Full Disclosure mailing list archives

Re: New malware to infect IIS and from there jump to clients


From: Matt Power <mhpower () bos bindview com>
Date: Sun, 27 Jun 2004 17:36:06 -0400

From: insecure <insecure () ameritech net>
To: full-disclosure () lists netsys com
Date: Fri, 25 Jun 2004 12:36:41 -0500
...
Berbew/Webber/Padodor Trojan, according to Lurhq.

http://www.lurhq.com/berbew.html

This web page mentions:

  content:"id=crutop|26|vvpupkin0="

The upload is in an encoded format that consists of records that
specify a machine name, a user name, and a web site that includes an
HTML form. For example, if the machine name were BINDVIEW-LAB-17, the
user name were labuser, and the form were on http://www.example.com/,
then the uploaded data would be sent via HTTP POST, and consist of:

id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn

The POST data is sent to one of the web sites specified in

  http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The data can be decoded with the following perl script:

#!/usr/bin/perl
# Read one captured POST body from standard input and print each decoded
# vvpupkinN record. A record is a run of lowercase letter pairs; the pair
# (c1, c2) encodes the byte (26 * (c1 - 'a') + (c2 - 'a')) XOR 113.
use strict;
use warnings;
use bytes;

my $line = <STDIN>;
chomp($line);
my @r = split /\&/, $line;            # split the body into key=value fields
for (my $i = 0; $i <= $#r; ++$i)
{
    next if ($r[$i] !~ /^vvpupkin/);  # only the encoded fields, in order of appearance
    my @p = split /=/, $r[$i];
    for (my $j = 0; $j < length($p[1]) / 2; ++$j)
    {
        my $c1 = substr($p[1], 2 * $j, 1);
        my $c2 = substr($p[1], (2 * $j) + 1, 1);
        my $o1 = ord($c1) - ord("a");
        my $o2 = ord($c2) - ord("a");
        print chr(((26 * $o1) + $o2) ^ 113);
    }
    print "\n";
}


The output of the perl script is:

crutop|BINDVIEW-LAB-17
crutop|labuser
crutop|http://www.example.com/ FORM_0


Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com
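
The following is an added example and is not part of Matt Power's post: a Python port of the decoder above, with the inverse transform so a captured body can be checked round-trip, and a plain-string version of the Lurhq content match (the |26| in that signature is the hex byte for '&'). The sample POST body is the one given in the post for BINDVIEW-LAB-17 / labuser / http://www.example.com/; the function names are this example's own.

```python
# Added example (not from the original post): decode the Berbew/Padodor
# upload format, check a body against the id=crutop|26|vvpupkin0= match,
# and re-encode decoded text to confirm the transform is understood.
from urllib.parse import parse_qsl

XOR_KEY = 113  # the constant the post's Perl decoder XORs each byte with

# Sample body exactly as given in the post (its author's constructed example).
SAMPLE_BODY = (
    "id=crutop"
    "&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)


def decode_field(value: str) -> str:
    """Decode one vvpupkinN value.

    The value is a run of lowercase letter pairs; pair (c1, c2) is the
    base-26 number 26*(c1-'a') + (c2-'a'), and XOR 113 yields the byte.
    Odd length or a non-letter means the field is not in this format.
    """
    if len(value) % 2:
        raise ValueError("encoded field has odd length: %r" % value)
    out = []
    for c1, c2 in zip(value[0::2], value[1::2]):
        if not ("a" <= c1 <= "z" and "a" <= c2 <= "z"):
            raise ValueError("non-letter in encoded field: %r" % (c1 + c2))
        out.append(chr((26 * (ord(c1) - 97) + (ord(c2) - 97)) ^ XOR_KEY))
    return "".join(out)


def encode_field(text: str) -> str:
    """Inverse of decode_field, used here only for round-trip checks."""
    out = []
    for ch in text:
        v = ord(ch) ^ XOR_KEY
        if not 0 <= v < 26 * 26:
            raise ValueError("character %r cannot be represented" % ch)
        out.append(chr(97 + v // 26) + chr(97 + v % 26))
    return "".join(out)


def is_crutop_upload(body: str) -> bool:
    """Plain-string equivalent of the content match id=crutop|26|vvpupkin0=."""
    return "id=crutop&vvpupkin0=" in body


def decode_post_body(body: str) -> list:
    """Decode every vvpupkin* field of a POST body, in order of appearance."""
    return [decode_field(v) for k, v in parse_qsl(body, keep_blank_values=True)
            if k.startswith("vvpupkin")]


if __name__ == "__main__":
    if is_crutop_upload(SAMPLE_BODY):
        for record in decode_post_body(SAMPLE_BODY):
            print(record)
```

Run as a script it prints the same three records the Perl version produces; decode_post_body() is what you would call on bodies pulled from IIS logs or a packet capture, and encode_field() lets you confirm a suspected record decodes to exactly the machine name or user name you expect.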

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

