Re: new iis worm: seeking signature

From: Jordan K Wiens (jwiensat_private)
Date: Wed Jun 13 2001 - 14:04:58 PDT


    Best signature we've found for catching any variety of these worms is
    keying on system32/cmd.exe to any web port.  No matter what variation of
    the directory traversal bug the script or hacker uses, they invariably
    access cmd.exe for their first access.
    
    There are just too many variations of unicode for / and other characters
    and ways to combine them to try to catch them all with a simple IDS
    signature.  An extremely intelligent IDS would have to translate the
    unicode (even the encodings technically out of spec, which is the whole
    problem in the first place) to determine if a directory traversal is being
    attempted, and that's just not practical in an environment with as much data
    as many networks see.  Generic unicode signatures work miserably for obvious
    reasons: false positives until the sun comes up.
    
    In other words, a simple cmd.exe signature has been our most effective tool
    in catching these worms.
    
    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061
    
    On Wed, 13 Jun 2001, Jose Nazario wrote:
    
    > 
    > hi all,
    > 
    > i found these in my apache logs after a quick check:
    > 
    > 209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET
    > /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
    > 209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET
    > /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246
    > 
    > in a nutshell, plain old unicode directory traversal attempts. (failed,
    > obviously.)
    > 
    > normally i would have dismissed these as 'kids', but these reports on a
    > new IIS worm have me wondering if anyone has a signature for the scans it
    > does:
    > 
    > http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
    > http://www.security-informer.com/ic_620113_3494_1-3283.html
    > 
    > thanks.
    > 
    > ____________________________
    > jose nazario    joseat_private
    > PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    > PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    > 
    > 
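As an added illustration of the signature trade-off Jordan describes (example code written for this archive page, not anything from either poster), the following Python applies an enumerated-encoding signature and the plain cmd.exe signature to the Apache lines quoted in the thread, and shows what each path normalises to once overlong UTF-8 is decoded the way the vulnerable server did. The lenient decoder, the two-entry encoding list and the third, benign log line are constructed here for the demonstration.

```python
import re
# Constructed sample log: the first two lines are the Apache entries quoted in the thread, rejoined onto one line each; the third is a benign request added for contrast.
SAMPLE_LOG = """\
209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246
10.0.0.5 - - [10/Jun/2001:17:51:00 -0400] "GET /index.html HTTP/1.0" 200 1024
"""
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/')
# Signature A enumerates specific encodings of "../" (the list the post says can never be complete);
# signature B is the post's recommendation: any request naming cmd.exe.
ENCODED_TRAVERSAL = ("..%c0%af", "..%c1%9c")

def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters pass through as ASCII."""
    return bytes(int(m.group(1), 16) if m.group(1) else ord(m.group(0)) & 0x7F
                 for m in re.finditer(r"%([0-9A-Fa-f]{2})|.", path))

def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way the vulnerable server did: overlong sequences such as
    %c0%af and %e0%80%af are accepted and both yield '/'; bad bytes become U+FFFD."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        n = 1 if 0xC0 <= b < 0xE0 else 2 if 0xE0 <= b < 0xF0 else 0
        cp = b if b < 0x80 else (b & (0x3F >> n)) if n else 0xFFFD
        cont = raw[i + 1:i + 1 + n]
        if len(cont) == n and all(0x80 <= c < 0xC0 for c in cont):
            for c in cont:
                cp = (cp << 6) | (c & 0x3F)  # append six payload bits per continuation byte
            i += 1 + n
        else:  # truncated or malformed sequence: emit U+FFFD and resynchronise on the next byte
            cp, i = 0xFFFD, i + 1
        out.append(chr(cp))
    return "".join(out)

def classify(line: str) -> dict:
    m = LOG_RE.search(line)
    if not m:
        return {}
    path = m.group("path")
    decoded = lenient_utf8(percent_decode(path)).replace("\\", "/")
    return {
        "encoded_sig": any(s in path.lower() for s in ENCODED_TRAVERSAL),
        "cmd_exe_sig": "cmd.exe" in path.lower(),
        "traversal_after_decode": "/../" in decoded and "cmd.exe" in decoded.lower(),
        "decoded": decoded,
    }

def scan(log: str) -> list:
    """Return one classification per request line in an Apache access log."""
    return [r for r in map(classify, log.splitlines()) if r]
```

On the two quoted requests the enumerated signature fires only on the first (the %e0%80%af form is not in its list), while the cmd.exe signature fires on both and not on the benign line.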
    