[Snort-users] Strange ICMP traffic. Perhaps a worm?

Jack McCarthy snort at ...10768...
Mon Dec 15 08:50:01 EST 2003


Here are some resources for you if it is in fact Welchia/Nachi/etc...

Virus Info
Symantec's name for the virus: W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

McAfee's name for the virus: W32/Nachi.worm
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559

Symantec's Virus Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Microsoft's Patch
MS03-039 - Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
This patch (MS03-039) supersedes MS03-026.

Microsoft's KB 824146 Scanning Tool - How to Use the KB 824146 Scanning Tool to
Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146
(MS03-039) Security Patches Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

How to Install Multiple Windows Updates or Hotfixes with Only One Reboot -
296861
http://support.microsoft.com/default.aspx?scid=KB;EN-US;296861&sd=tech


Good luck,
-Jack

--- CGhercoias at ...8619... wrote:
> This could be Welchia Virus or MSBLASTER.
> I would filter 69/UDP, 135/TCP, 137/UDP, 138/UDP and 445/TCP and UDP at
> border firewalls/routers and disable these rules there but enable them
> on the inside snort sensor to catch any malicious activity on the spot.
> 
> Here is the rule from snort to trigger on WELCHIA worm.
> # 32 hex digits between the pipes = 16 bytes of 0xAA, searched within the first 32 bytes of the ICMP payload
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (sid:1000029; rev:3; msg:"WELCHIA Virus scanning"; content:"|aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa|"; depth:32; itype:8; reference:arachnids,154; classtype:misc-activity;)
> 
> and the signatures for MSBLASTER:
> 
> # content is the 13-byte TFTP read request |00 01| "msblast.exe"; depth must cover all 13 bytes or the rule can never match
> alert udp $EXTERNAL_NET any -> $HOME_NET 69 (sid:1000024; rev:4; msg:"W32/MSBLAST Worm over TFTP"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
> alert udp $EXTERNAL_NET any -> $HOME_NET any (sid:1000025; rev:5; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (sid:1000027; rev:1; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (sid:1000028; rev:1; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype:trojan-activity; priority:1;)
> 
> Thank you, 
> ___________________________
> Catalin Ghercoias 
> WEB/Network Security Administrator 
> 
> Office Phone: +(518) 452-1242 Ext.7435 
> Fax: (518) 452-4768 
> website: http://www.fye.com 
> 
> -----Original Message-----
> From: Harry M [mailto:harrym at ...10739...] 
> Sent: Thursday, December 11, 2003 6:01 PM
> To: snort-users
> Subject: [Snort-users] Strange ICMP traffic. Perhaps a worm?
> 
> 
> I'm getting lots of ICMP traffic that looks pretty odd to me. They are
> all ping packets with a fairly strange payload:
> 
> 000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
> 
> What makes me think this is a worm is that all the traffic is coming
> from other customers of my ISP (NTL), and the source ip addresses
> increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather
> like it could be a set of machines infected by a worm that increments
> the subnet (2nd octet) it targets. Although this doesn't really tally
> with the apparent lack of any bytecode in the payload, I figured it
> could be an exploratory probe or some such. The rule it's triggering is
> ICMP PING CyberKit 2.2 Windows
> (http://www.snort.org/snort-db/sid.html?sid=483) but I find it highly
> unlikely that this is the actual cause, because of the number of
> different source addresses (>100).
> 
> Does anyone have any other ideas? Whatever it is, it's very strange. The
> thought does occur that my ISP could be doing something sneaky, to which
> I'd almost certainly object :)
> 
> I started getting traffic at 2003-12-11 20:18:33 GMT and have been
> getting it ever since.
> 
> Arta
> 
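As an added example that is not part of this thread: a small Python emulation of the quoted Welchia ICMP rule (itype 8, 0xAA bytes within the first 32 payload bytes) and the MSBLAST TFTP rule (RRQ for msblast.exe on 69/UDP), run over constructed raw IPv4 packets. The packet builders and the 80.x source addresses are constructed for the demonstration, not captures from the list.

```python
import struct

ICMP_ECHO_REQUEST = 8
# 32 hex digits between the pipes in the quoted rule = 16 bytes of 0xAA, searched within depth 32
WELCHIA_PATTERN = b"\xaa" * 16
# |00 01 6D 73 62 6C 61 73 74 2E 65 78 65| = TFTP RRQ opcode followed by "msblast.exe"
MSBLAST_TFTP_RRQ = b"\x00\x01msblast.exe"

def build_ipv4(proto, src, dst, l4):
    """Constructed test packet: minimal IPv4 header (checksum left 0) plus layer-4 bytes."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + l4

def icmp_echo(data, icmp_type=ICMP_ECHO_REQUEST):
    """Constructed ICMP echo: type, code, checksum(0), id, seq, then the data bytes."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data

def udp(dport, data, sport=1234):
    """Constructed UDP datagram: sport, dport, length, checksum(0), then data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse_ipv4(pkt):
    """Return (proto, src, layer-4 bytes) for a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return pkt[9], src, pkt[ihl:]

def classify(pkt):
    """Emulate the quoted Welchia ICMP rule and the MSBLAST TFTP rule; return the msg that fires."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, _src, l4 = parsed
    if proto == 1 and len(l4) >= 8:  # ICMP header: type, code, cksum, id, seq (8 bytes)
        # itype:8; content:"|aa..aa|"; depth:32 -> pattern anywhere in the first 32 payload bytes
        if l4[0] == ICMP_ECHO_REQUEST and WELCHIA_PATTERN in l4[8:40]:
            return "WELCHIA Virus scanning"
    elif proto == 17 and len(l4) >= 8:  # UDP header: sport, dport, len, cksum (8 bytes)
        dport = struct.unpack("!H", l4[2:4])[0]
        # content at offset 0 with a depth covering all 13 bytes of the RRQ
        if dport == 69 and l4[8:21] == MSBLAST_TFTP_RRQ:
            return "W32/MSBLAST Worm over TFTP"
    return None
```

Echo replies (type 0) carrying the same 0xAA payload and RRQs to ports other than 69 are deliberately left unmatched, mirroring the itype and port constraints in the quoted rules.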