Symantec Anti-Virus detects and removes it.
But where is it coming from?
How do I catch this worm and tell where it is repeatedly coming from?
Run Wireshark and, when the anti-virus warning appears, filter the capture down to SMB traffic.
filter: "smb"
When you catch it contact people responsible for
From the trace it appears the worm first checks whether the directory \System32 exists on the target.
If it does, it checks whether \System32\xxxxxx.dll exists.
If that lookup returns an error, it tries to create the file using "NT Create AndX".
attack-ip target-ip SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \System32
target-ip attack-ip SMB Trans2 Response, QUERY_PATH_INFO
attack-ip target-ip SMB Trans2 Request, FIND_FIRST2, Pattern: \System32\nmlnszk.dll
target-ip attack-ip SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
attack-ip target-ip SMB NT Create AndX Request, FID: 0x4004, Path: \System32\nmlnszk.u
target-ip attack-ip SMB NT Create AndX Response, FID: 0x4004
filter: "smb.cmd == 0xa2" (0xa2 = NT Create AndX command)
This filter catches the single NT Create AndX request in which the worm creates its file.
The worm tries several exploits, so the trace will look different on different systems.
No. size Time Source Destination Protocol Info
42655 191 2009-02-04 16:59:50.938003 SMB Negotiate Protocol Request
42656 240 2009-02-04 16:59:50.938419 SMB Negotiate Protocol Response
42664 202 2009-02-04 16:59:51.338727 SMB [TCP Retransmission] Session Setup AndX Request
42666 338 2009-02-04 16:59:51.394477 SMB Session Setup AndX Response
42667 134 2009-02-04 16:59:51.465066 SMB Tree Connect AndX Request, Path: \\ \IPC$
42668 114 2009-02-04 16:59:51.465327 SMB Tree Connect AndX Response
42675 138 2009-02-04 16:59:51.552181 SMB Tree Connect AndX Request, Path: \\ \ADMIN$
42676 120 2009-02-04 16:59:51.552603 SMB Tree Connect AndX Response
42678 152 2009-02-04 16:59:51.638915 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \System32
42679 158 2009-02-04 16:59:51.659161 SMB Trans2 Response, QUERY_PATH_INFO
42683 182 2009-02-04 16:59:51.793915 SMB Trans2 Request, FIND_FIRST2, Pattern: \System32\nmlnszk.dll
42684 126 2009-02-04 16:59:51.794635 SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
42685 182 2009-02-04 16:59:51.897687 SMB NT Create AndX Request, FID: 0x4004, Path: \System32\nmlnszk.u
42686 193 2009-02-04 16:59:51.898647 SMB NT Create AndX Response, FID: 0x4004
42687 130 2009-02-04 16:59:52.022915 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x4004, Query File Internal Info
42688 126 2009-02-04 16:59:52.023171 SMB Trans2 Response, FID: 0x4004, QUERY_FILE_INFO
42765 1452 2009-02-04 16:59:52.719398 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 0
42767 105 2009-02-04 16:59:52.719683 SMB Write AndX Response, FID: 0x4004, 65536 bytes
42837 1452 2009-02-04 16:59:53.081002 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 65536
42838 105 2009-02-04 16:59:53.081348 SMB Write AndX Response, FID: 0x4004, 65536 bytes
42878 1220 2009-02-04 16:59:53.278313 SMB Write AndX Request, FID: 0x4004, 36252 bytes at offset 131072
42880 105 2009-02-04 16:59:53.278510 SMB Write AndX Response, FID: 0x4004, 36252 bytes
42883 99 2009-02-04 16:59:53.378656 SMB Close Request, FID: 0x4004
42884 93 2009-02-04 16:59:53.474645 SMB Close Response, FID: 0x4004
42885 182 2009-02-04 16:59:53.574003 SMB NT Create AndX Request, Path: \System32\nmlnszk.u
42886 93 2009-02-04 16:59:53.574507 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND
42887 156 2009-02-04 16:59:53.695878 SMB NT Create AndX Request, FID: 0x4005, Path: \atsvc
42888 193 2009-02-04 16:59:53.696443 SMB NT Create AndX Response, FID: 0x4005
42889 238 2009-02-04 16:59:53.839391 DCERPC Bind: call_id: 1, 2 context items, 1st ATSVC V1.0
42890 105 2009-02-04 16:59:53.839722 SMB Write AndX Response, FID: 0x4005, 116 bytes
42891 117 2009-02-04 16:59:53.922325 SMB Read AndX Request, FID: 0x4005, 1024 bytes at offset 0
42892 210 2009-02-04 16:59:53.922640 DCERPC Bind_ack: call_id: 1 Provider rejection, reason: Proposed transfer syntaxes not supported
42894 288 2009-02-04 16:59:54.038937 ATSVC JobAdd request
42902 146 2009-02-04 16:59:54.303584 ATSVC JobAdd response
42903 99 2009-02-04 16:59:54.387352 SMB Close Request, FID: 0x4005
42904 93 2009-02-04 16:59:54.387786 SMB Close Response, FID: 0x4005
43053 93 2009-02-04 17:00:21.493987 SMB Tree Disconnect Request
43058 93 2009-02-04 17:00:22.587186 SMB [TCP Retransmission] Tree Disconnect Request
43068 93 2009-02-04 17:00:24.666464 SMB [TCP Retransmission] Tree Disconnect Request
43084 93 2009-02-04 17:00:28.712442 SMB [TCP Retransmission] Tree Disconnect Request
43101 93 2009-02-04 17:00:32.759072 SMB [TCP Retransmission] Tree Disconnect Request
43116 93 2009-02-04 17:00:36.716295 SMB [TCP Retransmission] Tree Disconnect Request
43132 107 2009-02-04 17:00:38.571797 SMB Echo Request
43150 146 2009-02-04 17:00:44.806801 SMB [TCP Retransmission] Echo Request
43218 146 2009-02-04 17:01:00.892194 SMB [TCP Retransmission] Echo Request
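The packet list above is the whole detection signal: connect to an administrative share, create a file under \System32, write it in chunks, close it, then open \atsvc and add a scheduled job. The following script is an added example (not code from the original post) that turns that sequence into an automated check over packet-summary lines in the same layout as the list above. The source and destination addresses (10.0.0.5 and 10.0.0.9) are made up, because the post omits them; everything else in the sample is taken from the listing.

```python
"""Flag a Conficker-style SMB file drop in Wireshark packet-summary lines.

Per (source, destination) pair it tracks:
  1. Tree Connect to an administrative share (ADMIN$ or C$)
  2. NT Create AndX of a file under \\System32, keyed by FID
  3. Write AndX chunks on that FID, summed until the Close Request
  4. NT Create AndX of \\atsvc followed by an ATSVC JobAdd request
"""
import re
from collections import defaultdict

# Constructed sample: the post's packet list with invented addresses
# (10.0.0.5 = infected host, 10.0.0.9 = target); the post shows none.
SAMPLE_LINES = [
    r"42667 134 2009-02-04 16:59:51.465066 10.0.0.5 10.0.0.9 SMB Tree Connect AndX Request, Path: \\10.0.0.9\IPC$",
    r"42675 138 2009-02-04 16:59:51.552181 10.0.0.5 10.0.0.9 SMB Tree Connect AndX Request, Path: \\10.0.0.9\ADMIN$",
    r"42683 182 2009-02-04 16:59:51.793915 10.0.0.5 10.0.0.9 SMB Trans2 Request, FIND_FIRST2, Pattern: \System32\nmlnszk.dll",
    r"42684 126 2009-02-04 16:59:51.794635 10.0.0.9 10.0.0.5 SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE",
    r"42685 182 2009-02-04 16:59:51.897687 10.0.0.5 10.0.0.9 SMB NT Create AndX Request, FID: 0x4004, Path: \System32\nmlnszk.u",
    r"42765 1452 2009-02-04 16:59:52.719398 10.0.0.5 10.0.0.9 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 0",
    r"42837 1452 2009-02-04 16:59:53.081002 10.0.0.5 10.0.0.9 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 65536",
    r"42878 1220 2009-02-04 16:59:53.278313 10.0.0.5 10.0.0.9 SMB Write AndX Request, FID: 0x4004, 36252 bytes at offset 131072",
    r"42883 99 2009-02-04 16:59:53.378656 10.0.0.5 10.0.0.9 SMB Close Request, FID: 0x4004",
    r"42887 156 2009-02-04 16:59:53.695878 10.0.0.5 10.0.0.9 SMB NT Create AndX Request, FID: 0x4005, Path: \atsvc",
    r"42894 288 2009-02-04 16:59:54.038937 10.0.0.5 10.0.0.9 ATSVC JobAdd request",
    r"42903 99 2009-02-04 16:59:54.387352 10.0.0.5 10.0.0.9 SMB Close Request, FID: 0x4005",
]

# One summary line: No. Size Date Time Source Destination Protocol Info
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<size>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
TREE_RE = re.compile(r"Tree Connect AndX Request, Path: (?P<path>\S+)")
CREATE_RE = re.compile(r"NT Create AndX Request, FID: (?P<fid>0x[0-9a-fA-F]+), Path: (?P<path>\S+)")
WRITE_RE = re.compile(r"Write AndX Request, FID: (?P<fid>0x[0-9a-fA-F]+), (?P<n>\d+) bytes at offset")
CLOSE_RE = re.compile(r"Close Request, FID: (?P<fid>0x[0-9a-fA-F]+)")

ADMIN_SHARES = {"ADMIN$", "C$"}   # shares that map straight onto the system drive
SYSTEM32 = "\\system32\\"          # compared case-insensitively


def parse_line(line):
    """Split one summary line into its columns, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of findings (dicts) for the suspicious sequences in `lines`."""
    flows = defaultdict(lambda: {"share": None, "open": {}, "atsvc": set()})
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not a packet row (header, blank, ...)
        st = flows[(rec["src"], rec["dst"])]
        info = rec["info"]
        if (m := TREE_RE.search(info)):
            share = m["path"].rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES:
                st["share"] = share
        elif (m := CREATE_RE.search(info)):
            fid = m["fid"].lower()
            if m["path"].lower() == "\\atsvc":
                st["atsvc"].add(fid)      # handle on the Task Scheduler pipe
            else:
                st["open"][fid] = {"path": m["path"], "bytes": 0, "first_packet": rec["no"]}
        elif (m := WRITE_RE.search(info)):
            if (f := st["open"].get(m["fid"].lower())):
                f["bytes"] += int(m["n"])
        elif (m := CLOSE_RE.search(info)):
            f = st["open"].pop(m["fid"].lower(), None)
            if f and f["bytes"] > 0 and f["path"].lower().startswith(SYSTEM32):
                findings.append({"type": "file_drop", "src": rec["src"], "dst": rec["dst"],
                                 "share": st["share"], "path": f["path"],
                                 "bytes": f["bytes"], "first_packet": f["first_packet"]})
        elif rec["proto"] == "ATSVC" and "JobAdd request" in info and st["atsvc"]:
            findings.append({"type": "scheduled_job", "src": rec["src"], "dst": rec["dst"],
                             "first_packet": rec["no"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f)
```

Running it on the sample reports the 167324-byte write of \System32\nmlnszk.u over ADMIN$ from 10.0.0.5 to 10.0.0.9, followed by the JobAdd on \atsvc. Because findings are keyed by source address, the same code answers the question at the top of the post (where the worm keeps coming from) when fed a longer capture from a machine that keeps getting reinfected; in Wireshark, File > Export Packet Dissections > As Plain Text with the summary line enabled produces rows in this layout.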
For example, the worm coming in via NetPathCanonicalize:
http://www.icmpecho.com/tag/downadup/
smb.service contains "NetPathCanonicalize"
Another NetPathCanonicalize example:
http://annysoft.wordpress.com/2009/02/01/downadupconfickerkido-infection-traffic-analysis/
http://www.f-secure.com/security_center/downadup.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
http://www.zdnet.co.uk/tsearch/downadup.htm