[nsp-sec] Morto worm C&C (RDP Scanner)
Michael Sinatra
michael at rancid.berkeley.edu
Wed Aug 31 15:47:48 EDT 2011
I found some hosts in AS25 that don't appear to be doing any RDP
scanning, but are running Skype. Some of these hosts contacted
128.59.163.178 on port 10119, with the source port being the random
Skype listening port (you can generally check this by looking in the
Skype settings for the machine in question). So it appears that some of
the connection attempts may be spurious, due to Skype activity.
For someone who understands the Skype protocol better than I do, do we
know if Skype's supernode and/or relay/cache host functions will cause
connection attempts after a host has gone off the air? That seems to be
happening in a number of cases.
michael
On 08/30/11 12:56, Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> Looking back further, it appears that if you have a machine talking to
>
> 128.59.163.178 on port 10119 (UDP) anytime after July 30 2011 18:00
> -0500, you can assume that it is infected.
>
> This is an interesting bot .. the scanning always lasts for a little
> less than 1 hour, then it goes to sleep for a random amount of time,
> sometimes up to 10 days.
>
> If I find some free time, I'll go through our netflow data as far back
> as I can and see if I can pull some more IPs from it.
>
> Thanks,
> Joel
>
> --On Tuesday, August 30, 2011 2:29 PM -0400 Joel Rosenblatt
> <joel at columbia.edu> wrote:
>
>> Hi,
>>
>> I found what looks like a Morto worm C&C on our network on the 25th -
>> it was taken down, but the bots are still reporting in - see attached
>> file for IPs
>>
>> Start time for IPs found 2011/08/26 14:09:29 -0500
>> End time 2011/08/29 01:43:28 -0500
>>
>> Here are the ASNs found:
>>
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
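Joel's indicator (UDP contact to 128.59.163.178:10119 after the July 30 cutoff) combined with Michael's Skype caveat, as an added triage example that is not code from either poster: it classifies hosts in a set of constructed flow records, treating C&C contact plus RDP scanning as infected and C&C contact only from a host's known Skype listening port as a probable false positive. The flow line format, the 20-target scan threshold and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Indicator from Joel's post: contact after CUTOFF is treated as a sign of infection.
C2_IP, C2_PORT, C2_PROTO = "128.59.163.178", 10119, "udp"
CUTOFF = datetime(2011, 7, 30, 18, 0, tzinfo=timezone(timedelta(hours=-5)))
RDP_SCAN_THRESHOLD = 20  # distinct tcp/3389 targets per host; assumed tuning value

def parse_flow(line):
    """Parse one constructed flow line: 'ISO-time src sport dst dport proto'."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}

def classify_hosts(lines, skype_ports):
    """Return {host: verdict} for every host that contacted the C&C after CUTOFF.

    skype_ports maps host -> the Skype listening port read from that machine's
    Skype settings (assumed to be collected out of band, as Michael suggests)."""
    c2_sports = defaultdict(set)     # host -> source ports used toward the C&C
    rdp_targets = defaultdict(set)   # host -> distinct tcp/3389 destinations
    for f in map(parse_flow, lines):
        if (f["dst"], f["dport"], f["proto"]) == (C2_IP, C2_PORT, C2_PROTO) and f["ts"] >= CUTOFF:
            c2_sports[f["src"]].add(f["sport"])
        elif f["dport"] == 3389 and f["proto"] == "tcp":
            rdp_targets[f["src"]].add(f["dst"])
    verdicts = {}
    for host, sports in c2_sports.items():
        if len(rdp_targets[host]) >= RDP_SCAN_THRESHOLD:
            verdicts[host] = "infected"            # C&C contact corroborated by RDP scanning
        elif host in skype_ports and sports <= {skype_ports[host]}:
            verdicts[host] = "probable-skype"      # only ever from the Skype listening port
        else:
            verdicts[host] = "c2-contact-review"   # contact seen, no corroboration either way
    return verdicts

# Constructed sample flows (not real data): a scanner, a Skype host, an unknown host,
# and one contact that predates the cutoff.
SAMPLE_FLOWS = (
    ["2011-08-26T14:09:29-05:00 10.0.0.5 51234 128.59.163.178 10119 udp"]
    + [f"2011-08-26T14:10:{i:02d}-05:00 10.0.0.5 4{i:04d} 10.1.0.{i} 3389 tcp"
       for i in range(1, 26)]
    + ["2011-08-27T09:00:00-05:00 10.0.0.7 31337 128.59.163.178 10119 udp",
       "2011-08-28T09:00:00-05:00 10.0.0.9 6000 128.59.163.178 10119 udp",
       "2011-07-01T09:00:00-05:00 10.0.0.11 6000 128.59.163.178 10119 udp"]
)
SKYPE_PORTS = {"10.0.0.7": 31337}  # constructed: port read from that host's Skype settings
```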