Information Sharing on Current Issues

[Ken Shaurette <Ken.Shaurette () OMNITECHCORP COM>]

For those that might be interested, I'm forwarding this from an
InfraGard listserve.  It seems to provide some good information for
those fighting the worm fires.

Ken M. Shaurette, CISSP, CISA, CISM
Omni Tech Corporation, www.omnitechcorp.com 
(262) 523-3300  x486


-----Original Message-----
Subject: Re: [PRESIDENTS-INFRAGARD] lots of stuff (fwd)

> -----Original Message-----
> ---------- Forwarded message ----------
> Date: Tue, 19 Aug 2003 14:12:27 +0000 (GMT)
> From: daniel uriah clemens
<daniel_clemens () autism birmingham-infragard org>
> To: packet-ninjas () birmingham-infragard org
> Subject: lots of stuff
For those of you needing information on the current issues flying
around the net here are a few things:
> 1. MSBLASTER
> I have been getting *some* feedback that windows98 boxes are being
> exploited via rpc exploitation. Personally I couldn't remember
windows98
> being listed in the advisories but it would make sense, but i thought
I
> would mention it since a few people had told me about it. (i am still
> waiting on logs to validate these events so for now its hearsay)
>
> /*humor
>
> If you have been under a rock this week there is a worm, and its
bad...
> (real bad beavis)
>
> */
>
> 2. MSBLASTER.D(there are too many names for this Nachi worm)
>
> Traffic from sans indicates the following characteristics of a
> host scanning your computer to see if it is alive before your host is
> possibly exploited assuming it is vulnerable.
>
> Sans has stated that this is the only thing it looks like, but I have
been
> seeing a few probes looking exactly like this from asia (202/7) that
also
> have the ip reserved bit set.
>
> So I don't really know if this is the same type of activity but a
variant
> or not, but it is something to note upon.
>
> <snip from sans> :
>         Sample Packet (target IP obfuscated)
>
> 0x0000   4500 005c 2dc8 0000 7901 66a6 4349 919e
E..\-...y.f.CI..
> 0x0010   xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa
......3...m.....
> 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
................
> 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
................
> 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
................
> 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
>
> Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".
>
>
>
> 3. Sobig.F
>
> Sobig.F is spreading and started yesterday (i believe).
> Basically it appears to have allot more functionality built into it
where
> it will query directly other dns servers and it makes use of the ntp
> protocol.
>
> So things to watch for on your firewalls exiting your network.
>         A. dns/udp traffic originating from your internal network
>         other than from your dns servers.
>         B. outgoing traffic to smtp servers other than your dmz mail
>         servers from your desktop clients.
>         C. Ntp traffic outgoing to the internet.
>
> I personally haven't sifted through any of these packets to look to
see if
> anything is being tunneled through the udp packets to remote hosts or
have
> I found out if it only goes to a few dns servers.
> I haven't even gotten a copy of the virus yet nor am I the best
reverse
> engineer. Hopefully Joe can hook us up this time.
>
> In general looking for these characteristics on your network should
help
> you pinpoint infection points in your network.

-Daniel Uriah Clemens

Esse quam videra
     (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.