Security Incidents mailing list archives

RE: New http attack? (sdbot/rbot/other)


From: Jason Falciola <falciola () us ibm com>
Date: Wed, 8 Jun 2005 19:11:40 -0400

On Wednesday, June 08, 2005 3:59 PM, "Keith T. Morgan"
keith.morgan () terradon com wrote:

] Ok, thanks for the info.  Someone else pointed out off-list that it
] appears to be an rbot or SDBot variant, and pointed to a diary entry at
] SANS that google apparently hadn't indexed yet.  We haven't yet seen the
] volume that others are reporting, but I'm sure the graph will get steeper
] over time.

You're welcome Keith.  When we saw the SANS diary post last Friday night it
was good to note that others were observing similar things as we had and
were drawing the same conclusions.  We have seen the volume continue to
rise over the past week.  The relationship between sources and destinations
we've seen does not point to a worm that has an IP-selection algorithm
weighted in favor of the local and/or nearby networks.  The traffic has
been indiscriminate - not even bothering to check if the destination is
running IIS or even listening on port 80.

It's important to realize that there are several possible exploitation
vectors (Kerberos, Exchange, IIS, and SMB), and as George Bakos said you
should disable unused services/authentication methods.  This is especially
true in this case as it may come as a surprise to some that IIS supports
NTLM authentication over HTTP.  It's unfortunate, but not surprising to
note that there appear to be many machines that are still not patched for
this vulnerability over one year after it was fixed.

] Of course, since it's just an "AAAAAAAAAAAAAA" buffer in base64, we can't
] rule out a human driven attack.  We'll continue to monitor as always and
] see what pops up.

It could be a person manually sending the GET request by hand using netcat
or somesuch.  However, our evidence (including temporal analysis) suggests
that this is much more likely to be caused by:

a) the exploit by Solar Eclipse, who should not be confused with
SolarWinds, a company that writes code of a different variety.  :-)
b) the direct port of a) that was recently included in Metasploit.  The
functionality is essentially the same except for the extra ease of use and
multiple payloads the Metasploit framework offers.  Note that the smtp
option is "currently non-functional".
c) a bot (or other malware) that incorporates this exploit into an
automated scan-and-sploit capability

] Anyone have strings that can be plugged into IDS signatures that
] differentiate between the SolarWinds exploit, the Metasploit exploit, and
] the sdbot/rbot exploits?  I suppose I could analyze them myself, but if
] someone's already done it....

While I can't speak to every possible bot variant, the GET requests
generated by a) - c) above will all be largely the same since they're all
based on the same code.  If possible, an IDS signature should be written to
the vulnerability, not a particular exploit.  The string of AAAAs after
"Authorization: Negotiate" could just as easily be something else, so you
shouldn't simply look for that pattern or else the IDS could be easily
evaded.

Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
+1(845) 759-4253 [tl 248-4253]
falciola () us ibm com
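The point Jason makes about writing the signature to the vulnerability rather than to the "AAAA" filler can be illustrated with a small checker. The following is an added example, not code from the original post or from any of the exploits it mentions: it pulls the base64 blob out of an "Authorization: Negotiate" header, decodes it, and asks whether the result is structurally a legitimate token (an NTLMSSP message, or a GSS-API InitialContextToken whose BER length agrees with the data) instead of grepping for a run of As. The sample requests and tokens are constructed inline for the example; the SPNEGO/Kerberos OIDs and the NTLMSSP signature are the standard ones, everything else (names, sizes, the 1 KB fake mechanism token) is an assumption made for illustration.

```python
import base64
import binascii
import re

# Added example; not part of the original post or of any exploit it names.
# Validates the structure of "Authorization: Negotiate" tokens instead of
# matching the literal "AAAA..." filler one particular exploit happens to use.

NEGOTIATE_RE = re.compile(r"^Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$",
                          re.IGNORECASE | re.MULTILINE)


def ber_length(data, offset):
    """Decode a BER length at data[offset]; return (length, bytes_consumed) or None."""
    if offset >= len(data):
        return None
    first = data[offset]
    if first < 0x80:                       # short form: one byte
        return first, 1
    n = first & 0x7F                       # long form: 0x8n, then n length bytes
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        return None
    return int.from_bytes(data[offset + 1:offset + 1 + n], "big"), 1 + n


def classify_token(raw):
    """Return 'ntlmssp', 'spnego' or 'malformed' for a decoded Negotiate token."""
    if raw.startswith(b"NTLMSSP\x00"):     # raw NTLM over the Negotiate scheme
        return "ntlmssp"
    # GSS-API InitialContextToken: [APPLICATION 0] (0x60), BER length, then an OID.
    if raw[:1] == b"\x60":
        parsed = ber_length(raw, 1)
        if parsed is not None:
            length, consumed = parsed
            body = raw[1 + consumed:]
            if length == len(body) and body[:1] == b"\x06":
                return "spnego"
    return "malformed"


def inspect_request(request):
    """Return [(token_class, decoded_length)] for each Negotiate header in a request."""
    findings = []
    for m in NEGOTIATE_RE.finditer(request):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            findings.append(("undecodable", 0))
            continue
        findings.append((classify_token(raw), len(raw)))
    return findings


def ber_wrap(tag, body):
    """tag + BER length + body; helper used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def negotiate_request(token):
    """Constructed GET request carrying the given token (hypothetical host)."""
    return ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            "Authorization: Negotiate " + base64.b64encode(token).decode() + "\r\n\r\n")


# Constructed samples, not captured traffic.
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2
# NegTokenInit with one mechType, and one carrying a fake 1 KB mechToken ([2] OCTET STRING).
SMALL_SPNEGO = ber_wrap(0x60, SPNEGO_OID + ber_wrap(0xA0, ber_wrap(0x30,
               ber_wrap(0xA0, ber_wrap(0x30, KRB5_OID)))))
BIG_SPNEGO = ber_wrap(0x60, SPNEGO_OID + ber_wrap(0xA0, ber_wrap(0x30,
             ber_wrap(0xA2, ber_wrap(0x04, b"\x5c" * 1024)))))

SAMPLES = {
    "ntlm": negotiate_request(NTLM_TYPE1),
    "small_spnego": negotiate_request(SMALL_SPNEGO),
    "big_spnego": negotiate_request(BIG_SPNEGO),
    # The base64 "AAAA..." from the thread decodes to a run of 0x00 bytes.
    "a_padding": "GET / HTTP/1.1\r\nAuthorization: Negotiate " + "A" * 2000 + "\r\n\r\n",
    # Same shape with a different filler byte; a literal "AAAA" rule misses it.
    "b_padding": "GET / HTTP/1.1\r\nAuthorization: Negotiate " + "B" * 2000 + "\r\n\r\n",
}


def scan_samples():
    """Map each constructed sample to the verdict for its Negotiate header."""
    return {name: inspect_request(req)[0][0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:13s} -> {verdict}")
```

The large but well-formed SPNEGO token is classified the same as the small one, which is the reason not to alert on length alone: real Kerberos tickets in a Negotiate header are routinely larger than the padded exploit request. What distinguishes the attack is that its decoded token is neither an NTLMSSP message nor a length-consistent ASN.1 structure, and that holds whatever filler character the attacker chooses.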

