Security Incidents mailing list archives

Re: "Worm" behavior -- port 80 honey pots


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 15 Oct 2001 15:08:39 -0600 (MDT)

On Mon, 15 Oct 2001, Jon R. Kibler wrote:


> Are these new variants expecting the target system to send back a
> certain response before they unload their payload?

Web servers don't send anything before they get a request.  So far, the
only worm that I've personally taken apart that did any checking was
CodeBlue.  It looks for IIS by sending a HEAD request before it starts
attacking.  But it still has to send something.


> We have examined detailed packet traces of these connections (Solaris'
> snoop) and can clearly see that the remote system is not attempting to
> send ANY data -- so we think we have ruled out some sort of bug in our
> honey pot (and packet rates to this system are so low that packet
> drops are not an issue). [I should add that the honey pot still picks
> up spiders, etc. without any problem.]

In the packet traces, I assume it finishes the 3-way TCP handshake?  Is
your server advertising a funny sliding window or anything?


> We have also made a few other interesting observations:
>   1) Sometimes the honey pot will send an IDENT request to the remote
> system. At least one of the 'worms' in circulation recently will
> immediately drop the port 80 connection when the IDENT probe is sent
> (to port 113).

I used to have this problem with firewalled mail servers.  If one of the
mail servers was configured to do ident lookups, and there was a firewall
that just dropped ident attempts (no RST), then the mail servers would sit
around for 2-5 minutes until the ident TCP connect timed out.  Only then
would the mail connection deliver any data.  This could be related, and
you should see if you can shut it off.

>   2) When the honey pot sends data back to the remote system (be it an
> HTML formatted 'go away' message, a null message, or seemingly
> anything else), the remote system immediately drops the connection
> upon receipt of the first packet.

Once Nimda gets the first part of the response back, it will close the
socket.

                                        Ryan
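The following is an added example, not code from the thread or from either of its participants. It is a minimal port-80 honey pot listener in Python that behaves the way the discussion above suggests one should: it never performs an ident (port 113) lookup, it waits a bounded time for the peer to send a request after the three-way handshake, it then sends a response, and it records whether the peer hangs up as soon as the first response bytes arrive. Two constructed local clients stand in for the observed traffic: one that completes the handshake, sends nothing and drops the connection on the first response (the Nimda-style behaviour Jon and Ryan describe), and one that sends a HEAD request first (the CodeBlue-style IIS check). The port number 0 (OS-assigned), the 403 response body, and all client behaviour are assumptions made for this example.

```python
import socket
import threading

# Constructed response: a bodiless 403 stands in for the honey pot's
# "go away" message. Any bytes will do for observing the peer's reaction.
RESPONSE = b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


def classify_connection(conn, idle_timeout=0.5):
    """Accept-side logic for one connection. No ident lookup is ever made.

    Returns a dict:
      request               bytes the peer sent before the timeout (b"" if none)
      sent_data             True if the peer sent anything before our response
      closed_after_response True if the peer closed as soon as the response arrived
    """
    conn.settimeout(idle_timeout)
    record = {"request": b"", "sent_data": False, "closed_after_response": False}
    try:
        try:
            data = conn.recv(4096)
        except socket.timeout:
            data = b""  # handshake completed, then silence for idle_timeout
        record["request"] = data
        record["sent_data"] = bool(data)
        # Deliberately no connect() to the peer's port 113 here: an ident probe
        # that a firewall silently drops would stall this handler until the
        # TCP connect times out, and a peer may hang up when it sees one.
        try:
            conn.sendall(RESPONSE)
            tail = conn.recv(4096)
            record["closed_after_response"] = (tail == b"")  # b"" means peer sent FIN
        except (socket.timeout, OSError):
            record["closed_after_response"] = False
    finally:
        conn.close()
    return record


def run_once(port, client_fn, idle_timeout=0.5):
    """Start a one-shot listener on 127.0.0.1, drive it with client_fn, return the record."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))  # port 0 lets the OS pick a free port
    listener.listen(1)
    actual_port = listener.getsockname()[1]
    result = {}

    def server():
        conn, _peer = listener.accept()
        result.update(classify_connection(conn, idle_timeout))

    t = threading.Thread(target=server)
    t.start()
    client_fn(actual_port)
    t.join(timeout=5)
    listener.close()
    return result


def silent_worm_client(port):
    """Constructed peer: handshake, no request, drop the connection on first response."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(5)
    s.recv(4096)  # wait for the honey pot to speak first ...
    s.close()     # ... then hang up immediately


def head_request_client(port):
    """Constructed peer: send a HEAD request before anything else, like CodeBlue's IIS check."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(5)
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: honeypot\r\n\r\n")
    s.recv(4096)
    s.close()


def demo():
    """Run both constructed peers against the honey pot and return their records."""
    return {
        "silent": run_once(0, silent_worm_client),
        "head": run_once(0, head_request_client),
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

The `request`/`sent_data` fields separate the "connected but never sent a byte" case Jon observed from ordinary spiders and scanners, and `closed_after_response` captures the hang-up-on-first-response behaviour without relying on a packet trace. A production honey pot would run the accept loop continuously and log the peer address and timestamp with each record.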


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

