Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: MS06-040 Worm SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MS06-040 Worm
For the past several days, the Handlers here at ISC have received all kinds of emails about the recent increase in scanning on port 139, as noted by fellow handler Lorna, the other day, yes there was definitely something going on, but we haven't seen any c0de.

Well,  guess what.  One of loyal readers out there on the 'Information SuperHighway', Alex Pettinger, wrote and and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm, (as well as a nice copy of it).  It appears, in typical antivirus fashion to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it, "W32/Vanebot-A", and Symantec is calling it, "W32.Randex.GEL".  (Yes, it's been out for a couple days)

Let's take a look at this bad boy shall we?  How does it spread..  well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.

This one should be relatively easy to catch, look for machines pounding away over port 139 (from reader submissions it's about 150 machines in just a few seconds, so it should be noisy), look for connections via IRC to "forum.ednet.es" over port 4915.  (Until the next variant changes it, and we know it will).  It has the ability to do a bunch of things including spreading to network shares..

Prevention, as always, (and it should have been done for years now), block 139 and 445 at the router/firewall.  Netbios traffic shouldn't be allowed to exit or enter your network from egress points anyway. 

Update your antivirus.  At least daily.

Patch.  You know the deal by now.

Now, since cleaning botnets, is.. pretty much impossible, prevention is the key.  If you DO get hit with a botnet infection running throughout your network, my general recommendation is..  rebuild the box.  Now, I know that sounds drastic to some of you, but it gets rid of the worm, gets rid of the botnet, and plus you have a brand new box!  So, maintain those images, keep your antivirus up to date, patch your boxes, and make sure your IDS/IPS is up to date.
Joel

454 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!