Worm War

Today was Day Four of Worm War.

My firewall log analysis yesterday evening showed that three of my IP video servers were among the infected many. I spent the entire morning clearing SdBot off of these three servers. I finally had to unplug them from the network and plug them in behind the Police firewall: traffic bringing new infections was coming so fast that I couldn't keep the servers clean long enough to patch them. Thankfully once they were in the safer harbor of the Police network I got all of the updates loaded and the last dregs of SdBot cleaned off them.

Previous worms like Slammer and Nachi would cause an infected PC to start hosing the network with infection traffic aimed at truly random IP addresses. We use a range of IP addresses ( -, set aside by the Internet gods for internal networks) that covers 1/256 of the Internet's addresses. A PC firing out traffic randomly has a 255 in 256 chance of sending to an address that's not in the range, meaning that all of those attempts will be logged by one of my firewalls. Look in the firewall logs and you can find the footprints of the infected PCs.

SdBot is proving much trickier to track down. A PC infected with SdBot doesn't just blast away at random IP addresses looking for its next victim. SdBot-carriers send their traffic to randomly generated IP addresses near their own. So, most of the traffic from an infected PC on our network is aimed at other 10.x.x.x addresses — which doesn't reach the firewall and thus doesn't generate a log entry. Some traffic does though, so about half of the PCs we've identified so far have been ID'd through log analysis. The other half have been ID'd through the labor-intensive process of capturing a sample of traffic from each site with Sniffer and then eyeballing the packets (this is made easier by exporting summary data to Excel and doing a few sorts).
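To make the two points above concrete, here is an added example (not code from the original post) that counts per-source external scan targets in constructed firewall log lines, and estimates how much of a scanner's traffic ever reaches a perimeter firewall for uniform-random targets versus targets kept near the scanner's own address. The log format and the "keep the top k bits" locality model are assumptions for illustration, not the real log layout or SdBot's actual algorithm.

```python
"""Hunt worm-infected hosts by the outbound scan footprint they leave in firewall logs."""
import ipaddress
import random

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the 1/256 of IPv4 the post describes

# Constructed sample log lines in a hypothetical "time action src dst proto dport" layout.
SAMPLE_LOG = """\
09:01:02 DENY 10.4.7.12 203.0.113.9 TCP 445
09:01:02 DENY 10.4.7.12 198.51.100.77 TCP 445
09:01:03 DENY 10.4.7.12 192.0.2.200 TCP 445
09:01:05 ALLOW 10.4.7.30 203.0.113.50 TCP 80
09:01:06 DENY 10.4.7.12 203.0.113.10 TCP 139
09:01:07 DENY 10.9.1.5 198.51.100.3 TCP 445
09:01:08 DENY 10.9.1.5 10.200.3.4 TCP 445
"""


def scan_footprints(log, min_targets=3):
    """Count distinct external destinations per internal source; flag sources at/above min_targets."""
    targets = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed or truncated lines
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        # Only traffic leaving the internal range ever reaches the perimeter firewall,
        # so internal-to-internal probes (like the last sample line) are invisible here.
        if src in INTERNAL and dst not in INTERNAL:
            targets.setdefault(src, set()).add(dst)
    return {str(s): len(d) for s, d in targets.items() if len(d) >= min_targets}


def firewall_visible_fraction(own_ip, n=10000, local_bits=None, seed=1):
    """Fraction of n random scan targets that fall outside INTERNAL and so would be logged.

    local_bits=None: targets uniform over IPv4 (Slammer/Nachi style).
    local_bits=k: modeled locality (an assumption, not SdBot's real algorithm):
    keep the top k bits of own_ip and randomize the rest.
    """
    rng = random.Random(seed)
    own = int(ipaddress.ip_address(own_ip))
    visible = 0
    for _ in range(n):
        if local_bits is None:
            t = rng.getrandbits(32)
        else:
            mask = (0xFFFFFFFF << (32 - local_bits)) & 0xFFFFFFFF
            t = (own & mask) | rng.getrandbits(32 - local_bits)
        if ipaddress.ip_address(t) not in INTERNAL:
            visible += 1
    return visible / n
```

With uniform targets the logged fraction lands near 255/256; with targets confined to the scanner's own /8 or /16 it drops to zero, which is why the post's log analysis only catches the infected hosts whose stray external probes happen to hit the perimeter.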

So, while nothing crashed today, it was what one Mainer called one long fezzle from beginning to end. ...With more in the offing for tomorrow.


On the up-side, however, I must note (with complete geek satisfaction) that Asha and I took a nice long walk through the neighborhood behind our house at sunset ... and spent the entire time talking about MAC addresses, Ethernet, IP, TCP, the OSI Model, and how the whole thing works together to get the Spam du jour to your PC.

