[nsp-sec] Strange targeted increase in TCP-445 scanning

Matthew.Swaar at us-cert.gov
Wed Mar 31 22:02:00 EDT 2010


A single Federal Agency is receiving an anomalous amount of TCP-445
scanning.  This network has gone from experiencing ~60k inbound flows to
TCP-445 per day to over 120M in less than a month.  The IP space of the
network in question suggests a potential answer, but I'm not sure that I
completely buy it yet.  (And I still have folks looking for the always
possible "sensor issue", although I think I've managed to rule out a
routing loop.)

In the past, we've observed failed "parking"/beheading attempts (done
via DNS entries for the C2) involving RFC3927 address space showing up
at this network (169.252./15; easy to typo "253" in the 2nd octet vice
254) but this usually involves a single IP/Port.  What we're seeing now
looks like attempted propagation more so than C2.  So, that means the
miscreant has to:
	1.  Mistakenly release malware with RFC3927 address space in
place of all valid IPv4 address space in the (assumed) "remote
target-selection" function.
	2.  Typo the 2nd octet.
	3.  Not notice that the malware isn't spreading (or isn't
spreading as expected) for ~30 days.

This is certainly possible...but I'd prefer a "one mistake" answer.
I've attached a few graphs showing the recent increase, and I've also
attached a .txt file with some recent sources.  Since this activity
could be spoofed, I'm not sending the IPs out for remediation (so I
haven't included timestamps) but if anyone does see an ASN of theirs in
the list, could you look for TCP-445 syn-scanning to 169.253./16 and let
me know what's causing this?

Password on the zipped .ppt file is '445st4t3' without the quotes.
 
Very Respectfully,

US-CERT Ops Center
888-282-0870
POC: Matt Swaar - Analyst
-------------- next part --------------
Attachment (text, charset unspecified):
Name: 445_sources.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20100331/e5709266/attachment-0001.txt>
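The check requested above (SYN-only TCP/445 flows toward 169.253.0.0/16, with a per-source count of distinct targets), as an added example that is not part of the original post or of any US-CERT tooling. The flow records are constructed for the example, in a simplified pipe-separated layout that is an assumption of the example rather than a real SiLK or NetFlow export; the flag notation (S = SYN, A = ACK) is likewise assumed.

```python
"""Added example: hunt flow records for TCP/445 SYN-only scans aimed at
169.253.0.0/16 (the second-octet typo of RFC 3927 space) and count how many
distinct hosts each source touched. Not from the original post."""
import ipaddress
from collections import defaultdict

RFC3927 = ipaddress.ip_network("169.254.0.0/16")      # IPv4 link-local
TYPO_SPACE = ipaddress.ip_network("169.253.0.0/16")   # 253 typed instead of 254

# Constructed sample flows (assumption: layout is sIP|dIP|sPort|dPort|proto|flags|packets).
SAMPLE_FLOWS = """\
198.51.100.7|169.253.10.20|41234|445|6|S|1
198.51.100.7|169.253.10.21|41235|445|6|S|1
198.51.100.7|169.253.10.22|41236|445|6|S|1
203.0.113.9|169.253.77.5|52001|445|6|S|1
203.0.113.9|169.254.77.5|52002|445|6|S|1
192.0.2.33|169.253.3.4|33000|445|6|SA|5
192.0.2.33|169.253.3.4|33001|80|6|S|1
198.51.100.7|10.0.0.5|41237|445|6|S|1
"""


def parse_flows(text):
    """Parse the pipe-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sip, dip, sport, dport, proto, flags, pkts = line.split("|")
        flows.append({
            "sip": ipaddress.ip_address(sip),
            "dip": ipaddress.ip_address(dip),
            "sport": int(sport),
            "dport": int(dport),
            "proto": int(proto),
            "flags": flags,
            "packets": int(pkts),
        })
    return flows


def is_syn_only(flags):
    """A bare SYN with no ACK is the half-open scan signature we want;
    SYN+ACK means a completed handshake, i.e. real traffic, not a probe."""
    return "S" in flags and "A" not in flags


def syn_scans_to(flows, target_net, dport=445):
    """Map each source IP to the number of distinct hosts inside target_net
    it sent SYN-only TCP flows to on dport. Sources with none are omitted."""
    targets = defaultdict(set)
    for f in flows:
        if (f["proto"] == 6 and f["dport"] == dport
                and is_syn_only(f["flags"]) and f["dip"] in target_net):
            targets[f["sip"]].add(f["dip"])
    return {str(src): len(dsts) for src, dsts in targets.items()}


def classify_space(addr):
    """Label a destination as genuine RFC 3927 space, the 169.253 typo
    space, or anything else, so the two cases can be told apart in reports."""
    a = ipaddress.ip_address(addr)
    if a in RFC3927:
        return "rfc3927-link-local"
    if a in TYPO_SPACE:
        return "169.253-typo-space"
    return "other"


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, n in sorted(syn_scans_to(flows, TYPO_SPACE).items(),
                         key=lambda kv: -kv[1]):
        print(f"{src}: {n} distinct 169.253/16 hosts probed on TCP/445")
    for f in flows:
        print(f["dip"], classify_space(f["dip"]))
```

On a real export the same filter maps onto the flow tool's own predicates (protocol 6, destination port 445, SYN set and ACK clear, destination in 169.253.0.0/16) before the per-source aggregation; the distinct-target count is what separates a scanner sweeping the block from a single misdirected connection.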

