Security Incidents mailing list archives
RE: Unicode worm?
From: "Turner, Keith (Contractor)" <TurnerL () tea-emh1 army mil>
Date: Thu, 22 Aug 2002 12:12:06 -0400
Based on each analysis I've seen on the Nimda worm, this is not the Nimda worm. The Nimda worm targets ip addresses semi-randomly, different subnet masks get different probabilities. This looks like an incremental scan. Also, it's only a single Unicode request. It doesn't include the other tidbits which Nimda does, like checking for code red leftovers (root.exe), /c or /d. Keith -----Original Message----- From: Dean White [mailto:dean () achillean com au] Sent: Thursday, August 22, 2002 1:09 AM To: Larsen, Colin Cc: incidents () securityfocus com Subject: Re: Unicode worm? This is most likely the Nimda worm. The vulnerability the worm is attemting to exploit is called the Unicode Web transversal exploit. The worm is issuing a command to retrieve the directory listing of the C: drive. It does this to determine if it can successfully execute the cmd.exe shell with privledge. This worm copies itself to the server as admin.dll via TFTP. The source of the attack has a listening TFTP server to transmit the worm to the new system. Hope this clears this up. Cheers, Dean ---------------------------------------------------------------------------- ---- Dean White dean () achillean com au Technical Director http://www.achillean.com.au Achillean Pty. Ltd. "The integrity of your business is our business" ---------------------------------------------------------------------------- ---- On Thu, Aug 22, 2002 at 02:26:50PM +1000, Larsen, Colin wrote:
I get this every day. Usually in batches of 8 to 16 probes. Mostly from China, Korea (even 2 nights of a couple of hundred probes from an Asian IT university!)I figure its a fact of life that anything attached to the big wide world is gonna get shot at. Colin. -----Original Message----- From: John Sage [mailto:jsage () finchhaven com] Sent: Thursday, 22 August 2002 4:01 p.m. To: incidents () securityfocus com Subject: Re: Unicode worm? Soeren, Keith: On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02] Turner, Keith (Contractor) <TurnerL () tea-emh1 army mil> wrote:[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e xe'I'm seeing the same requests.I've recently seen several single-payload packet probes of the form: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80 TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF ***AP*** Seq: 0x36AEB784 Ack: 0x71FD0774 Win: 0x2238 TcpLen: 20 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..% 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/ 63 2B 64 69 72 0D 0A 69 72 0D 0A c+dir..ir.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ These have source IP's _not_ within my class B, or A; very quick, typically six to nine packets for the total transaction, and they're gone. - John -- "You are in a little maze of twisty passages, all different." PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Unicode worm? Turner, Keith (Contractor) (Aug 21)
- Re: Unicode worm? Soeren Ziehe (Aug 21)
- Re: Unicode worm? John Sage (Aug 21)
- Re: Unicode worm? Kurt Seifried (Aug 22)
- Re: Unicode worm? Jonathan Rickman (Aug 23)
- <Possible follow-ups>
- RE: Unicode worm? Larsen, Colin (Aug 21)
- Re: Unicode worm? Dean White (Aug 22)
- RE: Unicode worm? Deus, Attonbitus (Aug 22)
- RE: Unicode worm? Turner, Keith (Contractor) (Aug 22)
- Re: Unicode worm? pj (Aug 23)
- Re: Unicode worm? Soeren Ziehe (Aug 21)