Re: "Worm" behavior -- port 80 honey pots

From: Ryan Russell (ryanat_private)
Date: Mon Oct 15 2001 - 14:08:39 PDT

Next message: Russell Fulton: "original code red resurgence..."

Previous message: Rich Puhek: "Re: "Worm" behavior -- port 80 honey pots"
In reply to: Jon R. Kibler: ""Worm" behavior -- port 80 honey pots"
Next in thread: Alexander Bochmann: "Re: "Worm" behavior -- port 80 honey pots"
Reply: Alexander Bochmann: "Re: "Worm" behavior -- port 80 honey pots"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 15 Oct 2001, Jon R. Kibler wrote:

>
> Are these new variants expecting the target system to send back a
> certain response before they unload their payload?

Web servers don't send anything before they get a request.  So far, the
only worm that I've personally taken apart that did any checking was
CodeBlue.  It looks for IIS by sending a HEAD request before it starts
attacking.  But it still has to send something.

>
> We have examined detailed packet traces of these connections (Solaris'
> snoop) and can clearly see that the remote system is not attempting to
> send ANY data -- so we think we have ruled out some sort of bug in our
> honey pot (and packet rates to this system are so low that packet
> drops are not an issue). [I should add that the honey pot still picks
> up spiders, etc. without any problem.]

In the packet traces, I assume it finishes the 3-way TCP handshake?  Is
your server advertising a funny sliding window or anything?

>
> We have also made a few other interesting observations:
>   1) Sometimes the honey pot will send an IDENT request to the remote
> system. At least one of the 'worms' in circulation recently will
> immediately drop the port 80 connection when the IDENT probe is sent
> (to port 113).

I used to have this problem with firewalled mail servers.  If one of the
mail servers was configured to do ident lookups, and there was a firewall
that just dropped ident attempts (no RST), then the mail servers would sit
around for 2-5 minutes until the ident TCP connect timed out.  Only then
would the mail connection deliver any data.  This could be related, and
you should see if you can shut it off.

>   2) When the honey pot sends data back to the remote system (be it an
> HTML formatted 'go away' message, a null message, or seemingly
> anything else), the remote system immediately drops the connection
> upon receipt of the first packet.

Once Nimda gets the first part of the response back, it will close the
socket.

					Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Russell Fulton: "original code red resurgence..."
Previous message: Rich Puhek: "Re: "Worm" behavior -- port 80 honey pots"
In reply to: Jon R. Kibler: ""Worm" behavior -- port 80 honey pots"
Next in thread: Alexander Bochmann: "Re: "Worm" behavior -- port 80 honey pots"
Reply: Alexander Bochmann: "Re: "Worm" behavior -- port 80 honey pots"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:36:19 PDT