Handler on Duty: Xavier Mertens
Threat Level: green
Published: 2003-05-30
Microsoft Security Bulletins
Microsoft has released patches for Windows 2000, NT 4.0 and XP.
Item 1
Title: Flaw in ISAPI Extension for Windows Media Services Could Cause Denial of Service (817772)
Date: 28 May 2003
Software: Microsoft(r) Windows NT(r) 4.0, and Windows(r) 2000
Impact: Allow an attacker to execute code of their choice
Max Risk: Moderate
Bulletin: MS03-019
There is a flaw in the way in which nsiislog.dll processes incoming requests. A vulnerability exists because an attacker could send specially formed communications to the server that could cause IIS to stop responding to Internet requests.
Item 2
Title: Cumulative Patch for Internet Information Service (811114)
Date: 28 May 2003
Software: Microsoft(r) Windows NT(r) 4.0, Windows(r) 2000, or Windows(r) XP
Impact: Allow an attacker to execute code of their choice
Max Risk: Important
Bulletin: MS03-018
Redirection Cross Site Scripting CAN-2003-0223
Server Side Include Web Pages Buffer Overrun CAN-2003-0224
ASP Headers Denial of Service CAN-2003-0225
WebDAV Denial of Service CAN-2003-0226
Item 3 - Update to previous bulletin
Title: Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Released: 17 Mar 2003
Revised: 28 May 2003 (version 3.0)
Software: Microsoft (r) Windows (r) NT 4.0, Windows 2000 and Windows XP
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-007
An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker’s choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).
Item 4 - Update to previous bulletin
Title: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
Released: 16 April 2003
Revised: 28 May 2003 (version 2.0)
Software: Microsoft(r) Windows NT(r) 4.0, Windows(r) 2000 and Windows(r) XP
Impact: Local Elevation of Privilege
Max Risk: Important
Bulletin: MS03-013
There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.
References:
-----------
SPI Security Alert regarding IIS WebDAV Denial of Service:
http://www.spidynamics.com/iis_alert.html
NSFOCUS Security Alert regarding SSI IIS 5.0 buffer overflow:
http://www.nsfocus.com/english/homepage/sa2003-05.htm
Microsoft Security Bulletins:
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/technet/security/bulletin/MS03-019.asp
contributed by:
Deborah Hale. haled@pionet.net
Pedro Bueno. bueno@ieee.org
Feedback please to isc@sans.org
Published: 2003-05-29
Microsoft Security Bulletins
Microsoft has released patches for Windows 2000, NT 4.0 and XP.
Published: 2003-05-18
New Virus Masquerades as Microsoft Support (Palyh)
We have received a copy of yet another worm/virus that masquerades as an e-mail from support@microsoft.com. The virus also propagates via network shares and uses several web sites to download updates.
Aliases: W32/Palyh@MM (McAfee), W32.HLLM.Ccn (Dialogue Sci), W32.HLLW.Mankx@mm (Symantec), W32/Palyh-A (Sophos)
Virus Characteristics:
From:
support@microsoft.com
Subject:
Re: My application
Re: Movie
Cool screensaver
Screensavers
Re: My details
Your password
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Body:
All information is in the attached file.
Attachment:
Typically the attachment has a .pif extension, but this could be truncated to a .pi extension. Some possible attachment names include:
approved.pif
_approved.pif
password.pif
application.pif
screen_doc.pif
screen_temp.pif
movie28.pif
doc_details.pif
ref-394755.pif
Other Details:
Palyh will send itself to all e-mail addresses it finds in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt
The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the e-mail addresses that were collected by the worm.
The following Windows Registry items have been modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
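Added example (not code from the diary): a Python check that parses a raw message with the standard library's email module and reports which of the Palyh characteristics listed above it matches (claimed sender, known subject, body text, and a .pif attachment, including the truncated .pi form). The two sample messages are constructed for this example.

```python
import email
from email import policy
from typing import List

# Indicators taken from the diary's description of Palyh.
PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensavers",
    "Re: My details", "Your password", "Your details",
}
# The "Approved (Ref: nnnn-nnnn)" subjects carry varying numbers, so match the prefix.
PALYH_SUBJECT_PREFIXES = ("Approved (Ref:", "Re: Approved (Ref:")
PALYH_BODY = "All information is in the attached file."
# .pif is the real extension; the diary notes it may arrive truncated to .pi
DROPPER_EXTENSIONS = (".pif", ".pi")


def palyh_indicators(raw: bytes) -> List[str]:
    """Return the list of Palyh indicators found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    sender = str(msg.get("From") or "").lower()
    if PALYH_SENDER in sender:
        hits.append("sender claims to be " + PALYH_SENDER)

    subject = str(msg.get("Subject") or "").strip()
    if subject in PALYH_SUBJECTS or subject.startswith(PALYH_SUBJECT_PREFIXES):
        hits.append(f"known Palyh subject: {subject!r}")

    # Walk every MIME part; only attachments carry a filename.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(DROPPER_EXTENSIONS):
            hits.append(f"executable attachment {name!r}")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PALYH_BODY in body.get_content():
        hits.append("Palyh body text present")
    return hits


# Constructed sample: a message shaped like the diary's description.
SAMPLE_MAIL = b"""From: support@microsoft.com
To: victim@example.com
Subject: Re: Approved (Ref: 3394-65467)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

All information is in the attached file.
--XX
Content-Type: application/octet-stream; name="ref-394755.pi"
Content-Disposition: attachment; filename="ref-394755.pi"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGZpbGU=
--XX--
"""

# Constructed benign message for comparison.
CLEAN_MAIL = b"""From: alice@example.com
To: bob@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(label, palyh_indicators(raw))
```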
References:
http://www.symantec.com/avcenter/venc/data/w32.hllw.mankx@mm.html
http://www.f-secure.com/v-descs/palyh.shtml
http://www.sophos.com/virusinfo/analyses/w32palyha.html
http://vil.mcafee.com/dispVirus.asp?virus_k=100307
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PALYH.A
http://www.viruslist.com/eng/viruslist.html?id=60521
http://www.microsoft.com/technet/security/virus/alerts/palyh.asp
Other News:
http://news.bbc.co.uk/1/hi/technology/3040247.stm
------------------------------------------------
Contact: isc@sans.org
Published: 2003-05-13
Fizzer Virus / Backdoor
A new mass-mailing virus, currently labeled "Win32.Fizzer.A", has been spreading for the last few days. Its payload has several interesting features:
- In addition to e-mail, the virus spreads via the Kazaa P2P network.
- It tries to terminate anti-virus scanners.
- It includes a keystroke logger.
- It permits remote control via AOL Instant Messenger or IRC.
The IRC component is particularly interesting. It includes a long list of IRC servers; the infected system joins a password-protected channel on one of these servers and waits for commands. "Fizzer" attempts to hide its bot nature in this IRC channel by using a regular-looking nickname. Occasionally, the bots will "chat" by sending a random string to the channel.
A summary from an IRC operator's perspective can be found in this mailing list
post:
http://www.dshield.org/pipermail/list/2003-May/008165.php
Counter Measures:
Current anti-virus filters detect 'Fizzer'. Stripping executable attachments works as well.
Detection:
The virus creates the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the anti-virus vendor links below for a more complete list.
Removal:
According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute and then delete the file progOp.exe from the Windows folder.
More details:
http://www.dshield.org/pipermail/list/2003-May/008165.php
http://www.bullguard.com/antivirus/vit_fizzer_a.aspx
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=100295
http://www.kaspersky.com/news.html?id=977151
http://www.microsoft.com/technet/security/virus/alerts/fizzer.asp
--------------------------------------------------------
please send any observations to isc@sans.org
Published: 2003-05-12
Quick Launch toolbar spyware
We received a few reports of e-mails advertising the 'Quick Launch' spyware as an anti-virus tool. A typical e-mail reads:
--------------------------------------------------------------------------------
Subject: Windows Update Notification
WINDOWS SECURITY WARNING!!
A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER NOT
TO CRASH YOU WILL NEED TO GO TO:
HTTP://WWW.WINDOWSUPDATENOW.COM
AND IT WILL AUTOMATICALLY UPDATE YOUR COMPUTERS SECURITY PATCHES.
SIMPLY TYPE IN HTTP://WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER. OTHERWISE
YOU WILL KEEP RECEIVING THIS SECURITY ALERT EMAIL EVERY DAY
---------------------------------------------------------------------------------
Note the use of a 'plausible' domain name: windowsupdatenow.com
This domain does not belong to Microsoft; its registration record reads:
( This Domain is For Sale )
Joshuathan Investments, Inc.
62 Cleghorn Street
Belize City, Belize none
US
Domain Name: WINDOWSUPDATENOW.COM
Administrative Contact -
This Domain Is For Sale - joshuathaninvest@aol.com
( This Domain is For Sale ) Joshuathan Investments, Inc.
62 Cleghorn Street
Belize City, Belize none
US
Phone - 501-2-31244
Fax - 501-2-34222
Technical Contact -
This Domain Is For Sale - joshuathaninvest@aol.com
( This Domain is For Sale ) Joshuathan Investments, Inc.
62 Cleghorn Street
Belize City, Belize none
US
Phone - 501-2-31244
Fax - 501-2-34222
Once you visit this page, it redirects you to another URL (http://www.quicklaunch.com/perl/detection.pl), which attempts to install the Quick Launch toolbar (http://download.quicklaunch.com/quicklaunch154.cab), a known spyware program.
Removal instructions are available here:
http://www.doxdesk.com/parasite/BrowserAid.html
Published: 2003-05-08
New backdoor - Trojan.Kaht - exploits WebDav vulnerability
Trojan.Kaht is a hack tool used by its creator to scan for and exploit the Microsoft WebDAV vulnerability in IIS 5.0. An individual who successfully exploits this vulnerability may completely control an affected web server.
IIS WebDAV uses a core Windows system component, ntdll.dll, which contains an unchecked buffer used when processing incoming WebDAV requests. Trojan.Kaht scans for vulnerable Microsoft WebDAV (IIS 5.0) servers by sending a specially formatted WebDAV HTTP request to the server.
If the server is vulnerable, the Trojan creates a script file, kaht.html, on the compromised system. It then adds a user, "KaHT," to the Administrators group and spawns a shell. This gives the Trojan's creator complete control of the system.
-----
contributed by Deborah Hale. haled@pionet.net
feedback please to isc@sans.org
Published: 2003-05-06
WEBDAV Exploits on the rise
On May 7th 2003, a post to the Intrusions list noted an increase in attacks using the 'WEBDAV' exploit.
While we do not have any evidence of self-replication at this point, the tool used is very aggressive, and at least some of the attacked hosts were reported to be scanning for other vulnerable hosts.
The WEBDAV vulnerability, officially announced in March but available in the underground before that, has been used for a while by various tools. So far the goal of these tools has been either to deface websites or to upload various backdoors or 'IRC bots'.
This latest outbreak seems to be using a more aggressive tool, probably scanning a large number of hosts. While this tool may have the ability to replicate, we have not seen any evidence of it. For botnets in particular, it is unusual for the tool to copy itself to the vulnerable host; instead, a remote control agent is used to gain control of the host for various purposes (DDoS, port scanning).
We do not have any exploit code available for this particular tool. Based on a post to the Intrusions list by Michael Scheidell, the following request can be found in the web logs of scanned systems:
SEARCH / HTTP/1.1\r\n", "Host: nnnnnn"
Apache logs from older WEBDAV tools:
1.2.3.4 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H
(the characters \x04H are repeated many times, followed by many repeats of \x90
" 414 271 "-" "-"
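As an added defender-side example (not code from the diary), the following Python parses Apache combined-format log lines like the one above and flags WebDAV SEARCH requests, distinguishing a bare SEARCH probe from a request carrying the \x90 / \x04H padding. The sample log lines and the 1024-byte URI threshold are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache "combined" log line: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Apache writes non-printable request bytes as \xNN escapes, so the NOP sled (\x90)
# and the \x04H padding from the diary's sample line appear literally in the log.
NOP_SLED = re.compile(r'(?:\\x90){8,}')
PADDING = re.compile(r'(?:\\x04H){8,}')
LONG_URI = 1024          # assumed threshold; legitimate SEARCH request URIs are short


@dataclass
class Hit:
    host: str
    time: str
    status: int
    severity: str        # "probe" (bare SEARCH) or "exploit" (payload markers present)
    reasons: List[str]


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a WebDAV SEARCH request line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ", 2)
    method, uri = parts[0], (parts[1] if len(parts) > 1 else "")
    if method != "SEARCH":
        return None
    status = int(m.group("status"))
    reasons: List[str] = []
    if NOP_SLED.search(uri):
        reasons.append("run of \\x90 (NOP sled) in request URI")
    if PADDING.search(uri):
        reasons.append("run of \\x04H padding in request URI")
    if len(uri) > LONG_URI:
        reasons.append(f"request URI longer than {LONG_URI} bytes")
    if status == 414:
        reasons.append("server answered 414 Request-URI Too Long")
    severity = "exploit" if reasons else "probe"
    if not reasons:
        reasons.append("WebDAV SEARCH method seen (scanner fingerprint)")
    return Hit(m.group("host"), m.group("time"), status, severity, reasons)


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Classify every line and keep only the SEARCH hits."""
    return [h for h in (classify(line) for line in lines) if h is not None]


# Constructed sample lines modelled on the diary's excerpt (not real traffic).
EXPLOIT_LINE = (
    '1.2.3.4 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /'
    + '\\x90' * 300 + '\\x04H' * 100 + ' HTTP/1.1" 414 271 "-" "-"'
)
PROBE_LINE = '10.0.0.9 - - [07/May/2003:09:12:01 -0500] "SEARCH / HTTP/1.1" 501 219 "-" "-"'
NORMAL_LINE = '10.0.0.5 - - [07/May/2003:09:12:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"'
SAMPLE_LOG = [EXPLOIT_LINE, PROBE_LINE, NORMAL_LINE]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.severity}: {'; '.join(hit.reasons)}")
```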
Relevant Links:
MSFT Announcement regarding WEBDAV:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
ISC Analysis of WEBDAV Vulnerability:
http://isc.incidents.org/analysis.html?id=183
--------------
Please report any further details to isc@sans.org. Please submit code samples as an encrypted zip file with password 'isc'.
Published: 2003-05-05
ICQ/MSN Messenger Fraud
We received notice about fraudulent messages sent via ICQ and MSN Messenger, urging users to visit various websites to download Windows patches. While these websites resemble 'official' Microsoft sites, the patch is in fact a trojan horse. If installed, the trojan horse connects to an IRC server and participates in a "botnet" which could be used to portscan or to launch DDoS attacks.
It has become a common tactic to impersonate well-known web sites to either trick the user into revealing personal information or to download and install trojans. This class of attacks, commonly known as "cognitive hacking", represents a variation of social engineering and is not easily defeated by technical means. User education is the number one defense. We do urge system administrators to educate users about commonly used techniques.
In this case, a number of hints indicate that the site is not authentic:
- The message arrives via MSN or ICQ. Microsoft will never use either service to notify users of patches. Neither instant messenger service should be considered "secure": neither uses encryption to transmit messages, and authentication is weak.
- The URL does not use a domain name but an IP address, and the site uses plain http rather than https. While https can be used to make a 'fake' site look more authentic, it adds an extra layer of complexity most malware authors avoid.
- The URL includes JavaScript code to maximize the window. This is likely done to conceal the fact that the site is not using https (the 'lock' icon moves off the screen). More sophisticated impostors will move the actual task bar off the screen and replace it with their own image of a 'secure' task bar.
Immediate measures:
We do recommend blocking access to the following IPs and sites used in this
scam:
200.152.5.119
212.78.206.150
209.126.216.36
Upon joining the IRC channel, the 'bots' are currently instructed to scan ports 27374 and 1243. The installed binary is 'scan.exe'. While scan.exe is not currently detected as a virus, it will uncompress itself and extract several components which are detected by virus scanners.
Just a reminder: there are likely variations of this basic scheme. Please do NOT take these instructions too literally. More generically, outbound IRC traffic and outbound scans of ports 27374 and 1243 are always suspicious.
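Added example, not code from the diary: a Python pass over outbound connection records that applies the generic rule above. It flags an internal host that sweeps many targets on port 27374 or 1243, that talks to an IRC port, or that contacts one of the three addresses the diary recommends blocking. The record format, the IRC port 6667 and the 10-target scan threshold are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Addresses the diary recommends blocking, and the ports the bots are told to scan.
BLOCKED = {"200.152.5.119", "212.78.206.150", "209.126.216.36"}
SCAN_PORTS = {27374, 1243}
IRC_PORTS = {6667}        # assumption: the diary names no IRC port; 6667 is the conventional one
SCAN_THRESHOLD = 10       # assumption: distinct targets on one scan port before flagging a host


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def parse_conn(line: str) -> Conn:
    """Parse one constructed outbound record of the form '<src> -> <dst>:<dport>'."""
    src, rest = line.split(" -> ", 1)
    dst, port = rest.rsplit(":", 1)
    return Conn(src.strip(), dst.strip(), int(port))


def find_suspects(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each internal source host to the reasons it looks like an IRC bot."""
    scan_targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    irc_peers: Dict[str, Set[str]] = defaultdict(set)
    blocked_hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        c = parse_conn(line)
        if c.dst in BLOCKED:
            blocked_hits[c.src].add(c.dst)
        if c.dport in SCAN_PORTS:
            scan_targets[(c.src, c.dport)].add(c.dst)
        elif c.dport in IRC_PORTS:
            irc_peers[c.src].add(c.dst)

    findings: Dict[str, List[str]] = defaultdict(list)
    # A scan is many distinct destinations on one of the bot's scan ports.
    for (src, port), dsts in sorted(scan_targets.items()):
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].append(f"outbound scan: {len(dsts)} hosts on port {port}")
    for src, dsts in irc_peers.items():
        findings[src].append("outbound IRC to " + ", ".join(sorted(dsts)))
    for src, dsts in blocked_hits.items():
        findings[src].append("contacted blocked address " + ", ".join(sorted(dsts)))
    return dict(findings)


# Constructed sample: one host sweeps port 27374, talks IRC and touches a blocked address;
# another host makes a single 1243 connection, which stays below the threshold.
SAMPLE = [f"192.168.1.20 -> 10.1.{i}.1:27374" for i in range(25)]
SAMPLE += [
    "192.168.1.20 -> 198.51.100.7:6667",
    "192.168.1.20 -> 212.78.206.150:80",
    "192.168.1.7 -> 10.9.9.9:1243",
    "192.168.1.7 -> 203.0.113.8:80",
]

if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```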
------
Matt Scarborough contributed to this report.
Please send feedback to isc@sans.org