RE: new attack tool combining SMB and WebDAV?

["James C Slora Jr" <Jim.Slora () phra com>]

I've seen similar WebDAV/SMB scans for a couple of months. Some of them are
apparently targeted (IDs increment continuously across multiple iterations of
the scan), and some of them just pass through my address space.

Your ICMP traffic was different from most of mine - I usually see 32 Es
(EEEEEEE etc) for the data.

Scans usually include a ping sweep then probes on TCP 135 139 445, UDP 137,
WebDAV requests identical to yours, and they often include a TCP 21 scan.
Occasionally there will also be a TCP 1433 scan. WebDAV and SMB requests
always seem to be there, and the other requests seem to vary slightly
depending on the source.

The ping sweep usually comes at the beginning of the scan, and the rest of the
scans usually target only machines that respond to the ping. I had at least
one scan where the targeted scan came before the ping sweep, indicating prior
recon.

Sometimes there is a continuous bombardment from a single address, repeating
the scan hundreds or even thousands of times.

I guess there is a script kiddie tool and that there is also a botnet toolkit
running these scans. I agree that there is probably an associated DoS
capability.

-----Original Message-----
From: Matt Power [mailto:mhpower () bos bindview com]
Sent: Sunday, March 30, 2003 17:50
To: incidents () securityfocus com; intrusions () incidents org
Subject: new attack tool combining SMB and WebDAV?


A possibly new attack tool is being used in the wild that sends
traffic to a set of nearby IP addresses, using tcp ports 445 and 80.
The observed traffic on port 80 (first noticed around 2200 GMT on 30
March) consisted of:

  OPTIONS / HTTP/1.1
  translate: f
  User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
  Host: a.b.c.d
  Content-Length: 0
  Connection: Keep-Alive

where a.b.c.d is the destination IP address. The traffic on port 445
looked like the usual attack traffic described at, for example,
http://www.cert.org/advisories/CA-2003-08.html

In many cases, packets on both port 445 and 80 were sent to the same
destination IP address.

By "set of nearby IP addresses", I mean that the attacking machine was
apparently trying to send data to all machines within an IP address
range (rather than, for example, send data to IP addresses selected at
random). It wasn't immediately clear why some IP addresses were
skipped. A possibility is that the attacker had access to earlier
reconnaissance data about which IP addresses were in use.

The third type of traffic from the attacking machine consisted of very
large ICMP echo-request packets, all going to the same destination IP
address. The ICMP packet contents consisted entirely of the lowercase
letters 'a' through 'w' repeated many times, e.g.,

  abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...

Anyway, this may mean that some type of WebDAV data-gathering or
exploit capability has been incorporated into a software package that
also compromises machines via SMB. There wasn't direct evidence that
the software package was associated with planned exploitation of the
CA-2003-09 vulnerability via WebDAV, although it may have been. The
ICMP traffic suggests that the software package may have a DoS
capability that's separate from the SMB and WebDAV traffic.

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfihl1