EmergingThreats> Main Web>2003294 (2007-03-16, MattJonkman) EditAttach

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; classtype:trojan-activity; sid:2003294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:38:41 UTC

Added 2018-09-13 17:53:11 UTC

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; classtype:trojan-activity; sid:2003294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:36 UTC

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; classtype:trojan-activity; sid:2003294; rev:8;)

Added 2011-10-12 19:13:12 UTC

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; sid:2003294; rev:8;)

Added 2011-09-14 22:26:09 UTC

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Allaple; sid:2003294; rev:8;)

Added 2011-02-04 17:22:22 UTC

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Allaple; sid:2003294; rev:6;)

Added 2009-02-16 21:30:24 UTC

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Allaple; sid:2003294; rev:6;)

Added 2009-02-16 21:30:24 UTC

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003294; rev:5;)

Added 2008-01-31 10:12:24 UTC

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003294; rev:5;)

Added 2008-01-31 10:12:24 UTC

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003294; rev:4;)

Added 2007-03-16 08:45:23 UTC

Added reference to the following analysis by CERT-FI:

Greetings all,

Lately there's been more or less talk on various forums on increased ICMP traffic anomalies, so I thought I'd bring my two euro cents into the game.

I've been the assigned case handler on the Allaple worm for about 8 months now here at CERT-FI. I've been tracking the evolution of the worm and the attacks and methods ever since the first variants.

Allaple is a polymorphic worm. The polymorphic layer(s) surrounding the binary are quite trivial to bypass, and I created an unpacker for the worm a while ago that is able to unpack every variant I've seen so far. If you feel you would benefit on such a tool, feel free to contact me.

The first variants spread through Radmin installations that had weak passwords. Every variant so far also tries to locate all html files on the harddisk to prepend an -tag into the file to ensure activation of the worm when a local webmaster views the files. Traces of this behaviour can be seen on some websites: There's an tag right below the tag in the page, with the source pointing to a random UUID.

The first variants were DDOSsing only 1 target, www.starman.ee, and the DDOS was a basic SYN flood. Shortly after, another target, www.if.ee was added to the DDOS routine in the code.

A bit after that the spreading mechanisms were changed from Radmin scans to the basic catering of Windows exploits, and yet another target was added: www.online.if.ee

The SYN DDOS routine has been the same from the first variant to the latest variant available. Early in the winter code was added to do HTTP GETs on the target websites. Few other ports were also targeted. www.if.ee is currently getting gentle packet love on tcp ports 22,80 and 97. www.starman.ee is getting packets and HTTP gets on port 80, and www.online.if.ee is getting packets on ports 80 and 443 if I remember right.

The worms have absolutely no Command and Control channels in them. Once released, there is no way to make them disappear. Their sole purpose is to spread and DDOS.

In case you are in the correct position, and you feel you could want to help in this pesky problem, here are a few tricks you can use to identify Allaple variants on the loose in your networks:

1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi", sans quotes, in the payload.

2) HTTP GET requests to www.if.ee. Due to a mishap in the code, the GET request is unique. The request looks something like this: "GET / HTTP/1.1\r\n". There are two whitespaces trailing after the first slash. While the RFC says this is ok, we have not been able to reproduce this behaviour with any real client. Thus, every client showing this behaviour should be blackholed to the abyss.

3) TCP SYN packets to www.if.ee, port 97. There is no real service in this port. We do know why it is targeted, but I can't discuss the reasons why. All I can state is that it's an error on the attackers side smile

We have no reason to believe that there would be no more variants, it's just a matter of time when a new one pops out in the open.

If you have any question on any aspects of this issue, I'll gladly help all I can. Contacts preferably through our team address at cert@ficora.fi to provide fail-over in case I'm somewhere else smile Also please add the following tracking ticket to the subject:

[CERT-FI: 19608]

Regards, Toni Koivunen Information Security Adviser CERT-FI / FICORA

-- MattJonkman - 16 Mar 2007

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; sid:2003294; rev:3;)

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2007-03-16 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats