UDP port 4000 traffic: likely a new worm
Looks like there may be a worm going around hitting systems that run BlackIce. Common characteristics of the packets: source port 4000 (but random target port) and the string "insert witty message here". Details will be posted here: http://isc.sans.org/diary.html as I get them together.

--
CTO SANS Internet Storm Center
http://isc.sans.org
phone: (617) 837 2807
jullrich@sans.org
contact details: http://johannes.homepc.org/contact.htm
Confirmed. We had our first customer (colo) hit yesterday evening at 20:43 PST. Additionally, they experienced the hard drive corruption (which was added to the ISC diary entry within the last several hours). Traffic was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant 60 Mbit/s before we took them off-line.

-jr

* Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:
> Looks like there may be a worm going around hitting systems that run BlackIce. Common characteristics of the packets: source port 4000 (but random target port) and the string "insert witty message here".
> Details will be posted here: http://isc.sans.org/diary.html as I get them together.

--
Josh Richards | Colocation Web Hosting Bandwidth
Digital West Networks | +1 805 781-9378 / www.digitalwest.net
San Luis Obispo, CA | AS14589 & AS29962
jrichard@digitalwest.net | DWNI - Making Internet Business Better
The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours:

Time   Unique Source IPs
08:00  350
09:00  332
10:00  297
11:00  298
12:00  265

(all times PST)

-jr

* Josh Richards <jrichard@digitalwest.net> [20040320 11:10]:
> Confirmed. We had our first customer (colo) hit yesterday evening at 20:43 PST. Additionally, they experienced the hard drive corruption (which was added to the ISC diary entry within the last several hours). Traffic was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant 60 Mbit/s before we took them off-line.
>
> -jr
>
> * Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:
> > Looks like there may be a worm going around hitting systems that run BlackIce. Common characteristics of the packets: source port 4000 (but random target port) and the string "insert witty message here".
> > Details will be posted here: http://isc.sans.org/diary.html as I get them together.
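An added example, not code from anyone in this thread: a small Python detector run over constructed packet records that matches the three characteristics Johannes listed (UDP, source port 4000, the fixed string in the payload) and then counts distinct source IPs per hour, the same view as Josh's flow table above. Matching on the payload string rather than on port 4000 alone keeps other port-4000 UDP traffic out of the count; every record below is constructed, and the record layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Traffic characteristics reported in the thread: UDP, source port 4000,
# random destination port, and this fixed string in the payload.
WITTY_MARKER = b"insert witty message here"
WITTY_SRC_PORT = 4000

# Constructed sample records, not captured traffic (layout is assumed):
# (timestamp, proto, src_ip, src_port, dst_ip, dst_port, payload)
SAMPLE_RECORDS = [
    ("2004-03-20 08:03:11", "udp", "192.0.2.10", 4000, "198.51.100.7", 31337,
     b"\x05\x00" + WITTY_MARKER + b"\x00"),
    ("2004-03-20 08:17:42", "udp", "192.0.2.11", 4000, "198.51.100.9", 2045,
     b"xx" + WITTY_MARKER),
    ("2004-03-20 08:40:05", "udp", "192.0.2.10", 4000, "198.51.100.3", 60001,
     WITTY_MARKER),                      # same source as the first record
    ("2004-03-20 09:02:19", "udp", "192.0.2.12", 4000, "198.51.100.7", 443,
     WITTY_MARKER + b"\xff"),
    ("2004-03-20 09:30:00", "udp", "192.0.2.20", 4000, "198.51.100.7", 4000,
     b"other port-4000 udp traffic"),    # no marker: not counted
    ("2004-03-20 09:45:00", "tcp", "192.0.2.13", 4000, "198.51.100.8", 80,
     WITTY_MARKER),                      # tcp, not udp: not counted
]


def is_witty_like(proto, src_port, payload):
    """True when a record matches all three reported characteristics."""
    return proto == "udp" and src_port == WITTY_SRC_PORT and WITTY_MARKER in payload


def unique_sources_per_hour(records):
    """Distinct source IPs sending Witty-like packets, bucketed per hour,
    in the same form as the flow table posted in the thread."""
    buckets = defaultdict(set)
    for ts, proto, src, sport, _dst, _dport, payload in records:
        if is_witty_like(proto, sport, payload):
            hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%H:00")
            buckets[hour].add(src)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


if __name__ == "__main__":
    print("Time   Unique Source IPs")
    for hour, count in unique_sources_per_hour(SAMPLE_RECORDS).items():
        print(f"{hour}  {count}")
```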
The number of immediately vulnerable hosts was rapidly depleted by the worm, given the launch was AFTER most business had shut down for the weekend. I'll venture that Black Ice, a commercial security product, is deployed much more widely on the corporate laptop than the home machine. I expect to see more than a slight bump in those numbers come Monday AM.

g

On Sat, 20 Mar 2004 13:50:30 -0800 Josh Richards <jrichard@digitalwest.net> wrote:
> The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours:
>
> Time   Unique Source IPs
> 08:00  350
> 09:00  332
> 10:00  297
> 11:00  298
> 12:00  265

--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos@ists.dartmouth.edu
603.646.0665 -voice
603.646.0666 -fax
pub 1024D/081ECB85 1999-04-09 George Bakos <gbakos@ists.dartmouth.edu>
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
I can acknowledge that we see the worm also in Europe/Austria. Today we had a customer with a Black Ice firewall flooding us with random 4000/udp traffic before we shut him down.

Kind Regards,

--
DI (FH) Florian Frotzler
IT Planning
eWave Telekommunikation GmbH
A-1210 Wien, Ignaz-Koeck-Strasse 1

From: George Bakos
> The number of immediately vulnerable hosts was rapidly depleted by the worm, given the launch was AFTER most business had shut down for the weekend. I'll venture that Black Ice, a commercial security product, is deployed much more widely on the corporate laptop than the home machine.
> I expect to see more than a slight bump in those numbers come Monday AM.
>
> g
>
> On Sat, 20 Mar 2004 13:50:30 -0800 Josh Richards <jrichard@digitalwest.net> wrote:
> > The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours:
> >
> > Time   Unique Source IPs
> > 08:00  350
> > 09:00  332
> > 10:00  297
> > 11:00  298
> > 12:00  265
Has anyone figured out the collateral damage if 4000/udp were to be blocked for a couple of days? Since the exploit is in the ICQ code of ISS's products, does blocking 4000/udp block ICQ as well?

Thanks
-S

--
Scott Call
Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814