New Worm?

Arta · December 11, 2003, 04:26 PM

I'm getting lots of odd ICMP traffic that looks pretty odd to me. They are all ping packets with a fairly strange payload:

Code Select


000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................

What makes me think this is a worm is that all the traffic is coming from other customers of my ISP, and the source ip addresses increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set of machines infected by a worm that increments the subnet (2nd octect) it targets. Although this doesn't really tally with the apparent lack of any bytecode in the payload, I figured it could be an exploratory probe or somesuch.

Does anyone have any other ideas? Whatever it is, it's very strange. The thought does occur that my ISP could be doing something sneaky, to which I'd almost certainly object

I started getting traffic at 2003-12-11 20:18:33 GMT and have been getting it ever since.

iago · December 11, 2003, 04:54 PM

If it's ICMP (that's UDP, right?) there's no guarentee those source addresses are real. What kind of volume is it coming in?

Arta · December 11, 2003, 05:04 PM

No, ICMP is it's own protocol. That's still no guarantee that the source addresses are real, but I find it pretty unlikely that they're all forged. They're too consistent. I've had ~170 packets in 3.5 hours, so not a huge amount, but enough for it to be interesting.

iago · December 11, 2003, 05:19 PM

I thought IMCP worked the same way as UDP? ohwell, I don't really know anything about ICMP

But maybe somebody else could shed more light on this, I have no idea

Banana fanna fo fanna · December 11, 2003, 05:20 PM

I've heard rumours that ISP's will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server.

Arta · December 11, 2003, 05:22 PM

Yes, me too, but this traffic doesn't look remotely like a portscan, and I don't see how a ping could be used for that purpose.

UserLoser. · December 11, 2003, 05:45 PM

Uh-oh, I run a Webserver on my computer & some other open ports $:-\$

iago · December 11, 2003, 05:55 PM

Good ol' dsl, I can sit here with my 130up/30down going full 24/7 and they won't care

Newby · December 11, 2003, 06:07 PM

Heh, I've gotten lots of those forever.

I think its just my ISP. But wtf do they want from me?

Grok · December 11, 2003, 07:21 PM

Quote from: St0rm.iD on December 11, 2003, 05:20 PM
I've heard rumours that ISP's will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server.

I'd love to catch my ISP portscanning my computer so I could sue them for a few years of free service.

Eibro · December 11, 2003, 07:24 PM

My ISP does it to me frequently.

UserLoser. · December 11, 2003, 07:24 PM

How do you know if you're recieving things like that?

j0k3r · December 11, 2003, 07:35 PM

Get a firewall (software I guess) or packet logger.

Maybe someone can elaborate on that...

j0k3r · December 11, 2003, 08:38 PM

I think he got down and up mixed up.

Yoni · December 12, 2003, 05:03 AM

Back on Arta's topic:

I ran a packet logger a few weeks ago for completely different purposes and saw the same thing you did. ICMP pings from spoofed(?) IPs within my ISP's subnet, all bytes set to 0xAA, once every 30-60 seconds or so.

I didn't pay too much attention to it... I will check again.

New Worm?

UserLoser.

UserLoser.