Re: Anyone know this tool?

Danny,

>From <http://www.cert.org/advisories/CA-2001-26.html>:

The selection of potential target IP addresses follows these rough probabilities:

50% of the time, an address with the same first two octets will be chosen 
25% of the time, an address with the same first octet will be chosen 
25% of the time, a random address will be chosen 

So some netblocks will be more likely to see larger quantities of Nimda than others, based on how bad the infestation is among your "neighbors". However, due to the random scanning 25% of the time, everyone is targeted eventually.

If you've made some network changes (new ISP, new IP range, etc.) or are monitoring a new segment, you may be seeing more Nimda traffic, and perhaps you're noticing patterns that went undetected before.

There have been instances of scanners written specifically to emulate Nimda in an attempt to escape detection, based on the assumption that analysts have become used to seeing such traffic and disregard it. This was discovered because active fingerprinting of the sources showed a *nix based OS rather than Microsoft.

Passive fingerprinting might help determine if this is genuine Nimda traffic, but we'd need full packet logs for that. The timestamps were in line with what you'd expect from Nimda.

However, if the source is in the same /8 or /16 as the destination, I'd say it's likely Nimda.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
falciola@us.ibm.com

Danny <danny@eboundary.com>
07/29/2003 01:10 PM  

        To:     Jason Falciola/Sterling Forest/IBM@IBMUS
        cc:     incidents@securityfocus.com
        Subject:        Re: Anyone know this tool?

hrm ok, I'm going to crawl back into my hole now :)

I'm kind of confused as to why i haven't see any of these patterns before the last 2 days though, Oh well.

Thanks guys.