Somewhat decompiled source here: http://www.unixwiz.net/iraqworm/iraqworm.cpp

This looks ripe for a content matching rule:

    static const char *PasswordTable[] = {
        NullPassword,
        "admin",
        "root",
        "111",
        "123",
        "1234",
        "123456",
        "654321",
        "1",
        "!@#$",
        "asdf",
        "asdfgh",
        "!@#$%",
        "!@#$%^",
        "!@#$%^&",
        "!@#$%^&*",
        "server",

----- Original Message -----
From: "Joe Blatz" <sd_wirelessat_private>
To: "Scott A.McIntyre" <scottat_private>; <incidentsat_private>
Sent: Tuesday, December 17, 2002 12:50 PM
Subject: Re: Worm on 445/tcp?

> Anyone have packet captures or Snort rules?
>
> --- "Scott A.McIntyre" <scottat_private> wrote:
> > Over the past two weeks or so I've been noticing a steady rise in what
> > appears to be worm related traffic to the new unified smb over tcp port
> > (445) on Microsoft Win2k and newer operating systems.
> >
> > I haven't yet been able to properly identify what the culprit is; at
> > first I thought a variation of OpaServ, and that hasn't been fully
> > ruled out, but I'm not quite convinced of that either. Anyone have any
> > clues that might help pin this down further?
> >
> > An infected machine seems to send the following:
> >
> > 1095 114.002629 src -> dst SMB Negotiate Protocol Request
> > 1105 114.363458 src -> dst SMB Session Setup AndX Request
> > 1106 114.774364 src -> dst SMB Session Setup AndX Request
> > 1107 115.168792 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
> > 1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr
> > 1112 115.652261 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
> > 1136 117.759036 src -> dst SAMR Connect4 request
> > 1137 118.299350 src -> dst SMB Close Request, FID: 0x4000
> > 1142 119.004483 src -> dst SMB Logoff AndX Request
> > 1150 119.375665 src -> dst SMB Tree Disconnect Request
> >
> > And another:
> >
> > 7.933416 src -> dst SMB Negotiate Protocol Request
> > 10.958481 src -> dst SMB Session Setup AndX Request
> > 13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
> > 13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
> > 15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
> > 17.149345 src -> dst SAMR Connect4 request
> > 20.405997 src -> dst SAMR EnumDomains request
> > 23.579240 src -> dst SAMR LookupDomain request
> > 25.341903 src -> dst SAMR OpenDomain request
> > 25.891947 src -> dst SAMR EnumDomainUsers request
> > 26.597393 src -> dst SAMR Close request
> > 29.615040 src -> dst SMB Close Request, FID: 0x4000
> > 30.048894 src -> dst SMB Logoff AndX Request
> > 32.738878 src -> dst SMB Tree Disconnect Request
> >
> > It appears as though there's a high degree of randomness to the
> > destination IP addresses that are chosen by the worm as can be seen
> > from this 1 second snapshot:
> >
> > 121.33.1.48
> > 91.71.109.105
> > 76.123.46.27
> > 222.120.99.35
> > 124.72.254.8
> > 17.64.153.118
> > 27.23.33.121
> > 185.33.178.38
> > 151.49.213.31
> > 167.60.15.125
> > 132.86.243.68
> > 26.125.133.71
> > 1.104.130.21
> > 40.88.91.120
> > 48.101.140.21
> > 48.93.34.36
> > 193.60.220.48
> > 117.26.58.96
> > 27.2.15.114
> > 25.7.221.31
> >
> > Note: the infected system's ip address is not within any of these
> > network segments.
> >
> > I've noticed others reporting similar increase in traffic, but so far
> > haven't seen a definitive acknowledgment of precisely what it is that's
> > responsible.
> >
> > Any pointers gratefully accepted.
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
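Added example, not from any post in this thread and not the worm's source: a small Python detector that keys on the two behaviours Scott's captures show rather than on the password strings. It reads tshark-style summary lines of the shape quoted above (an optional leading frame number is tolerated) and flags (1) any source/destination pair that walks the SAMR enumeration sequence in order (IPC$ tree connect, \samr pipe, DCERPC bind to SAMR, Connect4, EnumDomainUsers) and (2) any source that opens SMB sessions to many distinct destinations inside a one-second window, the fan-out visible in the "1 second snapshot". The sample lines, the hosts in 192.0.2.0/24 and 198.51.100.0/24, and the threshold of 10 destinations per second are assumptions made for the example.

```python
r"""Flag the 445/tcp worm behaviour described in the thread from packet-summary lines.

Added example, not from the original posts or the worm's source. Two signals:
  1. per flow: the SAMR enumeration sequence (IPC$ tree connect, \samr pipe,
     DCERPC bind to SAMR, Connect4, EnumDomainUsers) seen in that order;
  2. per source: many distinct destinations within a short window (fan-out).
"""
import re
from collections import defaultdict

# One tshark-style summary line; an optional leading frame number is tolerated.
LINE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)

# Ordered stages of the enumeration sequence: (protocol column, substrings that
# must all appear in the info column). Order matters; other traffic is ignored.
SAMR_STAGES = [
    ("SMB", ("Tree Connect AndX Request", "IPC$")),
    ("SMB", ("NT Create AndX Request", "\\samr")),
    ("DCERPC", ("Bind", "UUID: SAMR")),
    ("SAMR", ("Connect4 request",)),
    ("SAMR", ("EnumDomainUsers request",)),
]

# Constructed sample lines (hosts are assumptions in documentation ranges).
SAMPLE_LINES = [
    # Flow A: full SAMR enumeration sequence from 192.0.2.5 to 192.0.2.9
    "7.933416 192.0.2.5 -> 192.0.2.9 SMB Negotiate Protocol Request",
    "10.958481 192.0.2.5 -> 192.0.2.9 SMB Session Setup AndX Request",
    "13.654558 192.0.2.5 -> 192.0.2.9 SMB Tree Connect AndX Request, Path: \\\\192.0.2.9\\IPC$",
    "13.926353 192.0.2.5 -> 192.0.2.9 SMB NT Create AndX Request, Path: \\samr",
    "15.231252 192.0.2.5 -> 192.0.2.9 DCERPC Bind: call_id: 1 UUID: SAMR",
    "17.149345 192.0.2.5 -> 192.0.2.9 SAMR Connect4 request",
    "20.405997 192.0.2.5 -> 192.0.2.9 SAMR EnumDomains request",
    "25.891947 192.0.2.5 -> 192.0.2.9 SAMR EnumDomainUsers request",
    "32.738878 192.0.2.5 -> 192.0.2.9 SMB Tree Disconnect Request",
    # Flow B: ordinary file-share access from 192.0.2.7, never touches \samr
    "40.100000 192.0.2.7 -> 192.0.2.9 SMB Negotiate Protocol Request",
    "40.200000 192.0.2.7 -> 192.0.2.9 SMB Session Setup AndX Request",
    "40.300000 192.0.2.7 -> 192.0.2.9 SMB Tree Connect AndX Request, Path: \\\\192.0.2.9\\public",
    "40.400000 192.0.2.7 -> 192.0.2.9 SMB NT Create AndX Request, Path: \\report.txt",
    # Flow C: handshake that stops before the SAMR pipe
    "50.000000 192.0.2.5 -> 192.0.2.12 SMB Negotiate Protocol Request",
    "50.300000 192.0.2.5 -> 192.0.2.12 SMB Session Setup AndX Request",
] + [
    # Fan-out: 192.0.2.5 starts sessions to 12 distinct hosts within half a second
    f"{100.0 + i * 0.04:.6f} 192.0.2.5 -> 198.51.100.{i} SMB Negotiate Protocol Request"
    for i in range(1, 13)
]


def parse(lines):
    """Turn summary lines into (ts, src, dst, proto, info) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["src"], m["dst"], m["proto"], m["info"]))
    events.sort(key=lambda e: e[0])
    return events


def samr_enumeration_flows(events):
    """Return sorted (src, dst) pairs that completed every SAMR stage in order."""
    progress = defaultdict(int)  # (src, dst) -> index of the next expected stage
    hits = set()
    for _ts, src, dst, proto, info in events:
        key = (src, dst)
        idx = progress[key]
        if idx >= len(SAMR_STAGES):
            continue
        want_proto, needles = SAMR_STAGES[idx]
        if proto == want_proto and all(n in info for n in needles):
            progress[key] = idx + 1
            if idx + 1 == len(SAMR_STAGES):
                hits.add(key)
    return sorted(hits)


def fanout_sources(events, window=1.0, threshold=10):
    """Return {src: peak distinct destinations inside any `window` seconds} for
    sources whose peak reaches `threshold`. A session is counted at its SMB
    Negotiate Protocol Request, the first packet of each connection above."""
    starts = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, proto, info in events:
        if proto == "SMB" and info.startswith("Negotiate Protocol Request"):
            starts[src].append((ts, dst))
    peaks = {}
    for src, lst in starts.items():
        lst.sort()
        best, lo = 0, 0
        for hi in range(len(lst)):          # sliding window over session starts
            while lst[hi][0] - lst[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in lst[lo:hi + 1]}))
        if best >= threshold:
            peaks[src] = best
    return peaks


def report(lines):
    """Run both detectors over raw summary lines."""
    events = parse(lines)
    return {"samr_enumeration": samr_enumeration_flows(events),
            "fanout": fanout_sources(events)}


if __name__ == "__main__":
    for name, value in report(SAMPLE_LINES).items():
        print(f"{name}: {value}")
```

Feed it `tshark -r capture.pcap` summary output (or the lines from a `-T fields` run reshaped to the same columns) and the ordinary file-share session in Flow B stays quiet while the enumeration flow and the fan-out source are both reported. The stage list is deliberately strict about order, so a host that merely binds to SAMR for a legitimate lookup without continuing to EnumDomainUsers is not flagged.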
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:17:19 PST