Ringo Langly
Hi all,
On our network yesterday we were down due to a VERY peculiar issue
that I can only think is a virus. At some time around 8am CST
yesterday (June 29th) we had 4 PCs on our network start sending http
packets to the website www.energex.com.au, but each packet went
sequentially through IP addresses. After 250 or so IPs it totally
changed IPs and started going up again.
We think the PCs also spoofed MAC addresses, so it was almost
impossible to track down where they were. The only way we were able
to see the traffic was via our firewall server, which we disconnected
from the Internet so as to stop the DoS attack it was apparently trying
to do.
After basically going port by port in our computer room trying to find
where these computers were, we found that 2 were off-site coming in
via T-1, one was within the local building, and one we never did track
down. Since the destination did not change we blocked the packets at
the router level based on destination, which made the network usable.
This morning it's gone... like it never happened. With the filters on
our routers turned off, we're seeing zero abnormal traffic going to
the energex website, and we're still not sure where the 4 PCs are.
Has anyone else run into this issue? I've found worms that broadcast
to sequential IP addresses, but none that actually change the source
of the packet to a sequential IP. This also appeared to be a DoS
attack on www.energex.com.au, but I've found no other references to
anyone with this problem. We're in Texas, which is quite a few miles
away from Australia, so not sure why anyone would try to start this
from our network.
Suggestions or comments please! We're going over our network with a
fine-tooth comb right now, and though all is back to normal now,
things are still locked down.
Thanks for any light that can be shed on this. Oh, and if this
helps, our network is basically Windows clients (from 98 through XP),
all servers are Windows from NT 4.0 through 2003 (with a few Linux
boxes sprinkled in), and most of our routers are Cisco.
- Ringo -
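One way to pick the pattern Ringo describes out of firewall logs, added here as an example and not part of the original post: group packets by destination and flag any destination whose source addresses arrive as long runs that climb by exactly one address per packet. The log format, addresses and the 20-packet threshold are constructed for the example, not taken from any real firewall.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log in a made-up "time src dst dport" format.
# The spoofed sources toward the target walk upward one address per
# packet and then jump to a new block, as described in the post.
def make_sample_log():
    lines = []
    spoofed = [f"10.0.{b}.{h}" for b in (7, 9) for h in range(1, 31)]
    for i, src in enumerate(spoofed):
        lines.append(f"08:00:{i % 60:02d} {src} 203.0.113.10 80")
    # Ordinary traffic from a couple of stable workstations (constructed)
    for i, src in enumerate(["192.168.1.5", "192.168.1.7", "192.168.1.5"]):
        lines.append(f"08:01:{i:02d} {src} 198.51.100.20 443")
    return lines

def parse(line):
    """Split one constructed log line into (time, src as int, dst, dport)."""
    ts, src, dst, dport = line.split()
    return ts, int(ipaddress.ip_address(src)), dst, int(dport)

def sequential_runs(sources):
    """Split integer source IPs into runs where each is the previous + 1."""
    runs, cur = [], []
    for ip in sources:
        if cur and ip != cur[-1] + 1:
            runs.append(cur)
            cur = []
        cur.append(ip)
    if cur:
        runs.append(cur)
    return runs

def find_sequential_sources(lines, min_run=20):
    """Return {(dst, dport): [(first_src, last_src, length), ...]} for every
    destination that received at least one run of min_run climbing sources."""
    by_dst = defaultdict(list)
    for line in lines:
        _, src, dst, dport = parse(line)
        by_dst[(dst, dport)].append(src)
    alerts = {}
    for key, sources in by_dst.items():
        runs = [r for r in sequential_runs(sources) if len(r) >= min_run]
        if runs:
            alerts[key] = [(str(ipaddress.ip_address(r[0])),
                            str(ipaddress.ip_address(r[-1])), len(r)) for r in runs]
    return alerts
```

Each alert reports the first and last address of a run, so the two 30-address blocks in the sample show up as two separate runs against the same destination, which is the "changed IPs and started going up again" behaviour from the post.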