I neglected to mention that the "phone home" destinations are all in the 86.x.x.x range.
Dave

> -----Original Message-----
> From: David Gillett [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 13, 2006 1:05 PM
> To: '[email protected]'
> Subject: Worm attack on our network this morning -- anyone else see this?
>
> Late Monday afternoon, I noticed that a machine was scanning random
> addresses across both campuses using port 135 (DCE). I blocked the port
> and tracked the machine to the support area, where one of the techs was
> reformatting a laptop. Late Tuesday afternoon, I noticed similar traffic
> from another machine, and blocked that port.
>
> This morning, that second machine showed up somewhere else on campus, and
> similar traffic was flooding from 22 additional machines, 19 at the big
> campus and 3 at the other -- most appear to also be laptops.
>
> In addition to spreading via port 135, I've also seen:
>
> 1. At least one machine eventually started similar scanning on port 445
> (CIFS).
>
> 2. These machines all try to "phone home" to port 7654 of a remote
> machine. I've got that blocked now, but one succeeded and appeared to be
> talking IRC over that port, reporting a "successful file download"
> to/from an additional machine which (so far) doesn't appear to have been
> trying to spread the infection further.
>
> I've got the "phone home" traffic blocked, and the known infected machines
> null-routed at the gateway, which *should* make it just about impossible
> for them to infect outside their own VLANs.
>
> The targets are all PCs, and most seem to be laptops. I'm thinking about
> this week's MS Office 0days, and maybe about recent wireless driver
> vulnerabilities, but this *could* be something older that walked in on a
> visiting laptop....
>
> David Gillett
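As an added illustration (not part of the original post or thread), the two behaviours described above can be picked out of a connection log by looking for hosts that fan out to many distinct destinations on 135/445 and hosts that connect to TCP 7654 on anything in 86.0.0.0/8. The log format, the hosts and the fan-out threshold of five distinct targets are all constructed assumptions here; the 86.0.0.0/8 mask is an assumption read from "86.x.x.x".

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log: "src dst dport" per line (not real traffic).
SAMPLE_LOG = """\
10.1.4.17 10.1.9.3 135
10.1.4.17 10.1.9.4 135
10.1.4.17 10.2.17.8 135
10.1.4.17 10.2.200.1 135
10.1.4.17 10.1.44.12 135
10.1.4.17 10.2.3.3 135
10.1.4.17 86.12.34.56 7654
10.2.7.40 10.1.1.1 445
10.2.7.40 10.1.1.2 445
10.2.7.40 10.1.1.3 445
10.2.7.40 10.1.1.4 445
10.2.7.40 10.1.1.5 445
10.1.5.5 10.1.0.20 445
10.1.5.5 10.1.0.20 445
10.1.5.5 86.9.9.9 80
"""

SCAN_PORTS = {135, 445}            # DCE and CIFS, as in the report
PHONE_HOME_PORT = 7654
PHONE_HOME_NET = ipaddress.ip_network("86.0.0.0/8")  # assumption from "86.x.x.x"

def parse_line(line):
    """Split 'src dst dport' into (src, dst, port as int)."""
    src, dst, dport = line.split()
    return src, dst, int(dport)

def analyse(log_text, fanout_threshold=5):
    """Return scanners (src -> {port: distinct targets}) and phone-home hosts."""
    fanout = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    phone_home = defaultdict(set)                   # src -> {dst on 7654 in 86/8}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_line(line)
        if dport in SCAN_PORTS:
            fanout[src][dport].add(dst)
        if dport == PHONE_HOME_PORT and ipaddress.ip_address(dst) in PHONE_HOME_NET:
            phone_home[src].add(dst)
    scanners = {}
    for src, ports in fanout.items():
        # A single file server hit many times is not a scan; count distinct targets.
        hits = {p: len(d) for p, d in ports.items() if len(d) >= fanout_threshold}
        if hits:
            scanners[src] = hits
    return {"scanners": scanners, "phone_home": {s: sorted(d) for s, d in phone_home.items()}}
```

The host talking repeatedly to one file server on 445 is not flagged, which is the distinction the port block alone cannot make.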
