Full Disclosure: Re: More info on blocking the Bagle worm

Re: More info on blocking the Bagle worm

From: Anders Henke <anders_at_schlund.de>
Date: Fri, 23 Jan 2004 12:44:11 +0100

On Jan 20th 2004, Anders Henke wrote:
> A few notes on the impact of beagle from an ISP's point of view - our
> company is hosting 10 out of the 35 sites listed at
> http://vil.nai.com/vil/content/v_100965.htm (we're hosting 3.5M of
> domains and also our largest competitor does host 9 beagle-sites, so
> don't wonder or misinterpret the "high" percentage).

A few more current pieces of information:
-the first mass of beagle requests against sites hosted here started on
 Sunday 18th around 12:35 (AM) local time from a couple of dsl-lines
 in Germany and Belgium, followed a few seconds later by other
 dialup-ips from Canada, the USA and eastern Europe.

A few stats for the last few days for HTTP-requests on /1.php using
the useragent "beagle_beagle", summarized from 8 out of the 10
beagle-attacked sites hosted here; the remaining two sites are hosted
on either customer-operated or non-unix-boxes, so gathering statistics
for them is not too easily automatable for me:

Sun 18/Jan/2004: 4426 different IPs, 312079 hits
Mon 19/Jan/2004: 151599 different IPs, 15282351 hits
Tue 20/Jan/2004: 249976 different IPs, 25252216 hits
Wed 21/Jan/2004: 271682 different IPs, 30467877 hits
Thu 22/Jan/2004: 265435 different IPs, 30017118 hits

The hitrate varies by daytime of affected IPs; as most IPs are located
in Europe (as well as we are), the hitrate does follow the same
graphs you usually see e.g. in access or bandwidth usage.

From a non-representative glance at a few hundred IPs, almost
all infected hosts are dropping or rejecting incoming traffic
to Port 6777.
The symptoms of this are the same ones experienced with
-personal as well as professional firewalls (dropping traffic,
 rejecting with tcp-reset or icmp-prohibited),
-Cisco-Routers using ACLs ("no route to host"-symptom for certain
 tcp, but not e.g. icmp traffic),
-a few requests are also made via (transparent?) proxies and
 contain X-Forwarded-For-HTTP-Headers, many also seem to be
 located behind NAT-gateways.
Only about 2% of tested hosts are really accessible on port 6777.

My interpretation of those numbers is that on the one hand, most users
today seem to be at some level protected from network attacks (or their
ISPs have timely implemented access rules against such abuse) as well
as the slowly decreasing number for Thursday's hits gives the impression
that people are keeping their virus scanners quite current.

On the other hand the strong spread within the first 48 hours makes
one ask the question why such "security-aware" users still do manually
click on executables attached to a stranger's "Test"-mail without thinking.
As the strong spread of massmailer-viruses, trojan horses or worms
during the last few years, people should better know; maybe those people
do believe to be protected from "evil packets" by firewalls and virus
scanners ...

Regards,

Anders

-- 
Schlund + Partner AG              Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Jan 23 2004
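The per-day table in the post (distinct IPs and hits for /1.php requests with the "beagle_beagle" User-Agent) can be reproduced from ordinary web server access logs. The following is an added example, not code from the post or from Schlund + Partner; it assumes Apache/NCSA "combined" log format and uses constructed sample lines with documentation-range addresses rather than real log data.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA "combined" format (assumed): client IP, timestamp, request line,
# status, size, Referer, User-Agent. Only ip, day, path and agent are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic) mimicking the probes the post
# describes: GET /1.php carrying the User-Agent "beagle_beagle".
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jan/2004:12:35:01 +0100] "GET /1.php HTTP/1.1" 404 294 "-" "beagle_beagle"
192.0.2.10 - - [18/Jan/2004:12:35:09 +0100] "GET /1.php HTTP/1.1" 404 294 "-" "beagle_beagle"
198.51.100.7 - - [18/Jan/2004:12:36:40 +0100] "GET /1.php HTTP/1.1" 404 294 "-" "beagle_beagle"
203.0.113.5 - - [18/Jan/2004:13:02:12 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jan/2004:08:12:33 +0100] "GET /1.php HTTP/1.1" 404 294 "-" "beagle_beagle"
203.0.113.9 - - [19/Jan/2004:08:13:00 +0100] "GET /1.php?x=1 HTTP/1.0" 404 294 "-" "beagle_beagle"
"""

def is_beagle_probe(rec):
    """A request counts as a worm probe when it targets /1.php (with or
    without a query string) and carries the User-Agent named in the post."""
    path = rec["path"].split("?", 1)[0]
    return path == "/1.php" and rec["agent"] == "beagle_beagle"

def daily_stats(lines):
    """Return {day: (distinct_ips, hits)} for matching requests, ordered by
    calendar date, i.e. the same shape as the per-day table in the post."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting
        rec = m.groupdict()
        if not is_beagle_probe(rec):
            continue
        hits[rec["day"]] += 1
        ips[rec["day"]].add(rec["ip"])
    days = sorted(hits, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    return {day: (len(ips[day]), hits[day]) for day in days}

if __name__ == "__main__":
    for day, (n_ips, n_hits) in daily_stats(SAMPLE_LOG.splitlines()).items():
        print(f"{day}: {n_ips} different IPs, {n_hits} hits")
```

Counting distinct source IPs separately from raw hits, as the post does, is what distinguishes a growing infected population from a few hosts retrying aggressively.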