Skip to Main Content

Hitachi Logo
earth icon
    mail icon Contact Us
    Hitachi Global
    Hitachi Global

    HIRT-PUB07005:Let's take a look at the flow of packet data transmitted by a worm Part II (2)

    The flow of packet data transmitted by typical worms

    The following shows the typical five worms visualized by the tool.

    Blaster

    (1) Outline
    Blaster transmits a packet that attacks the vulnerability of Windows (MS03-026) to the TCP port #135*4 of random IP addresses.

    (2) Searching activity
    Blaster searches IP addresses with a fixed 1st ~ 3rd octet and monotonically increases 4th octet. This will be because adjacent nodes in the same network segment as that of the infected node can be found effectively.

    Visualization of MS Blaster

    Reference: Buffer overrun in RPC interface may allow code execution (823980) (MS03-026)
    (http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx)

    Nimda

    (1) Outline
    Nimda attacks vulnerability of the web server (IIS: Internet Information Service) (MS00-078) using TCP port #80 and transfers the body of the worm to the target node through TCP port #137 - #139 and #445.

    (2) Searching activity
    In case of the Nimda worm, a bias is seen in the range of the first octet. In the third and fourth octets meanwhile, the address is selected in a more random manner than the other octets.

    Visualization of Nimda

     

    Reference: Patch for 'Web server folder traversal' vulnerability (MS00-078)
    (http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx)

    Zotob

    (1) Outline
    Zotob transmits packets that attack the vulnerability in Plug and Play of Windows (MS05-039) using TCP port #445.

     

    (2) Searching activity
    The Zotob worm makes the search, expanding the range of the fourth octet of the destination IP address while fixing all the other octets. It is also evident that this worm changes the search patterns of the fourth octet over time.

    Figure:Visualization of <Zotob>
    Figure:Visualization of <Zotob>

    Reference: Vulnerability in Plug and Play could allow remote code execution and elevation of privilege (899588) (MS05-039)


    (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)

    CodeRed

    (1) Outline
    CodeRed transmits a packet that attacks the vulnerability of web server (IIS: Internet Information Service) (MS01-033) using TCP port #80.

    (2) Searching activity
    While the CodeRed worm basically fixes the first and second octets of the destination IP address, it sometimes randomizes the range for these two octets in its search. Also, in this worm's case, there is a bias in the selected area of the first octet, as the Nimda worm.

    Visualization of CodeRed

     

    Reference: Unchecked Index Server ISAPI extension could enable web server compromise (MS01-033)

    (http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx)

    SQLSlammer

    (1) Outline
    SQLSlammer targets the vulnerability of SQL Server 2000 (MS02-039) that transmits harmful packets to UDP port #1434.

    (2) Searching activity
    The SQLSlammer worm conducts the search, expanding the range of all the octets of the destination IP address, whereby the worm may search a wider area without limiting the target networks. Also, this worm transmits far more packets than other worms within a specific period. Therefore, it is recommended to set the playing speed to slow when you use the visualization tool provided on this website.

    Visualization of SQLSlammer

     


    Reference: Buffer overruns in SQL Server 2000 resolution service might enable code execution (323875) (MS02-039)(http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx)



    *4 A special number assigned to a virtual data connection to distinguish the information destination on the computer. Assuming that IP address is a hotel address, a port is a room number