What I've got so far is that the 7654 IRC connection is typical of the "SDBot" family of malware.

The number of infections has stabilized -- only one new infected machine in the last three hours. That strongly suggests that machines with up to date patches and/or antivirus and/or non-blank passwords are probably immune, which argues against the 0day hypothesis.

Dave

> -----Original Message-----
> From: Olivier Meyer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 13, 2006 2:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RE: Worm attack on our network this morning -- anyone else see this?
>
> Did you identify the backdoor used?
>
>
> On 12/13/06, David Gillett <[EMAIL PROTECTED]> wrote:
> > I neglected to mention that the "phone home" destinations are all
> > in the 86.x.x.x range.
> >
> > Dave
> >
> > > -----Original Message-----
> > > From: David Gillett [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, December 13, 2006 1:05 PM
> > > To: '[email protected]'
> > > Subject: Worm attack on our network this morning -- anyone else see this?
> > >
> > > Late Monday afternoon, I noticed that a machine was scanning random addresses across both campuses using port 135 (DCE). I blocked the port and tracked the machine to the support area, where one of the techs was reformatting a laptop.
> > > Late Tuesday afternoon, I noticed similar traffic from another machine, and blocked that port.
> > >
> > > This morning, that second machine showed up somewhere else on campus, and similar traffic was flooding from 22 additional machines, 19 at the big campus and 3 at the other -- most appear to also be laptops.
> > >
> > > In addition to spreading via port 135, I've also seen:
> > >
> > > 1. At least one machine eventually started similar scanning on port 445 (CIFS).
> > >
> > > 2. These machines all try to "phone home" to port 7654 of a remote machine. I've got that blocked now, but one succeeded and appeared to be talking IRC over that port, reporting a "successful file download" to/from an additional machine which (so far) doesn't appear to have been trying to spread the infection further.
> > >
> > > I've got the "phone home" traffic blocked, and the known infected machines null-routed at the gateway, which *should* make it just about impossible for them to infect outside their own VLANs.
> > >
> > > The targets are all PCs, and most seem to be laptops. I'm thinking about this week's MS Office 0days, and maybe about recent wireless driver vulnerabilities, but this *could* be something older that walked in on a visiting laptop....
> > >
> > > David Gillett
------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------
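A detection sketch for the traffic pattern described in this thread, added here as an example and not code from any of the posts: it flags hosts that fan out on TCP 135/445 to many distinct destinations (the scanning behaviour) and any host connecting to TCP 7654 (the "phone home"), noting when the destination falls in the 86.x.x.x range mentioned above. The flow-record format, the fan-out threshold and the sample flows are constructed assumptions, not data from the incident.

```python
# Added example: classify outbound flow records against the two patterns from the thread:
# wide fan-out scanning on TCP 135/445, and "phone home" connections to TCP 7654.
# Flow records below are constructed sample data, not captures from the original incident.
import ipaddress
from collections import defaultdict

PHONE_HOME_PORT = 7654
SCAN_PORTS = {135, 445}
PHONE_HOME_NET = ipaddress.ip_network("86.0.0.0/8")  # the 86.x.x.x range named in the thread
FANOUT_THRESHOLD = 20  # distinct destinations per source on one scan port; assumed tuning value


def parse_flow(line):
    """Parse a constructed 'src_ip dst_ip dst_port' record into (src, dst, port)."""
    src, dst, port = line.split()
    return src, dst, int(port)


def classify(lines, fanout_threshold=FANOUT_THRESHOLD):
    """Return {src: set(reasons)} for hosts whose flows match a worm pattern."""
    fanout = defaultdict(lambda: defaultdict(set))  # src -> port -> {distinct dst}
    findings = defaultdict(set)
    for line in lines:
        src, dst, port = parse_flow(line)
        if port in SCAN_PORTS:
            fanout[src][port].add(dst)
        if port == PHONE_HOME_PORT:
            reason = "phone-home:7654"
            if ipaddress.ip_address(dst) in PHONE_HOME_NET:
                reason += " to 86/8"
            findings[src].add(reason)
    # A few RPC/CIFS connections are normal; a spray across many hosts is not.
    for src, ports in fanout.items():
        for port, dsts in ports.items():
            if len(dsts) >= fanout_threshold:
                findings[src].add(f"scan:{port} fanout={len(dsts)}")
    return dict(findings)


# Constructed sample: 10.1.1.5 sprays port 135 at 25 distinct hosts and phones home to 86/8;
# 10.1.1.9 makes two ordinary port-135 connections to internal servers.
SAMPLE_FLOWS = [f"10.1.1.5 192.168.{i}.{(i * 7) % 250 + 1} 135" for i in range(25)]
SAMPLE_FLOWS += ["10.1.1.5 86.12.34.56 7654", "10.1.1.9 10.0.0.10 135", "10.1.1.9 10.0.0.11 135"]

if __name__ == "__main__":
    for host, reasons in classify(SAMPLE_FLOWS).items():
        print(host, sorted(reasons))
```

Null-routing or blocking based on this output should be a human decision; the script only ranks candidates for a look at the host.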
