Security Incidents mailing list archives

RE: Unicode worm?

From: "Turner, Keith (Contractor)" <TurnerL () tea-emh1 army mil>
Date: Thu, 22 Aug 2002 12:12:06 -0400


  Based on each analysis I've seen on the Nimda worm, this is not the Nimda
worm.  The Nimda worm targets ip addresses semi-randomly, different subnet
masks get different probabilities.  This looks like an incremental scan.
Also, it's only a single Unicode request.  It doesn't include the other
tidbits which Nimda does, like checking for code red leftovers (root.exe),
/c or /d.

Keith



-----Original Message-----
From: Dean White [mailto:dean () achillean com au]
Sent: Thursday, August 22, 2002 1:09 AM
To: Larsen, Colin
Cc: incidents () securityfocus com
Subject: Re: Unicode worm?


This is most likely the Nimda worm. The vulnerability the worm is attemting
to
exploit is called the Unicode Web transversal exploit. 

The worm is issuing a command to retrieve the directory listing of the C:
drive.
It does this to determine if it can successfully execute the cmd.exe shell
with
privledge.

This worm copies itself to the server as admin.dll via TFTP. The source of
the
attack has a listening TFTP server to transmit the worm to the new system.

Hope this clears this up.

Cheers,
Dean


----------------------------------------------------------------------------
----
Dean White
dean () achillean com au
Technical Director
http://www.achillean.com.au
Achillean Pty. Ltd. 
"The integrity of your business is our business"
----------------------------------------------------------------------------
----


On Thu, Aug 22, 2002 at 02:26:50PM +1000, Larsen, Colin wrote:

I get this every day. Usually in batches of 8 to 16 probes. Mostly from
China, Korea (even 2 nights of a couple of hundred probes from an Asian IT
university!)I figure its a fact of life that anything attached to the big
wide world is gonna get shot at.

Colin.

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Thursday, 22 August 2002 4:01 p.m.
To: incidents () securityfocus com
Subject: Re: Unicode worm?


Soeren, Keith:

On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:

In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
   Turner, Keith (Contractor)  <TurnerL () tea-emh1 army mil> wrote:

[08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
not complete after one pass. Request will be rejected.  Site
Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e
xe'


I'm seeing the same requests.


I've recently seen several single-payload packet probes of the form:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x36AEB784  Ack: 0x71FD0774  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 0D 0A 69 72 0D 0A                 c+dir..ir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

These have source IP's _not_ within my class B, or A; very quick,
typically six to nine packets for the total transaction, and they're gone.


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Unicode worm? Turner, Keith (Contractor) (Aug 21)
- Re: Unicode worm? Soeren Ziehe (Aug 21)
  - Re: Unicode worm? John Sage (Aug 21)
- Re: Unicode worm? Kurt Seifried (Aug 22)
  - Re: Unicode worm? Jonathan Rickman (Aug 23)
- <Possible follow-ups>
- RE: Unicode worm? Larsen, Colin (Aug 21)
  - Re: Unicode worm? Dean White (Aug 22)
- RE: Unicode worm? Deus, Attonbitus (Aug 22)
- RE: Unicode worm? Turner, Keith (Contractor) (Aug 22)
- Re: Unicode worm? pj (Aug 23)