RE: Increasing ICMP Echo Requests
From: Robinson, Sonja (SRobinson_at_HIPUSA.com)
Date: 08/18/03
To: 'Ken Eichman' <keichman@cas.org>, incidents@securityfocus.com
Date: Mon, 18 Aug 2003 15:09:07 -0400
Probably this....
========================
Virus Name: W32/Nachi.worm
Risk Assessment: Corporate User: Medium; Home User: Medium
Virus Information
Discovery Date: 08/18/2003
Origin: Unknown
Length: 10,240 bytes (UPXed)
Type: Virus
SubType: Internet Worm
Minimum DAT: 4286
Release Date: 08/18/2003
Minimum Engine: 4.1.60
Description Added: 08/18/2003
Description Modified: 08/18/2003 10:53 AM (PT)
Virus Characteristics:
This detection is for another virus that exploits the MS03-026
vulnerability.
It is not related to the W32/Lovsan.worm.d variant described here.
The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
(with scanning of compressed files enabled).
Intentions of the worm
This worm tries to spread by exploiting a hole in Microsoft Windows. It
instructs a remote target system to download and execute the worm from the
infected host. Once running, the worm terminates and deletes the
W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other
threats from infecting the system through the same hole. When the system
clock reaches Jan 1, 2004, the worm will delete itself upon execution.
Symptoms
- large volumes of ICMP traffic in network
- existence of the files and Windows services detailed above
Method Of Infection
This worm spreads by exploiting a vulnerability in Microsoft Windows. It
scans the local subnet (port 135) for target machines. It sends an ICMP ping
to potential victim machines, and upon a reply, sends the exploit data. A
remote shell is created on the target system on TCP port 707. Victim
machines are instructed to download the worm via TFTP.
Irrespective of anti-virus detection, unless the system has been (MS03-026)
patched, it is susceptible to the buffer overflow attack from an infected
host machine. An infected machine will send packets across the local subnet
to the RPC service running on port 135. When these packets are received by
any unpatched system, it will create a buffer overflow and crash the RPC
service on that system. All this can occur without the worm actually being
on the machine.
By applying the MS03-026 patch to the machine, it will prevent the RPC
service from failing, in turn solving these symptoms. It is very important
that the machine is rebooted after the patch has been installed.
Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615
-----Original Message-----
From: Ken Eichman [mailto:keichman@cas.org]
Sent: Monday, August 18, 2003 12:24 PM
To: incidents@securityfocus.com
Subject: Increasing ICMP Echo Requests
For the past 12 hours I've noticed a steady increase in the number of ICMP
Echo Requests (type 8 code 0) being directed against random source addresses
in my /16. During the past 15 hours we've been ping probed by 127,585 unique
source addresses, and hour-by-hour the number of sources is increasing:
                Hour   # Unique
Date            GMT    Src Addrs
-----           ----   ---------
08/18           0000          80
08/18           0100         232
08/18           0200         905
08/18           0300        2727
08/18           0400        4686
08/18           0500        7378
08/18           0600        9930
08/18           0700       12214
08/18           0800       13993
08/18           0900       14196
08/18           1000       14097
08/18           1100       15756
08/18           1200       17776
08/18           1300       20352
08/18           1400       21298
I have not had time to do much analysis on this traffic, other than to
report it to DShield who is apparently getting similar reports from others.
Possibly related to this, we are also seeing an increased number of ping
sweeps, where one source IP incrementally pings our entire /16 range. Anyone
else seeing this or have any ideas?
Ken Eichman Senior Scientist
Chemical Abstracts Service IT Information Security
2540 Olentangy River Road 614-447-3600 ext. 3230
Columbus, OH 43210 keichman@cas.org
---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us
at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------
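Added example, not part of either message or of the quoted McAfee description: a small Python detector over constructed flow records that reproduces the per-hour unique-source count Ken tabulated, flags the incremental ping sweeps he mentions (one source walking consecutive addresses), and flags the ICMP echo request followed by TCP/135 and TCP/707 sequence the worm description gives. The record format, the sample addresses (RFC 5737 documentation ranges) and all function names are assumptions made for this example; the TCP ports 135 and 707 and ICMP type 8/code 0 come from the thread.

```python
"""Hypothetical detector for the traffic pattern discussed in the thread.

Record format is constructed for this example (not a real log format):
    <epoch_seconds> <proto> <src_ip> <dst_ip> <detail>
where detail is 'type=8/code=0' for ICMP or 'dport=<n>' for TCP.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample: scattered echo requests from random sources during the
# 00:00 and 01:00 UTC hours of 2003-08-18, one host sweeping consecutive
# addresses, and one host doing ping -> TCP/135 -> TCP/707 against a target.
SAMPLE_LOG = """\
1061164800 ICMP 203.0.113.10 198.51.100.5 type=8/code=0
1061164805 ICMP 203.0.113.11 198.51.100.9 type=8/code=0
1061165000 ICMP 203.0.113.12 198.51.100.77 type=8/code=0
1061168400 ICMP 203.0.113.13 198.51.100.2 type=8/code=0
1061168410 ICMP 203.0.113.14 198.51.100.3 type=8/code=0
1061168420 ICMP 203.0.113.14 198.51.100.8 type=8/code=0
1061168500 ICMP 192.0.2.50 198.51.100.1 type=8/code=0
1061168501 ICMP 192.0.2.50 198.51.100.2 type=8/code=0
1061168502 ICMP 192.0.2.50 198.51.100.3 type=8/code=0
1061168503 ICMP 192.0.2.50 198.51.100.4 type=8/code=0
1061168504 ICMP 192.0.2.50 198.51.100.5 type=8/code=0
1061168600 ICMP 192.0.2.99 198.51.100.20 type=8/code=0
1061168601 TCP 192.0.2.99 198.51.100.20 dport=135
1061168603 TCP 192.0.2.99 198.51.100.20 dport=707
1061168700 TCP 203.0.113.20 198.51.100.30 dport=707
"""


def parse_records(text):
    """Parse the constructed flow lines into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, detail = line.split()
        rec = {"ts": int(ts), "proto": proto, "src": src, "dst": dst}
        if proto == "ICMP":
            icmp_type, icmp_code = detail.split("/")
            rec["type"] = int(icmp_type.split("=")[1])
            rec["code"] = int(icmp_code.split("=")[1])
        elif proto == "TCP":
            rec["dport"] = int(detail.split("=")[1])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def is_echo_request(rec):
    """ICMP type 8 code 0, the packet type Ken's counts are based on."""
    return rec["proto"] == "ICMP" and rec.get("type") == 8 and rec.get("code") == 0


def echo_sources_per_hour(records):
    """Unique echo-request source addresses per UTC hour, keyed 'MM/DD HHMM'."""
    buckets = defaultdict(set)
    for rec in records:
        if is_echo_request(rec):
            stamp = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
            buckets[stamp.strftime("%m/%d %H00")].add(rec["src"])
    return {hour: len(srcs) for hour, srcs in sorted(buckets.items())}


def detect_ping_sweeps(records, min_run=4):
    """Sources whose echo-request targets include >= min_run consecutive addresses.

    Returns {source: longest consecutive run}; the threshold is an assumption.
    """
    targets = defaultdict(set)
    for rec in records:
        if is_echo_request(rec):
            targets[rec["src"]].add(int(ip_address(rec["dst"])))
    sweeps = {}
    for src, addrs in targets.items():
        ordered = sorted(addrs)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            sweeps[src] = best
    return sweeps


def detect_ping_then_rpc_then_shell(records, rpc_port=135, shell_port=707):
    """(src, dst) pairs seen doing echo request -> TCP/135 -> TCP/707, in order.

    A per-pair state machine advances only in that sequence, so a lone
    connection to 707 (or 135 without a preceding ping) does not fire.
    """
    stage = {}
    hits = []
    for rec in records:
        key = (rec["src"], rec["dst"])
        cur = stage.get(key, 0)
        if cur == 0 and is_echo_request(rec):
            stage[key] = 1
        elif cur == 1 and rec["proto"] == "TCP" and rec.get("dport") == rpc_port:
            stage[key] = 2
        elif cur == 2 and rec["proto"] == "TCP" and rec.get("dport") == shell_port:
            stage[key] = 3
            hits.append(key)
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hour, count in echo_sources_per_hour(recs).items():
        print(f"{hour}  unique echo-request sources: {count}")
    print("ping sweeps:", detect_ping_sweeps(recs))
    print("ping -> 135 -> 707 pairs:", detect_ping_then_rpc_then_shell(recs))
```

The hourly count is the same measure as Ken's table, so running it against a real flow export over a day would let a site plot the growth curve he observed; the sequence detector is a stricter signal because it requires the three steps in order on the same source/destination pair rather than merely a rise in ICMP volume.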