Mark, I agree that this is not a new technique. My original post [1] referenced the iis-kabom script and noted that it had 69 GET requests (many of which are similar to what you saw here). These tools are easily (and continually) being changed, and we regularly see GETs that start with /PBserver, /iisadmpwd, /Rpc, /adsamples, etc. I also agree that the attackers have likely moved from scripted IIS-scan tools (using PHP, Perl, etc.) to using C or C++ to achieve significant speed increases. We have seen individual sources perform huge scans in a very brief period of time.

Thanks also for the info on shell.exe - it made sense.

What's interesting to me is that this (exact?) pattern was seen by James last summer [2] from a Korean source and this User Agent string has known connections to a Chinese spam bot. Now there are several reports within days of each other of the identical footprint being seen from US cable ranges. Is this a coincidence? Simply due to the circulation of tools/code in the underground? Or are we seeing more spammers (from Asia? or all over?) compromising boxes in the consumer broadband ranges and then using them as launching points for further attacks/spamming? [3]

[1] http://www.securityfocus.com/archive/75/319878/2003-04-27/2003-05-03/2
[2] http://cert.uni-stuttgart.de/archive/intrusions/2002/07/msg00119.html
[3] http://www.securityfocus.com/news/4217

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciolaat_private

Mark Embrich <mark_embrichat_private>
04/30/2003 12:24 PM
To: Jason Falciola/Sterling Forest/IBM@IBMUS, incidentsat_private
cc:
Subject: Re: New attack or old Vulnerability Scanner?
Hello Jason,

I think Reinhard Handwerker is correct:

from: http://www.securityfocus.com/archive/75/319846/2003-04-27/2003-05-03/0
-----------------------
This is a slightly modified version of the old MS IIS-Unicode exploit, see here:
http://downloads.securityfocus.com/vulnerabilities/exploits/iis-kabom.php

Reinhard Handwerker
Internet Security Systems
Atlanta, GA
-----------------------

Taking a look at the link he provided, you can see that many of the GET attempts are different, but the overall method looks correct. Meaning that it doesn't bother to identify the web server, just mindlessly launches every attack against anything that responds to a SYN to TCP 80. It also contains many of the similar GETs that I haven't seen in other IIS attacks, like the PBServer stuff and adsamples stuff. However, the Indy.Library is new, meaning the attackers probably ported the iis-kabom attacks to C++ or something.

--------
About shell.exe, generally, it looks like they're looking for someone else's backdoor. Some googling got me several answers:

http://archives.neohapsis.com/archives/incidents/2001-04/0260.html
Antoine Bour says:
Hi
I think that this file is a copy of cmd.exe. The methodology used by kids to deface NT web sites is to use the unicode exploit, to do a copy of cmd.exe in the directory scripts or other executable directory before defacing the site. So even if you patch the unicode bug, they can continue defacing your site.
regards
--------
From Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.lovit.html
When W32.Lovit runs, it does the following:
If the file C:\Windows\Winhlp32.exe exists, the virus renames this file to C:\Windows\Essdrv.exe and then copies itself as C:\Windows\Winhlp32.exe.
The virus copies itself as
C:\Windows\Sys32.exe
C:\Windows\System\Shell.exe
C:\Windows\Command\Deltree.exe
C:\Windows\Help\Live.hlp
----------
http://www.commodon.com/threat/threat-bo.htm says:
Provided below are several screen shots exemplifying a modified Back Orifice. It's been configured to install the server portion as "shell.exe", enter the name of "Windows Explorer Shell" in the registry, as well as listen on UDP port 4000.

Thanks again,
Mark Embrich

> I found it interesting that it doesn't look like what you're seeing is
> unique, nor is this a new attack pattern. As I mentioned, [1] the
> identical traffic was seen from a cable source and posted in a webmaster's
> forum [2] as recently as 4/21/03. It seems like the questions James
> raised when he saw this last July [3] were not answered. As he pointed
> out [4], the attack was *very* similar, if not identical, right down to
> the TCP connect to port 80, the 65 GET requests, and even the odd request
> for shell.exe.
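The footprint the thread describes (a burst of GETs for paths such as /PBserver, /iisadmpwd, /Rpc and /adsamples, Unicode traversal toward cmd.exe, the odd request for shell.exe, and an Indy Library User-Agent) can be picked out of an ordinary web server log. The following is an added example, not code from the thread or from any of the tools it mentions: it decodes each request path, tags the indicators a request matches, and reports sources that exceed a hit threshold. It assumes the combined (Apache-style) log format; the log lines, IP addresses, User-Agent string and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes
# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Request prefixes the thread reports the scanner using (matched on the decoded, lower-cased path).
SCANNER_PREFIXES = (b"/pbserver", b"/iisadmpwd", b"/rpc", b"/adsamples")
# Overlong UTF-8 forms of "/" and "\" that the IIS Unicode bug accepted as path separators.
OVERLONG_SEPARATORS = (b"\xc0\xaf", b"\xc1\x9c")

def decode_path(raw_path: str) -> bytes:
    """Percent-decode once, fold overlong separators and backslashes to '/', lower-case."""
    decoded = unquote_to_bytes(raw_path.split("?", 1)[0])
    for seq in OVERLONG_SEPARATORS:
        decoded = decoded.replace(seq, b"/")
    return decoded.replace(b"\\", b"/").lower()

def tag_request(path: str, user_agent: str) -> set:
    """Return the scan indicators a single request matches (empty set for benign traffic)."""
    p, tags = decode_path(path), set()
    if b"../" in p:
        tags.add("unicode-traversal")
    if p.endswith((b"/cmd.exe", b"/shell.exe")):   # shell.exe: a renamed cmd.exe left by earlier defacers
        tags.add("shell-probe")
    if p.startswith(SCANNER_PREFIXES):
        tags.add("scanner-path")
    if "indy library" in user_agent.lower():
        tags.add("indy-ua")
    return tags

def find_scanners(log_lines, min_hits=4):
    """Per source, count requests carrying any indicator; report sources at or over the threshold."""
    hits = defaultdict(lambda: {"requests": 0, "tags": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            src, _method, path, _status, ua = m.groups()
            tags = tag_request(path, ua)
            if tags:
                hits[src]["requests"] += 1
                hits[src]["tags"] |= tags
    return {s: v for s, v in hits.items() if v["requests"] >= min_hits}
# Constructed sample log (not real traffic): one noisy source and one ordinary visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Apr/2003:12:00:01 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.5 - - [30/Apr/2003:12:00:01 -0700] "GET /scripts/shell.exe HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.5 - - [30/Apr/2003:12:00:02 -0700] "GET /PBServer/..%c1%9c..%c1%9cwinnt/system32/cmd.exe HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.5 - - [30/Apr/2003:12:00:02 -0700] "GET /iisadmpwd/ HTTP/1.0" 404 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '10.0.0.9 - - [30/Apr/2003:12:00:03 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]
```

Running find_scanners(SAMPLE_LOG) reports only 10.0.0.5, with all four indicator tags; a single 404 for cmd.exe from a browser would not cross the threshold on its own.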
This archive was generated by hypermail 2b30 : Wed Apr 30 2003 - 11:16:57 PDT