Security Incidents mailing list archives

Re: New attack or old Vulnerability Scanner?


From: Jason Falciola <falciola () us ibm com>
Date: Wed, 30 Apr 2003 13:41:05 -0400

Mark,

I agree that this is not a new technique.  My original post [1] referenced 
the iis-kabom script and noted that it had 69 GET requests (many of which 
are similar to what you saw here).  These tools are easily (and 
continually) being changed, and we regularly see GETs that start with 
/PBserver, /iisadmpwd, /Rpc, /adsamples, etc. 

I also agree that the attackers have likely moved from scripted IIS-scan 
tools (using PHP, Perl, etc.) to using C or C++ to achieve significant 
speed increases.  We have seen individual sources perform huge scans in a 
very brief period of time.  Thanks also for the info on shell.exe - it 
made sense.

What's interesting to me is that this (exact?) pattern was seen by James 
last summer [2] from a Korean source and this User Agent string has known 
connections to a Chinese spam bot.  Now there are several reports within 
days of each other of the identical footprint being seen from US cable 
ranges.  Is this a coincidence?  Simply due to the circulation of 
tools/code in the underground?  Or are we seeing more spammers (from Asia? 
 or all over?) compromising boxes in the consumer broadband ranges and 
then using them as launching points for further attacks/spamming? [3].

[1] http://www.securityfocus.com/archive/75/319878/2003-04-27/2003-05-03/2
[2] http://cert.uni-stuttgart.de/archive/intrusions/2002/07/msg00119.html
[3] http://www.securityfocus.com/news/4217

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola () us ibm com
Mark Embrich <mark_embrich () yahoo com>
04/30/2003 12:24 PM

 
        To:     Jason Falciola/Sterling Forest/IBM@IBMUS, incidents () securityfocus com
        cc: 
        Subject:        Re: New attack or old Vulnerability Scanner?
Hello Jason,

I think Reinhard Handwerker is correct:
from:
http://www.securityfocus.com/archive/75/319846/2003-04-27/2003-05-03/0


-----------------------
This is a slightly modified version of the old MS
IIS-Unicode exploit, see 
here:
http://downloads.securityfocus.com/vulnerabilities/exploits/iis-kabom.php


Reinhard Handwerker
Internet Security Systems
Atlanta, GA
-----------------------

Taking a look at the link he provided, you can see
that many of the GET attempts are different, but the
overall method looks correct.  Meaning that it doesn't
bother to identify the web server, just mindlessly
launches every attack against anything that responds
to a SYN to TCP 80.

It also contains many of the similar GETs that I
haven't seen in other IIS attacks, like the PBServer
stuff and adsamples stuff.

However, the Indy.Library is new, meaning the
attackers probably ported the iis-kabom attacks to
C++ or something.

--------

about shell.exe, generally, it looks like they're
looking for someone else's backdoor.  Some googling
got me several answers:

http://archives.neohapsis.com/archives/incidents/2001-04/0260.html
Antoine Bour says:
Hi,
I think that this file is a copy of cmd.exe.
The methodology used by kids to deface NT web sites is to use the unicode
exploit, to do a copy of cmd.exe in the scripts directory or other
executable directory before defacing the site. So even if you patch the
unicode bug, they can continue defacing your site.
regards

--------

From Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.lovit.html

When W32.Lovit runs, it does the following:

If the file C:\Windows\Winhlp32.exe exists, the virus
renames this file to C:\Windows\Essdrv.exe and then
copies itself as C:\Windows\Winhlp32.exe.

The virus copies itself as

C:\Windows\Sys32.exe
C:\Windows\System\Shell.exe
C:\Windows\Command\Deltree.exe
C:\Windows\Help\Live.hlp

----------

http://www.commodon.com/threat/threat-bo.htm

says:
Provided below are several screen shots exemplifying a
modified Back Orifice. It's been configured to install
the server portion as "shell.exe", enter the name of
"Windows Explorer Shell" in the registry, as well as
listen on UDP port 4000.


Thanks again,
Mark Embrich



I found it interesting that it doesn't look like what you're seeing is 
unique, nor is this a new attack pattern.  As I mentioned, [1] the 
identical traffic was seen from a cable source and posted in a webmaster's 
forum [2] as recently as 4/21/03.  It seems like the questions James 
raised when he saw this last July [3] were not answered.  As he pointed 
out [4], the attack was *very* similar, if not identical, right down to 
the TCP connect to port 80, the 65 GET requests, and even the odd request 
for shell.exe.
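The footprint discussed in this thread (a burst of GETs for /PBserver, /iisadmpwd, /Rpc and /adsamples, the odd request for shell.exe, and the Indy.Library User-Agent) can be picked out of web-server logs per source address. The following is an added example, not code from the thread or from any of its posters; it assumes Apache combined-format logs, uses constructed sample lines with documentation addresses, and assumes the User-Agent carries some spelling of "Indy Library".

```python
import re
from collections import defaultdict

# Apache "combined" log format. Sample lines below are constructed (documentation IPs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Request prefixes the thread names as typical of the iis-kabom-style scan.
PROBE_PREFIXES = ("/pbserver", "/iisadmpwd", "/rpc", "/adsamples")
INDY_UA_RE = re.compile(r"indy[ ._-]?library", re.I)  # assumed "Indy.Library" UA substring

SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2003:12:01:03 -0400] "GET /PBserver/ HTTP/1.0" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.7 - - [30/Apr/2003:12:01:03 -0400] "GET /iisadmpwd/ HTTP/1.0" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.7 - - [30/Apr/2003:12:01:04 -0400] "GET /adsamples/ HTTP/1.0" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.7 - - [30/Apr/2003:12:01:05 -0400] "GET /scripts/shell.exe HTTP/1.0" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.20 - - [30/Apr/2003:12:02:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.20 - - [30/Apr/2003:12:02:11 -0400] "GET /adsamples/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def classify(path, ua):
    # Indicators a single request exhibits: probe path, shell.exe, scanner User-Agent.
    p = path.lower()
    hits = set()
    if p.startswith(PROBE_PREFIXES):
        hits.add("probe-path")
    if p.split("?", 1)[0].rsplit("/", 1)[-1] == "shell.exe":
        hits.add("shell.exe")
    if INDY_UA_RE.search(ua):
        hits.add("indy-ua")
    return hits

def scan_sources(log_text, min_probe_paths=3):
    # Group GET requests by source IP and decide which sources match the footprint.
    per_ip = defaultdict(lambda: {"paths": set(), "indicators": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "GET":
            continue
        hits = classify(m["path"], m["ua"])
        ent = per_ip[m["ip"]]
        if "probe-path" in hits:
            ent["paths"].add(m["path"].lower())
        ent["indicators"] |= hits
    results = {}
    for ip, ent in per_ip.items():
        # Flag a burst of distinct probe paths, or shell.exe plus the scanner UA; one stray 404 is not enough.
        flagged = (len(ent["paths"]) >= min_probe_paths
                   or {"shell.exe", "indy-ua"} <= ent["indicators"])
        results[ip] = {"probe_paths": len(ent["paths"]),
                       "indicators": sorted(ent["indicators"]), "flagged": flagged}
    return results
```

Run `scan_sources(SAMPLE_LOG)` against real access logs by feeding the file contents in place of the constructed sample; the second source shows why a single 404 on one probe path should not trigger on its own.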