Re: Worm on 445/tcp?
From: james (jamesh@cybermesa.com)
Date: 12/17/02
- Previous message: Stephen J. Friedl: "Re: Worm on 445/tcp?"
- In reply to: Joe Blatz: "Re: Worm on 445/tcp?"
- Next in thread: Stephen J. Friedl: "Re: Worm on 445/tcp?"
From: "james" <jamesh@cybermesa.com>
To: <incidents@securityfocus.com>
Date: Tue, 17 Dec 2002 13:54:45 -0700
Somewhat decompiled source here:
http://www.unixwiz.net/iraqworm/iraqworm.cpp
This looks ripe for a content matching rule:
static const char *PasswordTable[] = {
NullPassword,
"admin",
"root",
"111",
"123",
"1234",
"123456",
"654321",
"1",
"!@#$",
"asdf",
"asdfgh",
"!@#$%",
"!@#$%^",
"!@#$%^&",
"!@#$%^&*",
"server",
----- Original Message -----
From: "Joe Blatz" <sd_wireless@yahoo.com>
To: "Scott A.McIntyre" <scott@xs4all.net>;
<incidents@securityfocus.com>
Sent: Tuesday, December 17, 2002 12:50 PM
Subject: Re: Worm on 445/tcp?
> Anyone have packet captures or Snort rules?
>
> --- "Scott A.McIntyre" <scott@xs4all.net> wrote:
> > Over the past two weeks or so I've been noticing a steady rise in what
> > appears to be worm-related traffic to the new unified SMB over TCP port
> > (445) on Microsoft Win2k and newer operating systems.
> >
> > I haven't yet been able to properly identify what the culprit is; at
> > first I thought a variation of OpaServ, and that hasn't been fully
> > ruled out, but I'm not quite convinced of that either. Anyone have any
> > clues that might help pin this down further?
> >
> > An infected machine seems to send the following:
> >
> > 1095 114.002629 src -> dst SMB Negotiate Protocol Request
> > 1105 114.363458 src -> dst SMB Session Setup AndX Request
> > 1106 114.774364 src -> dst SMB Session Setup AndX Request
> > 1107 115.168792 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
> > 1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr
> > 1112 115.652261 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
> > 1136 117.759036 src -> dst SAMR Connect4 request
> > 1137 118.299350 src -> dst SMB Close Request, FID: 0x4000
> > 1142 119.004483 src -> dst SMB Logoff AndX Request
> > 1150 119.375665 src -> dst SMB Tree Disconnect Request
> >
> > And another:
> >
> > 7.933416 src -> dst SMB Negotiate Protocol Request
> > 10.958481 src -> dst SMB Session Setup AndX Request
> > 13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
> > 13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
> > 15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
> > 17.149345 src -> dst SAMR Connect4 request
> > 20.405997 src -> dst SAMR EnumDomains request
> > 23.579240 src -> dst SAMR LookupDomain request
> > 25.341903 src -> dst SAMR OpenDomain request
> > 25.891947 src -> dst SAMR EnumDomainUsers request
> > 26.597393 src -> dst SAMR Close request
> > 29.615040 src -> dst SMB Close Request, FID: 0x4000
> > 30.048894 src -> dst SMB Logoff AndX Request
> > 32.738878 src -> dst SMB Tree Disconnect Request
> >
> > It appears as though there's a high degree of randomness to the
> > destination IP addresses that are chosen by the worm, as can be seen
> > from this 1 second snapshot:
> >
> > 121.33.1.48
> > 91.71.109.105
> > 76.123.46.27
> > 222.120.99.35
> > 124.72.254.8
> > 17.64.153.118
> > 27.23.33.121
> > 185.33.178.38
> > 151.49.213.31
> > 167.60.15.125
> > 132.86.243.68
> > 26.125.133.71
> > 1.104.130.21
> > 40.88.91.120
> > 48.101.140.21
> > 48.93.34.36
> > 193.60.220.48
> > 117.26.58.96
> > 27.2.15.114
> > 25.7.221.31
> >
> > Note: the infected system's IP address is not within any of these
> > network segments.
> >
> > I've noticed others reporting a similar increase in traffic, but so far
> > haven't seen a definitive acknowledgment of precisely what it is that's
> > responsible.
> >
> > Any pointers gratefully accepted.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
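A note on the two kinds of evidence in this thread, and an added detection example (my own code, not from any of the posters and not from the decompiled source at unixwiz.net). The password table is what the worm tries; it is not what crosses the wire. Windows servers require NTLM challenge-response in SMB Session Setup by default, so the literal strings in that table are never sent in clear and a content rule on them would not fire on the worm's own traffic. What is observable on every probe is the fan-out to unrelated /8 networks on 445/tcp shown in the one-second snapshot, and on hosts it gets into, the sequence in the second capture: Tree Connect to IPC$, NT Create of the \samr pipe, DCERPC bind to SAMR, then EnumDomainUsers. The script below turns those two observations into checks over a flow summary. Everything it consumes is an assumption: the "time src -> dst dport info" record format (a reshaped tshark-style summary, not the exact output quoted above), every host, address and timestamp in SAMPLE_LOG, and the thresholds (a 1 second window, 8 distinct /8 prefixes) are constructed for the example.

```python
"""Behavioural checks for the 445/tcp worm traffic discussed in this thread.
Added example, not code from the posters or from the decompiled worm source.
Input is an assumed "time src -> dst dport info" summary, one record per line."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<dport>\d+)\s+(?P<info>.*)$"
)

# Substrings that must occur, in this order, within one src->dst flow; taken
# from the second capture quoted above. One record may satisfy several markers.
SAMR_ENUM_FINGERPRINT = (
    r"Tree Connect AndX Request, Path: \\",  # share connect ...
    r"\IPC$",                                 # ... to the IPC$ pipe share
    r"Path: \samr",                           # open of the SAMR named pipe
    "UUID: SAMR",                             # DCERPC bind to the SAMR interface
    "SAMR EnumDomainUsers",                   # user enumeration, the worm's goal
)


def parse(log_text):
    """Turn summary lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["t"], r["dport"] = float(r["t"]), int(r["dport"])
            records.append(r)
    return records


def samr_enumeration_flows(records):
    """Return the (src, dst) pairs whose 445/tcp records carry the fingerprint in order."""
    flows = defaultdict(list)
    for r in records:
        if r["dport"] == 445:
            flows[(r["src"], r["dst"])].append(r)
    hits = set()
    for flow, recs in flows.items():
        i = 0
        for r in sorted(recs, key=lambda r: r["t"]):
            while i < len(SAMR_ENUM_FINGERPRINT) and SAMR_ENUM_FINGERPRINT[i] in r["info"]:
                i += 1
        if i == len(SAMR_ENUM_FINGERPRINT):
            hits.add(flow)
    return hits


def fanout_sources(records, window=1.0, min_prefixes=8):
    """Return {src: n} for sources touching >= min_prefixes distinct /8 prefixes on
    445/tcp within any `window` seconds; random target selection spreads across /8s."""
    per_src = defaultdict(list)
    for r in records:
        if r["dport"] == 445:
            per_src[r["src"]].append((r["t"], r["dst"].split(".")[0]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # /8 prefix -> records currently inside the window
        left = best = 0
        for t, prefix in events:
            in_window[prefix] += 1
            while t - events[left][0] > window:  # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_prefixes:
            flagged[src] = best
    return flagged


# Constructed sample: one flow shaped like the second capture above, a benign
# client (10.0.0.7) on its own server, then a one-second burst of SYNs from the
# suspect host to the twenty addresses listed in the thread's snapshot.
SAMPLE_LOG = r"""
7.933416 10.0.0.5 -> 192.0.2.10 445 SMB Negotiate Protocol Request
13.654558 10.0.0.5 -> 192.0.2.10 445 SMB Tree Connect AndX Request, Path: \\192.0.2.10\IPC$
13.926353 10.0.0.5 -> 192.0.2.10 445 SMB NT Create AndX Request, Path: \samr
15.231252 10.0.0.5 -> 192.0.2.10 445 DCERPC Bind: call_id: 1 UUID: SAMR
25.891947 10.0.0.5 -> 192.0.2.10 445 SAMR EnumDomainUsers request
26.597393 10.0.0.5 -> 192.0.2.10 445 SAMR Close request
40.100000 10.0.0.7 -> 10.0.0.9 445 SMB Tree Connect AndX Request, Path: \\10.0.0.9\share
"""
SCAN_TARGETS = [
    "121.33.1.48", "91.71.109.105", "76.123.46.27", "222.120.99.35", "124.72.254.8",
    "17.64.153.118", "27.23.33.121", "185.33.178.38", "151.49.213.31", "167.60.15.125",
    "132.86.243.68", "26.125.133.71", "1.104.130.21", "40.88.91.120", "48.101.140.21",
    "48.93.34.36", "193.60.220.48", "117.26.58.96", "27.2.15.114", "25.7.221.31",
]
SAMPLE_LOG += "".join(
    f"{30 + i * 0.05:.6f} 10.0.0.5 -> {ip} 445 TCP SYN\n" for i, ip in enumerate(SCAN_TARGETS)
)

if __name__ == "__main__":
    print(samr_enumeration_flows(parse(SAMPLE_LOG)), fanout_sources(parse(SAMPLE_LOG)))
```

Run as-is it reports the single SAMR-enumeration flow and the suspect host with 18 distinct /8 prefixes inside one second, and stays quiet on the client that only talks to its own server. The fan-out check keys on /8 prefixes because that is the distribution the snapshot above shows; a legitimate SMB client rarely leaves one, so the threshold can be set low. The fingerprint check is the piece to carry into a Snort rule: match on the \samr pipe open or the SAMR bind rather than on the password strings.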