Security Incidents mailing list archives

RE: Code red variants?

From: "Korkmaz, Murat" <Murat_Korkmaz () nai com>
Date: Wed, 5 Sep 2001 18:06:36 -0700
 Hi,
 i suppose it is a trojan which uses ack tunneling method. I dont know what
type of firewall you are using but there are some firewalls doesnt check out
the ack packets.
 anyway, here is the tool for it, ACKCMD that you can find it at     
  http://ntsecurity.nu/toolbox/ackcmd/
 there you are gonna find some information as well.
 cheers
 Murat-
 
-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz]
Sent: Wednesday, September 05, 2001 4:14 PM
To: incidents () securityfocus com
Subject: Code red variants?


Snort logged a bunch of somewhat anomolous packets.  At first glance 
they appear to be standard cmd.exe packets from code red.

[**] WEB-IIS cmd.exe access [**]
09/06-07:10:23.613276 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x5EA
130.67.240.225:1450 -> 130.216.223.150:80 TCP TTL:101 TOS:0x0 ID:24351
IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE68E61F7  Ack: 0xE5C99396  Win: 0x2238  TcpLen: 20
00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL

[ snip ]

however what puzzeled me is that the destination (130.216.223.150) is
firewalled.  I then looked at the argus logs:

06 Sep 01 07:10:23           tcp  130.67.240.225.1450   ?>
130.216.223.150.80    1        1         1460         0           A_RPA

Which shows a single incoming packet with ACK set and payload.

This suggests that the source is simply firing out packets without
waiting for the handshake to complete.  This is not standard code red
behaviour otherwise snort would be logging far more code red alerts.

Also there was no ida alert for this address.

I then used argus do dump all traffic from 130.67/16 (online.no) and found
that there is a steady trickle of such packets.

06 Sep 01 00:02:34    tcp  130.67.216.237.3339   ?>    130.216.246.91.80
1        0         1460         0           A_
06 Sep 01 00:04:27    tcp  130.67.216.237.3955   ?>   130.216.145.172.80
2        0         2920         0           A_
06 Sep 01 00:06:58    tcp  130.67.216.237.3339   ?>    130.216.246.91.80
1        0         2920         0           A_
06 Sep 01 00:17:00    tcp   130.67.114.61.2124   ?>   130.216.213.213.80
1        0         1460         0           A_
06 Sep 01 00:58:01    tcp    130.67.10.87.1922   ?>    130.216.78.223.80
1        0         1460         0           A_
06 Sep 01 01:08:47    tcp  130.67.240.131.3281   ?>    130.216.185.75.80
1        1         1460         0           A_R
06 Sep 01 01:23:10    tcp   130.67.58.251.3371   ?>   130.216.187.210.80
1        0         1460         0           A_
06 Sep 01 01:28:38    tcp  130.67.118.172.4396   ?>    130.216.149.34.80
2        0         2920         0           A_
06 Sep 01 01:28:59    tcp   130.67.229.89.2904   ?>     130.216.51.74.80
1        0         1460         0           A_
06 Sep 01 01:33:50    tcp  130.67.118.172.3032   ?>     130.216.72.91.80
1        0         1460         0           A_

This explains one thing: I had noticed that the snort cmd.exe count
was consistantly higher than the .ida count but I could not find any
packets other than appearantly ordinary code red ones.

For comparision I dumped all traffic for another 130/8 which I know
has a whole bunch of code red compromised machine and saw none of the
bare ACK packets.

Any idea what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Current thread:

Code red variants? Russell Fulton (Sep 05)
- <Possible follow-ups>
- Re: Code red variants? Matthew Collins (Sep 06)
  - Re: Code red variants? Russell Fulton (Sep 06)
- RE: Code red variants? Korkmaz, Murat (Sep 06)