Created: 2002-02-14
Modified: 2004-02-02 LB
2004-02-02:
A common source of tcp/80 probes is the Nachi/Welchia worm. It is indicated by a combination
of tcp/80, tcp/135 and/or icmp scanning activity. If you received an mNW notice with this signature,
you can confirm Nachi/Welchia using our SecCheck. See the Nachi/Welchia case study
in the Case Studies section to see exactly what to look for in the SecCheck results.
2002-02-14:
Throughout 2001 several versions of the Code Red and Nimda worms were released. Both propagate via tcp/80 (HTTP):
CA-2001-19: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
CA-2001-23: Continued Threat of the "Code Red" Worm
CA-2001-26: Nimda Worm
Even 6 months after the initial outbreak of Code Red, port 80 scans make up over 75% of all port scan activity on the Internet (based on mNW data in Feb 2002).
You'd think that with all the Code Red and Nimda press and the increased awareness of security issues, the activity of these worms would die out.
I believe that one reason these infections have gone undetected is a side effect of Network Address Translation (NAT).
When an infected host has a PUBLIC IP address, it attempts to cross-infect other hosts in similar network address ranges.
For example: worm targeting LIKE IP addresses [log excerpt not preserved]
I have not confirmed this conclusively, but I believe Code Red and Nimda's targeting algorithms are completely different when the infected host has a PRIVATE IP address (and accesses the Internet via NAT). In this scenario, the worms appear to revert to a completely RANDOM targeting algorithm.
For example: worm targeting RANDOM IP addresses [log excerpt not preserved]
Note how the target IPs are completely unrelated to the source IP.
Because infected hosts behind NAT generate RANDOM scanning, they are much less likely to be detected than infected hosts performing focused (LIKE IPs) scanning.
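Both signals this page describes, the Nachi/Welchia port mix and LIKE versus RANDOM targeting, can be checked mechanically from a probe log. The Python below is an added example, not mNW's SecCheck and not code from this page. It assumes a flat, constructed log format of `src dst proto port` lines (not mNW's real layout), an assumed rule that any two of tcp/80, tcp/135 and icmp from one source count as the Nachi/Welchia signature, and assumed thresholds (at least 5 probes, and at least half the targets inside the source's /8) before a source's targeting is called LIKE rather than RANDOM.

```python
"""Triage probe logs: flag the Nachi/Welchia port mix and tell LIKE-IP
(locality-biased) scanning from RANDOM scanning. Added illustration only;
not mNW's SecCheck and not any worm's real target-selection code."""
from collections import defaultdict
import ipaddress

# Constructed sample, one probe per line: "<src> <dst> <proto> <port>".
# Assumed flat format for this example, not mNW's actual log layout.
SAMPLE_LOG = """\
203.0.113.7 203.0.113.9 tcp 80
203.0.113.7 203.0.113.44 tcp 80
203.0.113.7 203.0.113.201 tcp 80
203.0.113.7 203.5.17.3 tcp 80
203.0.113.7 203.77.2.9 tcp 80
198.51.100.20 23.45.67.8 tcp 80
198.51.100.20 131.2.200.9 tcp 80
198.51.100.20 64.10.11.12 tcp 80
198.51.100.20 9.120.33.4 tcp 80
198.51.100.20 172.99.100.5 tcp 80
192.0.2.55 203.0.113.9 icmp 0
192.0.2.55 203.0.113.9 tcp 135
192.0.2.55 203.0.113.10 tcp 80
"""

MIN_PROBES = 5        # assumed: fewer probes than this gives no locality verdict
LIKE_THRESHOLD = 0.5  # assumed: this share of targets in the source's /8 => LIKE

# The page lists tcp/80, tcp/135 and/or icmp for Nachi/Welchia.
NACHI_MARKERS = {("tcp", 80), ("tcp", 135), ("icmp", None)}


def parse_log(text):
    """Return (src, dst, proto, port) tuples, skipping blank or malformed lines."""
    probes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, port = parts
        try:
            ipaddress.IPv4Address(src)
            ipaddress.IPv4Address(dst)
            port = int(port)
        except ValueError:  # AddressValueError is a ValueError subclass
            continue
        probes.append((src, dst, proto.lower(), port))
    return probes


def shares_prefix(a, b, bits):
    """True if IPv4 addresses a and b agree on their first `bits` bits."""
    shift = 32 - bits
    return (int(ipaddress.IPv4Address(a)) >> shift) == (int(ipaddress.IPv4Address(b)) >> shift)


def locality(src, targets):
    """Fraction of targets inside the source's /8 and /16 (duplicates count)."""
    n = len(targets)
    if n == 0:
        return 0.0, 0.0
    in8 = sum(shares_prefix(src, t, 8) for t in targets)
    in16 = sum(shares_prefix(src, t, 16) for t in targets)
    return in8 / n, in16 / n


def classify_targeting(src, targets):
    """LIKE when enough targets share the source's /8, else RANDOM; too few probes => INSUFFICIENT."""
    frac8, frac16 = locality(src, targets)
    if len(targets) < MIN_PROBES:
        return "INSUFFICIENT", frac8, frac16
    return ("LIKE" if frac8 >= LIKE_THRESHOLD else "RANDOM"), frac8, frac16


def nachi_welchia_signature(services):
    """Assumed rule: any two of the three markers seen from one source match."""
    seen = set()
    for proto, port in services:
        seen.add(("icmp", None) if proto == "icmp" else (proto, port))
    return len(seen & NACHI_MARKERS) >= 2


def analyze(text):
    """Per-source report: probe count, targeting verdict, locality fractions, signature flag."""
    by_src = defaultdict(lambda: {"targets": [], "services": set()})
    for src, dst, proto, port in parse_log(text):
        by_src[src]["targets"].append(dst)
        by_src[src]["services"].add((proto, port))
    report = {}
    for src, info in by_src.items():
        verdict, frac8, frac16 = classify_targeting(src, info["targets"])
        report[src] = {
            "probes": len(info["targets"]),
            "targeting": verdict,
            "same_slash8": frac8,
            "same_slash16": frac16,
            "nachi_welchia": nachi_welchia_signature(info["services"]),
        }
    return report


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        print(src, r)
```

In the constructed sample, 203.0.113.7 comes out LIKE (every target in its /8, three of five in its /16), 198.51.100.20 comes out RANDOM, and 192.0.2.55 matches the Nachi/Welchia port mix but has too few probes for a targeting verdict. This is also where the page's NAT point bites: when the observed source is a NAT gateway's public address, a RANDOM verdict is consistent with an infected host behind it, so the verdict alone cannot identify which internal host is infected.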