On Mon, 15 Oct 2001, Jon R. Kibler wrote:

> Are these new variants expecting the target system to send back a
> certain response before they unload their payload?

Web servers don't send anything before they get a request. So far, the
only worm that I've personally taken apart that did any checking was
CodeBlue. It looks for IIS by sending a HEAD request before it starts
attacking. But it still has to send something.

> We have examined detailed packet traces of these connections (Solaris'
> snoop) and can clearly see that the remote system is not attempting to
> send ANY data -- so we think we have ruled out some sort of bug in our
> honey pot (and packet rates to this system are so low that packet
> drops are not an issue). [I should add that the honey pot still picks
> up spiders, etc. without any problem.]

In the packet traces, I assume it finishes the 3-way TCP handshake? Is
your server advertising a funny sliding window or anything?

> We have also made a few other interesting observations:
> 1) Sometimes the honey pot will send an IDENT request to the remote
> system. At least one of the 'worms' in circulation recently will
> immediately drop the port 80 connection when the IDENT probe is sent
> (to port 113).

I used to have this problem with firewalled mail servers. If one of the
mail servers was configured to do ident lookups, and there was a
firewall that just dropped ident attempts (no RST), then the mail
servers would sit around for 2-5 minutes until the ident TCP connect
timed out. Only then would the mail connection deliver any data. This
could be related, and you should see if you can shut it off.

> 2) When the honey pot sends data back to the remote system (be it an
> HTML formatted 'go away' message, a null message, or seemingly
> anything else), the remote system immediately drops the connection
> upon receipt of the first packet.

Once Nimda gets the first part of the response back, it will close the
socket.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:36:19 PDT
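The checks Ryan asks for in the reply above (did the 3-way handshake complete, did the server advertise an odd window, who sent payload first, and did the honeypot open an ident connection back to the client before the port 80 session died) can be scripted over a capture once it has been reduced to per-packet tuples. The following is an added example, not code from the original post or from any of the people in the thread. The honeypot address 192.0.2.10, the client addresses and the trace itself are constructed for the example; it does not parse snoop's own output, so you would first export the capture to the tuple form shown in the comment.

```python
from collections import defaultdict

# Hypothetical addresses and ports for the constructed sample below.
HONEYPOT = "192.0.2.10"
WEB_PORT = 80
IDENT_PORT = 113

# Each packet is a tuple reduced from a capture (snoop, tcpdump, ...), in capture order:
#   (time, src_ip, src_port, dst_ip, dst_port, flags, payload_len, window)
# flags is a string of TCP flag letters (S, A, P, F, R).
def classify_connections(packets, server=HONEYPOT, port=WEB_PORT):
    """Group packets into client<->server:port conversations and, for each, report
    whether the 3-way handshake completed, who sent payload first, what window the
    server advertised in its SYN-ACK, and whether the server opened an ident (113)
    connection back to that client. Returns {(client_ip, client_port): dict}."""
    flows = defaultdict(list)       # (client_ip, client_port) -> [(direction, flags, plen, win)]
    ident_targets = set()           # client IPs the server probed on port 113
    for _t, src, sport, dst, dport, flags, plen, win in packets:
        if dst == server and dport == port:
            flows[(src, sport)].append(("client", flags, plen, win))
        elif src == server and sport == port:
            flows[(dst, dport)].append(("server", flags, plen, win))
        elif src == server and dport == IDENT_PORT:
            ident_targets.add(dst)

    results = {}
    for (client_ip, client_port), pkts in flows.items():
        # Walk the handshake in order: client SYN, server SYN-ACK, client ACK.
        state = 0
        for d, f, _, _ in pkts:
            if state == 0 and d == "client" and "S" in f and "A" not in f:
                state = 1
            elif state == 1 and d == "server" and "S" in f and "A" in f:
                state = 2
            elif state == 2 and d == "client" and "A" in f and "S" not in f:
                state = 3
                break
        handshake = state == 3
        client_bytes = sum(p for d, _, p, _ in pkts if d == "client")
        server_bytes = sum(p for d, _, p, _ in pkts if d == "server")
        first_talker = next((d for d, _, p, _ in pkts if p > 0), None)
        synack_win = next((w for d, f, _, w in pkts if d == "server" and "S" in f and "A" in f), None)
        zero_window = synack_win == 0
        ident_probed = client_ip in ident_targets

        if not handshake:
            verdict = "handshake incomplete"
        elif client_bytes > 0:
            verdict = "client sent data"
        elif zero_window:
            verdict = "server advertised zero window; client could not send"
        elif server_bytes > 0:
            verdict = "server spoke first; client dropped without sending"
        elif ident_probed:
            verdict = "silent client; ident probe may have triggered the drop"
        else:
            verdict = "silent client after full handshake"

        results[(client_ip, client_port)] = {
            "handshake": handshake,
            "client_bytes": client_bytes,
            "server_bytes": server_bytes,
            "first_talker": first_talker,
            "synack_window": synack_win,
            "ident_probed": ident_probed,
            "verdict": verdict,
        }
    return results


# Constructed sample trace (not from the original post): four clients hitting the honeypot.
SAMPLE_TRACE = [
    # 203.0.113.7: full handshake, honeypot probes ident, client closes without sending.
    (0.00, "203.0.113.7", 1025, HONEYPOT, 80, "S", 0, 8760),
    (0.01, HONEYPOT, 80, "203.0.113.7", 1025, "SA", 0, 24820),
    (0.02, "203.0.113.7", 1025, HONEYPOT, 80, "A", 0, 8760),
    (0.03, HONEYPOT, 1040, "203.0.113.7", 113, "S", 0, 24820),
    (0.05, "203.0.113.7", 1025, HONEYPOT, 80, "FA", 0, 8760),
    # 203.0.113.8: full handshake, honeypot sends a 200-byte reply first, client resets.
    (1.00, "203.0.113.8", 2000, HONEYPOT, 80, "S", 0, 8760),
    (1.01, HONEYPOT, 80, "203.0.113.8", 2000, "SA", 0, 24820),
    (1.02, "203.0.113.8", 2000, HONEYPOT, 80, "A", 0, 8760),
    (1.50, HONEYPOT, 80, "203.0.113.8", 2000, "PA", 200, 24820),
    (1.51, "203.0.113.8", 2000, HONEYPOT, 80, "R", 0, 0),
    # 203.0.113.9: full handshake, client sends a 60-byte request, server answers.
    (2.00, "203.0.113.9", 3000, HONEYPOT, 80, "S", 0, 8760),
    (2.01, HONEYPOT, 80, "203.0.113.9", 3000, "SA", 0, 24820),
    (2.02, "203.0.113.9", 3000, HONEYPOT, 80, "A", 0, 8760),
    (2.03, "203.0.113.9", 3000, HONEYPOT, 80, "PA", 60, 8760),
    (2.10, HONEYPOT, 80, "203.0.113.9", 3000, "PA", 300, 24820),
    # 203.0.113.10: SYN only, never completes.
    (3.00, "203.0.113.10", 4000, HONEYPOT, 80, "S", 0, 8760),
]

if __name__ == "__main__":
    for (ip, cport), r in sorted(classify_connections(SAMPLE_TRACE).items()):
        print(f"{ip}:{cport:<5} handshake={r['handshake']!s:5} c2s={r['client_bytes']:4} "
              f"s2c={r['server_bytes']:4} first={r['first_talker']} "
              f"ident={r['ident_probed']} -> {r['verdict']}")
```

The verdict order matters: a client that sent anything at all is reported as such before any other explanation is offered, a zero window in the SYN-ACK is checked next because it would stop a well-behaved client from sending, and only a client that stayed silent through a clean handshake is tagged with the ident probe as a possible cause. Sorting the honeypot's traffic into these buckets is what separates "the worm never speaks first" from "our server stopped it from speaking".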