Security Incidents mailing list archives
RE: New http attack? (sdbot/rbot/other)
From: Jason Falciola <falciola () us ibm com>
Date: Wed, 8 Jun 2005 19:11:40 -0400
On Wednesday, June 08, 2005 3:59 PM, "Keith T. Morgan" keith.morgan () terradon com wrote:

] Ok, thanks for the info. Someone else pointed out off-list that it appears to be an rbot or SDBot variant, and pointed to a diary entry at SANS that google apparently hadn't indexed yet. We haven't yet seen the volume that others are reporting, but I'm sure the graph will get steeper over time.

You're welcome, Keith. When we saw the SANS diary post last Friday night it was good to note that others were observing similar things as we had and were drawing the same conclusions. We have seen the volume continue to rise over the past week.

The relationship between sources and destinations we've seen does not point to a worm that has an IP-selection algorithm weighted in favor of the local and/or nearby networks. The traffic has been indiscriminate - not even bothering to check if the destination is running IIS or even listening on port 80.

It's important to realize that there are several possible exploitation vectors (Kerberos, Exchange, IIS, and SMB), and as George Bakos said you should disable unused services/authentication methods. This is especially true in this case, as it may come as a surprise to some that IIS supports NTLM authentication over HTTP. It's unfortunate, but not surprising, to note that there appear to be many machines that are still not patched for this vulnerability over one year after it was fixed.

] Of course, since it's just an "AAAAAAAAAAAAAA" buffer in base64, we can't rule out a human driven attack. We'll continue to monitor as always and see what pops up.

It could be a person manually sending the GET request by hand using netcat or some such. However, our evidence (including temporal analysis) suggests that this is much more likely to be caused by:

a) the exploit by Solar Eclipse, who should not be confused with SolarWinds, a company that writes code of a different variety. :-)

b) the direct port of a) that was recently included in Metasploit. The functionality is essentially the same except for the extra ease of use and multiple payloads the Metasploit framework offers. Note that the smtp option is "currently non-functional".

c) a bot (or other malware) that incorporates this exploit into an automated scan-and-sploit capability.

] Anyone have strings that can be plugged into IDS signatures that differentiate between the SolarWinds exploit, the Metasploit exploit, and the sdbot/rbot exploits? I suppose I could analyze them myself, but if someone's already done it....

While I can't speak to every possible bot variant, the GET requests generated by a) - c) above will all be largely the same since they're all based on the same code. If possible, an IDS signature should be written to the vulnerability, not a particular exploit. The string of AAAAs after "Authorization: Negotiate" could just as easily be something else, so you shouldn't simply look for that pattern or else the IDS could be easily evaded.

Jason Falciola
Security Intelligence Analyst
IBM Managed Security Services
+1(845) 759-4253 [tl 248-4253]
falciola () us ibm com
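As an added illustration of the signature advice in the message above (example code, not from the thread, IBM or any IDS project): a Python checker that decodes the Authorization: Negotiate value and flags tokens that are structurally neither a SPNEGO InitialContextToken nor a raw NTLMSSP message, shown beside the literal "AAAA" match the post warns against. The sample requests, the www.example.test host and the 2048-byte length ceiling are constructed assumptions.

```python
import base64
import binascii
import re

# SPNEGO mechanism OID 1.3.6.1.5.5.2 in DER (tag 0x06, length 6).
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
MAX_TOKEN_LEN = 2048  # assumed ceiling for a plausible initial token; tune per environment
HEADER_RE = re.compile(r"^Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def _request(b64_token: str) -> str:
    return "GET / HTTP/1.1\r\nHost: www.example.test\r\nAuthorization: Negotiate " + b64_token + "\r\n\r\n"


# Constructed sample requests (not captures from the thread).
SAMPLE_REQUESTS = [
    _request("A" * 64),                                             # 0: the literal run of A's discussed
    _request(base64.b64encode(b"\x41" * 48).decode()),              # 1: same shape, different filler byte
    _request(base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()),  # 2: raw NTLM Type 1
    _request(base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()),  # 3: minimal SPNEGO InitialContextToken
]


def literal_match(request: str) -> bool:
    """The exploit-specific check the thread warns against: a fixed run of A's."""
    return "AAAAAAAA" in request


def inspect_negotiate(request: str):
    """Structural check on the Negotiate token: decode it and require it to look like
    what a real client sends (SPNEGO or raw NTLMSSP). Returns (verdict, reason)."""
    m = HEADER_RE.search(request)
    if not m:
        return ("no-negotiate", "no Authorization: Negotiate header")
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ("alert", "Negotiate value is not valid base64")
    if len(token) > MAX_TOKEN_LEN:
        return ("alert", f"token of {len(token)} bytes exceeds {MAX_TOKEN_LEN}")
    if token.startswith(b"NTLMSSP\x00"):
        return ("ok", "raw NTLMSSP token")
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return ("ok", "SPNEGO InitialContextToken")
    return ("alert", "token is neither SPNEGO nor NTLMSSP")


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, "literal:", literal_match(req), "structural:", inspect_negotiate(req))
```

Sample 1 shows the gap: it carries no run of A's, so the literal pattern misses it, while the structural check still alerts because the decoded token is not a token any client would send.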