Security Incidents mailing list archives

Re: new iis worm: seeking signature

From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Wed, 13 Jun 2001 17:04:58 -0400 (EDT)

Best signature we've found for catching any variety of these worms is
keying on system32/cmd.exe to any web port.  No matter what variation of
the directory traversal bug the script or hacker uses, they invariably
access cmd.exe for their first access.

There are just too many variations of unicode for / and other characters
and ways to combine them to try to catch them all with a simple IDS
signature.  An extremely intelligent IDS would have to either translate the
unicode (even ones technically out of spec-which is the whole problem in
the first place) to determine if a directory traversal is being attempted,
and that's just not practical in an environment with as much data as many
networks see.  Generic unicode signatures work miserably for obvious
reasons; false-positives until the sun comes up.  

In other words, a simple cmd.exe signature has been our most effective tool
in catching these worms.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 13 Jun 2001, Jose Nazario wrote:


hi all,

i found these in my apache logs after a quick check:

209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246

in a nutshell, plain old unicode directory traversal attempts. (failed,
obviously.)

normally i would have dismissed these as 'kids', but these reports on a
new IIS worm have me wondering if anyone has a signature for the scans it
does:

http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
http://www.security-informer.com/ic_620113_3494_1-3283.html

thanks.

____________________________
jose nazario                                               jose () cwru edu
                   PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                     PGP key ID 0xFD37F4E5 (pgp.mit.edu)

Current thread:

new iis worm: seeking signature Jose Nazario (Jun 13)
- Re: new iis worm: seeking signature Jordan K Wiens (Jun 13)
  - Re: new iis worm: seeking signature H C (Jun 14)
- <Possible follow-ups>
- RE: new iis worm: seeking signature Jordan K Wiens (Jun 14)