Re: "Worm" behavior -- port 80 honey pots

From: Ryan Russell (ryanat_private)
Date: Mon Oct 15 2001 - 14:08:39 PDT

  • Next message: Russell Fulton: "original code red resurgence..."

    On Mon, 15 Oct 2001, Jon R. Kibler wrote:
    > Are these new variants expecting the target system to send back a
    > certain response before they unload their payload?
    Web servers don't send anything before they get a request.  So far, the
    only worm that I've personally taken apart that did any checking was
    CodeBlue.  It looks for IIS by sending a HEAD request before it starts
    attacking.  But it still has to send something.
    > We have examined detailed packet traces of these connections (Solaris'
    > snoop) and can clearly see that the remote system is not attempting to
    > send ANY data -- so we think we have ruled out some sort of bug in our
    > honey pot (and packet rates to this system are so low that packet
    > drops are not an issue). [I should add that the honey pot still picks
    > up spiders, etc. without any problem.]
    In the packet traces, I assume it finishes the 3-way TCP handshake?  Is
    your server advertising a funny sliding window or anything?
    > We have also made a few other interesting observations:
    >   1) Sometimes the honey pot will send an IDENT request to the remote
    > system. At least one of the 'worms' in circulation recently will
    > immediately drop the port 80 connection when the IDENT probe is sent
    > (to port 113).
    I used to have this problem with firewalled mail servers.  If one of the
    mail servers was configured to do ident lookups, and there was a firewall
    that just dropped ident attempts (no RST), then the mail servers would sit
    around for 2-5 minutes until the ident TCP connect timed out.  Only then
    would the mail connection deliver any data.  This could be related, and
    you should see if you can shut it off.
    >   2) When the honey pot sends data back to the remote system (be it an
    > HTML formatted 'go away' message, a null message, or seemingly
    > anything else), the remote system immediately drops the connection
    > upon receipt of the first packet.
    Once Nimda gets the first part of the response back, it will close the
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:36:19 PDT