Increase in ICMP scans

Published: 2003-08-18
Last Updated: 2003-08-18 18:46:52 UTC
by Handlers (Version: 1)
0 comment(s)
Over the last few hours, sensors detected a remarkable increase in ICMP
traffic. At this point, we assume that the traffic is linked to the
'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm
The worm is also known as 'Welchia' (
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html )
While the investigation is still in progress, we did identify so far the following characteristics:

- some of the traffic is spoofed

- the data content is all '170' (0xAA)

- ICMP echo requests (type 8, code 0)
Source-Target correlation fingerprints
ICMP Data: http://isc.sans.org/images/icmpfp.png

all Data: http://isc.sans.org/images/allfp.png
port 135: http://isc.sans.org/images/port135fp.png
Sample Packet
(target IP obfuscated)

0x0000 4500 005c 2dc8 0000 7901 66a6 4349 919e E..\-...y.f.CI..
0x0010 xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa ......3...m.....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............


Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".

Keywords:
0 comment(s)

Comments


Diary Archives