Example: Blaster Worm; Accessing Data In The Profiler Database - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Accessing Data in the Profiler Database

730

Example: Blaster Worm

For example, the Blaster worm uses a special ICMP (ping) packet to exploit a vulnerability
in Remote Procedure Call (RPC), a Microsoft networking tool that enables desktops to
share files over a remote network. Your corporate firewall denies RPC filesharing traffic
to protect sensitive corporate files from Internet users, but enables RPC filesharing on a
local network for convenience.
A laptop user uses a wireless network to access the Internet. Because the laptop is
configured to allow RPC, it contracts the Blaster worm from an infected user on that
network. When the user returns to the office and connects the laptop to the corporate
network, the worm immediately begins scanning the internal network and infecting all
components that have RPC enabled.
Because the Profiler records all unique activity on the network, it identifies the ICMP
packet scans as a new event. Because you have configured the Profiler to send alerts for
new hosts, you also receive a log record on your pager indicating that a new host has
joined the network. A quick check of the Profiler's Network view tells you that the new
event is a user laptop suddenly scanning the entire network using ICMP, a possible sign
of the Blaster worm.
From the Profiler:

1. Restart the Profiler.

2. Select the Network Profiler to quickly see the source, destination, and service of traffic on your network.

3. In the Service data table, select the ICMP service. The Network data viewer displays all network components using ICMP.

4. In the Access data table, select probe. The Network data viewer displays all network components that used ICMP to probe the network.

5. Set a Last Seen time interval of two hours. The Network Profiler displays all network components that used ICMP to probe the network in the last two hours. You can now see that one IP address, 192.168.4.66, is currently probing your network using ICMP. However, because you use DHCP to dynamically assign IP addresses, you need to identify which user laptop is currently using that IP address.

6. From Network Profiler, select the source address you want to investigate. The MAC/View area displays the host detail for the IP address.

7. In the View menu, select Profiles. The MAC/View area displays the context/value information about the IP/MAC address.

The IP/MAC address has the unique asset tag "darkness". After checking your IT inventory, you determine who the laptop user is and patch the infected system.

The Profiler database is located on the NSM Device Server.

Copyright © 2010, Juniper Networks, Inc.
