[Snort-sigs] Unknown IIS Worm Sigs

John Nagro john.nagro at ...2420...
Thu Jun 24 22:23:00 EDT 2004


These actually work... sorry about that (too tired).

alert tcp any any -> any any (msg:"Possible Unknown IIS Exploint In
Transit"; content:"mms\://"; nocase; content:"ADODB.Stream"; nocase;
classtype: trojan-activity; sid:9900014; rev:1;)

alert tcp any any -> any any (msg:"Possible Unknown IIS Exploint In
Transit"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase;
content:"%41%44%4F%44%42%2E"; nocase; classtype: trojan-activity;
sid:9900015; rev:1;)

off to bed, let me know what you think

-John

On Fri, 25 Jun 2004 01:13:17 -0400, John Nagro <john.nagro at ...2420...> wrote:
> 
> Possible rules given my blabbering above...
> 
> alert tcp any any -> any any (msg:"Possible Unknown IIS Exploint In
> Transit"; content:"mms:://"; nocase; content:"ADODB.Stream"; nocase;
> sid:9900014; rev:1;)
> 
> alert tcp any any -> any any (msg:"Possible Unknown IIS Exploint In
> Transit"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase;
> content:"%41%44%4F%44%42%2E"; nocase; sid:9900015; rev:1;)
> 
> 
> On Fri, 25 Jun 2004 01:05:47 -0400, John Nagro <john.nagro at ...2420...> wrote:
> >
> > Alright, it's late and I'm bored (and quite tired) so excuse me if I am
> > repeating something someone already mentioned... the exploit grabs a few
> > different pages, all of which contain obscured data, which is
> > generally decoded and used to make up URLs to get other data...
> >
> > Poking around on the site I found this:
> >
> > http_://_217.107.218.147_/_shellscript.js
> >
> > This page contains the actual code that works up a URL to exploit
> > something in the browser. There is probably enough content here to
> > script a sig that looks for the particular URL. I took the JScript and
> > removed certain lines and printed the variables out and it looks like
> > the code scripts up a URL starting with mms:// which saves a file
> > (probably the misfits.exe) to C:\\Program Files\Windows Media
> > Player\wmplayer.exe. Granted, a lot of this is done via JScript so who
> > knows what we can/cannot catch in transit to the browser, but maybe
> > someone else can poke at this script too and let us all know what they
> > think?
> >
> > I think the best bet is to search for the strings that are used to
> > make up the mms:// which would be these lines:
> >
> > var szM = unescape("%6D");
> > var szMMS = szM + szM + "s://";
> >
> > so we'll wanna search for %6D
> >
> > (szMMS = "mms://")
> >
> > because it looks to be that the exploit centers around some sort of
> > weakness with whatever handles mms:// URLs. That (%6D) alone isn't
> > enough to work up something that won't set off a ton of FPs so let's
> > also look for content later on, like the ADO.Stream it tries to make,
> > so maybe these lines too:
> >
> > var szSTR  =  unescape("%53%74%72%65%61%6D");
> > var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;
> >
> > (search for %53%74%72%65%61%6D and %41%44%4F%44%42%2E)
> >
> > (szADO = "ADODB.Stream")
> >
> > What do people think? I figure any document that has both mms:// and
> > ADO.Stream in it is probably something to do with this exploit.
> > Looking for those strings is probably good, and looking for those
> > obscured ones will find this particular variant??
> >
> > I'm new to this whole "make custom signatures" thing so please let me
> > know if I'm going down the wrong path or if you have other ideas.
> >
> > -John
> >
> >
> >
> > On Fri, 25 Jun 2004 00:03:55 -0400, John Nagro <john.nagro at ...2420...> wrote:
> > >
> > > Thanks for the rules. It's probably wise to also alert on *any* traffic
> > > to/from those IPs until we can figure out a better signature (based
> > > on the actual exploit or a portion of the JScript that doesn't change).
> > >
> > > If anyone figures out something they even *think* could be used to
> > > track it, please post to this thread.
> > >
> > > -John
> > >
> > >
> > >
> > > On Thu, 24 Jun 2004 19:04:50 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> > > >
> > > > Reports of a potential 0-day IIS exploit are coming in, best documented
> > > > at isc.sans.org.
> > > >
> > > > Here are a couple VERY crude rules to hopefully detect the infectious
> > > > code. These are posted on bleedingsnort.com in the bleeding.rules.
> > > >
> > > > Suggestions are MORE than welcome if you're seeing anything. These are
> > > > just looking for a couple unique strings in the small bit of code we have.
> > > >
> > > > alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in
> > > > Transit"; content:"217.107.218.147"; classtype:trojan-activity;
> > > > sid:2000311; rev:1;)
> > > > alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in
> > > > Transit"; content:"function gc099"; classtype:trojan-activity;
> > > > sid:2000312; rev:1;)
> > > >
> > > > Yes, I know it'll be very prone to false positives (this email will kick
> > > > them both off). Better than nothing till we know more.
> > > >
> > > > Suggestions and more information VERY welcome.
> > > >
> > > > Matt
> > > >
> > > > --------------------------------------------
> > > > Matthew Jonkman, CISSP
> > > > Senior Security Engineer
> > > >
> > >
> >
>
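The matching that the two rule sets in this thread perform, worked through as an added example (mine, not code from any of the list posters): it applies the rules' content clauses, nocase, to a constructed sample built from the quoted JScript lines, and runs a hypothetical minimal constant folder (`resolve_vars`, a few regexes, not a JS engine) over the `var` assignments to recover the `mms://` and `ADODB.Stream` values, showing why sid 9900015 fires on the wire bytes while sid 9900014 only matches once the pieces are decoded.

```python
import re
from urllib.parse import unquote
# Content clauses from the thread's rules, lower-cased because they use nocase:
# plain strings (sid 9900014) and the percent-encoded pieces (sid 9900015).
PLAIN_INDICATORS = ("mms://", "adodb.stream")
ENCODED_INDICATORS = ("%6d", "%53%74%72%65%61%6d", "%41%44%4f%44%42%2e")
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*([^;]+);')
TOKEN_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)|"([^"]*)"|(\w+)')

def matching_sids(payload):
    """Return the sids whose content clauses all occur in payload (nocase)."""
    lower = payload.lower()
    hits = []
    if all(ind in lower for ind in PLAIN_INDICATORS):
        hits.append(9900014)
    if all(ind in lower for ind in ENCODED_INDICATORS):
        hits.append(9900015)
    return hits

def resolve_vars(script):
    """Hypothetical helper, not a JS engine: fold 'var x = unescape("..") + "lit" + y;'
    statements in order, the way the post describes printing the variables out."""
    values = {}
    for name, expr in ASSIGN_RE.findall(script):
        value = ""
        for enc, lit, ref in TOKEN_RE.findall(expr):
            if enc:
                value += unquote(enc)         # unescape("%6D") -> "m"
            elif lit:
                value += lit                  # quoted literal such as "s://"
            else:
                value += values.get(ref, "")  # previously assigned variable
        values[name] = value
    return values

def classify(script):
    """sids firing on the wire bytes, and sids that would fire on the recovered values."""
    on_wire = matching_sids(script)
    recovered = resolve_vars(script)
    decoded_view = script + "\n" + "\n".join(recovered.values())
    return {"on_wire": on_wire, "after_decode": matching_sids(decoded_view), "vars": recovered}

# Constructed sample modelled on the lines quoted in the thread.
OBFUSCATED = '''
var szM = unescape("%6D");
var szMMS = szM + szM + "s://";
var szSTR  =  unescape("%53%74%72%65%61%6D");
var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;
'''
```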