Anyone have packet captures or Snort rules?

--- "Scott A.McIntyre" <scottat_private> wrote:
> Over the past two weeks or so I've been noticing a steady rise in what
> appears to be worm-related traffic to the new unified SMB over TCP port
> (445) on Microsoft Win2k and newer operating systems.
>
> I haven't yet been able to properly identify what the culprit is; at
> first I thought a variation of OpaServ, and that hasn't been fully
> ruled out, but I'm not quite convinced of that either. Anyone have any
> clues that might help pin this down further?
>
> An infected machine seems to send the following:
>
> 1095 114.002629 src -> dst SMB Negotiate Protocol Request
> 1105 114.363458 src -> dst SMB Session Setup AndX Request
> 1106 114.774364 src -> dst SMB Session Setup AndX Request
> 1107 115.168792 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
> 1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr
> 1112 115.652261 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
> 1136 117.759036 src -> dst SAMR Connect4 request
> 1137 118.299350 src -> dst SMB Close Request, FID: 0x4000
> 1142 119.004483 src -> dst SMB Logoff AndX Request
> 1150 119.375665 src -> dst SMB Tree Disconnect Request
>
> And another:
>
> 7.933416 src -> dst SMB Negotiate Protocol Request
> 10.958481 src -> dst SMB Session Setup AndX Request
> 13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
> 13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
> 15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
> 17.149345 src -> dst SAMR Connect4 request
> 20.405997 src -> dst SAMR EnumDomains request
> 23.579240 src -> dst SAMR LookupDomain request
> 25.341903 src -> dst SAMR OpenDomain request
> 25.891947 src -> dst SAMR EnumDomainUsers request
> 26.597393 src -> dst SAMR Close request
> 29.615040 src -> dst SMB Close Request, FID: 0x4000
> 30.048894 src -> dst SMB Logoff AndX Request
> 32.738878 src -> dst SMB Tree Disconnect Request
>
> It appears as though there's a high degree of randomness to the
> destination IP addresses that are chosen by the worm, as can be seen
> from this 1 second snapshot:
>
> 121.33.1.48
> 91.71.109.105
> 76.123.46.27
> 222.120.99.35
> 124.72.254.8
> 17.64.153.118
> 27.23.33.121
> 185.33.178.38
> 151.49.213.31
> 167.60.15.125
> 132.86.243.68
> 26.125.133.71
> 1.104.130.21
> 40.88.91.120
> 48.101.140.21
> 48.93.34.36
> 193.60.220.48
> 117.26.58.96
> 27.2.15.114
> 25.7.221.31
>
> Note: the infected system's IP address is not within any of these
> network segments.
>
> I've noticed others reporting a similar increase in traffic, but so far
> haven't seen a definitive acknowledgment of precisely what it is that's
> responsible.
>
> Any pointers gratefully accepted.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
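Two things in Scott's traces are worth detecting directly: the DCERPC bind to the SAMR interface over the \samr pipe, and one source fanning out to twenty unrelated networks on tcp/445 inside a second. The script below is an added example written for this page, not code from either poster or from any worm analysis. It constructs its own DCERPC bind PDUs (C706 layout, little-endian), derives the wire bytes of the SAMR interface UUID 12345778-1234-abcd-ef00-0123456789ac for a Snort content match, and runs a sliding-window fan-out heuristic over constructed flow records. The twenty destination addresses are the ones Scott listed; the source addresses 10.0.0.5 and 10.0.0.9, the benign file-server targets, the SNORT_RULE text and the sid are all assumptions.

```python
"""Added example (not from the original post): detection logic for the two
traits in the traces above -- a DCERPC bind to the SAMR interface over
tcp/445, and a source fanning out to many unrelated networks on tcp/445
within a second.  All PDUs and flow records below are constructed; the
SAMR, SRVSVC and NDR UUIDs are the real, well-known constants."""
import struct
import uuid
from collections import defaultdict

SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 0x0B


def wire_hex(u):
    """UUID as it appears in a DCERPC PDU (first three fields little-endian),
    rendered as a Snort 'content:' hex match."""
    return "|" + " ".join(f"{b:02X}" for b in u.bytes_le) + "|"


def build_bind(interface, if_version=1, call_id=1):
    """Construct a minimal little-endian DCERPC bind PDU with one presentation
    context.  Used here only to make constructed test input."""
    body = struct.pack("<HHI", 4280, 4280, 0)           # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                # one presentation context
    body += struct.pack("<HBB", 0, 1, 0)                # ctx id 0, one transfer syntax
    body += interface.bytes_le + struct.pack("<I", if_version)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def bind_interface(pdu):
    """Return the abstract-syntax UUID a DCERPC bind PDU asks for, or None
    when the bytes are not a complete little-endian bind."""
    if len(pdu) < 52 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return None
    if (pdu[4] & 0xF0) != 0x10:                          # drep: only LE handled here
        return None
    if struct.unpack_from("<H", pdu, 8)[0] != len(pdu):  # frag_length must match
        return None
    return uuid.UUID(bytes_le=pdu[32:48])                # first context's abstract syntax


def is_samr_bind(pdu):
    return bind_interface(pdu) == SAMR_UUID


# Sketch of the Snort signature the reply asks for: assumed, untested rule text.
SNORT_RULE = ('alert tcp any any -> any 445 (msg:"SMB-DS DCERPC bind to SAMR"; '
              'flow:to_server,established; content:"' + wire_hex(SAMR_UUID) +
              '"; sid:1000001; rev:1;)')


def fanout_sources(flows, window=1.0, threshold=10):
    """Flag sources that reach >= threshold distinct destinations on tcp/445
    inside any `window`-second span.  Returns {src: (destinations, /8s)} for
    the busiest window; the /8 count is a cheap proxy for random targeting."""
    by_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((t, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = None, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            dsts = {d for _, d in events[lo:hi + 1]}
            if len(dsts) >= threshold and (best is None or len(dsts) > best[0]):
                best = (len(dsts), len({d.split(".")[0] for d in dsts}))
        if best:
            hits[src] = best
    return hits


# Constructed flow records: the 20 destinations are the ones Scott listed for a
# 1-second snapshot; 10.0.0.5 (infected) and 10.0.0.9 (benign) are made up.
WORM_TARGETS = """121.33.1.48 91.71.109.105 76.123.46.27 222.120.99.35 124.72.254.8
17.64.153.118 27.23.33.121 185.33.178.38 151.49.213.31 167.60.15.125 132.86.243.68
26.125.133.71 1.104.130.21 40.88.91.120 48.101.140.21 48.93.34.36 193.60.220.48
117.26.58.96 27.2.15.114 25.7.221.31""".split()
FLOWS = [(0.04 * i, "10.0.0.5", dst, 445) for i, dst in enumerate(WORM_TARGETS)]
FLOWS += [(0.1 * i, "10.0.0.9", f"10.0.1.{1 + i % 3}", 445) for i in range(30)]

if __name__ == "__main__":
    print(SNORT_RULE)
    print("SAMR bind detected:", is_samr_bind(build_bind(SAMR_UUID)))
    print("fan-out sources:", fanout_sources(FLOWS))
```

Two caveats before using either piece. Over SMB the bind PDU is carried inside a Write AndX or Trans against the \samr pipe, so the UUID content match lands somewhere in the SMB payload, not at a fixed TCP-payload offset; the parser above assumes it is already looking at the bare DCERPC PDU. And a SAMR bind by itself is not malicious (domain controllers and admin workstations do it constantly), so scope the rule to external sources or pair it with the fan-out heuristic, which is what actually separates the traffic Scott describes from normal use.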
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:18:51 PST