I'm getting lots of odd ICMP traffic that looks pretty odd to me. They are all ping packets with a fairly strange payload:
000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
What makes me think this is a worm is that all the traffic is coming from other customers of my ISP, and the source IP addresses increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set of machines infected by a worm that increments the subnet (2nd octet) it targets. Although this doesn't really tally with the apparent lack of any bytecode in the payload, I figured it could be an exploratory probe or somesuch.
Does anyone have any other ideas? Whatever it is, it's very strange. The thought does occur that my ISP could be doing something sneaky, to which I'd almost certainly object :)
I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting it ever since.
If it's ICMP (that's UDP, right?) there's no guarantee those source addresses are real. What kind of volume is it coming in?
No, ICMP is its own protocol. That's still no guarantee that the source addresses are real, but I find it pretty unlikely that they're all forged. They're too consistent. I've had ~170 packets in 3.5 hours, so not a huge amount, but enough for it to be interesting.
I thought ICMP worked the same way as UDP? Oh well, I don't really know anything about ICMP :)
But maybe somebody else could shed more light on this, I have no idea
I've heard rumours that ISPs will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server.
Yes, me too, but this traffic doesn't look remotely like a portscan, and I don't see how a ping could be used for that purpose.
Uh-oh, I run a Webserver on my computer & some other open ports :-\
Good ol' dsl, I can sit here with my 130up/30down going full 24/7 and they won't care
Heh, I've gotten lots of those forever.
I think it's just my ISP. But wtf do they want from me? :P
Quote from: St0rm.iD on December 11, 2003, 05:20 PM
I've heard rumours that ISPs will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server.
I'd love to catch my ISP portscanning my computer so I could sue them for a few years of free service.
My ISP does it to me frequently.
How do you know if you're receiving things like that?
Get a firewall (software I guess) or packet logger.
Maybe someone can elaborate on that...
I think he got down and up mixed up.
Back on Arta's topic:
I ran a packet logger a few weeks ago for completely different purposes and saw the same thing you did. ICMP pings from spoofed(?) IPs within my ISP's subnet, all bytes set to 0xAA, once every 30-60 seconds or so.
I didn't pay too much attention to it... I will check again.
Snort is picking up these packets as traffic from some hacking tool called 'CyberKit'.
Just started getting traffic from hosts not on my ISP's subnet.
This is a (new?) worm: http://isc.sans.org/diary.html?date=2003-08-18
Edit:
Better information here: http://vil.nai.com/vil/content/v_100559.htm
Looks like I was right :)
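A defender's check for the pattern described in this thread: ICMP echo requests whose payload is 64 bytes of 0xAA (the dump at the top of the thread), arriving from a run of neighbouring source addresses. This is an added example, not code from any poster; the packets and addresses below are constructed inline for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ICMP_ECHO_REQUEST = 8
PROBE_PAYLOAD = b"\xaa" * 64  # 64 bytes of 0xAA, as in the hex dump in the thread


def parse_ipv4_icmp(raw):
    """Return (src, icmp_type, payload) for a raw IPv4 packet carrying ICMP, else None."""
    if len(raw) < 20:
        return None
    ver_ihl, proto = raw[0], raw[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(raw) < ihl + 8:
        return None
    src = str(IPv4Address(raw[12:16]))
    icmp_type = raw[ihl]
    payload = raw[ihl + 8:]  # skip type, code, checksum, identifier, sequence
    return src, icmp_type, payload


def is_aa_probe(raw):
    """True only for echo *requests* whose payload is exactly 64 bytes of 0xAA."""
    parsed = parse_ipv4_icmp(raw)
    return parsed is not None and parsed[1] == ICMP_ECHO_REQUEST and parsed[2] == PROBE_PAYLOAD


def summarize(packets):
    """Count probes per source and how many sources are numerically adjacent to another."""
    hits = Counter(parse_ipv4_icmp(p)[0] for p in packets if is_aa_probe(p))
    addrs = sorted(int(IPv4Address(a)) for a in hits)
    consecutive = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return hits, consecutive


def build_packet(src, dst, icmp_type=ICMP_ECHO_REQUEST, payload=PROBE_PAYLOAD):
    """Constructed sample packet: minimal IPv4 header + ICMP header + payload (checksums zeroed)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return ip + icmp + payload
```

A normal ping (zero payload) and an echo reply carrying 0xAA both fall outside the match, so the count reflects only the probe pattern.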
Holy shit. Owned.
Quote: Self removal
When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.
Hmm, where have we seen that before?
Quote from: j0k3r on December 13, 2003, 12:31 PM
Quote: Self removal
When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.
Hmm, where have we seen that before?
Ah, whew. It's just Welchia. It'll be dead in 2.5 weeks. :)
This worm looked pretty thoughtful, since it deletes itself and installs patches and stuff, then it installed tftpd :(