Educause Security Discussion mailing list archives
Information Sharing on Current Issues
From: Ken Shaurette <Ken.Shaurette () OMNITECHCORP COM>
Date: Wed, 20 Aug 2003 07:46:09 -0500
For those that might be interested, I'm forwarding this from an InfraGard listserve. It seems to provide some good information for those fighting the worm fires.

Ken M. Shaurette, CISSP, CISA, CISM
Omni Tech Corporation, www.omnitechcorp.com
(262) 523-3300 x486

-----Original Message-----
Subject: Re: [PRESIDENTS-INFRAGARD] lots of stuff (fwd)

-----Original Message-----
---------- Forwarded message ----------
Date: Tue, 19 Aug 2003 14:12:27 +0000 (GMT)
From: daniel uriah clemens <daniel_clemens () autism birmingham-infragard org>
To: packet-ninjas () birmingham-infragard org
Subject: lots of stuff
For those of you needing information on the current issues flying around the net, here are a few things:

1. MSBLASTER

I have been getting *some* feedback that Windows 98 boxes are being exploited via RPC exploitation. Personally I couldn't remember Windows 98 being listed in the advisories, but it would make sense, and I thought I would mention it since a few people had told me about it. (I am still waiting on logs to validate these events, so for now it's hearsay.)

/* humor: If you have been under a rock this week there is a worm, and it's bad... (real bad, Beavis) */

2. MSBLASTER.D (there are too many names for this Nachi worm)

Traffic from SANS indicates the following characteristics of a host scanning your computer to see if it is alive before your host is possibly exploited, assuming it is vulnerable. SANS has stated that this is the only thing it looks like, but I have been seeing a few probes looking exactly like this from Asia (202/7) that also have the IP reserved bit set. So I don't really know if this is the same type of activity, or a variant or not, but it is something to take note of.

<snip from sans>:
Sample Packet (target IP obfuscated)
0x0000 4500 005c 2dc8 0000 7901 66a6 4349 919e  E..\-...y.f.CI..
0x0010 xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa  ......3...m.....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa            ............

Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".

3. Sobig.F

Sobig.F is spreading and started yesterday (I believe). Basically it appears to have a lot more functionality built into it, where it will query other DNS servers directly, and it makes use of the NTP protocol. So, things to watch for on your firewalls exiting your network:

A. DNS/UDP traffic originating from your internal network other than from your DNS servers.
B. Outgoing traffic to SMTP servers other than your DMZ mail servers from your desktop clients.
C. NTP traffic outgoing to the Internet.

I personally haven't sifted through any of these packets to look to see if anything is being tunneled through the UDP packets to remote hosts, nor have I found out if it only goes to a few DNS servers. I haven't even gotten a copy of the virus yet, nor am I the best reverse engineer. Hopefully Joe can hook us up this time.

In general, looking for these characteristics on your network should help you pinpoint infection points in your network.
-Daniel Uriah Clemens
Esse quam videra (to be, rather than to appear)
-Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
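As an added example (not part of Daniel's message or of the SANS material), the following Python encodes the two detection points above: it matches the SANS sample packet (an ICMP echo request of 92 bytes whose 64-byte payload is all 0xaa) and reports the IP reserved bit Daniel mentioned, then applies the three Sobig.F firewall checks A, B and C to outbound flow records. The test packet reuses the quoted bytes with the obfuscated target filled in as 192.0.2.10, the flow records, rule labels and flow tuple layout are my own constructions, and checksums are not validated.

```python
import struct
from ipaddress import ip_address

def parse_ipv4_icmp(pkt: bytes):
    """Return IPv4/ICMP header fields for pkt, or None if it is not IPv4 carrying ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!H", pkt[2:4])[0], struct.unpack("!H", pkt[6:8])[0]
    if len(pkt) < ihl + 8 or total_len > len(pkt):
        return None
    return {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
            "total_len": total_len,
            "reserved_bit": bool(flags_frag & 0x8000),  # the IP "reserved bit" Daniel saw set
            "icmp_type": pkt[ihl], "icmp_code": pkt[ihl + 1],
            "payload": pkt[ihl + 8:total_len]}

def is_nachi_style_ping(pkt: bytes) -> bool:
    """Match the SANS sample: echo request, 92 bytes on the wire, 64-byte 0xaa payload."""
    h = parse_ipv4_icmp(pkt)
    return (h is not None and h["icmp_type"] == 8 and h["icmp_code"] == 0
            and h["total_len"] == 92 and h["payload"] == b"\xaa" * 64)

# Constructed test packet: the SANS bytes quoted above, with the obfuscated target
# filled in as 192.0.2.10 (a documentation address). Checksums are not validated.
SANS_SAMPLE = bytes.fromhex(
    "4500005c2dc80000790166a64349919e" + "c000020a" + "0800331802006d92" + "aa" * 64)

# Constructed outbound flow records: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.0.0.53", "198.51.100.1", "udp", 53),    # the site's DNS server: expected
    ("10.0.2.17", "198.51.100.1", "udp", 53),    # a desktop resolving on its own
    ("10.0.2.17", "203.0.113.9", "tcp", 25),     # a desktop talking SMTP directly
    ("10.0.1.25", "203.0.113.9", "tcp", 25),     # the DMZ mail server: expected
    ("10.0.2.17", "203.0.113.200", "udp", 123),  # NTP straight to the Internet
]

def egress_alerts(flows, dns_servers, dmz_mail_servers):
    """Apply checks A, B and C from the message to flows already known to leave the network."""
    hits = []
    for flow in flows:
        src, _dst, proto, dport = flow
        if proto == "udp" and dport == 53 and src not in dns_servers:
            hits.append(("A: DNS from a non-DNS host", flow))
        elif proto == "tcp" and dport == 25 and src not in dmz_mail_servers:
            hits.append(("B: SMTP from a non-mail host", flow))
        elif proto == "udp" and dport == 123:
            hits.append(("C: outbound NTP", flow))
    return hits
```

Feed real outbound flows and captured ICMP packets to the two functions; the checks intentionally only flag what Daniel's points A to C describe, so site-specific allow-lists belong in the two server sets.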