[Snort-sigs] Unknown IIS Worm Sigs

John Nagro john.nagro at ...2420...
Thu Jun 24 22:06:01 EDT 2004

Alright, its late and i'm bored (and quite tire) so excuse me if i am
repeating someone already mentioned... the exploit grabs a few
different pages, all of which contain obscured data, which is
generally decoded and used to make up url's to get other data...

poking around in the site i found this:


this page contains the actual code that works up a url to exploit
something in the browser. there is probably enough content here to
script a sig that looks for the particular URL. I took the jscript and
removed certain lines and printed the variables out and it looks like
the code scirpts up a url starting with mms:// which saves a file
(probably the misfits.exe) to C:\\Program Files\Windows Media
Player\wmplayer.exe. granted a lot of this is done via jscript so who
knows what we can/cannot catch in transit to the browser but maybe
someone else can poke at this script too and let us all know what they

i think the best bet is to search for the strings that are used to
make up the mms::// which would be these lines.:

var szM = unescape("%6D");
var szMMS = szM + szM + "s://";

so we'll wanna search for %6D

(szMMS = "mms:://") 

because it looks to be that the exploit centers around some sort of
weakness with whatever handles mms:// url's. That (%6D) alone isnt
enough to work up something that wont set off a ton of FP's so lets
also look for content later on, like the ADO.Stream it tries to make
so maybe these lines too:

var szSTR  =  unescape("%53%74%72%65%61%6D");
var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;

(search for %53%74%72%65%61%6D and %41%44%4F%44%42%2E)

(szADO = "ADODB.Stream")

What do people think? I figure any document that has both mms:// and
ADO.Stream in it is probably something to do with this exploit.
Looking for those strings is probably good, and looking for those
obscured ones will find this particular variant??

I'm new to this whole "make custom signatures" thing so please let me
know if i'm going down the wrong path or if you have other ideas.


On Fri, 25 Jun 2004 00:03:55 -0400, John Nagro <john.nagro at ...2420...> wrote:
> Thanks for the rules. Its probably wise to also alert on *any* traffic
> to/from those IP's untill we can figure out a better signature (based
> on the actual exploit or a portion of the jscript that doesnt change).
> If anyone figures out something they even *think* could be used to
> track it, please post to this thread.
> -John
> On Thu, 24 Jun 2004 19:04:50 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> >
> > Reports of a potential 0-day IIS exploit are coming in, best documented
> > at isc.sans.org.
> >
> > Here are a couple VERY crude rules to hopefully detect the infectious
> > code. These are posted on bleedingsnort.com in the bleeding.rules.
> >
> > Suggestions are MORE than welcome if you're seeing anything. These are
> > just looking for a couple unique strings in the smal bit of code we have.
> >
> > alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in
> > Transit"; content:""; classtype:trojan-activity;
> > sid:2000311; rev:1;)
> > alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in
> > Transit"; content:"function gc099"; classtype:trojan-activity;
> > sid:2000312; rev:1;)
> >
> > Yes, I know it'll be very prone to false positives (this email will kick
> > them both off). Better than nothing till we know more.
> >
> > Suggestions and more informaiton VERY welcome.
> >
> > Matt
> >
> > --------------------------------------------
> > Matthew Jonkman, CISSP
> > Senior Security Engineer
> >
> > -------------------------------------------------------
> > This SF.Net email sponsored by Black Hat Briefings & Training.
> > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > digital self defense, top technical experts, no vendor pitches,
> > unmatched networking opportunities. Visit www.blackhat.com
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >

More information about the Snort-sigs mailing list