RE: Worm attack on our network this morning -- anyone else see this? Dec 13 2006 09:05PM
David Gillett (gillettdavid fhda edu)
I neglected to mention that the "phone home" destinations
are all in the 86.x.x.x range.

Dave

> -----Original Message-----
> From: David Gillett [mailto:gillettdavid (at) fhda (dot) edu [email concealed]]
> Sent: Wednesday, December 13, 2006 1:05 PM
> To: 'incidents (at) securityfocus (dot) com [email concealed]'
> Subject: Worm attack on our network this morning -- anyone
> else see this?
>
> Late Monday afternoon, I noticed that a machine was
> scanning random addresses across both campuses using port 135
> (DCE). I blocked the port and tracked the machine to the
> support area, where one of the techs was reformatting a laptop.
> Late Tuesday afternoon, I noticed similar traffic from
> another machine, and blocked that port.
>
> This morning, that second machine showed up somewhere else
> on campus, and similar traffic was flooding from 22
> additional machines, 19 at the big campus and 3 at the other
> -- most appear to also be laptops.
>
> In addition to spreading via port 135, I've also seen:
>
> 1. At least one machine eventually started similar scanning
> on port 445 (CIFS).
>
> 2. These machines all try to "phone home" to port 7654 of a
> remote machine. I've got that blocked now, but one succeeded
> and appeared to be talking IRC over that port, reporting a
> "successful file download" to/from an additional machine
> which (so far) doesn't appear to have been trying to spread
> the infection further.
>
> I've got the "phone home" traffic blocked, and the known
> infected machines null-routed at the gateway, which *should*
> make it just about impossible for them to infect outside
> their own VLANs.
>
> The targets are all PCs, and most seem to be laptops. I'm
> thinking about this week's MS Office 0days, and maybe about
> recent wireless driver vulnerabilities, but this *could* be
> something older that walked in on a visiting laptop....
>
> David Gillett
>
>

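A defender-side check for the indicators Dave describes (fan-out scanning on TCP 135/445 and "phone home" connections to TCP 7654 in the 86.x.x.x range), as an added example that is not part of the original post. The flow-record format, the fan-out threshold and every address in it are assumptions.

```python
# Flag hosts showing the behaviour described in the post: fan-out scanning on
# TCP 135/445 and "phone home" connections to TCP 7654 in the 86.0.0.0/8 range.
# Flow format (src_ip, dst_ip, dst_port) and all addresses are constructed.
import ipaddress
from collections import defaultdict

SCAN_PORTS = {135, 445}                     # DCE-RPC and CIFS, per the post
PHONE_HOME_PORT = 7654
PHONE_HOME_NET = ipaddress.ip_network("86.0.0.0/8")

SAMPLE_FLOWS = [                            # constructed, hypothetical addresses
    ("10.1.0.7", "10.2.33.1", 135), ("10.1.0.7", "10.2.91.200", 135),
    ("10.1.0.7", "10.1.14.9", 135), ("10.1.0.7", "10.2.5.77", 135),
    ("10.1.0.7", "10.1.200.3", 135), ("10.1.0.7", "86.10.20.30", 7654),
    ("10.1.0.9", "10.1.0.1", 445), ("10.1.0.9", "10.1.0.1", 445),
    ("10.1.0.9", "10.1.0.2", 445), ("10.1.0.9", "10.1.0.3", 445),
    ("10.1.0.9", "10.1.0.4", 445), ("10.1.0.9", "10.1.0.5", 445),
    ("10.1.0.42", "10.1.0.1", 445), ("10.1.0.42", "10.1.0.2", 445),  # benign
    ("10.1.0.50", "86.55.1.2", 7654),
]

def find_scanners(flows, threshold=5):
    # {src: {port: distinct_dst_count}} for sources hitting >= threshold distinct
    # destinations on a scan port; repeat hits on one destination count once.
    fanout = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        if port in SCAN_PORTS:
            fanout[src][port].add(dst)
    return {src: {p: len(d) for p, d in ports.items() if len(d) >= threshold}
            for src, ports in fanout.items()
            if any(len(d) >= threshold for d in ports.values())}

def find_phone_home(flows):
    # {src: sorted 86.x.x.x hosts contacted on TCP 7654}
    hits = defaultdict(set)
    for src, dst, port in flows:
        if port == PHONE_HOME_PORT and ipaddress.ip_address(dst) in PHONE_HOME_NET:
            hits[src].add(dst)
    return {src: sorted(d) for src, d in hits.items()}

def triage(flows, threshold=5):
    # One per-host report; a host that both scans and phones home is the
    # strongest candidate for null-routing at the gateway.
    report = defaultdict(dict)
    for src, ports in find_scanners(flows, threshold).items():
        report[src]["scanning"] = ports
    for src, dsts in find_phone_home(flows).items():
        report[src]["phone_home"] = dsts
    return dict(report)
```

Ordinary client traffic to a single file server (10.1.0.42 above) stays below the fan-out threshold, which is what separates a scanner from a busy workstation.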