Subject: Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: Bryan Andersen (bryanVISI.COM)
Date: Wed Mar 29 2000 - 17:23:15 CST


The NETWORK.VBS worm seems like the best possibility yet.

I've been looking at my March packet header logs.

I searched them for packets from the IP#/16 networks that the
machines that scanned my net came from.

Of the 23 machines that scanned in March I don't have accesses
from any of the machines to any other ports. Two of the
scanning machines scanned me twice (poor quality random number
generator?). One scanned me with two different source ports
(137, and some high # incremented with each IP# at my end).

Of the searches on IP#/16 I get a few accesses to my web server
and some stuff that follows traceroute's pattern (from what
looks to be an admin machine for one of the ISPs I sent abuse
letters to). All the web server accesses were at least 72 hours
before or after the scan.

Stephen Friedl wrote:
>
> > I too have seen this behavior. I block them at my firewall, but the
> > numbers have dramatically increased for port 137 scans that hit every
> > IP# in my micro net address range. Before Feb I'd see one a month at
> > most.
>
> This looks to me like the NETWORK.VBS worm. This propagates onto a
> machine, and then sits and tries to infect random class Cs by looking
> for shared C drives with no passwords. The scans are not terribly
> fast -- takes several minutes to scan the full class C -- and you can
> nearly always visit the machine and remove the virus yourself.
>
> > Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
>
> $ nbtscan -f 204.210.104.156
> 204.210.104.156 FUN\ANDRE SHARING
> ANDRE <00> UNIQUE Workstation Service
> FUN <00> GROUP Domain Name
> ANDRE <03> UNIQUE Messenger Service<3>
> ANDRE <20> UNIQUE File Server Service
> FUN <1e> GROUP Browser Service Elections
> FUN <1d> UNIQUE Master Browser
> ..__MSBROWSE__.<01> GROUP Master Browser
> 00:80:c6:f8:ec:3c ETHER
>
> If you visit their C drive, you'll find NETWORK.VBS in the root dir,
> \WINDOWS, and in the startup folder. My practice of late has been to remove
> these files and drop an "INFECTED.TXT" text file on their desktop and in
> their startup folder to suggest that they stop sharing their drives, put
> on a password, or get a real firewall.
>
> > This is a set from two sites very nicely meshed (Are they
> > racing each other?):
> >
> > Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 ...
> > Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 ...
>
> This is almost certainly a dual-homed machine that sends a packet from
> each interface. The 200.200.200.1 address is probably a poorly-chosen
> "internal" network number.

--
|  Bryan Andersen   |   bryanvisi.com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
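The thread above reads UDP/137 sweeps and the "two sites nicely meshed" pair out of raw firewall header logs by eye. The following Python script is an added example, not code from either poster: it parses log lines in the same format quoted in the thread, reports sources that probed several hosts on UDP/137 (the NetBIOS Name Service sweep pattern), and flags pairs of source addresses whose timestamps and target sequences coincide exactly, which is the dual-homed-host signature Stephen Friedl describes. The log lines are constructed for the example (the masked "*.N" destination keeps the poster's convention), the year 2000 is assumed because syslog-style timestamps carry none, and the threshold of three distinct targets is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format quoted in the thread (not real traffic).
# Two sources sweep in lock-step, one sweeps alone, one sends a single probe,
# and one line is TCP/80 noise that should be ignored.
SAMPLE_LOG = """\
Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
Mar 23 18:39:49 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
Mar 23 18:39:49 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
Mar 23 18:39:50 input PROTO=17 207.194.22.39:137 *.18:137 L=78 S=0x00
Mar 23 18:39:50 input PROTO=17 200.200.200.1:137 *.18:137 L=78 S=0x00
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
Mar 27 22:00:26 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.18:137 L=78 S=0x00
Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
Mar 28 09:12:03 input PROTO=17 10.1.2.3:137 *.16:137 L=78 S=0x00
Mar 28 09:12:03 input PROTO=6 192.0.2.10:4422 *.16:80 L=60 S=0x00
"""

# "Mon DD HH:MM:SS <chain> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.*]+):(?P<dport>\d+)"
)

LOG_YEAR = 2000  # assumed: syslog-style timestamps carry no year
UDP = 17
NBNS_PORT = 137


def parse_line(line):
    """Return one event dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "proto": int(m["proto"]),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def nbns_events(events):
    """Keep only UDP packets aimed at the NetBIOS Name Service port."""
    return [e for e in events if e["proto"] == UDP and e["dport"] == NBNS_PORT]


def _last_octet(dst):
    return int(dst.rsplit(".", 1)[1])


def nbns_sweeps(events, min_targets=3):
    """Map each source that probed >= min_targets distinct hosts to its target list."""
    targets = defaultdict(set)
    for e in nbns_events(events):
        targets[e["src"]].add(e["dst"])
    return {
        src: sorted(dsts, key=_last_octet)
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def paired_sources(events):
    """Find groups of sources whose (timestamp, target) sequences are identical.

    Two addresses that always appear together at the same second against the
    same target are most plausibly one dual-homed host sending from both
    interfaces rather than two independent scanners.
    """
    seen = defaultdict(set)
    for e in nbns_events(events):
        seen[e["src"]].add((e["ts"], e["dst"]))
    by_pattern = defaultdict(list)
    for src, pattern in seen.items():
        if len(pattern) >= 2:  # a single probe is not a pattern
            by_pattern[frozenset(pattern)].append(src)
    return sorted(tuple(sorted(srcs)) for srcs in by_pattern.values() if len(srcs) >= 2)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dsts in nbns_sweeps(evts).items():
        print(f"UDP/137 sweep from {src}: {len(dsts)} hosts ({dsts[0]} .. {dsts[-1]})")
    for group in paired_sources(evts):
        print("lock-step sources (likely one dual-homed host):", ", ".join(group))
```

Run against a real log the regex only needs the timestamp, PROTO, and the two address:port fields to be in the same positions; anything after the destination is ignored. Raising `min_targets` toward the size of the monitored range separates a full class C sweep of the kind the thread describes from a stray name query.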