Security Incidents mailing list archives

Re: new iis worm: seeking signature


From: H C <keydet89 () yahoo com>
Date: Wed, 13 Jun 2001 22:51:47 -0700 (PDT)

Makes sense to me, due to its simplicity.  Most admins running an IIS web server probably don't want cmd.exe accessed anyway.

It would seem to me that if you check the snort rules databases at snort.org or whitehats.com, you'll see that this very signature was written quite some time ago...probably before Microsoft released their patch in Nov '00.


--- Jordan K Wiens <jwiens () nersp nerdc ufl edu> wrote:
Best signature we've found for catching any variety of these worms is keying on system32/cmd.exe to any web port.  No matter what variation of the directory traversal bug the script or hacker uses, they invariably access cmd.exe for their first access.

There are just too many variations of unicode for / and other characters and ways to combine them to try to catch them all with a simple IDS signature.  An extremely intelligent IDS would have to either translate the unicode (even ones technically out of spec-which is the whole problem in the first place) to determine if a directory traversal is being attempted, and that's just not practical in an environment with as much data as many networks see.  Generic unicode signatures work miserably for obvious reasons; false-positives until the sun comes up.

In other words, a simple cmd.exe signature has been our most effective tool in catching these worms.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 13 Jun 2001, Jose Nazario wrote:


hi all,

i found these in my apache logs after a quick check:

209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246

in a nutshell, plain old unicode directory traversal attempts. (failed, obviously.)

normally i would have dismissed these as 'kids', but these reports on a new IIS worm have me wondering if anyone has a signature for the scans it does:

http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
http://www.security-informer.com/ic_620113_3494_1-3283.html

thanks.

____________________________
jose nazario                                  jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
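As an added illustration (not part of this thread and not code posted by any of its participants), here are the two checks the thread contrasts, run over constructed log lines modelled on the quoted ones: the cheap cmd.exe substring match on the raw request that Wiens recommends, and the decoding step a traversal-aware check would need, including the overlong UTF-8 forms (%c0%af, %e0%80%af) that strict decoders reject. All function names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines modelled on the thread's quoted requests (client address from the documentation range, not real data).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231',
    '192.0.2.10 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246',
    '192.0.2.10 - - [10/Jun/2001:17:51:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def decode_lenient_utf8(data: bytes) -> str:
    """Decode the way the vulnerable IIS did: accept overlong 2- and 3-byte
    forms (C0 AF and E0 80 AF both yield '/') that strict decoders reject."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and data[i + 1] & 0xC0 == 0x80 and data[i + 2] & 0xC0 == 0x80):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append('\ufffd'); i += 1  # malformed byte, keep going

    return ''.join(out)

def normalize_path(raw_path: str) -> str:
    """Percent-decode to bytes, decode leniently, unify separators and case."""
    return decode_lenient_utf8(unquote_to_bytes(raw_path)).replace('\\', '/').lower()

def classify(line: str) -> dict:
    """Run both checks on one log line: the cheap cmd.exe substring match on
    the raw request (the signature Wiens describes) and a traversal check
    that only works once the encoding has been normalized."""
    m = REQUEST_RE.search(line)
    if not m:
        return {'simple_cmd_exe': False, 'traversal': False, 'normalized': ''}
    raw = m.group('path')
    norm = normalize_path(raw)
    return {'simple_cmd_exe': 'cmd.exe' in raw.lower(),
            'traversal': '/../' in norm,
            'normalized': norm}

def scan(lines):
    """Return the normalized paths of every line that either check flags."""
    return [r['normalized'] for r in map(classify, lines) if r['simple_cmd_exe'] or r['traversal']]
```

On the two traversal lines both checks fire; the plain index.html request trips neither, which is the low false-positive behaviour the thread credits to the cmd.exe match.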






