UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Johannes B. Ullrich
Looks like there may be a worm going around hitting systems that run
BlackIce. Common characteristics of the packets: source port 4000 (but
random target port) and the string "insert witty message here".

Details will be posted here:
http://isc.sans.org/diary.html
as I get them together.


-- 
CTO SANS Internet Storm Center   http://isc.sans.org
phone: (617) 837 2807  [EMAIL PROTECTED] 

contact details: http://johannes.homepc.org/contact.htm


signature.asc
Description: This is a digitally signed message part
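A defender-side check for the two characteristics listed in this post, added here as an illustration and not part of the original message or of any ISC or DShield tooling: it parses raw IPv4/UDP datagrams and flags those with source port 4000 whose payload contains the marker string, without looking at the destination port (which the post says is random). The packets, addresses and filler bytes are constructed for the example; `build_ipv4_udp` exists only to produce test input and leaves checksums at zero.

```python
import socket
import struct
from dataclasses import dataclass

WITTY_SRC_PORT = 4000
WITTY_MARKER = b"insert witty message here"


@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_udp(raw: bytes):
    """Parse a raw IPv4 packet and return a UdpDatagram, or None if it is not IPv4/UDP."""
    if len(raw) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17 or ihl < 20 or len(raw) < ihl + 8:
        return None
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + max(udp_len, 8)]
    return UdpDatagram(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload)


def is_witty(dgram):
    """True when the datagram shows both characteristics from the post:
    UDP source port 4000 and the marker string anywhere in the payload.
    The destination port is deliberately not checked (the post says it is random)."""
    return (dgram is not None
            and dgram.sport == WITTY_SRC_PORT
            and WITTY_MARKER in dgram.payload)


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP packet as constructed test input (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


# Constructed sample traffic (documentation addresses, filler bytes), not a capture.
SAMPLE_PACKETS = [
    build_ipv4_udp("192.0.2.5", "198.51.100.7", 4000, 23456, b"\x00" * 16 + WITTY_MARKER + b"\x41" * 8),
    build_ipv4_udp("192.0.2.9", "198.51.100.8", 4000, 61000, b"\x41" * 8 + WITTY_MARKER),
    build_ipv4_udp("192.0.2.20", "198.51.100.7", 4000, 53, b"not the worm"),   # source port alone is not enough
    build_ipv4_udp("192.0.2.21", "198.51.100.7", 1030, 1026, b"\x00\x00"),     # unrelated two-byte UDP probe
    b"\x60" + b"\x00" * 39,                                                     # IPv6 header: ignored
]


def find_witty_sources(packets):
    """Return (src, dst, dport) for every datagram matching the signature, in input order."""
    hits = []
    for raw in packets:
        dgram = parse_ipv4_udp(raw)
        if is_witty(dgram):
            hits.append((dgram.src, dgram.dst, dgram.dport))
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_witty_sources(SAMPLE_PACKETS):
        print(f"Witty-like datagram {src}:{WITTY_SRC_PORT} -> {dst}:{dport}")
```

Because the target port is random, a rule keyed on destination port would miss this traffic; matching on the fixed source port together with the payload string is what separates it from ordinary UDP noise.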


popupad spam wrapup.

2003-12-04 Thread Johannes B. Ullrich
Thanks to everyone on this list who helped track this down!
We just published a (hopefully more or less final) "Diary" on
this topic at http://isc.sans.org/diary.html (see below for text).

As it turns out, at least one particular version of the software
distributed by PopAdStop.com did include a Trojan component sending
out popup spam.

-
For over a week, we had been tracking an increase in port 1026-1031
UDP traffic. More detailed investigation revealed a component in this
traffic with the following characteristics:

(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) The scans came from valid IPs, and the source port did not appear
    to be crafted.

This is different from most popup spam sent to this port. Most popup
spam is sent by only a small number of sources and usually uses a fixed
source port.

While popup spam in itself is not any more dangerous than e-mail
spam, and more of an annoyance, the large number of sources hinted at
the fact that it is likely sent from unsuspecting exploited systems
("Zombies").

   The connection with popup spam was made later, by allowing a honeypot
to respond to the two byte probe. The result was an ad sent by the
probing host.

PACKET DUMP (IP Addresses are obfuscated)

11:57:11.361783 IP w.x.y.z.1974 > a.b.c.d.1030: udp 2
0x0000   4500 001e c33d  6a11 8094 wwxx yyzz
0x0010   aabb ccdd 07b6 0406 000a e720
0x0020
11:57:11.363913 IP 129.170.248.252.1030 > w.x.y.z.1974: udp 84
0x0000   4500 0070 0169  8011 2c17 aabb ccdd
0x0010   wwxx yyzz 0406 07b6 005c aa23 0406
0x0020   1000
0x0030
0x0040
0x0050     52f7 c93f
0x0060      0400   0800 001c
11:57:11.477413 IP w.x.y.z.1975 > 129.170.248.252.1026: udp 519
0x0000   4500 0223 c350  6a11 7e7c wwxx yyzz
0x0010   aabb ccdd 07b7 0402 020f 43b2 0400 0800
0x0020   1000
0x0030     f891 7b5a 00ff d011 a9b2 00c0
0x0040   4fb6 e6fc 82f5 b0ec e32c 41ec 173c 5a07

http://www.neweststuff.com/versinfo.dat .
Recent versions of the application do not show any further outbound
traffic.

However, earlier versions of the application did start to send the
typical two zero bytes and popup spam. The following trace from an
infected system was made available to us:

1. connection to popadstop.com, port 80 (http)

e.f.g.h 066.225.219.162 6 1485 80 88472 4249 17:27:21.5791
e.f.g.h 066.225.219.162 6 1486 80 15401 1203 17:27:27.9025
e.f.g.h 066.225.219.162 6 1489 80 4802 1159 17:28:16.9154
e.f.g.h 066.225.219.162 6 1490 80 1331056 25025 17:28:41.2205 
e.f.g.h 066.225.219.162 6 1491 80 824 408 17:29:20.3522

2. connection to neweststuff.com, port 80 (http)

e.f.g.h 216.058.174.211 6 1492 80 746 410 17:29:20.4347
(snip one min)

3. scanning for port 1026-1030

e.f.g.h x.x.x.x 17 1528 1026 0 44 17:30:20.0967
e.f.g.h x.x.x.x 17 1529 1030 0 44 17:30:20.0979 
e.f.g.h y.y.y.y 17 1528 1026 0 44 17:30:20.1787 
e.f.g.h y.y.y.y 17 1529 1030 0 44 17:30:20.1790 

Summary
---

An earlier version of the software distributed by
PopAdStuff did actively scan and send popup spam
from unsuspecting users' systems.

-- 
CTO SANS Internet Storm Center   http://isc.sans.org
phone: (617) 786 1563
  fax: (617) 786 1550  [EMAIL PROTECTED]

port 1026-1031 traffic

2003-12-01 Thread Johannes B. Ullrich

Well, for the last week there has been an odd increase in port
1026-1031 traffic. While everything points to popup spam, there
are a few issues that are 'odd':

- increase in sources that cause this traffic.
- "natural" source ports vs. crafted source port which is typical
  for popup spam
- 2-byte '00 00' payload

(more details: http://isc.sans.org/diary.html )

As it very much looks like the origin is compromised
Windows systems (some appear to be behind NAT routers), I posted
a list with IPs at
http://feeds.dshield.org/port1026.dat

The list is sorted by IP. If any of these systems live on your network,
your help in tracking down the root cause of all this traffic is
appreciated. It's (not yet) a big deal. But maybe it's one of the few
times we can stay ahead of the problem. Also, at this point it shouldn't
be too hard to track these systems (it's only about 5,000 unique sources).

The columns of the data file:
- ip address
- first time seen on this day (GMT)
- last time seen on this day (GMT)
- number of packets detected
- date

The filter applied to the list:
- the hosts sent traffic to port 1026-1031
- the source port was not 666 or 4177
- it happened today or yesterday (today: Dec. 2nd).

-- 
CTO SANS Internet Storm Center   http://isc.sans.org
phone: (617) 786 1563
  fax: (617) 786 1550  [EMAIL PROTECTED]

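This post and the popup-spam diary earlier on the page describe the same traffic. The following Python is added as an example (not DShield's own code or data format): it applies the filter listed above to packet records, emits the five columns of the data file sorted numerically by IP, and separately counts how many of the filtered packets carry the two-zero-byte probe the diary describes. The `Record` schema, the addresses, times and payloads are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

POPUP_PORTS = range(1026, 1032)      # UDP 1026-1031 inclusive
CRAFTED_SRC_PORTS = {666, 4177}      # fixed source ports the post excludes as ordinary popup spam
PROBE_PAYLOAD = b"\x00\x00"          # the two-zero-byte probe described in the diary


@dataclass(frozen=True)
class Record:
    """One observed packet (constructed schema for this example, not the DShield submission format)."""
    date: str        # YYYY-MM-DD, GMT
    time: str        # HH:MM:SS, GMT
    src_ip: str
    src_port: int
    dst_port: int
    proto: str       # "udp" or "tcp"
    payload: bytes


def is_probe_candidate(rec, today, yesterday):
    """The filter from the post: UDP to 1026-1031, source port not 666/4177, seen today or yesterday."""
    return (rec.proto == "udp"
            and rec.dst_port in POPUP_PORTS
            and rec.src_port not in CRAFTED_SRC_PORTS
            and rec.date in (today, yesterday))


def _ip_key(ip):
    """Numeric sort key so 10.x sorts before 198.x; the post says the list is sorted by IP."""
    return tuple(int(octet) for octet in ip.split("."))


def summarize_sources(records, today, yesterday):
    """Rows in the post's column order: ip, first seen, last seen, packets, date.
    One row per (ip, date), sorted by IP then date."""
    buckets = defaultdict(list)
    for rec in records:
        if is_probe_candidate(rec, today, yesterday):
            buckets[(rec.src_ip, rec.date)].append(rec.time)
    rows = [(ip, min(times), max(times), len(times), date)
            for (ip, date), times in buckets.items()]
    rows.sort(key=lambda row: (_ip_key(row[0]), row[4]))
    return rows


def count_zero_probes(records, today, yesterday):
    """How many of the filtered packets carry exactly the two-zero-byte payload."""
    return sum(1 for rec in records
               if is_probe_candidate(rec, today, yesterday) and rec.payload == PROBE_PAYLOAD)


# Constructed sample records (documentation/private addresses), not observed traffic.
SAMPLE_RECORDS = [
    Record("2003-12-02", "10:00:01", "198.51.100.7", 1528, 1026, "udp", PROBE_PAYLOAD),
    Record("2003-12-02", "10:00:01", "198.51.100.7", 1529, 1030, "udp", PROBE_PAYLOAD),
    Record("2003-12-01", "23:59:50", "198.51.100.7", 1600, 1027, "udp", PROBE_PAYLOAD),
    Record("2003-12-02", "12:30:00", "10.3.2.1",     2000, 1031, "udp", PROBE_PAYLOAD),
    Record("2003-12-02", "11:15:00", "192.0.2.44",    666, 1026, "udp", b"ad text"),     # crafted source port
    Record("2003-12-02", "11:16:00", "192.0.2.45",   4177, 1027, "udp", b"ad text"),     # crafted source port
    Record("2003-11-30", "09:00:00", "203.0.113.9",  1700, 1028, "udp", PROBE_PAYLOAD),  # too old
    Record("2003-12-02", "12:00:00", "203.0.113.9",  1701, 1025, "udp", PROBE_PAYLOAD),  # wrong port
    Record("2003-12-02", "12:00:00", "203.0.113.9",  1702, 1031, "tcp", b""),            # wrong protocol
]


if __name__ == "__main__":
    today, yesterday = "2003-12-02", "2003-12-01"
    for ip, first, last, packets, date in summarize_sources(SAMPLE_RECORDS, today, yesterday):
        print(f"{ip}\t{first}\t{last}\t{packets}\t{date}")
    print("two-zero-byte probes:", count_zero_probes(SAMPLE_RECORDS, today, yesterday))
```

The source-port exclusion is what keeps the list focused on the "natural" source ports the diary flagged as unusual; a host that only ever sends from 666 or 4177 never appears, however many packets it sends.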
DShield reports by AS for 'Blaster' and other issues

2003-08-29 Thread Johannes B. Ullrich

I set up a 'real time' report by AS to assist networks
in finding infected systems. The URL:

http://www.dshield.org/asreport.php

  This report is intended for automated parsing, so it comes as a simple
tab delimited table with brief 'usage' header. You can filter by target
port, protocol and AS. The AS number is required.

  The AS lookup is somewhat experimental. So feedback is appreciated.

-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich

> What about timing?  What about breaking up
> segments of the network to be scanned by different hosts?

It's really a matter of getting a sizable 'line mine net' up. With
dshield, I hope to ultimately have a couple in each AS, probably with
some local aggregation.

The trick is that you use other people's line mines. It doesn't help you
to use your own. Scan & exploit often come in one package so by the time
you figure out you are scanned, you probably already lost a few hosts.
The trick with distributed (or 'collaborative' as I think it is better
called) intrusion detection is that whoever gets scanned first tells
everyone else.

Also: This has to be automated. Because whoever gets hit first is
probably too busy cleaning up to worry about posting all the gory
details on this or any other list.


> How many
> hits on the linemines constitute blocking?  Are you blocking hosts or
> networks?  

Up to you... Setting too much of a policy would make the system
predictable and vulnerable. (attacker knows: only scan 99 hosts from
each zombie...)

> Either way, what about dynamic ips?  

Blocking a network will take care of them. Other than that: for a
DSL/cable line the IP will not change much, and for a dialup line they
would have to hang up & dial a lot to get a good IP distribution.

> What about scans done
> from different networks other than that which the supposed attacker is
> originating from.  

Well, then these networks are marked as "attackers", which is ok. They
can clean up their systems and enjoy full access again.

> It's universities, unsecured wireless lans, etc.

Same thing: if you run an unsecured wireless network, maybe you
shouldn't have given it access to the net in the first place.


Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich


> > Even more, I would hate to see the advocation of a hostile reaction to 
> > what, so far, is not considered a crime.

I agree. Scanning is no crime. But blocking isn't a crime either.

Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich

Sorry, getting confused by my own tricky URL schemes:

http://feeds.dshield.org/block.txt


On Wed, 2002-05-15 at 17:13, Dan Hollis wrote:
> 
> On 15 May 2002, Johannes B. Ullrich wrote:
> > See http://www.dshield.org/block.txt ;-). We are about 24hrs away from
> > getting a BGP test feed up.
> 
> Error
>   
>Sorry, the page could not be found.
> 
>Click HERE to return to the DShield.org homepage. 
> 
> -Dan
> -- 
> [-] Omae no subete no kichi wa ore no mono da. [-]
> 
> 

Re: New SubSeven outbreak?

2002-05-12 Thread Johannes B. Ullrich

> I have seen 6 portscans looking for SubSeven on a /24 in the past 24 hours. 
> It'd been a while since I had seen *any*, now I'm seeing all these.  Is 
> this a new outbreak/vulnerability, or have I just been lucky?  Has anybody 
> else seen an increase in scans on tcp port 27374?

There are a number of IRC controlled bots that will allow
scanning of subnets for Sub7. So you will see occasional
flareups of Sub7 scans as they happen to focus on your
network. Try to connect to some of the cable modems in 24/8
and you will see more of that.

I should still have a little perl honeypot around that you can use
to find out what they try to install on sub7 infected machines.

-- 
---
[EMAIL PROTECTED]    Join http://www.DShield.org
    Distributed Intrusion Detection System

Re: anybody else been spammed by "no-ip.com" yet?

2002-05-04 Thread Johannes B. Ullrich

> First, nobody wants to pay $.02 to email grandma. They will pick up the
> phone instead. Second, nobody will send any emails that they don't have
> to, period. This will just drive Internet users away because of the cost
> rather than being driven away because of spam.

Sounds a bit like www.vanqish.com . But other than that, how
would it work for mailing lists like this one?

-- 
---
[EMAIL PROTECTED]    Join http://www.DShield.org
    Distributed Intrusion Detection System

Re: anybody else been spammed by "no-ip.com" yet?

2002-05-03 Thread Johannes B. Ullrich

No spam. But I just took apart an IRC controlled botnet
that used their service.
(The trojan was a basic 'floodnet' binary and was distributed
via email... )

-- 
---
[EMAIL PROTECTED]    Join http://www.DShield.org
    Distributed Intrusion Detection System

RE: CIA Warns of Chinese Plans for Cyber-Attacks on U.S.

2002-04-26 Thread Johannes B. Ullrich

First of all: Does it matter if the Chinese Govt' is launching the attack
or the kid next door?

Personally, I would think if the Chinese Govt' has any sense at all, they
surely look into cyberwar. Which respectable government doesn't ?

In my opinion the real problem/story is the appalling state of internet
security. I am running DShield.org and regularly try to talk to people
that show up as 'top attackers' in our list personally on the phone.
Just a quote from a guy that identified himself as "MIS Department" for a
public interest group (from memory, not word for word):

Me: "I think your PC with the IP address xxx.xxx.xxx.xxx is infected
 with the Nimda virus and also used as an IRC proxy"
MIS-Dept: "Are there any more numbers to an IP address or is this it?"

(later he kind of suspected that his boss's desktop may be infected. 
 It is still scanning nicely so far.)

Other identified Nimda infections included a little mortgage broker/bank
and an office from a large tax preparation company.

And that's just Nimda, which is pretty much 'in your face' as it scans
quite actively. Don't get me started on all the home PCs used for botnets,
IRC proxies or whatever the backdoor du jour is.

I don't think a government effort will change anything. Somehow,
the 'net' has to find a mechanism to deal with this. The problem is
way too international. I am experimenting with a 'block list'
lately of netblocks that are very active scanners. 
(if anybody is interested: http://feeds.dshield.org/block.txt).
It kind of shows the problem. Next to the all-time favorite CN networks,
there is your usual mix of AT&T Broadband, Chello NL, and two
German universities.

Anyway... How many systems are 'backdoored' at any time?
My personal guess is 1 out of 1000. Maybe 5000.

(and that's before I had my coffee).

-- 
---
[EMAIL PROTECTED]    Join http://www.DShield.org
    Distributed Intrusion Detection System