ISC Diary

Use Discount Code SANSFIREISC10 when registering to get a 10% discount!!

Increase in ICMP scans

Published: 2003-08-18,
Last Updated: 2003-08-18 18:46:52 UTC
by Handlers (Version: 1)

Over the last few hours, sensors detected a remarkable increase in ICMP
traffic. At this point, we assume that the traffic is linked to the
'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm
The worm is also known as 'Welchia' (
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html )
While the investigation is still in progress, we did identify so far the following characteristics:

- some of the traffic is spoofed

- the data content is all '170' (0xAA)

- ICMP echo requests (type 8, code 0)
Source-Target correlation fingerprints
ICMP Data: http://isc.sans.org/images/icmpfp.png

all Data: http://isc.sans.org/images/allfp.png
port 135: http://isc.sans.org/images/port135fp.png
Sample Packet
(target IP obfuscated)



0x0000   4500 005c 2dc8 0000 7901 66a6 4349 919e        E..\-...y.f.CI..

0x0010   xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa        ......3...m.....

0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................

0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................

0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................

0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............

Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".

Keywords:

0 comment(s)

Top of page