new attack tool combining SMB and WebDAV?

From: Matt Power (mhpowerat_private)
Date: Sun Mar 30 2003 - 14:49:41 PST

Next message: John S. Pitts: "RE: strange DNS behavior over the last 2 days"

Previous message: Wilson, Aaron J.: "SQL Slammer Variant?"
Next in thread: James C Slora Jr: "RE: new attack tool combining SMB and WebDAV?"
Reply: James C Slora Jr: "RE: new attack tool combining SMB and WebDAV?"
Reply: Bill McCarty: "Re: new attack tool combining SMB and WebDAV?"
Reply: Toby Miller: "RE: new attack tool combining SMB and WebDAV?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A possibly new attack tool is being used in the wild that sends
traffic to a set of nearby IP addresses, using tcp ports 445 and 80.
The observed traffic on port 80 (first noticed around 2200 GMT on 30
March) consisted of:

  OPTIONS / HTTP/1.1
  translate: f
  User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
  Host: a.b.c.d
  Content-Length: 0
  Connection: Keep-Alive

where a.b.c.d is the destination IP address. The traffic on port 445
looked like the usual attack traffic described at, for example,
http://www.cert.org/advisories/CA-2003-08.html

In many cases, packets on both port 445 and 80 were sent to the same
destination IP address.

By "set of nearby IP addresses", I mean that the attacking machine was
apparently trying to send data to all machines within an IP address
range (rather than, for example, send data to IP addresses selected at
random). It wasn't immediately clear why some IP addresses were
skipped. A possibility is that the attacker had access to earlier
reconnaissance data about which IP addresses were in use.

The third type of traffic from the attacking machine consisted of very
large ICMP echo-request packets, all going to the same destination IP
address. The ICMP packet contents consisted entirely of the lowercase
letters 'a' through 'w' repeated many times, e.g.,

  abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...

Anyway, this may mean that some type of WebDAV data-gathering or
exploit capability has been incorporated into a software package that
also compromises machines via SMB. There wasn't direct evidence that
the software package was associated with planned exploitation of the
CA-2003-09 vulnerability via WebDAV, although it may have been. The
ICMP traffic suggests that the software package may have a DoS
capability that's separate from the SMB and WebDAV traffic.

Matt Power
BindView Corporation, RAZOR Team
mhpowerat_private

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfihl1

Next message: John S. Pitts: "RE: strange DNS behavior over the last 2 days"
Previous message: Wilson, Aaron J.: "SQL Slammer Variant?"
Next in thread: James C Slora Jr: "RE: new attack tool combining SMB and WebDAV?"
Reply: James C Slora Jr: "RE: new attack tool combining SMB and WebDAV?"
Reply: Bill McCarty: "Re: new attack tool combining SMB and WebDAV?"
Reply: Toby Miller: "RE: new attack tool combining SMB and WebDAV?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 13:50:18 PST