Skip to main content

Hitachi
Contact UsContact Us

HIRT-PUB07004: Let's take a look at the flow of packet data transmitted by a worm (2)

The flow of packet data transmitted by typical worms


The following shows the typical five worms visualized by the tool.

Blaster

Figure:Visualization of <MS Blaster>

(1) Outline

Blaster transmits a packet that attacks the vulnerability of Windows (MS03-026) to the TCP port #135*4 of random IP addresses.

(2) Searching activity

Blaster searches IP addresses with a fixed 1st ~ 3rd octet and monotonically increases 4th octet. This will be because adjacent nodes in the same network segment as that of the infected node can be found effectively.

Reference: Buffer overrun in RPC interface may allow code execution (823980) (MS03-026)
( http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx)

Nimda

Figure:Visualization of <Nimda>

(1) Outline

Nimda attacks vulnerability of the web server (IIS: Internet Information Service) (MS00-078) using TCP port #80 and transfers the body of the worm to the target node through TCP port #137 - #139 and #445.

(2) Searching activity

Nimda expands the searching range by changing the 3rd ~ 4th octet randomly while fixing the 1st ~ 2nd octet of the destination IP address.

Reference: Patch for 'Web server folder traversal' vulnerability (MS00-078)
( http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx)

Zotob

Figure:Visualization of <Zotob>

(1) Outline

Zotob transmits packets that attack the vulnerability in Plug and Play of Windows (MS05-039) using TCP port #445.

(2) Searching activity

Zotob searches IP addresses with fixed 1st ~ 3rd octet and regularly changes the 4th octet split in five blocks. Moreover, it gradually expands the search target over time, by gradually adding a random nature to the 3rd octet.

Reference: Vulnerability in Plug and Play could allow remote code execution and elevation of privilege (899588) (MS05-039)
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)

CodeRed

Figure:Visualization of <CodeRed>

(1) Outline

CodeRed transmits a packet that attacks the vulnerability of web server (IIS: Internet Information Service) (MS01-033) using TCP port #80.

(2) Searching activity

CodeRed searches IP addresses changing the 2nd ~ 4th octet while fixing the 1st octet of the destination IP address. Moreover, it splits the 3rd octet into three blocks, which are regularly changed for searching, while also performing the same as the 4th octet.

Reference: Unchecked Index Server ISAPI extension could enable web server compromise (MS01-033)
( http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx)

SQLSlammer

Figure:Visualization of <SQLSlammer>

(1) Outline

SQLSlammer targets the vulnerability of SQL Server 2000 (MS02-039) that transmits harmful packets to UDP port #1434.

(2) Searching activity

SQLSlammer searches IP addresses by randomly changing the 1st ~ 4th octet of the destination IP address. This is intended to explore a wide range without limiting the target network.

  • * This worm transmits far more packets than other worms within a specific period. Therefore, it is recommended to set the playing speed to slow when you use the visualization tool provided on this website.
Reference: Buffer overruns in SQL Server 2000 resolution service might enable code execution (323875) (MS02-039)
( http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx)

*4
A special number assigned to a virtual data connection to distinguish the information destination on the computer. Assuming that IP address is a hotel address, a port is a room number