
SANS ISC: Another day in the life - Padobot, ports 5000, 135, 445 - SANS Internet Storm Center


Another day in the life - Padobot, ports 5000, 135, 445
Overall, it has been a fairly quiet day for the Internet at large: just the "normal" elevated background noise and another MS worm-du-jour.

Another worm hit the streets exploiting the known Windows LSASS
vulnerability. Kaspersky Labs calls this one Padobot, with both an "a" and "b" signature. Details are at:
http://www.viruslist.com/eng/viruslist.html?id=1562410

The LSASS vulnerability is discussed in numerous Handlers Diaries, as well as Microsoft Security Bulletin MS04-011:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Possibly as a result, some have reported a very steep rise in port 5000 SYN scans. Upon closer examination, it looks like port 5000 (PnP) is being used to locate Windows hosts, after which connection attempts are made to ports 135 or 445. Here's a sample trace:

2004/05/25 11:23:02.222515 IP 200.21.67.104.3689 > target.net.126.5000: S win 16384
2004/05/25 11:23:02.228521 IP target.net.126.5000 > 200.21.67.104.3689: S ack 1444642199 win 5840
2004/05/25 11:23:02.691561 IP 200.21.67.104.3689 > target.net.126.5000: . ack win 17520
2004/05/25 11:23:02.703911 IP 200.21.67.104.3689 > target.net.126.5000: F ack win 17520
2004/05/25 11:23:02.708177 IP 200.21.67.104.3730 > target.net.126.445: S win 16384
2004/05/25 11:23:02.710557 IP target.net.126.5000 > 200.21.67.104.3689: . ack 0 win 5840
2004/05/25 11:23:03.146508 IP target.net.126.5000 > 200.21.67.104.3689: P ack win 5840
2004/05/25 11:23:03.187780 IP target.net.126.5000 > 200.21.67.104.3689: F ack win 5840
2004/05/25 11:23:03.576007 IP 200.21.67.104.3689 > target.net.126.5000: R win 0
2004/05/25 11:23:03.626723 IP 200.21.67.104.3689 > target.net.126.5000: R win 0
2004/05/25 11:23:05.445877 IP 200.21.67.104.3939 > target.net.126.135: S win 16384
2004/05/25 11:23:07.970316 IP 200.21.67.104.3939 > target.net.126.135: S win 16384
2004/05/25 11:23:12.237244 IP 200.21.67.104.4619 > target.net.126.445: S win 16384
2004/05/25 11:23:14.512929 IP 200.21.67.104.4895 > target.net.126.135: S win 16384
2004/05/25 11:23:17.374700 IP 200.21.67.104.4895 > target.net.126.135: S win 16384
2004/05/25 11:23:21.796316 IP 200.21.67.104.3655 > target.net.126.445: S win 16384
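The pattern in the trace above (a bare SYN to port 5000 from a source, followed shortly by bare SYNs from the same source to 135 or 445 on the same target) is easy to pull out of tcpdump output mechanically. The following is an added detection example, not code from the diary or from the ISC: it parses lines in the same tcpdump format as the trace, correlates probe-then-follow-up connection attempts per source/target pair within a time window, and reports which sources exhibit the behaviour and against how many targets. The sample trace, the TEST-NET addresses in it, and the 60-second window are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Matches the tcpdump line shape used in the diary:
#   <date> <time> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>
LINE_RE = re.compile(
    r'^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): '
    r'(?P<flags>[SFRP.]+)(?P<rest>.*)$'
)

PROBE_PORT = 5000           # PnP port used to locate Windows hosts
FOLLOWUP_PORTS = {135, 445}  # ports the LSASS-exploiting connection attempts go to


def parse_line(line):
    """Parse one tcpdump line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m['date'] + ' ' + m['time'], '%Y/%m/%d %H:%M:%S.%f')
    # A bare "S" with no trailing "ack" is a new connection attempt; "S ack" is
    # the target's SYN/ACK reply and must not be treated as a probe.
    syn_only = m['flags'] == 'S' and not m['rest'].lstrip().startswith('ack')
    return {'ts': ts, 'src': m['src'], 'sport': int(m['sport']),
            'dst': m['dst'], 'dport': int(m['dport']), 'syn_only': syn_only}


def find_probe_then_attack(lines, window=timedelta(seconds=60)):
    """Return (src, dst, followup_port, delay_seconds) for each source that sends a
    bare SYN to port 5000 and then, within `window`, a bare SYN to 135 or 445 on the
    same target. Retransmitted follow-ups are reported once per (src, dst, port)."""
    last_probe = {}   # (src, dst) -> timestamp of most recent port-5000 SYN
    seen = set()
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not pkt['syn_only']:
            continue
        key = (pkt['src'], pkt['dst'])
        if pkt['dport'] == PROBE_PORT:
            last_probe[key] = pkt['ts']
        elif pkt['dport'] in FOLLOWUP_PORTS and key in last_probe:
            delay = pkt['ts'] - last_probe[key]
            triple = (pkt['src'], pkt['dst'], pkt['dport'])
            if timedelta(0) <= delay <= window and triple not in seen:
                seen.add(triple)
                hits.append(triple + (round(delay.total_seconds(), 3),))
    return hits


def sources_by_target_count(hits):
    """Summarise hits as {source: number of distinct targets it probed then attacked}."""
    targets = {}
    for src, dst, _port, _delay in hits:
        targets.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


# Constructed sample trace (TEST-NET addresses) modelled on the diary's capture:
# one scanner probes two targets and follows up on 135/445, one unrelated host
# hits 445 without a probe, and one late follow-up falls outside the window.
SAMPLE = """\
2004/05/25 11:23:02.222515 IP 192.0.2.10.3689 > 198.51.100.26.5000: S win 16384
2004/05/25 11:23:02.228521 IP 198.51.100.26.5000 > 192.0.2.10.3689: S ack 1444642199 win 5840
2004/05/25 11:23:02.691561 IP 192.0.2.10.3689 > 198.51.100.26.5000: . ack win 17520
2004/05/25 11:23:02.708177 IP 192.0.2.10.3730 > 198.51.100.26.445: S win 16384
2004/05/25 11:23:05.445877 IP 192.0.2.10.3939 > 198.51.100.26.135: S win 16384
2004/05/25 11:23:07.970316 IP 192.0.2.10.3939 > 198.51.100.26.135: S win 16384
2004/05/25 11:23:09.000000 IP 192.0.2.10.4001 > 198.51.100.27.5000: S win 16384
2004/05/25 11:23:09.500000 IP 192.0.2.10.4002 > 198.51.100.27.445: S win 16384
2004/05/25 11:24:00.000000 IP 192.0.2.77.1025 > 198.51.100.26.445: S win 65535
2004/05/25 11:30:00.000000 IP 192.0.2.10.4100 > 198.51.100.27.135: S win 16384
"""

if __name__ == '__main__':
    found = find_probe_then_attack(SAMPLE.splitlines())
    for src, dst, port, delay in found:
        print(f'{src} probed {dst}:5000 then tried {port} after {delay}s')
    print(sources_by_target_count(found))
```

The correlation key is the (source, target) pair rather than the source alone, so a host that legitimately talks SMB to one server is not flagged just because some other machine scanned port 5000. Feeding real tcpdump output through `find_probe_then_attack` and then thresholding `sources_by_target_count` on the number of distinct targets separates a scanning worm from a single stray connection.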

A graph of the port 5000 activity against two different networks is at: http://people.ists.dartmouth.edu/~gbakos/port5000.png

This seems to have quickly run its course, as the graph indicates a steep climb, then an equally rapid trail-off. No doubt the vast majority of the LSASS pickin's have been had by Sasser and its variants.

George Bakos
gbakos <at> ists.dartmouth.edu