Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm

The worm is also known as 'Welchia': http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

While the investigation is still in progress, we have so far identified the following characteristics:
- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)

Source-Target correlation fingerprints:
ICMP Data: http://isc.sans.org/images/icmpfp.png
All Data: http://isc.sans.org/images/allfp.png
Port 135: http://isc.sans.org/images/port135fp.png

Sample Packet (target IP obfuscated)
Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".
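As an added illustration (not part of the original diary), the following Python builds a constructed ICMP echo request whose payload is all 0xAA, parses it back from the IPv4 layer, and applies the fingerprint described above (type 8, code 0, payload entirely 0xAA). The packets, addresses and function names are constructed for this example; real captures would be read from a sensor or pcap instead.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(payload: bytes, ident: int = 0x0200, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0) with the given payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal IPv4 header (no options, header checksum left zero) + ICMP body."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b)
    return hdr + icmp

def parse_ipv4_icmp(packet: bytes):
    """Return src, ICMP type/code/id/seq and payload, or None if not IPv4 ICMP."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": ".".join(str(b) for b in packet[12:16]),
            "type": itype, "code": icode, "id": ident, "seq": seq,
            "payload": icmp[8:]}

def matches_welchia_ping(pkt) -> bool:
    """Echo request whose entire (non-empty) payload is 0xAA, as described above."""
    return (pkt is not None and pkt["type"] == 8 and pkt["code"] == 0
            and len(pkt["payload"]) > 0 and set(pkt["payload"]) == {0xAA})

# Constructed samples (documentation-range addresses, not real hosts).
WELCHIA_LIKE = build_ipv4("192.0.2.10", "198.51.100.7", build_icmp_echo(b"\xaa" * 64))
NORMAL_PING = build_ipv4("192.0.2.11", "198.51.100.7", build_icmp_echo(bytes(range(64))))

if __name__ == "__main__":
    for name, pkt in (("welchia-like", WELCHIA_LIKE), ("normal ping", NORMAL_PING)):
        p = parse_ipv4_icmp(pkt)
        print(name, p["src"], "ALERT" if matches_welchia_ping(p) else "ok")
```

Because some of the source addresses are spoofed, the source field should be treated as a correlation hint rather than an identification of the infected host.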
Handlers, Aug 18th 2003