MSBLAST.D (W32/Nachi) Worm


Infection sequence:
  1. This worm scans the local subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data.

  2. A remote shell is created on the target system on TCP port 707. Victim machines are instructed to download the worm via TFTP. Two programs are downloaded:
    C:\WINDOWS\SYSTEM32\WINS\DLLHOST.EXE
    C:\WINDOWS\SYSTEM32\WINS\SVCHOST.EXE
    Their MD5 checksums:
    53bfe15e9143d86b276d73fdcaf66265 DLLHOST.EXE
    a08f3b74a44279644e3e5db508491131 SVCHOST.EXE

  3. Download and apply the MS03-026 patch to the machine so as to prevent the RPC service from failing (this is the KB823980 hotfix recorded in the event log below).

  4. Reboot the system to make the patch active.

  5. Start the ICMP scan.

Process tables of the infected honeypot

Event log shown in the honeypot:

Aug 19 15:13:58 honey2 Eventlog to Syslog Service Started: Version 3.4
Aug 19 15:15:34 honey2 Service Control Manager: PC20\IE: The Fast User Switching Compatibility service was successfully sent a start control.
Aug 19 15:15:34 honey2 Service Control Manager: N/A: The Fast User Switching Compatibility service entered the running state.
Aug 19 15:15:34 honey2 Service Control Manager: NT AUTHORITY\SYSTEM: The Network Connections service was successfully sent a start control.
Aug 19 15:15:34 honey2 Service Control Manager: N/A: The Network Connections service entered the running state.
Aug 19 15:15:34 honey2 Service Control Manager: NT AUTHORITY\SYSTEM: The SSDP Discovery Service service was successfully sent a start control.
Aug 19 15:15:34 honey2 Service Control Manager: N/A: The SSDP Discovery Service service entered the running state.
Aug 19 15:15:34 honey2 Service Control Manager: NT AUTHORITY\SYSTEM: The Network Location Awareness (NLA) service was successfully sent a start control.
Aug 19 15:15:34 honey2 Service Control Manager: N/A: The Network Location Awareness (NLA) service entered the running state.
Aug 19 15:17:39 honey2 NtServicePack: NT AUTHORITY\SYSTEM: Windows XP Hotfix KB823980 was installed.

The worm applied the patch and rebooted the honeypot:

Aug 19 15:19:12 honey2 Eventlog to Syslog Service Started: Version 3.4
Aug 19 15:20:42 honey2 Service Control Manager: NT AUTHORITY\SYSTEM: The Network Connections Sharing service was successfully sent a start control.
Aug 19 15:20:42 honey2 Service Control Manager: N/A: The Network Connections Sharing service entered the running state.
Aug 19 15:27:08 honey2 Service Control Manager: PC20\IE: The Fast User Switching Compatibility service was successfully sent a start control.
Aug 19 15:27:08 honey2 Service Control Manager: N/A: The Fast User Switching Compatibility service entered the running state.
Aug 19 15:27:18 honey2 Service Control Manager: NT AUTHORITY\SYSTEM: The Network Connections service was successfully sent a start control.
Aug 19 15:27:18 honey2 Service Control Manager: N/A: The Network Connections service entered the running state.
Aug 19 15:27:18 honey2 Service Control Manager: N/A: The Network Location Awareness (NLA) service entered the running state.
Aug 19 15:28:03 honey2 Service Control Manager: NT AUTHORITY\SYSTEM: The Windows Image Acquisition (WIA) service was successfully sent a start control.
Aug 19 15:28:03 honey2 Service Control Manager: N/A: The Windows Image Acquisition (WIA) service entered the running state.

ICMP signature from WORM_MSBLAST.D

14:26:49.106465 137.186.236.133 > 192.168.20.2: icmp: echo request
    0x0000 4500 005c ed04 0000 7001 12b2 89ba ec85 E..\....p.......
    0x0010 c0a8 1402 0800 434d 0200 5d5d aaaa aaaa ......CM..]]....
    0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

14:36:30.181612 137.186.195.162 > 192.168.20.2: icmp: echo request
    0x0000 4500 005c f3de 0000 7001 34bb 89ba c3a2 E..\....p.4.....
    0x0010 c0a8 1402 0800 c25b 0200 de4e aaaa aaaa .......[...N....
    0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

14:38:51.110773 137.186.231.151 > 192.168.20.2: icmp: echo request
    0x0000 4500 005c 56d4 0000 7001 add0 89ba e797 E..\V...p.......
    0x0010 c0a8 1402 0800 4a6b 0200 563f aaaa aaaa ......Jk..V?....
    0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

14:39:03.922866 137.186.246.58 > 192.168.20.2: icmp: echo request
    0x0000 4500 005c fe6c 0000 7001 f794 89ba f63a E..\.l..p......:
    0x0010 c0a8 1402 0800 4b4d 0200 555d aaaa aaaa ......KM..U]....
    0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

14:44:22.148421 137.186.238.242 > 192.168.20.2: icmp: echo request
    0x0000 4500 005c f9c7 0000 7001 0382 89ba eef2 E..\....p.......
    0x0010 c0a8 1402 0800 4b4d 0200 555d aaaa aaaa ......KM..U]....
    0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
    0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

Hacking Pattern
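The echo requests captured above are the scanner pings of step 1, and they have a fixed shape: a 92-byte IPv4 datagram, ICMP type 8, and a 64-byte payload that is nothing but 0xaa. The following Python detector is an added example (not code from the original write-up): it rebuilds the raw packet from tcpdump -x hex lines like those above, verifies the IP and ICMP checksums so that garbled captures do not produce alerts, and then matches the signature. It assumes the tcpdump layout shown on this page (offset column, 4-digit hex words, trailing ASCII column).

```python
import struct

# Constructed sample: the first echo request captured above, in tcpdump -x layout.
NACHI_DUMP = """\
0x0000 4500 005c ed04 0000 7001 12b2 89ba ec85 E..\\....p.......
0x0010 c0a8 1402 0800 434d 0200 5d5d aaaa aaaa ......CM..]]....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............
"""


def packet_from_hexdump(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x lines (offset, hex words, ASCII column)."""
    words = []
    for line in dump.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            tokens = tokens[1:]              # drop the offset column
        # Keep only 4-digit hex words; the ASCII column never looks like one here (assumption).
        words += [t for t in tokens if len(t) == 4 and set(t.lower()) <= set("0123456789abcdef")]
    return bytes.fromhex("".join(words))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def is_nachi_ping(pkt: bytes) -> bool:
    """Match the worm's scanner ping: 92-byte IPv4 echo request carrying 64 bytes of 0xaa."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or total_len != 92 or len(pkt) != total_len:
        return False                         # not ICMP, or not the worm's fixed size
    if inet_checksum(pkt[:ihl]) != 0:
        return False                         # corrupt IP header: never alert on garbage
    icmp = pkt[ihl:]
    if icmp[0] != 8 or inet_checksum(icmp) != 0:
        return False                         # not an echo request, or bad ICMP checksum
    return icmp[8:] == b"\xaa" * 64
```

Run against the first capture, `is_nachi_ping(packet_from_hexdump(NACHI_DUMP))` returns True, and recomputing the ICMP checksum over the header with that field zeroed gives the 0x434d seen in the dump.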

ICMP flood from the honeypot

15:19:22.148515 192.168.20.2 > 192.168.0.0: icmp: echo request
15:19:22.154455 192.168.20.2 > 192.168.0.1: icmp: echo request
15:19:22.164797 192.168.20.2 > 192.168.0.2: icmp: echo request
15:19:22.174535 192.168.20.2 > 192.168.0.3: icmp: echo request
15:19:22.184530 192.168.20.2 > 192.168.0.4: icmp: echo request
15:19:22.194525 192.168.20.2 > 192.168.0.5: icmp: echo request
15:19:22.205040 192.168.20.2 > 192.168.0.6: icmp: echo request
15:19:22.214541 192.168.20.2 > 192.168.0.7: icmp: echo request
15:19:22.224469 192.168.20.2 > 192.168.0.8: icmp: echo request
15:19:22.234570 192.168.20.2 > 192.168.0.9: icmp: echo request
15:19:22.244549 192.168.20.2 > 192.168.0.10: icmp: echo request
15:19:22.254624 192.168.20.2 > 192.168.0.11: icmp: echo request
15:19:22.264836 192.168.20.2 > 192.168.0.12: icmp: echo request
15:19:22.274668 192.168.20.2 > 192.168.0.13: icmp: echo request
15:19:22.284869 192.168.20.2 > 192.168.0.14: icmp: echo request
15:19:22.294626 192.168.20.2 > 192.168.0.15: icmp: echo request
15:19:22.305007 192.168.20.2 > 192.168.0.16: icmp: echo request
15:19:22.315078 192.168.20.2 > 192.168.0.17: icmp: echo request
15:19:22.325197 192.168.20.2 > 192.168.0.18: icmp: echo request
15:19:22.334797 192.168.20.2 > 192.168.0.19: icmp: echo request
15:19:22.344707 192.168.20.2 > 192.168.0.20: icmp: echo request
15:19:22.354669 192.168.20.2 > 192.168.0.21: icmp: echo request
15:19:22.364698 192.168.20.2 > 192.168.0.22: icmp: echo request
15:19:22.414540 192.168.20.2 > 192.168.0.23: icmp: echo request
15:19:22.430271 192.168.20.2 > 192.168.0.24: icmp: echo request
15:19:22.431010 192.168.20.2 > 192.168.0.25: icmp: echo request
15:19:22.434799 192.168.20.2 > 192.168.0.26: icmp: echo request
15:19:22.444860 192.168.20.2 > 192.168.0.27: icmp: echo request
15:19:22.454752 192.168.20.2 > 192.168.0.28: icmp: echo request
15:19:22.464876 192.168.20.2 > 192.168.0.29: icmp: echo request
15:19:22.475364 192.168.20.2 > 192.168.0.30: icmp: echo request
15:19:22.484952 192.168.20.2 > 192.168.0.31: icmp: echo request
15:19:22.495440 192.168.20.2 > 192.168.0.32: icmp: echo request
15:19:22.504901 192.168.20.2 > 192.168.0.33: icmp: echo request
15:19:22.515179 192.168.20.2 > 192.168.0.34: icmp: echo request
15:19:22.525057 192.168.20.2 > 192.168.0.35: icmp: echo request
15:19:22.534980 192.168.20.2 > 192.168.0.36: icmp: echo request
15:19:22.545075 192.168.20.2 > 192.168.0.37: icmp: echo request
15:19:22.555652 192.168.20.2 > 192.168.0.38: icmp: echo request
15:19:22.564883 192.168.20.2 > 192.168.0.39: icmp: echo request
15:19:22.575028 192.168.20.2 > 192.168.0.40: icmp: echo request
15:19:22.585401 192.168.20.2 > 192.168.0.41: icmp: echo request
15:19:22.595036 192.168.20.2 > 192.168.0.42: icmp: echo request
15:19:22.605430 192.168.20.2 > 192.168.0.43: icmp: echo request
15:19:22.615346 192.168.20.2 > 192.168.0.44: icmp: echo request
15:19:22.625368 192.168.20.2 > 192.168.0.45: icmp: echo request
15:19:22.635116 192.168.20.2 > 192.168.0.46: icmp: echo request
15:19:22.645480 192.168.20.2 > 192.168.0.47: icmp: echo request
15:19:22.656112 192.168.20.2 > 192.168.0.48: icmp: echo request
15:19:22.665210 192.168.20.2 > 192.168.0.49: icmp: echo request
15:19:22.675673 192.168.20.2 > 192.168.0.50: icmp: echo request
15:19:22.685416 192.168.20.2 > 192.168.0.51: icmp: echo request
15:19:22.737774 192.168.20.2 > 192.168.0.52: icmp: echo request
15:19:22.739029 192.168.20.2 > 192.168.0.53: icmp: echo request
15:19:22.745224 192.168.20.2 > 192.168.0.54: icmp: echo request
15:19:22.755203 192.168.20.2 > 192.168.0.55: icmp: echo request
15:19:22.765091 192.168.20.2 > 192.168.0.56: icmp: echo request
15:19:22.775375 192.168.20.2 > 192.168.0.57: icmp: echo request
15:19:22.785752 192.168.20.2 > 192.168.0.58: icmp: echo request
15:19:22.795461 192.168.20.2 > 192.168.0.59: icmp: echo request
15:19:22.805812 192.168.20.2 > 192.168.0.60: icmp: echo request
15:19:22.815226 192.168.20.2 > 192.168.0.61: icmp: echo request
15:19:22.825660 192.168.20.2 > 192.168.0.62: icmp: echo request
15:19:22.835508 192.168.20.2 > 192.168.0.63: icmp: echo request
15:19:22.845565 192.168.20.2 > 192.168.0.64: icmp: echo request
15:19:22.855380 192.168.20.2 > 192.168.0.65: icmp: echo request
15:19:22.865736 192.168.20.2 > 192.168.0.66: icmp: echo request
15:19:22.875525 192.168.20.2 > 192.168.0.67: icmp: echo request
15:19:22.885947 192.168.20.2 > 192.168.0.68: icmp: echo request
15:19:22.895534 192.168.20.2 > 192.168.0.69: icmp: echo request
15:19:22.905902 192.168.20.2 > 192.168.0.70: icmp: echo request
15:19:22.915467 192.168.20.2 > 192.168.0.71: icmp: echo request
15:19:22.925766 192.168.20.2 > 192.168.0.72: icmp: echo request
15:19:22.935709 192.168.20.2 > 192.168.0.73: icmp: echo request
15:19:22.945698 192.168.20.2 > 192.168.0.74: icmp: echo request
15:19:22.956162 192.168.20.2 > 192.168.0.75: icmp: echo request
15:19:22.965481 192.168.20.2 > 192.168.0.76: icmp: echo request

ICMP PING alert from our upstream IDS

The ICMP PING traffic gradually dropped off after Jan 1, 2004.

There were still several thousand each day in January.