RE: RE: Worm attack on our network this morning -- anyone else see this?

From: David Gillett (gillettdavidfhda.edu)
Date: Wed Dec 13 2006 - 16:56:31 CST


  What I've got so far is that the 7654 IRC connection is
typical of the "SDBot" family of malware.

  The number of infections has stabilized -- only one new
infected machine in the last three hours. That strongly
suggests that machines with up to date patches and/or
antivirus and/or non-blank passwords are probably immune,
which argues against the 0day hypothesis.

Dave

> -----Original Message-----
> From: Olivier Meyer [mailto:roguefugugmail.com]
> Sent: Wednesday, December 13, 2006 2:40 PM
> To: gillettdavidfhda.edu
> Subject: Re: RE: Worm attack on our network this morning --
> anyone else see this?
>
> Did you identify the backdoor used?
>
>
> On 12/13/06, David Gillett <gillettdavidfhda.edu> wrote:
> > I neglected to mention that the "phone home" destinations are all
> > in the 86.x.x.x range.
> >
> > Dave
> >
> >
> > > -----Original Message-----
> > > From: David Gillett [mailto:gillettdavidfhda.edu]
> > > Sent: Wednesday, December 13, 2006 1:05 PM
> > > To: 'incidentssecurityfocus.com'
> > > Subject: Worm attack on our network this morning -- anyone else see
> > > this?
> > >
> > > Late Monday afternoon, I noticed that a machine was scanning
> > > random addresses across both campuses using port 135 (DCE). I
> > > blocked the port and tracked the machine to the support area, where
> > > one of the techs was reformatting a laptop.
> > > Late Tuesday afternoon, I noticed similar traffic from another
> > > machine, and blocked that port.
> > >
> > > This morning, that second machine showed up somewhere else on
> > > campus, and similar traffic was flooding from 22 additional
> > > machines, 19 at the big campus and 3 at the other
> > > -- most appear to also be laptops.
> > >
> > > In addition to spreading via port 135, I've also seen:
> > >
> > > 1. At least one machine eventually started similar scanning on port
> > > 445 (CIFS).
> > >
> > > 2. These machines all try to "phone home" to port 7654 of a remote
> > > machine. I've got that blocked now, but one succeeded and appeared
> > > to be talking IRC over that port, reporting a "successful file
> > > download" to/from an additional machine which (so far) doesn't
> > > appear to have been trying to spread the infection further.
> > >
> > > I've got the "phone home" traffic blocked, and the known infected
> > > machines null-routed at the gateway, which *should* make it just
> > > about impossible for them to infect outside their own VLANs.
> > >
> > > The targets are all PCs, and most seem to be laptops. I'm
> > > thinking about this week's MS Office 0days, and maybe about recent
> > > wireless driver vulnerabilities, but this *could* be something older
> > > that walked in on a visiting laptop....
> > >
> > > David Gillett
> > >
> > >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
> > World renowned security experts reveal tomorrow's threats today. Free
> > of vendor pitches, the Briefings are designed to be pragmatic
> > regardless of your security environment. Featuring 36 hands-on
> > training courses and 10 conference tracks, networking
> > opportunities with over 2,500 delegates from 40+ nations.
> >
> > http://www.blackhat.com
> > ------------------------------------------------------------------------------

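The quoted report describes two network-visible behaviours: infected hosts scanning many random addresses on ports 135 and 445, and those hosts connecting out to port 7654 (IRC) on a remote machine. The following is an added detection example, not code from anyone in this thread, showing how a defender could flag both patterns from plain connection records. The record format, the thresholds, and the sample records are constructed assumptions; the 86.x.x.x watch range is the one mentioned in the thread.

```python
"""Added detection example (not from the thread): flag hosts that behave like the
worm described in the report, using constructed connection records.

Record format assumed here: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports named in the report: 135 (DCE RPC) and 445 (CIFS) for spreading,
# 7654 for the IRC "phone home" channel.
SPREAD_PORTS = {135, 445}
PHONE_HOME_PORT = 7654
# The report says the phone-home destinations were all in 86.x.x.x; the watch
# range is used here only to annotate hits (assumption: tune to your incident).
WATCH_RANGES = [ip_network("86.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated connection record."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def find_scanners(flows, window=60, min_targets=20):
    """Return {src: distinct_targets} for sources that touch at least
    `min_targets` distinct hosts on 135/445 within any `window` seconds.
    Distinct destinations are counted, so a workstation hammering one file
    server on 445 is not flagged."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport in SPREAD_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        counts = Counter()  # distinct destinations inside the sliding window
        left, best = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_phone_home(flows):
    """Return (src, dst, in_watch_range) for every connection to port 7654."""
    out = []
    for f in flows:
        if f.dport == PHONE_HOME_PORT:
            watched = any(ip_address(f.dst) in net for net in WATCH_RANGES)
            out.append((f.src, f.dst, watched))
    return out


def analyze(lines):
    flows = [parse_flow(l) for l in lines if l.strip()]
    return {"scanners": find_scanners(flows), "phone_home": find_phone_home(flows)}


def constructed_sample():
    """Constructed records (not real traffic) mimicking the reported pattern."""
    lines = []
    # Infected laptop: 25 distinct random targets on 135 within 30 seconds,
    # then a phone-home connection into the 86/8 range.
    for i in range(25):
        lines.append(f"{1000 + i} 10.1.5.20 172.16.3.{i + 1} 135")
    lines.append("1040 10.1.5.20 86.1.2.3 7654")
    # Workstation repeatedly talking to one file server on 445: benign.
    for i in range(30):
        lines.append(f"{1000 + i} 10.1.7.7 10.1.0.5 445")
    # Host with only a handful of 445 targets: below threshold.
    for i in range(5):
        lines.append(f"{1100 + i} 10.1.5.21 10.1.5.{30 + i} 445")
    # Internal 7654 connection outside the watch range: still worth a look.
    lines.append("1050 10.1.9.9 10.1.9.10 7654")
    return lines


if __name__ == "__main__":
    for name, result in analyze(constructed_sample()).items():
        print(name, result)
```

In practice the records would come from firewall or NetFlow exports at the campus gateway; the distinct-destination count is what separates a scanner from a busy but legitimate client, and the 7654 check is deliberately unconditional because the thread's own report notes one successful phone-home went out before the port was blocked.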