Re: Anyone know this tool?
From: Jason Falciola (falciola_at_us.ibm.com)
Date: 07/29/03
- Previous message: Danny: "Re: Anyone know this tool?"
- Maybe in reply to: Danny: "Anyone know this tool?"
- Next in thread: Dave Paris: "Re: Port 0 packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Danny <danny@eboundary.com>
Date: Tue, 29 Jul 2003 14:24:22 -0400
Danny,
From <http://www.cert.org/advisories/CA-2001-26.html>:
The selection of potential target IP addresses follows these rough
probabilities:
50% of the time, an address with the same first two octets will be chosen
25% of the time, an address with the same first octet will be chosen
25% of the time, a random address will be chosen
So some netblocks will be more likely to see larger quantities of Nimda
than others, based on how bad the infestation is among your "neighbors".
However, due to the random scanning 25% of the time, everyone is targeted
eventually.
If you've made some network changes (new ISP, new IP range, etc.) or are
monitoring a new segment, you may be seeing more Nimda traffic, and
perhaps you're noticing patterns that went undetected before.
There have been instances of scanners written specifically to emulate
Nimda in an attempt to escape detection, based on the assumption that
analysts have become used to seeing such traffic and disregard it. This
was discovered because active fingerprinting of the sources showed a *nix
based OS rather than Microsoft.
Passive fingerprinting might help determine if this is genuine Nimda
traffic, but we'd need full packet logs for that. The timestamps were in
line with what you'd expect from Nimda.
However, if the source is in the same /8 or /16 as the destination, I'd
say it's likely Nimda.
Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
falciola@us.ibm.com
Danny <danny@eboundary.com>
07/29/2003 01:10 PM
To: Jason Falciola/Sterling Forest/IBM@IBMUS
cc: incidents@securityfocus.com
Subject: Re: Anyone know this tool?
hrm ok, I'm going to crawl back into my hole now :)
I'm kind of confused as to why I haven't seen any of these patterns
before the last 2 days though. Oh well.
Thanks guys.
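As an added example, not code from the thread or from CERT: a small triage script that applies the locality heuristic Jason describes to source/destination pairs pulled from web-server logs. It classes each source by whether it shares the scanned host's /16 or /8 and compares the observed split against the 50/25/25 selection probabilities quoted from CA-2001-26, so a population of "Nimda" sources that never lands in the local /8 or /16 stands out for closer fingerprinting. The scanned address, the sample sources and the tolerance are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Target-selection probabilities for Nimda as quoted from CERT CA-2001-26.
NIMDA_EXPECTED = {"same_/16": 0.50, "same_/8": 0.25, "random": 0.25}

def locality(src, dst):
    """Place a scan source relative to the scanned host the way Nimda
    chooses targets: same first two octets, same first octet, or neither."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    if s[:2] == d[:2]:
        return "same_/16"
    if s[0] == d[0]:
        return "same_/8"
    return "random"

def locality_profile(pairs):
    """Fraction of (src, dst) pairs falling into each locality class."""
    counts = Counter(locality(s, d) for s, d in pairs)
    total = sum(counts.values())
    return {k: counts[k] / total for k in NIMDA_EXPECTED} if total else {}

def looks_like_nimda(pairs, tolerance=0.15):
    """True when every class of the observed split is within `tolerance` of
    the expected 50/25/25. Sources that never share the victim's /8 or /16
    (e.g. a scanner emulating Nimda from a few unrelated hosts) fail this."""
    profile = locality_profile(pairs)
    return bool(profile) and all(
        abs(profile[k] - NIMDA_EXPECTED[k]) <= tolerance for k in NIMDA_EXPECTED)

# Constructed sample: one scanned host (192.0.2.10, documentation range) and
# twenty sources in the 10/5/5 split a genuine Nimda population would show.
DST = "192.0.2.10"
SAME_16 = [f"192.0.2.{i}" for i in range(20, 30)]                # 192.0.x.x
SAME_8 = ["192.168.1.5", "192.44.7.9", "192.100.2.2", "192.9.9.9", "192.77.1.1"]
RANDOM = ["203.0.113.7", "198.51.100.4", "10.1.1.1", "172.16.0.9", "100.64.0.3"]
SAMPLE_NIMDA = [(s, DST) for s in SAME_16 + SAME_8 + RANDOM]
# Constructed emulator sample: same request pattern, but no source is local.
SAMPLE_EMULATOR = [(s, DST) for s in RANDOM * 4]

if __name__ == "__main__":
    for name, pairs in (("nimda-like", SAMPLE_NIMDA), ("emulator", SAMPLE_EMULATOR)):
        print(name, locality_profile(pairs), looks_like_nimda(pairs))
```

The tolerance is deliberately loose; with only a handful of sources the split is noisy, so treat a failing check as a prompt to pull full packet logs for fingerprinting rather than as a verdict.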