AW: UDP port 4000 traffic: likely a new worm

2004-03-22 Thread Florian Frotzler
I can acknowledge that we see the worm also in Europe/Austria. Today we had a customer with a Black Ice firewall flooding us with random 4000/udp traffic before we shut him down. Kind Regards, -- DI (FH) Florian Frotzler IT Planning eWave Telekommunikation GmbH A-1210 Wie

Re: UDP port 4000 traffic: likely a new worm

2004-03-21 Thread George Bakos
The number of immediately vulnerable hosts was rapidly depleted by the worm, given the launch was AFTER most businesses had shut down for the weekend. I'll venture that Black Ice, a commercial security product, is deployed much more widely on the corporate laptop than the home machine. I expect to

Re: UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Rodney Joffe
Unfortunately the vulnerability has proven to not be restricted to port 4000. Keep monitoring SANS :-(

-----Original Message-----
From: Josh Richards <[EMAIL PROTECTED]>
Date: Sat, 20 Mar 2004 13:50:30
To: [EMAIL PROTECTED]
Subject: Re: UDP port 4000 traffic: likely a new worm

The goo

Re: UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Scott Call
Has anyone figured out the collateral damage if 4000/udp were to be blocked for a couple of days? Since the exploit is in the ICQ code of ISS's products, does blocking 4000/udp block ICQ as well? Thanks -S -- Scott Call Router Geek, ATGi, home of $6.95 Prime Rib I make the world a better

Re: UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Josh Richards
The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours:

Time    Unique Source IPs
08:00   350
09:00   332
10:00   297
11:00   298
12:00   265

(all times

Re: UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Josh Richards
Confirmed. We had our first customer (colo) hit yesterday evening at 20:43 PST. Additionally, they experienced the hard drive corruption (which was added to the ISC diary entry within the last several hours). Traffic was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant 60 Mbi

UDP port 4000 traffic: likely a new worm

2004-03-20 Thread Johannes B. Ullrich
Looks like there may be a worm going around hitting systems that run BlackIce. Common characteristics of the packets: source port 4000 (but random target port) and the string "insert witty message here". Details will be posted here: http://isc.sans.org/diary.html as I get them together. -- CTO