worm information

2004-04-10 Thread Christopher J. Wolff

Hello,

Over the last few days I've seen a number of hosts attempt to initiate TCP
connections to the following ports in sequence.

80
139
445
6129
3127
1025
135
2745
...repeat.

At this moment I haven't seen a correlation between this activity and the
port exploitation list on CERT.  Any insight would be appreciated, thank
you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com




Re: worm information

2004-04-10 Thread Jeff Workman
--On Saturday, April 10, 2004 8:35 AM -0700 Christopher J. Wolff 
[EMAIL PROTECTED] wrote:

Hello,

Over the last few days I've seen a number of hosts attempt to initiate TCP
connections to the following ports in sequence.
80
139
445
6129
3127
1025
135
2745
...repeat.
There's a number of viruses/worms in the wild that are programmed to 
exploit various M$ vulnerabilities:

80  - IIS WebDAV (MS03-007) and any number of other IIS vulnerabilities
135 - DCOM RPC (MS03-026)
445 - RPC locator (MS03-001) and Workstation service (MS03-049)
139 - Unpassworded NetBIOS shares
I'm not sure about the other ports, I *think* 1025 has something to do with 
MS RPC as well, but don't quote me on that.

What you are probably seeing, at least in the cases involving the ports I 
listed above, is one of the many W32.Gaobot (Symantec)[1] variants.

-J

[1] 
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org


Re: worm information

2004-04-10 Thread Darrell Greenwood

On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following : 

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm

File Not Found... 'l' missing from end of 'htm'.

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html


Re: Anti-Spam Router -- opinions?

2004-04-10 Thread Hank Nussbacher


Has anyone had any experience with this device? Turntide.com. Looks like a
traffic-shaping device designed specifically for cutting down spammers
throughput to your inbound SMTP servers. My main concern is, how does it
make the distinction between legitimate mass-mailings (e.g.: mailing lists
such as this one), and spam? Interesting approach to killing spam though I
must say.
SMTP is only about 40% of the spam these days.  The rest is via HTTP and 
DAV (I have seen an upsurge of Hotmail DAV spam since March 18, as per 
http://www.unicom.com/chrome/a/000267.html) so you would need a solution 
that handles all formats.

I would like to draw your attention to a company called Pineapp 
(www.pineapp.com) that has a product called Antiflood.  It handles SMTP and 
HTTP.  For HTTP it analyzes the headers and doesn't allow more than n 
number of recipients.  It allows the admin to set the maximum posts per 
time frame, has URL blocking time, maximum outgoing recipients, safe URLs 
not to be time-blocked, etc.  It is not really a router but rather an 
inline transparent proxy box.  It is geared for Cybercafes where much spam 
still originates.

-Hank
Note: I do not work for Pineapp.



Re: worm information

2004-04-10 Thread ravi pina

On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one point in time:
 
 On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following : 
 
 http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
 
 File Not Found... 'l' missing from end of 'htm'.
 
 http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html

this is correct.  my organization has been infected with this
and it is a particular nasty little bugger.  we may have been
'patient 0' in terms of sending copies of the virus to symantec
so they could write signatures for it.  infected hosts flood
the network with a tremendous amount of data and port opening.

i at least managed to quarantine off all my vpn devices which
seemed to be the entry point.

-r





RE: worm information

2004-04-10 Thread Christopher J. Wolff

Thank you for the input.  The 'unique' feature of this infestation is that
affected hosts don't transmit a lot of data...however they do open up
thousands of flows in a very short time.  Perhaps that's not unique but it
certainly is annoying.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 ravi pina
 Sent: Saturday, April 10, 2004 11:30 AM
 To: Darrell Greenwood
 Cc: 'nanog list'
 Subject: Re: worm information
 
 
 On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one
 point in time:
 
  On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
 
 
 http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
 
  File Not Found... 'l' missing from end of 'htm'.
 
 
 http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
 
 this is correct.  my organization has been infected with this
 and it is a particular nasty little bugger.  we may have been
 'patient 0' in terms of sending copies of the virus to symantec
 so they could write signatures for it.  infected hosts flood
 the network with a tremendous amount of data and port opening.
 
 i at least managed to quarantine off all my vpn devices which
 seemed to be the entry point.
 
 -r
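Detection logic for the two symptoms described in this thread (the fixed port order in the original post and the "thousands of flows in a very short time" in the follow-up), as an added Python example that is not code posted to the list; the flow-log format, sample addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Port order reported in the original post ("...repeat" means it cycles).
WORM_PORT_SEQUENCE = [80, 139, 445, 6129, 3127, 1025, 135, 2745]

# Constructed sample flows, one per line: "<epoch-seconds> <src> <dst> <dport>".
# 10.0.0.5 walks the full sequence against 10.0.1.9; 10.0.0.7 is ordinary web traffic.
SAMPLE_FLOW_LOG = """
1081612800 10.0.0.5 10.0.1.9 80
1081612801 10.0.0.5 10.0.1.9 139
1081612802 10.0.0.5 10.0.1.9 445
1081612803 10.0.0.5 10.0.1.9 6129
1081612804 10.0.0.5 10.0.1.9 3127
1081612805 10.0.0.5 10.0.1.9 1025
1081612806 10.0.0.5 10.0.1.9 135
1081612807 10.0.0.5 10.0.1.9 2745
1081612808 10.0.0.5 10.0.1.9 80
1081612800 10.0.0.7 10.0.1.9 80
1081612803 10.0.0.7 10.0.1.20 443
"""


def parse_flows(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def burst_flows(src="10.0.0.9", start=1081612900, count=200, window=30):
    """Constructed burst: one host opening many flows to distinct hosts in a few seconds."""
    return [(start + (i * window) // count, src, "10.0.2.%d" % (i % 250), 445)
            for i in range(count)]


def sources_walking_sequence(flows, sequence=WORM_PORT_SEQUENCE):
    """Sources whose time-ordered ports against some destination contain the sequence."""
    per_pair = defaultdict(list)
    for _ts, src, dst, dport in sorted(flows):
        per_pair[(src, dst)].append(dport)
    n = len(sequence)
    return {src for (src, _dst), ports in per_pair.items()
            if any(ports[i:i + n] == sequence for i in range(len(ports) - n + 1))}


def sources_bursting(flows, window_seconds=60, max_flows=100):
    """Sources that open more than max_flows flows inside any window_seconds span."""
    per_src = defaultdict(list)
    for ts, src, _dst, _dport in flows:
        per_src[src].append(ts)
    noisy = set()
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_seconds:  # slide the window forward
                start += 1
            if end - start + 1 > max_flows:
                noisy.add(src)
                break
    return noisy


def triage(flows):
    """Combine both signals: sequence walkers and flow-burst sources."""
    return {"sequence": sources_walking_sequence(flows), "burst": sources_bursting(flows)}


if __name__ == "__main__":
    all_flows = parse_flows(SAMPLE_FLOW_LOG) + burst_flows()
    for signal, hosts in triage(all_flows).items():
        print(signal, sorted(hosts))
```

The two signals are independent, so a host that hits only one of them is still worth a look; the thresholds are starting points to tune against your own baseline.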
 




Re: worm information

2004-04-10 Thread ravi pina

hmm, honestly i can't vouch for the data rate personally.
a co-worker said the counters on the VPN connections were
grossly disproportionate for a short time sample.

bottom line, it is indeed annoying.  i know my server
and desktop groups have been having a hell of a time
disinfecting hosts.  i know part of this was that
symantec, at the time, said it may be a polymorphic
strain.

-r


On Sat, Apr 10, 2004 at 11:37:15AM -0700, Christopher J. Wolff said at one point in time:
 Thank you for the input.  The 'unique' feature of this infestation is that
 affected hosts don't transmit a lot of data...however they do open up
 thousands of flows in a very short time.  Perhaps that's not unique but it
 certainly is annoying.
 
 Regards,
 Christopher J. Wolff, VP CIO
 Broadband Laboratories, Inc.
 http://www.bblabs.com
 

-- 


RE: worm information

2004-04-10 Thread Christopher J. Wolff

Ravi,

One of the responses to this thread mentioned a 3COM switch.  One of the
infected sites has a 3COM superstack 1100.  I'm not a 3COM fan but these
switches have been up for years, literally.  All it takes to make this
switch reboot is a flow from one infected host.  I'm going to try to move
the web interface port away from 80.  Thank you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 ravi pina
 Sent: Saturday, April 10, 2004 11:44 AM
 To: Christopher J. Wolff
 Cc: [EMAIL PROTECTED]; 'Darrell Greenwood'; 'nanog list'
 Subject: Re: worm information
 
 
 hmm, honestly i can't vouch for the data rate personally.
 a co-worker said the counters on the VPN connections were
 grossly disproportionate for a short time sample.
 
 bottom line, it is indeed annoying.  i know my server
 and desktop groups have been having a hell of a time
 disinfecting hosts.  i know part of this was that
 symantec, at the time, said it may be a polymorphic
 strain.
 
 -r




Re: Lazy network operators

2004-04-10 Thread Richard Cox

On Sat, 10 Apr 2004 14:26:46 -0500
Chris Boyd [EMAIL PROTECTED] quoted:

 Any reports sent to this email address will not be read and will
 be automatically deleted.

Based on experience, it is arguable that not so very much has changed.

-- 
Richard Cox



Re: Lazy network operators

2004-04-10 Thread Eric A. Hall


On 4/10/2004 2:26 PM, Chris Boyd wrote:

 NTL World no longer accepts abuse@ email. You have to go to a web form
 that requires javascript be enabled and enter all of the information 
 for them.

option [1] do their job for them so they can run a cheaper net, versus
option [2] blacklist so that we both run cheaper nets


-- 
Eric A. Hall                             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/


Re: Lazy network operators

2004-04-10 Thread jlewis

On Sat, 10 Apr 2004, Chris Boyd wrote:

 Please note that we no longer accept any network abuse reports at this
 address. Any reports must be submitted by using the following web form:
 http://www.ntlworld.com/netreport

 Any reports sent to this email address will not be read and will be
 automatically deleted.

I can guess their reasoning for this is they're tired of bogus complaints
(from address on spam/virus was forged to look like it came from them) or
complaints lacking the necessary detail to take any action...but the way
they've implemented their forms is not going to win them any fans.

You have to click through multiple layers of forms before you can actually
put in any details.  None of the reason options are SPAM.  And on my first
try, their site caused Mozilla to crash.

Also, I doubt this was a decision made by the network operators, but
rather by the abuse department or more likely, whoever oversees it,
perhaps figuring that by having the web form CGI neatly categorize all
complaints, they can get by with less staff (or clue) handling abuse.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Worm Triggers Attacks on File-Trading Services

2004-04-10 Thread Sean Donelan


Why do people have the irresistible urge to click on things?

Click here to find out:

http://www.washingtonpost.com/wp-dyn/articles/A349-2004Apr9.html

   The experts advised people not to click on strange attachments in
   e-mail, which can activate the worm, and to update their antivirus
   software frequently to ward off new threats.


Re: Worm Triggers Attacks on File-Trading Services

2004-04-10 Thread Laurence F. Sheldon, Jr.
Sean Donelan wrote:

 Why do people have the irresistible urge to click on things?

Then he wrote:

 Click here to find out:

What is wrong with this picture?

http://www.washingtonpost.com/wp-dyn/articles/A349-2004Apr9.html

   The experts advised people not to click on strange attachments in
   e-mail, which can activate the worm, and to update their antivirus
   software frequently to ward off new threats.
--
Requiescas in pace o email



Re: Lazy network operators

2004-04-10 Thread Suresh Ramasubramanian

Chris Boyd [10/04/04 14:26 -0500]:
 
 NTL World no longer accepts abuse@ email.  You have to go to a web form 
 that requires javascript be enabled and enter all of the information 
 for them.  I guess that they got tired of processing the abuse@ 
 mail load and just bit bucketed it.
 

NTL peers at Linx, right?  I'm sure somebody's mentioned
http://www.linx.net/noncore/bcp/ube-bcp.html to them?

srs


Re: Lazy network operators

2004-04-10 Thread George William Herbert


Suresh writes:
Chris Boyd writes:
 NTL World no longer accepts abuse@ email.  You have to go to a web form 
 that requires javascript be enabled and enter all of the information 
 for them.  I guess that they got tired of processing the abuse@ 
 mail load and just bit bucketed it.

NTL peers at Linx, right?  I'm sure somebody's mentioned
http://www.linx.net/noncore/bcp/ube-bcp.html to them?

None of the surrounding docs or linx membership agreement
make compliance with linx BCPs mandatory.

However, it is socially odorous at least.
They're not the first ISP to do that, 
and won't be the last, but I don't do business
with (and often, blackhole) those that do.


-george william herbert
[EMAIL PROTECTED]



Packet anonymity is the problem?

2004-04-10 Thread Sean Donelan


If you connect a dialup modem to the public switched telephone network, do
you rely on Caller ID for security?  Or do you configure passwords on the
systems to prevent wardialers with blocked CLIDs from accessing your
system?  Have a generation of firewalls and security practices distracted
us from the fundamental problem, insecure systems?


http://www.ecommercetimes.com/perl/story/security/33344.html
  Gartner research vice president Richard Stiennon confirmed that packet
  anonymity is a serious issue for Internet security.
[...]
  "Because of the way TCP/IP works, it's an open network," Keromytis
  said. "Other network technologies don't have that problem. They have
  other issues, but only IP is subject to this difficulty with abuse."

[...]
  Bellovin compared the situation to bank robberies. [S]treets, highways
  and getaway cars don't cause bank robberies, nor will redesigning them
  solve the problem. The flaws are in the banks, he said. Similarly, most
  security problems are due to buggy code, and changing the network will
  not affect that.


Re: Lazy network operators

2004-04-10 Thread Sean Donelan

On Sun, 11 Apr 2004, Suresh Ramasubramanian wrote:
 NTL peers at Linx, right?  I'm sure somebody's mentioned
 http://www.linx.net/noncore/bcp/ube-bcp.html to them?

Should anonymous use of the Internet be eliminated so all forms
of abuse can be tracked and dealt with?


  Exception
  An exception to sections (2) and (3) arises in the case of a system run
  to deliberately hide the source of email - often called an anon
  server. Anon servers are used to preserve anonymity where, for
  example, someone seeks help from a group supporting victims of abuse or
  wishes to express political views in a country that may punish dissent.

  ISPs or their customers MAY run anon servers where this is explicitly
  intended to be the function of the service being provided. They MUST NOT
  allow their standard service to provide anonymity by failing to comply
  with this BCP.

  However an anon server SHOULD NOT be capable of 'amplification' of email
  by expanding address lists and SHOULD have limiting mechanisms to
  ensure that the volume of email passing through the server cannot be
  unusually high without explicit system owner knowledge.



Re: Packet anonymity is the problem?

2004-04-10 Thread Todd Vierling

On Sat, 10 Apr 2004, Sean Donelan wrote:

:   "Because of the way TCP/IP works, it's an open network," Keromytis
:   said. "Other network technologies don't have that problem. They have
:   other issues, but only IP is subject to this difficulty with abuse."

If networks properly filtered the source IPs of packets exiting or entering
their networks to only the valid delegations for that network, this would be
far less of a problem:  we could at least get *some* accountability going.

Of course, the still high number of bogon routes illustrates that very few
folks (if any) really care.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Lazy network operators

2004-04-10 Thread Dan Hollis

On Sat, 10 Apr 2004, Sean Donelan wrote:
 Should anonymous use of the Internet be eliminated so all forms
 of abuse can be tracked and dealt with?

As long as there are tier1's who allow abuse as long as the checks don't 
bounce, this will have zero effect.

exodus for example had a hands off policy, don't do a single thing until 
law enforcement arrives with a search warrant.

looks like yahoo has adopted a similar policy.

-Dan



Re: Packet anonymity is the problem?

2004-04-10 Thread Dan Hollis

On Sat, 10 Apr 2004, Todd Vierling wrote:
 Of course, the still high number of bogon routes illustrate that very few
 folks (if any) really care.

Worse; the registries make it trivial to steal registrations and  
assignments, but nigh impossible to get them back to the rightful owners.

-Dan



Re: Packet anonymity is the problem?

2004-04-10 Thread Paul Vixie

 :   "Because of the way TCP/IP works, it's an open network," Keromytis
 :   said. "Other network technologies don't have that problem. They have
 :   other issues, but only IP is subject to this difficulty with abuse."
 
 If networks properly filtered the source IPs of packets exiting or entering
 their networks to only the valid delegations for that network, this would be
 far less of a problem:  we could at least get *some* accountability going.
 
 Of course, the still high number of bogon routes illustrates that very few
 folks (if any) really care.

in another thread tonight i see subjects like lazy network operators and at
first glance, those are the people you're describing (who don't really care.)

however, that's simple-minded.  because of the way tcp/ip works... is a very
good lead-in toward the actual cause of this apparent non-caring / laziness.

because of the way ip works, and because of the way human nature works, many
of the things that would have to be done to fix this problem have asymmetric
cost/benefit.  if a network provider isn't lazy, then everyone except them
will benefit from that non-laziness.  human nature says that ain't happening.

even though i try every day, it probably is too late to redesign human nature.

the asymmetric cost/benefit is an emergent property of fundamental design
principles in tcp/ip, so it's no surprise that ipv6 didn't do much about this
weakness.

attempting to symmetrize cost/benefit without design changes in either human
nature or the tcp/ip protocol suite has had mixed results.  (i.e., MAPS.)

so, the article sean quoted is all very entertaining, but says nothing new,
which is sad, because i for one would really like to hear something new.
-- 
Paul Vixie


Re: Lazy network operators

2004-04-10 Thread Paul Vixie

[EMAIL PROTECTED] (Sean Donelan) writes:

 Should anonymous use of the Internet be eliminated so all forms
 of abuse can be tracked and dealt with?

of course not.  however, anonymity should be brokered by trusted doubleblinds;
nonbrokered/nontrusted anonymity without recourse by recipients is right out.
-- 
Paul Vixie


Re: Lazy network operators

2004-04-10 Thread Jeff Workman


--On Saturday, April 10, 2004 8:30 PM -0700 Dan Hollis [EMAIL PROTECTED] 
wrote:

 exodus for example had a hands off policy, don't do a single thing until
 law enforcement arrives with a search warrant.

While this might be a PITA for everybody, I don't see why everybody wants 
to chastise NSPs for this practice, especially NSPs that are/were telcos. 
Isn't this more or less the way telcos have dealt with abuse issues for 
decades?

I used to work for a very small (~10k dialup customer) ISP, and at the time 
our abuse policy was "if somebody complains, and you can find *something* 
in the logs, then lock the account."  Then I went to work for a so-called 
Tier-1 and learned in short order that this policy does not scale, 
especially when abusive customers with DS3s are waving around fully loaded 
lawyers.

-J

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org


Re: Lazy network operators

2004-04-10 Thread Scott Call

On Sat, 10 Apr 2004, Jeff Workman wrote:

 --On Saturday, April 10, 2004 8:30 PM -0700 Dan Hollis [EMAIL PROTECTED]
 wrote:

  exodus for example had a hands off policy, don't do a single thing until
  law enforcement arrives with a search warrant.

 While this might be a PITA for everybody, I don't see why everybody wants
 to chastise NSPs for this practice, especially NSPs that are/were telcos.
 Isn't this more or less the way telcos have dealt with abuse issues for
 decades?

 I used to work for a very small (~10k dialup customer) ISP, and at the time
 our abuse policy was "if somebody complains, and you can find *something*
 in the logs, then lock the account."  Then I went to work for a so-called
 Tier-1 and learned in short order that this policy does not scale,
 especially when abusive customers with DS3s are waving around fully loaded
 lawyers.


The problem with your argument is very much an apples and oranges
comparison.

Having spent the first five years of my network career at a ma and pa
that then got gobbled by Verio, and then the last five plus years at a
startup Telco/ISP, I can tell you, you see very different issues.

1 Telcos don't have ISP style AUPs, basically unless it's illegal, you
can do it on a phone without the carrier getting involved.
2 Telcos don't have the content variety that ISPs do.  You can't
(practically) bring down a Class 5 switch, the SS7 network, etc with the
actions of one customer.
3 A single phoneset cannot be used to contact 50 million people in a
matter of hours to sell them viagra or other stiffy pills.
4 A phoneset cannot be used to hijack or damage another phoneset on the
PSTN.  There's no such thing as a zombie telephone.  PBXs might be
hijackable, but not a home phone.
5 The other Telcos don't get pissed when you or your customers use/abuse
their resources, they send bills.

and the list goes on and on.

While both the Telco and ISP are communications services, they are
completely different beasts in the abuse department (as well as support,
provisioning, billing, etc)

If your well-lawyered customer complains, wave the AUP at them; if your
AUP doesn't allow you to disconnect customers who imperil your network and
the Internet at large, rewrite it.

Remember that getting cut off by your upstream is more painful than
dealing with a PITA customer.   Remember that the Internet started out as
a community, and in our little neck of the woods (NSP network
engineering/operations) it still is, and nobody likes a (BGP) neighbor
who doesn't care about the others in his neighborhood.

As an ISP/NSP/whatever acronym they think up next, your customers are your
responsibility, and you, like a good bartender, need to be able to let
your customers know when they're a nuisance.

-S

-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814



Re: Lazy network operators

2004-04-10 Thread Avleen Vig

On Sat, Apr 10, 2004 at 11:45:20PM -0400, Jeff Workman wrote:
 I used to work for a very small (~10k dialup customer) ISP, and at the time 
 our abuse policy was "if somebody complains, and you can find *something* 
 in the logs, then lock the account."  Then I went to work for a so-called 
 Tier-1 and learned in short order that this policy does not scale, 
 especially when abusive customers with DS3s are waving around fully loaded 
 lawyers.

It does not scale if you have people reading every single mail that
comes in, with no pre-parsing, sorting, etc.
It scales up to a point when you take steps to sort what is coming in,
take active steps to block abuse leaving your network, and implement
methods to detect it on your network before people complain.

-- 
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)


TTY phone fraud and abuse

2004-04-10 Thread Sean Donelan

On Sat, 10 Apr 2004, Scott Call wrote:
 While both the Telco and ISP are communications services, they are
 completely different beasts in the abuse department (as well as support,
 provisioning, billing, etc)

http://www.dailystar.com/dailystar/dailystar/17393.php
  Overseas scam artists have hijacked a telephone relay system for deaf
  people and turned phone operators in Tucson and nationwide into
  full-time facilitators of fraud.

  Operators at Tucson's Communication Service for the Deaf call center
  used to spend their shifts helping hearing- and speech-impaired
  Americans make calls. But since January their workdays are dominated by
  Internet calls from Nigeria and elsewhere.

  The callers try to use stolen credit-card numbers to make big purchases
  of merchandise from American companies. The operators often suspect
  fraud, but they can't just hang up. Federal rules require them to make
  the calls and keep the contents strictly confidential.
[...]
  Spokesmen for Sprint, AT&T and Hamilton Telecommunications said the
  companies are aware of the fraudulent use of their services. But they
  said it's impossible to know what percentage of their Internet-relay
  calls are fraudulent, because the calls are confidential.

  They said they're working with the FCC to resolve the problem.

  "We're watching it, we're monitoring it, but privacy is key, and no
  records are kept," said Roberto Cruz, a spokesman for AT&T.