[Snort-sigs] Unknown IIS Worm Sigs

John Nagro john.nagro at ...2420...
Thu Jun 24 22:14:01 EDT 2004


Possible rules given my blabbering above...

# content is mms:// (szM + szM + "s://" yields a single colon)
alert tcp any any -> any any (msg:"Possible Unknown IIS Exploit In Transit"; content:"mms://"; nocase; content:"ADODB.Stream"; nocase; sid:9900014; rev:1;)

alert tcp any any -> any any (msg:"Possible Unknown IIS Exploit In Transit"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; sid:9900015; rev:1;)

On Fri, 25 Jun 2004 01:05:47 -0400, John Nagro <john.nagro at ...2420...> wrote:
> 
> Alright, it's late and I'm bored (and quite tired) so excuse me if I am
> repeating what someone already mentioned... the exploit grabs a few
> different pages, all of which contain obscured data, which is
> generally decoded and used to make up URLs to get other data...
> 
> poking around in the site i found this:
> 
> http_://_217.107.218.147_/_shellscript.js
> 
> this page contains the actual code that works up a URL to exploit
> something in the browser. There is probably enough content here to
> script a sig that looks for the particular URL. I took the jscript and
> removed certain lines and printed the variables out, and it looks like
> the code scripts up a URL starting with mms:// which saves a file
> (probably the misfits.exe) to C:\\Program Files\Windows Media
> Player\wmplayer.exe. Granted, a lot of this is done via jscript, so who
> knows what we can/cannot catch in transit to the browser, but maybe
> someone else can poke at this script too and let us all know what they
> think?
> 
> I think the best bet is to search for the strings that are used to
> make up the mms::// which would be these lines:
> 
> var szM = unescape("%6D");
> var szMMS = szM + szM + "s://";
> 
> so we'll wanna search for %6D
> 
> (szMMS = "mms:://")
> 
> because it looks to be that the exploit centers around some sort of
> weakness with whatever handles mms:// URLs. That (%6D) alone isn't
> enough to work up something that won't set off a ton of FPs, so let's
> also look for content later on, like the ADO.Stream it tries to make,
> so maybe these lines too:
> 
> var szSTR  =  unescape("%53%74%72%65%61%6D");
> var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;
> 
> (search for %53%74%72%65%61%6D and %41%44%4F%44%42%2E)
> 
> (szADO = "ADODB.Stream")
> 
> What do people think? I figure any document that has both mms:// and
> ADO.Stream in it is probably something to do with this exploit.
> Looking for those strings is probably good, and looking for those
> obscured ones will find this particular variant?
> 
> I'm new to this whole "make custom signatures" thing, so please let me
> know if I'm going down the wrong path or if you have other ideas.
> 
> -John
> 
> 
> 
> On Fri, 25 Jun 2004 00:03:55 -0400, John Nagro <john.nagro at ...2420...> wrote:
> >
> > Thanks for the rules. It's probably wise to also alert on *any* traffic
> > to/from those IPs until we can figure out a better signature (based
> > on the actual exploit or a portion of the jscript that doesn't change).
> >
> > If anyone figures out something they even *think* could be used to
> > track it, please post to this thread.
> >
> > -John
> >
> >
> >
> > On Thu, 24 Jun 2004 19:04:50 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> > >
> > > Reports of a potential 0-day IIS exploit are coming in, best documented
> > > at isc.sans.org.
> > >
> > > Here are a couple VERY crude rules to hopefully detect the infectious
> > > code. These are posted on bleedingsnort.com in the bleeding.rules.
> > >
> > > Suggestions are MORE than welcome if you're seeing anything. These are
> > > just looking for a couple unique strings in the small bit of code we have.
> > >
> > > alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"217.107.218.147"; classtype:trojan-activity; sid:2000311; rev:1;)
> > > alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:1;)
> > >
> > > Yes, I know it'll be very prone to false positives (this email will kick
> > > them both off). Better than nothing till we know more.
> > >
> > > Suggestions and more information VERY welcome.
> > >
> > > Matt
> > >
> > > --------------------------------------------
> > > Matthew Jonkman, CISSP
> > > Senior Security Engineer
> > >
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > >
> >
>
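As an added example (not code from this thread, from bleedingsnort or from the script under discussion), the following Python rebuilds the script's variables from the unescape() lines quoted above and replays the two proposed signatures over a few constructed payloads. Snort's content/nocase matching is modelled as plain substring tests, the rule table and every sample payload are constructed for the example, and the sids are the ones proposed in the thread. Running the concatenation is also the check worth doing before deploying any signature of this kind: the literal placed in content: has to be what the decoded script actually produces, and here szM + szM + "s://" gives "mms://" with one colon.

```python
# Added example, not part of the thread: decode the quoted fragments and
# replay the proposed content matches over constructed sample payloads.
from urllib.parse import unquote


def js_unescape(s: str) -> str:
    """Model of JScript unescape() for plain %XX sequences, the only kind the
    quoted fragments use; percent-decoding yields the same characters."""
    return unquote(s)


def decode_fragments() -> dict:
    """Rebuild the script's variables exactly as the quoted lines do."""
    szM = js_unescape("%6D")                           # "m"
    szMMS = szM + szM + "s://"                         # "mm" + "s://" -> one colon
    szSTR = js_unescape("%53%74%72%65%61%6D")          # "Stream"
    szADO = js_unescape("%41%44%4F%44%42%2E") + szSTR  # "ADODB.Stream"
    return {"szMMS": szMMS, "szADO": szADO}


# Minimal model of Snort content matching: every content string of a rule
# must occur in the payload; nocase means a case-insensitive comparison.
# Constructed rule table mirroring the two signatures proposed in the thread;
# the cleartext rule uses the values the script really builds.
RULES = [
    {"sid": 9900014, "nocase": True,
     "contents": ["mms://", "ADODB.Stream"]},
    {"sid": 9900015, "nocase": True,
     "contents": ["%6D", "%53%74%72%65%61%6D", "%41%44%4F%44%42%2E"]},
]


def content_matches(needle: str, payload: str, nocase: bool) -> bool:
    """One content: test; nocase lowers both sides before the substring check."""
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def rule_fires(rule: dict, payload: str) -> bool:
    """A rule alerts only when all of its content strings are present."""
    return all(content_matches(c, payload, rule["nocase"]) for c in rule["contents"])


def scan(payload: str) -> list:
    """Return the sids of every rule that would alert on this payload."""
    return [r["sid"] for r in RULES if rule_fires(r, payload)]


def two_colon_literal_fires(payload: str) -> bool:
    """Check the two-colon form written in the thread ("mms:://") against a
    payload; it is not what the script builds, so it should never fire."""
    return content_matches("mms:://", payload, True)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # the script in transit, obfuscated as quoted in the thread
    "obfuscated": (
        'var szM = unescape("%6D");\n'
        'var szMMS = szM + szM + "s://";\n'
        'var szSTR  =  unescape("%53%74%72%65%61%6D");\n'
        'var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;\n'
    ),
    # the same strings written in the clear
    "cleartext": 'var u = "mms://" + host; var o = new ActiveXObject("ADODB.Stream");',
    # an ordinary page with a streaming link and no ADODB.Stream: no alert
    "benign_mms": '<a href="mms://media.example/live">listen</a>',
    # hex escapes in lowercase; nocase is what keeps the second rule matching
    "lowercase_hex": (
        'unescape("%6d") + unescape("%53%74%72%65%61%6d") + unescape("%41%44%4f%44%42%2e")'
    ),
}


def demo() -> dict:
    """Map each sample name to the sids that alert on it."""
    return {name: scan(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    print("decoded:", decode_fragments())
    for name, sids in demo().items():
        print(f"{name:14s} -> {sids or 'no alert'}")
    print("two-colon literal fires on cleartext:",
          two_colon_literal_fires(SAMPLES["cleartext"]))
```

The benign sample is the reason the thread pairs the two strings: a bare mms:// link is common on media sites, and only the co-occurrence with ADODB.Stream is unusual enough to alert on. The lowercase sample shows what nocase buys for the hex-escaped rule, since unescape() accepts either case of hex digit.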
