Danny, From <http://www.cert.org/advisories/CA-2001-26.html>: The selection of potential target IP addresses follows these rough probabilities: 50% of the time, an address with the same first two octets will be chosen 25% of the time, an address with the same first octet will be chosen 25% of the time, a random address will be chosen So some netblocks will be more likely to see larger quantities of Nimda than others, based on how bad the infestation is among your "neighbors". However, due to the random scanning 25% of the time, everyone is targeted eventually. If you've made some network changes (new ISP, new IP range, etc.) or are monitoring a new segment, you may be seeing more Nimda traffic, and perhaps you're noticing patterns that went undetected before. There have been instances of scanners written specifically to emulate Nimda in an attempt to escape detection, based on the assumption that analysts have become used to seeing such traffic and disregard it. This was discovered because active fingerprinting of the sources showed a *nix based OS rather than Microsoft. Passive fingerprinting might help determine if this is genuine Nimda traffic, but we'd need full packet logs for that. The timestamps were in line with what you'd expect from Nimda. However, if the source is in the same /8 or /16 as the destination, I'd say it's likely Nimda. Jason Falciola Security Intelligence Analyst IBM Managed Security Services falciolaat_private Danny <dannyat_private> 07/29/2003 01:10 PM To: Jason Falciola/Sterling Forest/IBM@IBMUS cc: incidentsat_private Subject: Re: Anyone know this tool? hrm ok, I'm going to crawl back into my hole now :) I'm kind of confused as to why i haven't see any of these patterns before the last 2 days though, Oh well. Thanks guys. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:50:26 PDT