Incidents
RE: RE: Worm attack on our network this morning -- anyone else see this? Dec 13 2006 10:56PM
David Gillett (gillettdavid fhda edu) (1 replies)
What I've got so far is that the 7654 IRC connection is
typical of the "SDBot" family of malware.

The number of infections has stabilized -- only one new
infected machine in the last three hours. That strongly
suggests that machines with up to date patches and/or
antivirus and/or non-blank passwords are probably immune,
which argues against the 0day hypothesis.

Dave

> -----Original Message-----
> From: Olivier Meyer [mailto:roguefugu (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, December 13, 2006 2:40 PM
> To: gillettdavid (at) fhda (dot) edu [email concealed]
> Subject: Re: RE: Worm attack on our network this morning --
> anyone else see this?
>
> Did you identify the backdoor used?
>
>
> On 12/13/06, David Gillett <gillettdavid (at) fhda (dot) edu [email concealed]> wrote:
> > I neglected to mention that the "phone home"
> destinations are all
> > in the 86.x.x.x range.
> >
> > Dave
> >
> >
> > > -----Original Message-----
> > > From: David Gillett [mailto:gillettdavid (at) fhda (dot) edu [email concealed]]
> > > Sent: Wednesday, December 13, 2006 1:05 PM
> > > To: 'incidents (at) securityfocus (dot) com [email concealed]'
> > > Subject: Worm attack on our network this morning --
> anyone else see
> > > this?
> > >
> > > Late Monday afternoon, I noticed that a machine was scanning
> > > random addresses across both campuses using port 135 (DCE). I
> > > blocked the port and tracked the machine to the support
> area, where
> > > one of the techs was reformatting a laptop.
> > > Late Tuesday afternoon, I noticed similar traffic from another
> > > machine, and blocked that port.
> > >
> > > This morning, that second machine showed up somewhere else on
> > > campus, and similar traffic was flooding from 22 additional
> > > machines, 19 at the big campus and 3 at the other
> > > -- most appear to also be laptops.
> > >
> > > In addition to spreading via port 135, I've also seen:
> > >
> > > 1. At least one machine eventually started similar
> scanning on port
> > > 445 (CIFS).
> > >
> > > 2. These machines all try to "phone home" to port 7654 of
> a remote
> > > machine. I've got that blocked now, but one succeeded and
> appeared
> > > to be talking IRC over that port, reporting a "successful file
> > > download" to/from an additional machine which (so far) doesn't
> > > appear to have been trying to spread the infection further.
> > >
> > > I've got the "phone home" traffic blocked, and the
> known infected
> > > machines null-routed at the gateway, which *should* make it just
> > > about impossible for them to infect outside their own VLANs.
> > >
> > > The targets are all PCs, and most seem to be laptops. I'm
> > > thinking about this week's MS Office 0days, and maybe
> about recent
> > > wireless driver vulnerabilities, but this *could* be
> something older
> > > that walked in on a visiting laptop....
> > >
> > > David Gillett
> > >
> > >
> >
> >
> >
> ----------------------------------------------------------------------
> > --------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA, July
> 29-August 3 in Las Vegas.
> > World renowned security experts reveal tomorrow's threats
> today. Free
> > of vendor pitches, the Briefings are designed to be pragmatic
> > regardless of your security environment. Featuring 36 hands-on
> > training courses and 10 conference tracks, networking
> opportunities with over 2,500 delegates from 40+ nations.
> >
> > http://www.blackhat.com
> >
> ----------------------------------------------------------------------
> > --------
> >
> >
>
>
> --
> The information in this electronic mail (including attachments, if
> any) is privileged and confidential and is intended only for the
> recipient(s) listed above. Any review, use, disclosure,
> distribution or copying of this electronic mail is prohibited
> except by or on behalf of the intended recipient. If you have
> received this electronic mail in error, please notify me
> immediately by reply email and destroy all copies of this
> electronic mail. Thank you.
>

------------------------------------------------------------------------
------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------
------

[ reply ]
Re: RE: Worm attack on our network this morning -- anyone else see this? Dec 15 2006 09:21PM
Jamie Riden (jamesr europe com)


 

Privacy Statement
Copyright 2010, SecurityFocus