UDP port 4000 traffic: likely a new worm

Looks like there may be a worm going around hitting systems that run
BlackIce. Common characteristics of the packets: Source port 4000 (but
random target port) and the string
"insert witty message here".

Details will be posted here:
http://isc.sans.org/diary.html
as I get them together.

Confirmed. We had our first customer (colo) hit yesterday evening at
20:43 PST. Additionally, they experienced the hard drive corruption (which
was added to the ISC diary entry within the last several hours). Traffic
was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant
60 Mbit/s before we took them off-line.

-jr

* Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:

The good news is that "witty" appears to not be a very witty propagator.
Our flow data shows attempts to connect to 4000/udp on hosts in our
network having a downward trend over the last few hours:

Time    Unique Source IPs
08:00   350
09:00   332
10:00   297
11:00   298
12:00   265

(all times PST)

-jr
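The two detection points raised in this thread (the per-packet signature from the first message: UDP, source port 4000, random destination port, payload carrying "insert witty message here"; and the per-hour count of distinct source IPs from the flow data above) as one added example. This is illustrative code written for this page, not anything posted by the list participants or shipped with ISS/BlackIce. The packet and flow records are constructed inline, and the flow matcher keys on the worm's *source* port as the first message describes it; a flow tool that reports the traffic by destination port 4000/udp instead would need `sport` and `dport` swapped in `hourly_unique_sources`.

```python
"""Witty-style traffic detection: per-packet signature match plus an hourly
unique-source trend over flow records.  Added example, not from the thread.
"""
from collections import defaultdict
from datetime import datetime

# Characteristics quoted in the first message of the thread.
WITTY_SRC_PORT = 4000
WITTY_MARKER = b"insert witty message here"


def is_witty_packet(proto: str, sport: int, dport: int, payload: bytes) -> bool:
    """True for UDP datagrams sourced from port 4000 that carry the marker.

    Destination port is not checked: the worm picks it at random, so it
    carries no signal per packet.  Requiring the marker string keeps a plain
    ICQ exchange on port 4000 (no marker) from matching."""
    return proto == "udp" and sport == WITTY_SRC_PORT and WITTY_MARKER in payload


# Constructed sample packets (not real captures): (proto, sport, dport, payload)
SAMPLE_PACKETS = [
    ("udp", 4000, 51213, b"\x05\x00\x00\x00insert witty message here\x00" + b"A" * 40),
    ("udp", 4000, 6, b"...insert witty message here..."),
    ("udp", 4000, 4000, b"ICQ-like login blob without the marker"),   # benign 4000/udp
    ("tcp", 4000, 80, b"insert witty message here"),                  # wrong protocol
    ("udp", 1234, 4000, b"insert witty message here"),                # wrong source port
]


def classify_packets(packets):
    """Apply the signature to a list of (proto, sport, dport, payload) tuples."""
    return [is_witty_packet(*p) for p in packets]


# Constructed flow records (not real flow data):
# (timestamp "YYYY-MM-DD HH:MM", src_ip, dst_ip, proto, sport, dport)
SAMPLE_FLOWS = [
    ("2004-03-20 08:03", "10.0.0.1", "192.0.2.7", "udp", 4000, 1111),
    ("2004-03-20 08:17", "10.0.0.2", "192.0.2.8", "udp", 4000, 2222),
    ("2004-03-20 08:41", "10.0.0.1", "192.0.2.9", "udp", 4000, 3333),  # same source again
    ("2004-03-20 08:50", "10.0.0.3", "192.0.2.7", "udp", 4000, 4444),
    ("2004-03-20 09:05", "10.0.0.2", "192.0.2.7", "udp", 4000, 5555),
    ("2004-03-20 09:30", "10.0.0.4", "192.0.2.7", "udp", 4000, 6666),
    ("2004-03-20 09:45", "10.0.0.5", "192.0.2.7", "tcp", 4000, 7777),  # not UDP, ignored
    ("2004-03-20 10:10", "10.0.0.2", "192.0.2.7", "udp", 4000, 8888),
    ("2004-03-20 10:20", "10.0.0.6", "192.0.2.7", "udp", 5000, 4000),  # dst 4000 only, ignored
]


def hourly_unique_sources(flows, port=WITTY_SRC_PORT):
    """Count distinct source IPs per hour for UDP flows sourced from `port`.

    Returns {"HH:00": count} in time order, the same shape as the table in
    the thread; distinct sources rather than flow counts, so one chatty
    infected host does not inflate the figure."""
    buckets = defaultdict(set)
    for ts, src, _dst, proto, sport, _dport in flows:
        if proto != "udp" or sport != port:
            continue
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").strftime("%H:00")
        buckets[hour].add(src)
    return {h: len(s) for h, s in sorted(buckets.items())}


def trend_is_downward(counts):
    """True if the hourly counts never rise between consecutive hours."""
    vals = [counts[h] for h in sorted(counts)]
    return all(later <= earlier for earlier, later in zip(vals, vals[1:]))


if __name__ == "__main__":
    print("packet matches:", classify_packets(SAMPLE_PACKETS))
    counts = hourly_unique_sources(SAMPLE_FLOWS)
    for hour, n in counts.items():
        print(hour, n)
    print("downward trend:", trend_is_downward(counts))
```

On the sample data the signature flags only the two datagrams that have both the source port and the marker, leaving the ICQ-like packet alone, and the hourly table comes out 3, 2, 1 distinct sources, the same falling shape as the flow numbers above.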

* Josh Richards <jrichard@digitalwest.net> [20040320 11:10]:

Has anyone figured out the collateral damage if 4000/udp were to be
blocked for a couple of days? Since the exploit is in the ICQ code of
ISS's products, does blocking 4000/udp block ICQ as well?

Thanks
-S

The number of immediately vulnerable hosts was rapidly depleted by the
worm, given the launch was AFTER most businesses had shut down for the
weekend. I'll venture that Black Ice, a commercial security product, is
deployed much more widely on the corporate laptop than the home machine.

I expect to see more than a slight bump in those numbers come Monday AM.

g

I can acknowledge that we also see the worm in Europe/Austria. Today we
had a customer with a Black Ice firewall flooding us with random
4000/udp traffic before we shut him down.

Kind Regards,