RE: Increasing ICMP Echo Requests

From: Bruce Martins (BMartins_at_extend.COM)
Date: 08/19/03

  • Next message: Jeremiah Cornelius: "Re: DCOM worm with get.bat bot.rar"
    Date: Tue, 19 Aug 2003 15:43:29 -0400
    To: <logan@tntnetworx.net>
    
    

    Well, this virus doesn't spread through e-mail, so whether or not you have
    AV software on a mail server would not really matter in this case. It
    exploits the same vulnerability that the original MSBLAST worm did, then
    patches it. The real problem is that some people aren't heeding the
    warnings and patching their machines when a patch is released for a very
    serious vulnerability like this one. The same thing happened with the SQL
    Slammer worm: people had more than enough time to test and apply that
    patch but didn't. But hey, just my 2 cents.

    Bruce Martins
    Systems Administrator
    EXTEND>>MEDIA
    190 Liberty Street
    Toronto, Ontario
    Canada
    M6K 3L5
    _______________________
    e:bmartins@extend.com
    t: (416) 535-4222 ext. 2307
    f: (416) 535-1201
    http://www.extend.com

    -----Original Message-----
    From: Logan Rogers-Follis - TNTNetworx.net [mailto:logan@tntnetworx.net]
    Sent: Tuesday, August 19, 2003 3:34 PM
    To: Bruce Martins
    Cc: Kevin Patz; incidents@securityfocus.com

    My company had this virus (an unprotected computer - now secured - let
    it in), and within 10 min. it had sent 6MB worth of ICMP out of our
    network and it was totally messing up our 1.5MB SDSL line and ruining
    our VPN. I used the Norton tool and fixed them all, but I do know this
    thing is horrible (I just wish every company had an AV on their mail
    server - that would help stop some of this).

    Logan

    Bruce Martins wrote:

    >As I think has already been posted here, it would seem that
    >this may be part of the new so-called "good" worm, if that in fact
    >really is one, which seems to patch the machine once infected and
    >removes any traces of the previous worm as well as itself on January 1,
    >2004. This does create a lot of traffic as it does search for other
    >vulnerable machines. Is this a good or bad thing? Did the writer of
    >this do it to help remove the infection and spread of the previous worm,
    >or some other hidden agenda?
    >
    >McAfee link
    >http://us.mcafee.com/virusInfo/default.asp?id=nachi
    >
    >Symantec link
    >http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
    >
    >
    >
    >Bruce Martins
    >Systems Administrator
    >EXTEND>>MEDIA
    >190 Liberty Street
    >Toronto, Ontario
    >Canada
    >M6K 3L5
    >_______________________
    >e:bmartins@extend.com
    >t: (416) 535-4222 ext. 2307
    >f: (416) 535-1201
    >http://www.extend.com
    >
    >
    >-----Original Message-----
    >From: Kevin Patz [mailto:jambo_cat@yahoo.com]
    >Sent: Monday, August 18, 2003 4:46 PM
    >To: incidents@securityfocus.com
    >
    >In-Reply-To: <3F411CBC.2020203@cedardoc.com>
    >
    >Upon reading this, I enabled logging of ping
    >requests on my firewall. So far I've only seen three
    >with len=92:
    >
    >24.64.90.16 (Shaw Communications)
    >24.60.234.130 (Comcast, formerly attbi)
    >24.61.246.103 (Comcast, formerly attbi)
    >
    >My IP is on Comcast, formerly attbi, on a 24.62 IP
    >range. I also have some pings with len=60 but they
    >look more like "normal" ICMP echo requests.
    >
    >>Ken,
    >>
    >>We're seeing the same ICMP pattern.
    >>
    >>Is this from the blaster? We are looking into filtering ICMP echo
    >>request on our external routers.
    >>
    >>Here is a snip from our IDS,
    >>
    >>[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    >>[Classification: Misc activity] [Priority: 3]
    >>[Xref => http://www.whitehats.com/info/IDS154]
    >>Event ID: 179333 Event Reference: 0
    >>08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx
    >>ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92
    >>Type:8 Code:0 ID:2 Seq:61261 ECHO
    >>
    >>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>
    >>Thanks
    >>
    >>Daniel Williams
    >>Cedar Document Technologies
    >
    >---------------------------------------------------------------------------
    >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Ensure Reliable Performance of Mission Critical Applications
    > - Precisely Define and Implement Network Security and Performance Policies
    >**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    >Visit us at:
    >http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    >----------------------------------------------------------------------------

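Added example, not written by any of the posters above and not the Snort rule they cite: a small Python detector for the pattern the thread describes, an ICMP echo request with IpLen:20 and DgmLen:92, which leaves 64 bytes of payload, every one of them 0xAA (the same payload that produced the "ICMP PING CyberKit 2.2 Windows" alert in the quoted snippet). The packets are constructed inline from the header fields quoted in the IDS output (source 65.83.120.72, TTL 118, IP ID 21399, ICMP ID 2, Seq 61261) plus one of the addresses Kevin listed; none of them are real captures. A len=60 echo carrying the 32-byte text payload that a default Windows ping sends is included to show that it is not flagged, and a 92-byte datagram with a different payload is included to show that length alone is not enough.

```python
"""Flag ICMP echo requests that match the pattern quoted in the thread:
IPv4 total length 92 (20-byte IP header + 8-byte ICMP header + 64-byte
payload) with a payload consisting of nothing but 0xAA bytes.
All packets here are constructed for illustration, not captured traffic."""
import socket
import struct
from collections import Counter
from typing import Optional

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8
IP_HDR_LEN = 20
ICMP_HDR_LEN = 8
SUSPECT_TOTAL_LEN = 92          # DgmLen:92 in the quoted IDS alert
SUSPECT_PAYLOAD = b"\xaa" * 64  # 92 - 20 - 8 = 64 bytes of 0xAA


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes,
                       ident: int = 2, seq: int = 61261, ttl: int = 118) -> bytes:
    """Build a raw IPv4 + ICMP echo request with valid checksums.
    Defaults are the header values from the quoted alert (test input only)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = IP_HDR_LEN + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 21399, 0, ttl,
                     ICMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def classify(packet: bytes) -> Optional[dict]:
    """Parse one raw IPv4 packet. Returns a summary dict for ICMP echo
    requests and None for anything else (non-IPv4, non-ICMP, truncated,
    other ICMP types). Checksums are deliberately not verified, so packets
    from a capture with bad or offloaded checksums are still classified."""
    if len(packet) < IP_HDR_LEN or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != ICMP_PROTO or len(packet) < ihl + ICMP_HDR_LEN or total_len > len(packet):
        return None
    icmp = packet[ihl:total_len]
    if icmp[0] != ICMP_ECHO_REQUEST:
        return None
    ident, seq = struct.unpack("!HH", icmp[4:8])
    payload = icmp[ICMP_HDR_LEN:]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "ttl": packet[8],
        "dgm_len": total_len,
        "id": ident,
        "seq": seq,
        # Both conditions are needed: a 92-byte echo with another payload,
        # or a 0xAA payload of another size, is not this pattern.
        "suspect": total_len == SUSPECT_TOTAL_LEN and payload == SUSPECT_PAYLOAD,
    }


def suspect_sources(packets) -> Counter:
    """Count matching echo requests per source address, the view you would
    want before deciding whether to filter a source at the border."""
    hits = Counter()
    for pkt in packets:
        info = classify(pkt)
        if info and info["suspect"]:
            hits[info["src"]] += 1
    return hits


# Constructed sample traffic; addresses are those quoted in the thread.
SAMPLE = [
    build_echo_request("65.83.120.72", "10.0.0.5", SUSPECT_PAYLOAD),
    build_echo_request("24.64.90.16", "10.0.0.5", SUSPECT_PAYLOAD),
    build_echo_request("24.64.90.16", "10.0.0.6", SUSPECT_PAYLOAD),
    # len=60: the 32-byte ASCII payload a default Windows ping sends.
    build_echo_request("24.62.1.1", "10.0.0.5", b"abcdefghijklmnopqrstuvwabcdefghi"),
    # len=92 but a different payload: same DgmLen, not the pattern.
    build_echo_request("192.0.2.9", "10.0.0.5", bytes(range(64))),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(classify(pkt))
    print(suspect_sources(SAMPLE))
```

Run it as-is to print a summary of each constructed packet followed by the per-source count. To use it on real traffic, feed raw IPv4 frames (for example the packet bytes from a pcap reader, with the link-layer header stripped) to suspect_sources in place of SAMPLE.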
