OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Scott A.McIntyre (scott_at_xs4all.net)
Date: Tue Dec 17 2002 - 01:56:02 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Over the past two weeks or so I've been noticing a steady rise in what
    appears to be worm related traffic to the new unified smb over tcp port
    (445) on Microsoft Win2k and newer operating systems.

    I haven't yet been able to properly identify what the culprit is; at
    first I thought a variation of OpaServ, and that hasn't been fully
    ruled out, but I'm not quite convinced of that either. Anyone have any
    clues that might help pin this down further?

    An infected machine seems to send the following:

    1095 114.002629 src -> dst SMB Negotiate Protocol Request
    1105 114.363458 src -> dst SMB Session Setup AndX Request
    1106 114.774364 src -> dst SMB Session Setup AndX Request
    1107 115.168792 src -> dst SMB Tree Connect AndX Request,Path:
    \\dst\IPC$
    1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr
    1112 115.652261 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
    1136 117.759036 src -> dst SAMR Connect4 request
    1137 118.299350 src -> dst SMB Close Request, FID: 0x4000
    1142 119.004483 src -> dst SMB Logoff AndX Request
    1150 119.375665 src -> dst SMB Tree Disconnect Request

    And another:

    7.933416 src -> dst SMB Negotiate Protocol Request
    10.958481 src -> dst SMB Session Setup AndX Request
    13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
    13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
    15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
    17.149345 src -> dst SAMR Connect4 request
    20.405997 src -> dst SAMR EnumDomains request
    23.579240 src -> dst SAMR LookupDomain request
    25.341903 src -> dst SAMR OpenDomain request
    25.891947 src -> dst SAMR EnumDomainUsers request
    26.597393 src -> dst SAMR Close request
    29.615040 src -> dst SMB Close Request, FID: 0x4000
    30.048894 src -> dst SMB Logoff AndX Request
    32.738878 src -> dst SMB Tree Disconnect Request

    It appears as though there's a high degree of randomness to the
    destination IP addresses that are chosen by the worm as can be seen
    from this 1 second snapshot:

         121.33.1.48
       91.71.109.105
        76.123.46.27
       222.120.99.35
        124.72.254.8
       17.64.153.118
        27.23.33.121
       185.33.178.38
       151.49.213.31
       167.60.15.125
       132.86.243.68
       26.125.133.71
        1.104.130.21
        40.88.91.120
       48.101.140.21
         48.93.34.36
       193.60.220.48
        117.26.58.96
         27.2.15.114
         25.7.221.31

    Note: the infected system's ip address is not within any of these
    network segments.

    I've noticed others reporting similar increase in traffic, but so far
    haven't seen a definitive acknowledgment of precisely what it is that's
    responsible.

    Any pointers gratefully accepted.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com