Opaserv reaching Code Red Magnitude

Discussion in 'malware problems & news' started by Paul Wilders, Oct 31, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    According to Lawrence Baldwin:

    "Despite the lack of media coverage, Opaserv is shaping up to be one of the most prolific Internet worms ever. Since October 1, 2002, myNetWatchman users have been probed by over 1,000,000 distinct source IP addresses. Since many of these infected hosts appear to be dialup connections, the actual number of infected hosts is much less than 1M, but still it is extremely prolific.

    These probes target UDP port 137 (Netbios Adapter Status). Though these probes are generated by many other worms, our own honeypot analysis indicates that almost all are sourced from hosts infected with the Opaserv worm."


    See here.

    regards.

    paul
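
The quoted report turns on telling NetBIOS Adapter Status probes apart from other UDP 137 traffic. The following is an added example, not part of the original post or of myNetWatchman's tooling: a small classifier for captured UDP 137 payloads. The packet layout is assumed from RFC 1001/1002 rather than taken from this thread, and the labels and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

NB, NBSTAT = 0x0020, 0x0021     # question types (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15  # 16-byte name used when the target's name is unknown

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo first-level encoding: 32 letters 'A'..'P', one nibble per letter."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def classify_udp137(payload: bytes) -> str:
    """Label one UDP/137 payload (the labels are this example's own)."""
    if len(payload) < 50:  # 12 header + 1 length + 32 name + 1 end + 4 type/class
        return "malformed"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:                      # R bit set: a reply, not a probe
        return "response"
    opcode = (flags >> 11) & 0xF
    # Names carrying a scope suffix (byte 45 != 0) are not handled here.
    if opcode != 0 or qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return "other"
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return "malformed"
    qtype, qclass = struct.unpack("!2H", payload[46:50])
    if qclass != 1:
        return "other"
    if qtype == NBSTAT:
        return "adapter-status-wildcard" if name == WILDCARD else "adapter-status"
    return "name-query" if qtype == NB else "other"

def summarize(payloads) -> Counter:
    """Count labels over captured payloads, e.g. from a honeypot or pcap."""
    return Counter(classify_udp137(p) for p in payloads)

# Constructed sample: header (one question), wildcard name "CK" + 30 "A", NBSTAT/IN.
SAMPLE_NBSTAT = (bytes.fromhex("123400000001000000000000") + b"\x20"
                 + b"CK" + b"A" * 30 + b"\x00" + bytes.fromhex("00210001"))

if __name__ == "__main__":
    print(summarize([SAMPLE_NBSTAT, b"\x00" * 8]))
```

A port-only firewall log cannot make this distinction; it needs the payload, which is why the quoted attribution relies on honeypot analysis.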
     
  2. root

    root Registered Member

    I would have thought it surpassed anything from the past. Daily my firewall log is full of UDP 137 scans. I personally never experienced such traffic even from Code Red.
     
  3. Randy_Bell

    Randy_Bell Registered Member

    I agree with root ... continue to see tons of NetBIOS Name (UDP 137) hits every day. ;)
     
  4. Old_Sixteen

    Old_Sixteen Registered Member

    Here is a link to the DShield map of port 137 attacks. Outrageous!
    http://www.dshield.org/images/attack_map0000-00-00.png

    Here also, from the Internet Storm Center:
    http://isc.incidents.org/analysis.html?id=170

    But ISC attributes much of this activity to BugBear.
    I checked for Opaserv at Message Labs, 'cause I had forgotten that Message Labs only looks at email-borne viruses.
    The daily count at ML: BugBear and Klez are still very much active:
    http://www.messagelabs.com/viruseye/

    My port hits today are 78 out of 100 to 137; this really has taken off. I agree that the "low profile" given this at the major AVs "due to media coverage" is a poor excuse for lack of real action.

    Thanks for the insight on Opaserv!
     