Full Disclosure mailing list archives
Re: New malware to infect IIS and from there jump to clients
From: Matt Power <mhpower () bos bindview com>
Date: Sun, 27 Jun 2004 17:36:06 -0400
From: insecure <insecure () ameritech net>
To: full-disclosure () lists netsys com
Date: Fri, 25 Jun 2004 12:36:41 -0500
...
Berbew/Webber/Padodor Trojan, according to Lurhq. http://www.lurhq.com/berbew.html
This web page mentions:

    content:"id=crutop|26|vvpupkin0="

The upload is in an encoded format that consists of records that specify a machine name, a user name, and a web site that includes an HTML form. For example, if the machine name were BINDVIEW-LAB-17, the user name were labuser, and the form were on http://www.example.com/, then the uploaded data would be sent via HTTP POST, and consist of:

    id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn

The POST data is sent to one of the web sites specified in
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The data can be decoded with the following perl script:

    #!/usr/bin/perl
    use bytes;
    # Read one POST body (the form-encoded line) from standard input.
    $i = <STDIN>;
    chomp($i);
    # Split the body into key=value fields on '&'.
    @r = split /\&/, $i;
    for ($i = 0; $i <= $#r; ++$i) {
        # Only the vvpupkinN fields carry encoded records.
        next if ($r[$i] !~ /^vvpupkin/);
        @p = split /=/, $r[$i];
        # Each pair of lowercase letters is a base-26 number; XOR with 113
        # recovers the original byte.
        for ($j = 0; $j < length($p[1]) / 2; ++$j) {
            $c1 = substr($p[1], 2 * $j, 1);
            $c2 = substr($p[1], (2 * $j) + 1, 1);
            $o1 = ord($c1) - ord("a");
            $o2 = ord($c2) - ord("a");
            print chr(((26 * $o1) + $o2) ^ 113);
        }
        print "\n";
    }

The output of the perl script is:

    crutop|BINDVIEW-LAB-17
    crutop|labuser
    crutop|http://www.example.com/ FORM_0

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
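The following is an added example, not part of Matt Power's post or of the Lurhq write-up. It reimplements the decoding he describes in Python for use over captured POST bodies during incident response: the body is split into form fields, every vvpupkinN value is turned back into bytes (pair of letters -> base-26 value -> XOR 113), and malformed input (odd length, characters outside a-z, a pair that decodes above 0xff) is rejected rather than silently producing garbage. The looks_like_berbew_upload check mirrors the quoted Snort content match, where |26| is the hex byte for '&', so the pattern is literally id=crutop&vvpupkin0=. The sample body is the one from the post; the function names and the latin-1 handling of decoded bytes are choices made here, not anything the post specifies.

```python
"""Decoder for the Berbew/Padodor upload format described in the post (added example)."""
import re
from urllib.parse import unquote_plus

XOR_KEY = 113                            # constant from the posted Perl script
FIELD_RE = re.compile(r"^vvpupkin(\d+)$")  # the fields that carry encoded records
PAIR_RE = re.compile(r"[a-z]{2}")

# Constructed sample: the POST body from the post (machine BINDVIEW-LAB-17,
# user labuser, form on http://www.example.com/).
SAMPLE_BODY = (
    "id=crutop"
    "&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)


def decode_field(value):
    """Decode one vvpupkinN value.

    Each pair of lowercase letters encodes a base-26 number (first letter is
    the high digit); XOR with 113 yields the original byte. Raises ValueError
    on anything that cannot have been produced by that scheme.
    """
    if len(value) % 2:
        raise ValueError("odd-length value: not a sequence of letter pairs")
    out = bytearray()
    for i in range(0, len(value), 2):
        pair = value[i:i + 2]
        if not PAIR_RE.fullmatch(pair):
            raise ValueError(f"non a-z pair {pair!r} at offset {i}")
        o1, o2 = ord(pair[0]) - ord("a"), ord(pair[1]) - ord("a")
        n = (26 * o1 + o2) ^ XOR_KEY
        if n > 0xFF:
            # Only pairs up to 'j?' can encode a single byte; anything larger
            # means the input is not this format (or is corrupted).
            raise ValueError(f"pair {pair!r} at offset {i} decodes above 0xff")
        out.append(n)
    # latin-1 maps every byte to exactly one character, so nothing is lost.
    return out.decode("latin-1")


def parse_upload(body):
    """Split a form-encoded body into (id value, {N: decoded record})."""
    fields = {}
    for item in body.split("&"):
        if "=" not in item:
            continue
        key, _, val = item.partition("=")
        fields[unquote_plus(key)] = unquote_plus(val)
    records = {}
    for key, val in fields.items():
        m = FIELD_RE.match(key)
        if m:
            records[int(m.group(1))] = decode_field(val)
    return fields.get("id"), records


def decoded_lines(body):
    """Return the decoded records in vvpupkin0, vvpupkin1, ... order."""
    _, records = parse_upload(body)
    return [records[k] for k in sorted(records)]


def looks_like_berbew_upload(body):
    """Equivalent of the quoted Snort match (id=crutop&vvpupkin0=), tightened
    so that every vvpupkinN field must also decode cleanly."""
    try:
        ident, records = parse_upload(body)
    except ValueError:
        return False
    return ident == "crutop" and bool(records)


if __name__ == "__main__":
    for line in decoded_lines(SAMPLE_BODY):
        print(line)
```

Run against the sample body it prints the same three lines as the Perl script. Because the decoder refuses pairs that fall outside a single byte, a detection built on looks_like_berbew_upload will not fire on random lowercase data that merely happens to sit behind an id=crutop prefix.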
Current thread:
- Re: [FD] Evidence of a ISC being hacked?, (continued)
- Re: [FD] Evidence of a ISC being hacked? Thomas Binder (Jun 24)
- Re: Evidence of a ISC being hacked? Eric Paynter (Jun 24)
- New malware to infect IIS and from there jump to clients Peter Kruse (Jun 24)
- Re: New malware to infect IIS and from there jump to clients Nick FitzGerald (Jun 24)
- SV: New malware to infect IIS and from there jump to clients Peter Kruse (Jun 24)
- Re: SV: New malware to infect IIS and from there jump to clients Duncan Hill (Jun 25)
- Re: SV: New malware to infect IIS and from there jump to clients Nasir Ghaznavi (Jun 25)
- Re: New malware to infect IIS and from there jump to clients Gary Flynn (Jun 25)
- RE: New malware to infect IIS and from there jump to clients joe (Jun 25)
- Re: New malware to infect IIS and from there jump to clients insecure (Jun 25)
- Re: New malware to infect IIS and from there jump to clients Matt Power (Jun 27)
- Re: Evidence of a ISC being hacked? VX Dude (Jun 24)
- Re: Evidence of a ISC being hacked? Valdis . Kletnieks (Jun 25)
- IE exploit runs code from graphics? Larry Seltzer (Jun 24)
- RE: IE exploit runs code from graphics? Heather M. Guse Bryan (Jun 24)
- Re: IE exploit runs code from graphics? Nick FitzGerald (Jun 24)
- RE: IE exploit runs code from graphics? Larry Seltzer (Jun 24)
- Re: IE exploit runs code from graphics? Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 26)
- Re: IE exploit runs code from graphics? Jimmy Mitchener (Jun 26)
- Re: IE exploit runs code from graphics? st3ng4h (Jun 26)