[Snort-users] Strange ICMP traffic. Perhaps a worm?

CGhercoias at ...8619...
Mon Dec 15 08:08:13 EST 2003


This could be the Welchia virus or MSBLASTER.
I would filter 69/UDP, 135/TCP, 137/UDP, 138/UDP and 445/TCP and UDP at
border firewalls/routers and disable these rules there but enable them
on the inside Snort sensor to catch any malicious activity on the spot.

Here is the Snort rule to trigger on the WELCHIA worm:

alert icmp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000029; rev: 3; msg: "WELCHIA Virus scanning"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; depth: 32; itype: 8; reference: arachnids,154; classtype: misc-activity;)

and the signatures for MSBLASTER:

alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( sid: 1000024; rev: 4; msg: "W32/MSBLAST Worm over TFTP"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000025; rev: 5; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000027; rev: 1; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000028; rev: 1; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

(The content string is 13 bytes, so depth must be at least 13; with the original depth of 2 the pattern could never fit inside the searched region and the rules would never fire.)

Thank you, 
___________________________
Catalin Ghercoias 
WEB/Network Security Administrator 

Office Phone: +(518) 452-1242 Ext.7435 
Fax: (518) 452-4768 
website: http://www.fye.com 

-----Original Message-----
From: Harry M [mailto:harrym at ...10739...] 
Sent: Thursday, December 11, 2003 6:01 PM
To: snort-users
Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?


I'm getting lots of ICMP traffic that looks pretty odd to me. They are all
ping packets with a fairly strange payload:

000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

What makes me think this is a worm is that all the traffic is coming from
other customers of my ISP (NTL), and the source IP addresses increment very
neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set
of machines infected by a worm that increments the subnet (2nd octet) it
targets. Although this doesn't really tally with the apparent lack of any
bytecode in the payload, I figured it could be an exploratory probe or
some such. The rule it's triggering is ICMP PING CyberKit 2.2 Windows
(http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly
unlikely that this is the actual cause, because of the number of different
source addresses (>100).

Does anyone have any other ideas? Whatever it is, it's very strange. The
thought does occur that my ISP could be doing something sneaky, to which I'd
almost certainly object :)

I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting
it ever since.

Arta
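As an added example that is not part of either message in this thread: a small Python model of the Snort content/offset/depth/itype checks used by the rules quoted in the reply, run against the ICMP payload from the hex dump in the original post. It parses the dump back into bytes, applies the WELCHIA check (32 bytes of 0xAA at depth 32 on an echo request), and shows why a depth shorter than the content string (13 bytes for the MSBLAST name) can never match. The TFTP read-request sample and the hypothetical `depth=2` check are constructed for illustration; the dump text is a copy of the quoted lines.

```python
"""Model of Snort content/offset/depth matching, applied to the quoted payload.

Added example, not code from the snort-users thread or from Snort itself.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the hex dump quoted in the original post.
HEXDUMP = """\
000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
"""

# One dump line: offset, colon, then space-separated hex bytes (ASCII column ignored).
_DUMP_LINE = re.compile(r"^[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)")


def parse_hexdump(text: str) -> bytes:
    """Turn 'OFF : XX XX ...  ascii' lines back into the raw payload bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def snort_hex(content: str) -> bytes:
    """Decode a Snort '|..|' hex content string (spaces between bytes optional)."""
    return bytes.fromhex(content.strip("|").replace(" ", ""))


@dataclass(frozen=True)
class ContentCheck:
    """Snort-style content match: pattern must lie wholly within
    payload[offset : offset + depth] (depth None = to end of payload)."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, payload: bytes) -> bool:
        end = len(payload) if self.depth is None else self.offset + self.depth
        return payload.find(self.pattern, self.offset, end) != -1


# sid 1000029: 32 x 0xAA searched within the first 32 bytes, on ICMP type 8.
WELCHIA_PING = ContentCheck(snort_hex("|" + "aa" * 32 + "|"), depth=32)

# MSBLAST content string from sids 1000024/25/27/28 (decodes to \x00\x01msblast.exe).
MSBLAST_NAME = snort_hex("|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|")
MSBLAST_CHECK = ContentCheck(MSBLAST_NAME, offset=0, depth=len(MSBLAST_NAME))
# Hypothetical pitfall for illustration: depth shorter than the 13-byte pattern.
MSBLAST_TOO_SHALLOW = ContentCheck(MSBLAST_NAME, offset=0, depth=2)


def welchia_icmp_match(icmp_type: int, payload: bytes) -> bool:
    """itype:8 (echo request) plus the 32-byte run of 0xAA at depth 32."""
    return icmp_type == 8 and WELCHIA_PING.matches(payload)


if __name__ == "__main__":
    payload = parse_hexdump(HEXDUMP)
    print(f"payload: {len(payload)} bytes, welchia echo-request match:",
          welchia_icmp_match(8, payload))
    # Constructed TFTP RRQ: opcode 00 01, filename, NUL, mode, NUL.
    rrq = b"\x00\x01msblast.exe\x00octet\x00"
    print("depth 13 matches RRQ:", MSBLAST_CHECK.matches(rrq))
    print("depth 2 matches RRQ: ", MSBLAST_TOO_SHALLOW.matches(rrq))
```

The `ContentCheck.matches` method mirrors what `offset`/`depth` mean in a Snort rule: `depth` bounds the search window measured from `offset`, and the whole pattern must fit inside it, which is why a 13-byte content string with `depth: 2` is dead code. The same window check is what makes the WELCHIA rule specific: a ping whose 0xAA run starts later than byte 0 of a 32-byte window does not fire.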
