Security Incidents mailing list archives

Re: Analysis of Modap worm


From: Paul Wouters <paul () xtdnet nl>
Date: Tue, 24 Sep 2002 15:27:14 +0200 (MET DST)

On Mon, 16 Sep 2002, Mario van Velzen wrote:

> If you have any comments or concerns, please do not hesitate to contact
> me.

We had some clients who got infected (by what seems like the udp 2002
version from the files in /tmp) but apparently that IP got on a list of
servers using udp 4156.

Since we're seeing dozens of attempts/second, I was wondering if anyone
has tried to counterstrike the incoming requests (to stop that target
giving out your IP to other victims it infects).

With pudclient, I can at times connect to the infected machines, but it
seems killing them hardly works. Likely because the machine is overloaded,
and filling its bandwidth with udp packets. Using 'pstree' I also found
this new version apparently changes the name. I've seen it called httpd
and kswapd so far.

I haven't managed to cat a copy of the new version .c file so far from
any infected machine to check.

So far, the only damage control we can do is filter port 4156. It saves
an ICMP port unreachable message. We're still experiencing 50kbit/sec
incoming on some ADSL customers though :(

Paul



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
