.31
    > 167.60.15.125
    > 132.86.243.68
    > 26.125.133.71
    > 1.104.130.21
    > 40.88.91.120
    > 48.101.140.21
    > 48.93.34.36
    > 193.60.220.48
    > 117.26.58.96
    > 27.2.15.114
    > 25.7.221.31
    >
    >
    > Note: the infected system's ip address is not within
    > any of these
    > network segments.
    >
    > I've noticed others reporting similar increase in
    > traffic, but so far
    > haven't seen a definitive acknowledgment of
    > precisely what it is that's
    > responsible.
    >
    > Any pointers gratefully accepted.
    >
    >
    >
    >
    >
    ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management
    > and tracking system please see:
    > http://aris.securityfocus.com
    >

    __________________________________________________
    Do you Yahoo!?
    Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
    http://mailplus.yahoo.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
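Added example (not part of the thread or of either poster's message): a small detector for the pattern Scott's quoted captures show, written for anyone who, like Joe, wants something to run over packet captures before a signature exists. It consumes one-line dissector summaries in the quoted style (`[frame] time src -> dst info`) and reports a source/destination pair once it has walked Tree Connect to IPC$, NT Create on the \samr pipe, a DCERPC bind to SAMR and a SAMR EnumDomainUsers request; separately it flags a source whose destinations fall in many unrelated /16 networks, the random-target behaviour noted in the one-second snapshot. It assumes the summaries were already filtered to 445/tcp (for instance with a `tcp.port==445` display filter), and the `scan_threshold` of eight /16s, the sample addresses (RFC 5737 and 10.0.0.0/8 space) and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# One summary line: optional frame number, timestamp, "src -> dst", free text.
LINE_RE = re.compile(
    r"^\s*(?:(?P<frame>\d+)\s+)?(?P<time>\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<info>.+?)\s*$"
)

# Stages of the SAMR enumeration walk, in the order the quoted captures show
# them. Each stage is recognised by substrings of the dissector's info text.
STAGES = (
    ("ipc",  ("Tree Connect AndX Request", "IPC$")),
    ("pipe", ("NT Create AndX Request", "\\samr")),
    ("bind", ("DCERPC Bind", "UUID: SAMR")),
    ("enum", ("SAMR EnumDomainUsers request",)),
)

# Constructed sample, modelled on the quoted capture: one full SAMR walk from
# 198.51.100.7 and one benign file-share connection from 10.0.0.5.
SAMPLE = r"""
1 0.000000 198.51.100.7 -> 192.0.2.10 SMB Negotiate Protocol Request
2 0.361000 198.51.100.7 -> 192.0.2.10 SMB Session Setup AndX Request
3 0.772000 198.51.100.7 -> 192.0.2.10 SMB Tree Connect AndX Request, Path: \\192.0.2.10\IPC$
4 0.934000 198.51.100.7 -> 192.0.2.10 SMB NT Create AndX Request, Path: \samr
5 1.255000 198.51.100.7 -> 192.0.2.10 DCERPC Bind: call_id: 1 UUID: SAMR
6 1.759000 198.51.100.7 -> 192.0.2.10 SAMR Connect4 request
7 2.405000 198.51.100.7 -> 192.0.2.10 SAMR EnumDomains request
8 2.579000 198.51.100.7 -> 192.0.2.10 SAMR LookupDomain request
9 2.891000 198.51.100.7 -> 192.0.2.10 SAMR EnumDomainUsers request
10 3.048000 198.51.100.7 -> 192.0.2.10 SMB Logoff AndX Request
11 5.000000 10.0.0.5 -> 192.0.2.20 SMB Negotiate Protocol Request
12 5.200000 10.0.0.5 -> 192.0.2.20 SMB Session Setup AndX Request
13 5.400000 10.0.0.5 -> 192.0.2.20 SMB Tree Connect AndX Request, Path: \\192.0.2.20\Public
"""


def scan_burst(src="198.51.100.7", count=9):
    """Constructed: one Negotiate each to hosts in unrelated /16s, as the
    quoted one-second snapshot of worm destinations suggests."""
    return [
        f"{100 + i} {4 + i / 10:.6f} {src} -> 10.{i}.0.1 SMB Negotiate Protocol Request"
        for i in range(1, count + 1)
    ]


def parse_line(line):
    """Return the fields of one summary line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["time"] = float(pkt["time"])
    return pkt


def stage_of(info):
    """Map the info text to a stage name, or None for uninteresting packets."""
    for name, needles in STAGES:
        if all(n in info for n in needles):
            return name
    return None


def analyze(lines, scan_threshold=8):
    """Return (sessions, scanners).

    sessions: {(src, dst): [stages reached, in order]} for every pair that at
              least bound to the SAMR interface.
    scanners: {src: number of distinct destination /16s} for sources that hit
              scan_threshold or more distinct /16s (random-target behaviour).
    """
    reached = defaultdict(list)
    dest_nets = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        dest_nets[pkt["src"]].add(tuple(pkt["dst"].split(".")[:2]))
        stage = stage_of(pkt["info"])
        key = (pkt["src"], pkt["dst"])
        if stage and stage not in reached[key]:
            reached[key].append(stage)
    sessions = {k: v for k, v in reached.items() if "bind" in v}
    scanners = {s: len(n) for s, n in dest_nets.items() if len(n) >= scan_threshold}
    return sessions, scanners


def main():
    lines = SAMPLE.strip().splitlines() + scan_burst()
    sessions, scanners = analyze(lines)
    for (src, dst), stages in sessions.items():
        print(f"SAMR walk {src} -> {dst}: {' > '.join(stages)}")
    for src, n in scanners.items():
        print(f"scanner candidate {src}: {n} distinct destination /16s")


if __name__ == "__main__":
    main()
```

On the sample this reports the 198.51.100.7 -> 192.0.2.10 pair with all four stages and names 198.51.100.7 as a scanner candidate; the benign Public share connection from 10.0.0.5 is not reported. A wire-level rule would instead key on the DCERPC bind to the SAMR interface UUID (12345778-1234-abcd-ef00-0123456789ac) on 445/tcp rather than on dissector text, and the `scan_threshold` should be tuned against a site's normal traffic before it is trusted.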
