
Link Logger (Premium, MVM; join: 2001-03-29; Calgary, AB; kudos: 3; Reviews: Shaw), reply to Komputerguy
Re: Port 137 Scans or 'Intro to Basic Forensics'
All port 137 traffic should be considered malicious; have I given an impression otherwise?
What I am trying to show here is what might be the source of the 137 traffic. If its source port is 137 then it's using a native NetBIOS API call (and hence wouldn't be Opaserv or Bugbear, as they don't use API calls to NetBIOS for the 137 probe), or if the source port is greater than 1023 then it's an application and, given currently active worms on the internet, likely Opaserv or Bugbear. Also, given that Windows doesn't normally dynamically assign ports in the higher ranges (xx,xxx for example), you can feel fairly confident that the infected or attacking system is behind a firewall, as firewalls do map ports into the higher ranges. Of course there is nothing cut into stone here, but this can give you a reasonable confidence as to what is happening.
Could you give me an example of what you are thinking? Perhaps it would help me understand where you are coming from, and perhaps we can expand out the topic a bit to cover that.
Blake

said by Link Logger: All port 137 traffic should be considered malicious; have I given an impression otherwise?
From my interpretation (which certainly is susceptible to frequent lapses), yes.
said by Link Logger: Could you give me an example of what you are thinking? Perhaps it would help me understand where you are coming from, and perhaps we can expand out the topic a bit to cover that.
Fair enough. First, one of your examples is that of ping. I would not personally consider that inherently malicious. It may be malicious, it may not be. In some cases it depends on the context of your network whether ping is considered malicious or undesirable. Another specific example would be any Windows software which was coded to use the gethostbyaddr API will attempt to resolve the name of a given address. If that fails, it will do just what you described in that it will then attempt to get a NetBIOS name resolution using port 137. The software does NOT have to be malicious for this to happen. In fact, until a newer API came out called getnameinfo, the gethostbyaddr API was very commonly used, and still is, actually.
A specific example is WallWatcher, a Linksys router log application. Up until recently it was using gethostbyaddr, which occasionally might cause the NetBIOS 137 connections. This was recognized as being undesirable by the author and users, but programmatically there were few alternatives to resolving the name of a system. In a recent version, this functionality was changed to use getnameinfo, which resolves the issue. But this API is not fully supported by all platforms, so some OSes still may end up using the older gethostbyaddr API. This software is far from being malicious, as is the connection attempt on port 137.
And undesirable != malicious in all cases. Also IMO, systems that are attempting connections due to being poorly configured systems are not malicious. Annoying and undesirable, yes, but not malicious.
Second, is it not true that if a system is "poorly configured" for Windows sharing, it will attempt to browse, and thus possibly make connection attempts in these port ranges? I think this is common for broadband configurations that may have your entire neighborhood on the same shared channel. If true, I wouldn't call that malicious, either. Annoying and undesirable, maybe, but not necessarily malicious.
--
What can possibly go wrong?

(Reviews: Shaw), reply to Link Logger
Link Logger, I apologize my question is a little late in the thread, but the majority of information on Opaserv, for example, from various antivirus sites, tends to describe what it does and not how it does it. In other words, it is a worm that spreads via network shares, creates certain files in the Windows folder, makes certain registry entries and then scans a range of IP addresses for the local area network, searching for computers with an open C: share and NetBIOS enabled over TCP/IP, etc. Given what you describe above in your ping -a example, exactly how does Opaserv perform its scan as described? Is it something as simple as an nbtstat -A request? I'm not particularly computer literate, and describing what it does leaves me very curious as to the how, which in turn would help my understanding of your example. Regards

Link Logger (Premium, MVM; join: 2001-03-29; Calgary, AB; kudos: 3; Reviews: Shaw)
The ping -A example given above was an example of how Windows uses the 'root/system' NetBIOS process to send out a hostname request via source port 137.
Basically, how Opaserv works is that it uses an nbtstat -A-like command, sent using a dynamically allocated UDP port, to see if any shares are available. It then attempts to connect to those shares in order to copy its payload onto the victim's system and update their registry such that the payload will be run on the next boot up. There are some other enhancements that it uses to connect; for example, it can get around fileshare passwords on unpatched Windows 98 systems due to a vulnerability in its fileshare security.
Blake
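The source-port reasoning from Link Logger's first post (source port 137 means the OS's own NetBIOS service sent it; a port above 1023 means an application-owned socket; a port far above the normal dynamic range suggests a NAT/firewall rewrote it) and the nbtstat -A point from the last post can be turned into a small triage script for inbound UDP/137 datagrams logged at a perimeter firewall. The following is an added example written for this page, not code from the thread or from any poster. It assumes the classic Windows dynamic-port ceiling of about 5000 as the threshold for "unusually high" (labelled as an assumption in the code), and all sample datagrams and addresses are constructed inline; the query-type decoding just reports what the sender asked for (a node-status request, which is what nbtstat -A sends, versus an ordinary name query), while the origin guess comes purely from the source port, as in the thread.

```python
"""Triage of inbound UDP/137 probes, built from the heuristics in this thread.

Two signals are combined for each datagram seen by a perimeter firewall:
  1. the UDP source port (who owns the sending socket), and
  2. the NetBIOS Name Service question type (what the sender asked for).
"""
import struct

QTYPE_NB = 0x0020       # ordinary NetBIOS name query (name -> address)
QTYPE_NBSTAT = 0x0021   # node status request, the query `nbtstat -A` sends
NETBIOS_NS_PORT = 137
# Assumption: Windows of that era handed out dynamic ports in roughly
# 1025..5000, so a source port well above that is more likely one that a
# NAT/firewall device rewrote on the way out.
EPHEMERAL_HIGH = 5000

ORIGIN_NATIVE = "native-netbios"       # sent by the OS name service itself
ORIGIN_APP = "application"             # sent from an application-owned socket
ORIGIN_NAT = "application-nat-mapped"  # application socket behind a port-mapping device
ORIGIN_RESERVED = "reserved-port"      # source port below 1024 other than 137


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding (RFC 1001): each byte of the 16-byte name becomes
    two letters, one per nibble, each nibble added to 'A'."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))


def decode_netbios_name(encoded: bytes) -> str:
    """Reverse of encode_netbios_name; returns the 15-character name, trimmed."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("invalid first-level encoded name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace")


def build_query(tid: int, name: str, qtype: int, pad: bytes = b" ") -> bytes:
    """Build a 50-byte NBNS query datagram (used here only to construct samples)."""
    flags = 0x0110 if qtype == QTYPE_NB else 0x0000  # RD+B bits for a broadcast name query
    header = struct.pack("!6H", tid, flags, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name, pad=pad) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 0x0001)


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and first question of an NBNS query; raise on anything odd."""
    if len(payload) < 50:
        raise ValueError("too short for an NBNS question")
    tid, flags, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1 or payload[12] != 32 or payload[45] != 0:
        raise ValueError("malformed question section")
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {"tid": tid, "name": decode_netbios_name(payload[13:45]),
            "qtype": qtype, "qclass": qclass}


def classify_probe(src_port: int, payload: bytes) -> tuple:
    """Return (origin, query_kind, queried_name) for one inbound UDP/137 datagram."""
    try:
        q = parse_nbns_query(payload)
    except ValueError as exc:
        return ("unparsed", f"malformed: {exc}", "")
    if q["qtype"] == QTYPE_NBSTAT:
        kind = "node-status"     # what nbtstat -A asks for
    elif q["qtype"] == QTYPE_NB:
        kind = "name-query"      # plain name lookup
    else:
        kind = f"qtype-0x{q['qtype']:04x}"
    # Origin guess follows the thread: 137 = OS name service, >1023 = application,
    # far above the dynamic range = probably rewritten by a NAT/firewall.
    if src_port == NETBIOS_NS_PORT:
        origin = ORIGIN_NATIVE
    elif src_port > EPHEMERAL_HIGH:
        origin = ORIGIN_NAT
    elif src_port > 1023:
        origin = ORIGIN_APP
    else:
        origin = ORIGIN_RESERVED
    return (origin, kind, q["name"])


# Constructed sample firewall records: (source ip, source port, udp payload).
SAMPLE_PROBES = [
    ("192.0.2.10", 137, build_query(0x1001, "*", QTYPE_NBSTAT, pad=b"\x00")),      # OS-originated
    ("192.0.2.20", 2049, build_query(0x1002, "*", QTYPE_NBSTAT, pad=b"\x00")),     # application socket
    ("198.51.100.7", 33210, build_query(0x1003, "*", QTYPE_NBSTAT, pad=b"\x00")),  # NAT-mapped port
    ("192.0.2.30", 137, build_query(0x1004, "WORKGROUP", QTYPE_NB)),               # plain name lookup
    ("192.0.2.40", 4000, b"\x00\x01"),                                             # junk datagram
]


def triage(records):
    """Annotate each (ip, port, payload) record with the classification tuple."""
    return [(ip, port) + classify_probe(port, payload) for ip, port, payload in records]


if __name__ == "__main__":
    for row in triage(SAMPLE_PROBES):
        print(row)
```

The origin column is only a confidence hint, as the thread itself says: a misconfigured neighbour's browse traffic and a worm's probe can look identical at the port level, so the row is a starting point for correlating with follow-up TCP/139 or TCP/445 connection attempts, not a verdict on its own.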