new attack tool combining SMB and WebDAV?
From: Matt Power <mhpower(at)bos.bindview.com>
Date: Sun Mar 30 2003 - 17:49:41 EST
    OPTIONS / HTTP/1.1

where a.b.c.d is the destination IP address. The traffic on port 445 looked like the usual attack traffic described at, for example, http://www.cert.org/advisories/CA-2003-08.html.

In many cases, packets on both port 445 and 80 were sent to the same destination IP address. By "set of nearby IP addresses", I mean that the attacking machine was apparently trying to send data to all machines within an IP address range (rather than, for example, send data to IP addresses selected at random). It wasn't immediately clear why some IP addresses were skipped. A possibility is that the attacker had access to earlier reconnaissance data about which IP addresses were in use.

The third type of traffic from the attacking machine consisted of very large ICMP echo-request packets, all going to the same destination IP address. The ICMP packet contents consisted entirely of the lowercase letters 'a' through 'w' repeated many times, e.g., abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...

Anyway, this may mean that some type of WebDAV data-gathering or exploit capability has been incorporated into a software package that also compromises machines via SMB. There wasn't direct evidence that the software package was associated with planned exploitation of the CA-2003-09 vulnerability via WebDAV, although it may have been. The ICMP traffic suggests that the software package may have a DoS capability that's separate from the SMB and WebDAV traffic.
Matt Power
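The three traffic types described in the post (a sequential sweep of an address range on TCP/445, HTTP OPTIONS probes on TCP/80 to many of the same hosts, and oversized ICMP echo requests carrying a repeated 'a'..'w' payload) can be correlated per source address from flow or packet records. The script below is an added example written for this archive page; it is not Matt Power's code and was not part of the original message. The flow records it analyses are constructed (RFC 5737 documentation addresses), the "large ICMP" threshold of 1000 bytes, the sweep span of 256 addresses and the minimum of 8 hosts are assumed detection parameters, and the record layout (src, dst, proto, dport, data) is a simplified stand-in for whatever a real capture or flow collector produces.

```python
"""Correlate SMB sweep, WebDAV OPTIONS probes and oversized ICMP by source.

Added example modelled on the traffic described in the post. All records,
thresholds and address ranges below are constructed/assumed, not captured data.
"""
from collections import defaultdict
from ipaddress import ip_address

# The repeated 'a'..'w' run the post reports inside the ICMP echo payloads.
ALPHABET_RUN = "abcdefghijklmnopqrstuvw"
LARGE_ICMP_BYTES = 1000   # assumed threshold for "very large" echo requests
SWEEP_MAX_SPAN = 256      # assumed: distinct targets must fit in this many addresses
SWEEP_MIN_HOSTS = 8       # assumed: fewer distinct targets than this is not a sweep


def is_alphabet_repeat(payload: bytes) -> bool:
    """True if payload is 'abcdefghijklmnopqrstuvw' repeated (partial tail allowed)."""
    text = payload.decode("ascii", errors="replace")
    n = len(ALPHABET_RUN)
    if len(text) < n:
        return False
    return all(text[i] == ALPHABET_RUN[i % n] for i in range(len(text)))


def sweep_range(dsts):
    """Return (low, high, count) when distinct targets lie within one small range."""
    addrs = sorted({int(ip_address(d)) for d in dsts})
    if len(addrs) < SWEEP_MIN_HOSTS:
        return None
    if addrs[-1] - addrs[0] + 1 > SWEEP_MAX_SPAN:
        return None
    return (str(ip_address(addrs[0])), str(ip_address(addrs[-1])), len(addrs))


def analyze(records):
    """Group records by source and report sources showing any of the three patterns."""
    state = defaultdict(lambda: {"smb": set(), "webdav": set(), "icmp": []})
    for r in records:
        s = state[r["src"]]
        if r["proto"] == "tcp" and r["dport"] == 445:
            s["smb"].add(r["dst"])
        elif r["proto"] == "tcp" and r["dport"] == 80 and r["data"].startswith(b"OPTIONS "):
            s["webdav"].add(r["dst"])
        elif r["proto"] == "icmp":
            if len(r["data"]) >= LARGE_ICMP_BYTES and is_alphabet_repeat(r["data"]):
                s["icmp"].append(r["dst"])

    findings = {}
    for src, s in state.items():
        result = {
            "smb_sweep": sweep_range(s["smb"]),
            "both_ports": len(s["smb"] & s["webdav"]),   # hosts hit on 445 and 80
            "large_icmp": {"count": len(s["icmp"]), "targets": sorted(set(s["icmp"]))},
        }
        if result["smb_sweep"] or result["both_ports"] or result["large_icmp"]["count"]:
            findings[src] = result
    return findings


def build_sample_records():
    """Constructed records: one sweeping source, one benign source."""
    recs = []
    attacker = "192.0.2.10"
    for last in range(1, 25):
        if last in (4, 9, 17):      # skipped addresses, as in the observed sweep
            continue
        dst = f"198.51.100.{last}"
        recs.append({"src": attacker, "dst": dst, "proto": "tcp", "dport": 445, "data": b""})
        if last % 2 == 0:           # only some hosts also get the WebDAV probe
            req = b"OPTIONS / HTTP/1.1\r\nHost: " + dst.encode() + b"\r\n\r\n"
            recs.append({"src": attacker, "dst": dst, "proto": "tcp", "dport": 80, "data": req})
    big = ALPHABET_RUN.encode() * 60    # 1380-byte echo payload, single target
    for _ in range(3):
        recs.append({"src": attacker, "dst": "203.0.113.5", "proto": "icmp", "dport": None, "data": big})
    # Benign noise: an ordinary GET and a normal-sized ping from another host.
    recs.append({"src": "192.0.2.20", "dst": "198.51.100.3", "proto": "tcp", "dport": 80,
                 "data": b"GET / HTTP/1.1\r\nHost: 198.51.100.3\r\n\r\n"})
    recs.append({"src": "192.0.2.20", "dst": "198.51.100.3", "proto": "icmp", "dport": None,
                 "data": bytes(range(56))})
    return recs


if __name__ == "__main__":
    for src, f in analyze(build_sample_records()).items():
        print(src, f)
```

Only the sweeping source is reported; the benign host is dropped because it shows none of the three patterns. Tuning the three assumed thresholds to a real network is the practical work: a large, sparsely populated range will lower the overlap between 445 and 80 targets, and legitimate WebDAV clients also send OPTIONS, so the port-80 signal is only meaningful in combination with the sweep.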
Received on Mon Mar 31 16:56:30 2003