New Worm?

Started by Arta, December 11, 2003, 04:26 PM


Arta

I'm getting lots of odd ICMP traffic that looks pretty odd to me. They are all ping packets with a fairly strange payload:


000 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
010 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
020 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................
030 : AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ................


What makes me think this is a worm is that all the traffic is coming from other customers of my ISP, and the source IP addresses increment very neatly - 80.4, 80.5, 80.6, 80.7 - which looks rather like it could be a set of machines infected by a worm that increments the subnet (2nd octet) it targets. Although this doesn't really tally with the apparent lack of any bytecode in the payload, I figured it could be an exploratory probe or some such.

Does anyone have any other ideas? Whatever it is, it's very strange. The thought does occur that my ISP could be doing something sneaky, to which I'd almost certainly object :)

I started getting traffic at  2003-12-11 20:18:33 GMT and have been getting it ever since.

iago

If it's ICMP (that's UDP, right?) there's no guarantee those source addresses are real.  What kind of volume is it coming in?
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Arta

No, ICMP is its own protocol. That's still no guarantee that the source addresses are real, but I find it pretty unlikely that they're all forged. They're too consistent. I've had ~170 packets in 3.5 hours, so not a huge amount, but enough for it to be interesting.

iago

I thought ICMP worked the same way as UDP?  Oh well, I don't really know anything about ICMP :)

But maybe somebody else could shed more light on this, I have no idea


Banana fanna fo fanna

I've heard rumours that ISPs will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server.

Arta

Yes, me too, but this traffic doesn't look remotely like a portscan, and I don't see how a ping could be used for that purpose.

UserLoser.

Uh-oh, I run a web server on my computer & some other open ports :-\

iago

Good ol' DSL, I can sit here with my 130up/30down going full 24/7 and they won't care


Newby

Heh, I've gotten lots of those forever.

I think it's just my ISP. But wtf do they want from me? :P
- Newby

Quote: [17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote: <TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

Grok

Quote from: St0rm.iD on December 11, 2003, 05:20 PM
I've heard rumours that ISP's will send strange pings/portscans to their customers to make sure they're using a real cable modem and not running a server.

I'd love to catch my ISP portscanning my computer so I could sue them for a few years of free service.

Eibro

My ISP does it to me frequently.
Eibro of Yeti Lovers.

UserLoser.

How do you know if you're receiving things like that?

j0k3r

Get a firewall (software I guess) or packet logger.

Maybe someone can elaborate on that...
Quote: Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo

j0k3r

I think he got down and up mixed up.

Yoni

Back on Arta's topic:

I ran a packet logger a few weeks ago for completely different purposes and saw the same thing you did. ICMP pings from spoofed(?) IPs within my ISP's subnet, all bytes set to 0xAA, once every 30-60 seconds or so.

I didn't pay too much attention to it... I will check again.
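The pattern Arta's first post and Yoni's post describe (echo requests whose payload is nothing but 0xAA, from a run of neighbouring source addresses, at a slow regular interval) is easy to pick out mechanically once you have the raw packets. The script below is an added example written for this page, not code from anyone in the thread: it parses IPv4 and ICMP headers directly (ICMP rides on IP as protocol 1, with no UDP header in between), verifies both checksums, keeps only echo requests whose payload is a single repeated fill byte, and then reports whether the source addresses step by a constant amount and how far apart the packets arrive. The sample packets are constructed inside the script; the 10.x.0.9 addresses are stand-ins that mimic the 80.4 / 80.5 / 80.6 / 80.7 progression, and the 45-second spacing is an assumption in the range Yoni mentions, not captured data.

```python
"""Added example (not from the thread): flag uniform-payload ICMP echo requests
from a neat run of source addresses. Sample input is constructed below."""
import struct
from collections import Counter
from ipaddress import IPv4Address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed test input: a minimal IPv4 packet carrying an ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8, code 0
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo_request(pkt: bytes):
    """Return (src, dst, payload) for a well-formed IPv4 ICMP echo request, else None."""
    if len(pkt) < 28 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:                             # protocol 1 = ICMP, directly on IP
        return None
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or icmp[0] != 8 or inet_checksum(icmp) != 0:
        return None
    return src, dst, icmp[8:]


def fill_byte(payload: bytes):
    """The single byte value a payload consists of, or None if it varies or is empty."""
    return payload[0] if payload and len(set(payload)) == 1 else None


def analyse(packets, min_len=32):
    """packets: iterable of (unix_time, raw_ipv4_bytes). Summarise the suspicious ones."""
    hits = []
    for ts, raw in packets:
        parsed = parse_echo_request(raw)
        if parsed is None:
            continue
        src, _dst, payload = parsed
        fb = fill_byte(payload)
        if fb is not None and len(payload) >= min_len:
            hits.append((ts, src, fb, len(payload)))
    hits.sort()
    times = [h[0] for h in hits]
    sources = sorted({IPv4Address(h[1]) for h in hits})
    steps = [int(b) - int(a) for a, b in zip(sources, sources[1:])]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "count": len(hits),
        "fill_bytes": dict(Counter(h[2] for h in hits)),
        "sources": [str(s) for s in sources],
        "sequential_sources": bool(steps) and len(set(steps)) == 1,
        "source_step": steps[0] if steps else None,   # 65536 = one /16 per hop
        "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
    }


# Constructed sample: four 64-byte 0xAA pings whose source second octet steps by one
# (stand-ins for the 80.4 / 80.5 / 80.6 / 80.7 run), 45 s apart starting at
# 2003-12-11 20:18:33 GMT, plus one ordinary ping with a varying payload as a control.
T0 = 1071173913
SAMPLE = [
    (T0 + 45 * i, build_echo_request(f"10.{4 + i}.0.9", "10.9.9.9", b"\xaa" * 64, seq=i + 1))
    for i in range(4)
] + [(T0 + 10, build_echo_request("10.9.9.1", "10.9.9.9", bytes(range(56))))]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

To run this against real traffic, capture with something like `tcpdump -ni eth0 -w icmp.pcap 'icmp[icmptype] == icmp-echo'` and feed the IPv4 layer of each frame (after the 14-byte Ethernet header) to `analyse` with its capture timestamp. Note what the check does and does not prove: valid checksums and a tidy address progression only show the packets were crafted consistently; an echo request carries no handshake, so the source field alone can never rule out spoofing.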