Re: New attack or old Vulnerability Scanner?
From: Jason Falciola <falciola(at)us.ibm.com>
Date: Wed Apr 30 2003 - 13:41:05 EDT
I agree that this is not a new technique. My original post [1] referenced the iis-kabom script and noted that it had 69 GET requests (many of which are similar to what you saw here). These tools are easily (and continually) being changed, and we regularly see GETs that start with /PBserver, /iisadmpwd, /Rpc, /adsamples, etc.

I also agree that the attackers have likely moved from scripted IIS-scan tools (using PHP, Perl, etc.) to using C or C++ to achieve significant speed increases. We have seen individual sources perform huge scans in a very brief period of time. Thanks also for the info on shell.exe - it made sense.

What's interesting to me is that this (exact?) pattern was seen by James last summer [2] from a Korean source and this User Agent string has known connections to a Chinese spam bot. Now there are several reports within days of each other of the identical footprint being seen from US cable ranges. Is this a coincidence? Simply due to the circulation of tools/code in the underground? Or are we seeing more spammers (from Asia? or all over?) compromising boxes in the consumer broadband ranges and then using them as launching points for further attacks/spamming? [3]

[1] http://www.securityfocus.com/archive/75/319878/2003-04-27/2003-05-03/2
[2] http://cert.uni-stuttgart.de/archive/intrusions/2002/07/msg00119.html
[3] http://www.securityfocus.com/news/4217
Jason Falciola
Mark Embrich <mark_embrich@yahoo.com>
To: Jason Falciola/Sterling Forest/IBM@IBMUS, incidents@securityfocus.com
cc:
Subject: Re: New attack or old Vulnerability Scanner?
Hello Jason,
I think Reinhard Handwerker is correct:
This is a slightly modified version of the old MS IIS-Unicode exploit, see here: http://downloads.securityfocus.com/vulnerabilities/exploits/iis-kabom.php
Reinhard Handwerker
Taking a look at the link he provided, you can see that many of the GET attempts are different, but the overall method looks correct. Meaning that it doesn't bother to identify the web server, just mindlessly launches every attack against anything that responds to a SYN to TCP 80. It also contains many of the similar GETs that I haven't seen in other IIS attacks, like the PBServer stuff and adsamples stuff. However, the Indy.Library is new, meaning the attackers probably ported the iis-kabom attacks to C++ or something.

About shell.exe, generally, it looks like they're looking for someone else's backdoor. Some googling got me several answers: http://archives.neohapsis.com/archives/incidents/2001-04/0260.html
antoine Bour says:
I think that this file is a copy of cmd.exe. The methodology used by kids to deface NT web sites is to use the unicode exploit, to do a copy of cmd.exe in the directory scripts or other executable directory before defacing the site. So even if you patch the unicode bug, they can continue defacing your site. regards
From Symantec
When W32.Lovit runs, it does the following: If the file C:\Windows\Winhlp32.exe exists, the virus renames this file to C:\Windows\Essdrv.exe and then copies itself as C:\Windows\Winhlp32.exe. The virus copies itself as C:\Windows\Sys32.exe, C:\Windows\System\Shell.exe, C:\Windows\Command\Deltree.exe, C:\Windows\Help\Live.hlp
http://www.commodon.com/threat/threat-bo.htm
says:
Thanks again,
> I found it interesting that it doesn't look like
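The thread describes a footprint worth matching in web server logs: a burst of GETs against /PBserver, /iisadmpwd, /Rpc and /adsamples, the overlong-UTF-8 and double-decode "../" sequences of the IIS Unicode bug, requests for cmd.exe or a shell.exe copy, and the "Indy Library" User-Agent. The following is an added detection example, not code from either poster or from any tool named in the thread. It parses Combined Log Format lines (the sample lines are constructed), tags each request with the indicators it matches, and reports sources that hit several distinct probe paths within a short window, which is the "huge scans in a very brief period" behaviour Jason mentions. The thresholds (`min_hits`, `window_seconds`) and the traversal encodings list are assumptions for illustration.

```python
"""Flag IIS-scanner footprints in web server access logs.

Added example, not part of the original posting. The log lines are
constructed; the probe paths and the User-Agent are those discussed
in the thread. Thresholds below are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Probe prefixes named in the thread (PBserver, iisadmpwd, Rpc, adsamples)
PROBE_PREFIXES = ("/pbserver", "/iisadmpwd", "/rpc", "/adsamples")
# Overlong / double-encoded "../" forms used by the IIS Unicode and decode bugs
TRAVERSAL_RE = re.compile(r"%c0%af|%c1%1c|%c1%9c|%255c|%25%35c|%%35c|%e0%80%af", re.I)
# cmd.exe itself, or a renamed copy (shell.exe) left behind by an earlier intruder
CMD_RE = re.compile(r"(?:cmd|shell)\.exe", re.I)
UA_INDY = "indy library"

# Constructed sample log: one scanning source plus two ordinary clients.
SAMPLE_LOG = [
    '10.0.0.7 - - [30/Apr/2003:13:05:01 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.7 - - [30/Apr/2003:13:05:01 -0400] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.7 - - [30/Apr/2003:13:05:02 -0400] "GET /scripts/shell.exe?/c+dir HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.7 - - [30/Apr/2003:13:05:02 -0400] "GET /iisadmpwd/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.168.1.20 - - [30/Apr/2003:13:06:00 -0400] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/4.0"',
    '192.168.1.21 - - [30/Apr/2003:13:07:00 -0400] "GET /adsamples/config/site.csc HTTP/1.0" 404 0 "-" "Mozilla/4.0"',
]


def classify(path, ua):
    """Return the set of scanner indicators present in one request."""
    tags = set()
    low = path.lower()
    if low.startswith(PROBE_PREFIXES):
        tags.add("probe-path")
    if TRAVERSAL_RE.search(low):
        tags.add("unicode-traversal")
    if CMD_RE.search(low):
        tags.add("cmd-exe")
    if UA_INDY in ua.lower():
        tags.add("indy-ua")
    return tags


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def scan_sources(lines, min_hits=3, window_seconds=60):
    """Group tagged requests by source IP and report sources that requested
    at least `min_hits` distinct probe paths within `window_seconds`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"], rec["ua"])
        if tags:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"], tags))

    report = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda h: h[0])
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        distinct_paths = {p for _, p, _ in hits}
        if len(distinct_paths) >= min_hits and span <= window_seconds:
            all_tags = set().union(*(t for _, _, t in hits))
            report[ip] = {"requests": len(hits), "seconds": span, "tags": sorted(all_tags)}
    return report


if __name__ == "__main__":
    for ip, info in scan_sources(SAMPLE_LOG).items():
        print(ip, info)
```

A single probe-path request (the 192.168.1.21 line) is tagged but not reported, since one stray 404 is not a scan; the source that fires four distinct probes in one second is. The traversal regex is deliberately narrow to the encodings the Unicode and decode bugs relied on, so a tuned copy should be checked against the server's own normalisation rules before it is trusted as a blocking signature rather than an alerting one.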
Received on Wed Apr 30 14:17:08 2003