Last Updated: 2006-09-01 22:39:14 UTC
by Joel Esler (Version: 4)
Well, guess what. One of our loyal readers out there on the 'Information SuperHighway', Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). In typical antivirus fashion it appears to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it "W32/Vanebot-A", and Symantec is calling it "W32.Randex.GEL". (Yes, it's been out for a couple of days.)
Let's take a look at this bad boy shall we? How does it spread.. well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch. Look for machines pounding away over port 139 (from reader submissions it hits about 150 machines in just a few seconds, so it should be noisy), and look for IRC connections to "forum.ednet.es" over port 4915 (until the next variant changes it, and we know it will). It has the ability to do a bunch of things, including spreading to network shares.
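To show what "noisy" looks like in practice, here is an added example (not from the diary or its readers) that runs the two indicators above over constructed connection-log records: one internal host opening TCP/139 or TCP/445 to many distinct peers within a few seconds, and any host connecting to the IRC server/port named in the diary. The log format, thresholds and sample hosts are assumptions for the example.

```python
# Added example (not from the ISC diary): flag hosts that sweep TCP/139/445
# across many peers in a short window, and hosts that reach the IRC C2 the
# diary names. Record format is constructed: "epoch src dst dport".
from collections import defaultdict

SCAN_PORTS = {139, 445}
IRC_C2_PORT = 4915
IRC_C2_HOST = "forum.ednet.es"   # named in the diary; a new variant may change it
SCAN_WINDOW_SECS = 5
SCAN_THRESHOLD = 50              # distinct targets within the window (assumed)

def parse_line(line):
    """Parse one constructed 'epoch src dst dport' record."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def detect(lines):
    """Return (scanners, c2_talkers) as sets of source addresses."""
    per_src = defaultdict(list)      # src -> [(ts, dst)] on NetBIOS/SMB ports
    c2_talkers = set()
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst))
        if dport == IRC_C2_PORT or dst == IRC_C2_HOST:
            c2_talkers.add(src)
    scanners = set()
    for src, events in per_src.items():
        events.sort()
        lo = 0                       # sliding time window over sorted events
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > SCAN_WINDOW_SECS:
                lo += 1
            distinct = {d for _, d in events[lo:hi + 1]}
            if len(distinct) >= SCAN_THRESHOLD:
                scanners.add(src)
                break
    return scanners, c2_talkers

# Constructed sample: 10.0.0.5 sweeps 60 neighbours on 139 within 3 seconds
# and then calls the IRC C2; 10.0.0.9 makes two ordinary file-share connections.
SAMPLE = [f"{1000 + i // 20} 10.0.0.5 10.0.1.{i + 1} 139" for i in range(60)]
SAMPLE += ["1004 10.0.0.5 forum.ednet.es 4915",
           "1000 10.0.0.9 10.0.2.1 445", "1003 10.0.0.9 10.0.2.2 445"]

if __name__ == "__main__":
    print(detect(SAMPLE))
```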
Prevention, as always (and it should have been done for years now): block 139 and 445 at the router/firewall. NetBIOS traffic shouldn't be allowed to exit or enter your network at egress points anyway.
Update your antivirus. At least daily.
Patch. You know the deal by now.
Now, since cleaning botnets is.. pretty much impossible, prevention is the key. If you DO get hit with a botnet infection running throughout your network, my general recommendation is.. rebuild the box. Now, I know that sounds drastic to some of you, but it gets rid of the worm, gets rid of the botnet, and plus you have a brand new box! So, maintain those images, keep your antivirus up to date, patch your boxes, and make sure your IDS/IPS is up to date.
Cory, one of our ever vigilant readers, notified us that the link to 06-040 was incorrect. Thanks Cory. It has been fixed.
Update #2: Since I wrote this article I've read many reports on Symantec and other sites that talk about worms and exploits using MS06-040 in their code, so we're not going to list them all here, but be aware, they are out there! Most of the worm/c0de that I have seen has its machines connecting back to a botnet on IRC somewhere. Apparently that's the thing to do for hackers nowadays: integrate exploit code into a worm, attach botnet c0de, and away you go compromising machines.
Patch those machines, update that antivirus, make sure your firewall is blocking as much as possible, and make sure your IDS/IPS that is on your network is running the latest ruleset.
Update #3: Eric tells us:
"Some of [the worms] attack 445/tcp while others attack 139/tcp. One thing that we have noticed is that some of these variants do slow scans of the B-Class network that they infect as opposed to the more traditional massive, or what I like to call "puke scans", of the B class range. This has made them more difficult to detect and we've had to engineer some new detection methods."
Final Update: We've been following this most recent outcropping of scanning. We'd like to thank all the people that submitted c0de to us, worms, firewall logs, packets, etc.. Thank you. It's what we needed. So that being said, I'm going to close out the story for us unless something new crops up. These worms have been out for a while now, and hopefully we've shed enough light on them. The general patch, update, and block stuff applies. There are ways to catch and prevent the worm with your Snort box if you are running the VRT ruleset with the most updated netbios.rules file, so make sure your ruleset is up-to-date.
Have a good weekend everyone!