[Snort-sigs] Unknown IIS Worm Sigs

Matthew Jonkman matt at ...2436...
Thu Jun 24 22:28:02 EDT 2004


Put these both up on bleedingsnort.

Thanks John.

Matt

John Nagro wrote:
> these actually work... sorry about that (too tired)..
> 
> alert tcp any any -> any any (msg:"Possible Unknown IIS Exploit In Transit"; content:"mms\://"; nocase; content:"ADODB.Stream"; nocase; classtype: trojan-activity; sid:9900014; rev:1;)
> 
> alert tcp any any -> any any (msg:"Possible Unknown IIS Exploit In Transit"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; classtype: trojan-activity; sid:9900015; rev:1;)
> 
> off to bed, let me know what you think
> 
> -John
> 
> On Fri, 25 Jun 2004 01:13:17 -0400, John Nagro <john.nagro at ...2420...> wrote:
> 
>>Possible rules given my blabbering above...
>>
>>alert tcp any any -> any any (msg:"Possible Unknown IIS Exploit In Transit"; content:"mms:://"; nocase; content:"ADODB.Stream"; nocase; sid:9900014; rev:1;)
>>
>>alert tcp any any -> any any (msg:"Possible Unknown IIS Exploit In Transit"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; sid:9900015; rev:1;)
>>
>>
>>On Fri, 25 Jun 2004 01:05:47 -0400, John Nagro <john.nagro at ...2420...> wrote:
>>
>>>Alright, it's late and I'm bored (and quite tired) so excuse me if I am
>>>repeating something someone already mentioned... the exploit grabs a few
>>>different pages, all of which contain obscured data, which is
>>>generally decoded and used to make up URLs to get other data...
>>>
>>>poking around in the site i found this:
>>>
>>>http_://_217.107.218.147_/_shellscript.js
>>>
>>>This page contains the actual code that works up a URL to exploit
>>>something in the browser. There is probably enough content here to
>>>script a sig that looks for the particular URL. I took the jscript and
>>>removed certain lines and printed the variables out and it looks like
>>>the code scripts up a URL starting with mms:// which saves a file
>>>(probably the misfits.exe) to C:\\Program Files\Windows Media
>>>Player\wmplayer.exe. Granted a lot of this is done via jscript so who
>>>knows what we can/cannot catch in transit to the browser but maybe
>>>someone else can poke at this script too and let us all know what they
>>>think?
>>>
>>>I think the best bet is to search for the strings that are used to
>>>make up the mms::// which would be these lines:
>>>
>>>var szM = unescape("%6D");
>>>var szMMS = szM + szM + "s://";
>>>
>>>so we'll wanna search for %6D
>>>
>>>(szMMS = "mms:://")
>>>
>>>because it looks to be that the exploit centers around some sort of
>>>weakness with whatever handles mms:// URLs. That (%6D) alone isn't
>>>enough to work up something that won't set off a ton of FPs so let's
>>>also look for content later on, like the ADO.Stream it tries to make,
>>>so maybe these lines too:
>>>
>>>var szSTR  =  unescape("%53%74%72%65%61%6D");
>>>var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;
>>>
>>>(search for %53%74%72%65%61%6D and %41%44%4F%44%42%2E)
>>>
>>>(szADO = "ADODB.Stream")
>>>
>>>What do people think? I figure any document that has both mms:// and
>>>ADO.Stream in it is probably something to do with this exploit.
>>>Looking for those strings is probably good, and looking for those
>>>obscured ones will find this particular variant??
>>>
>>>I'm new to this whole "make custom signatures" thing so please let me
>>>know if I'm going down the wrong path or if you have other ideas.
>>>
>>>-John
>>>
>>>
>>>
>>>On Fri, 25 Jun 2004 00:03:55 -0400, John Nagro <john.nagro at ...2420...> wrote:
>>>
>>>>Thanks for the rules. It's probably wise to also alert on *any* traffic
>>>>to/from those IPs until we can figure out a better signature (based
>>>>on the actual exploit or a portion of the jscript that doesn't change).
>>>>
>>>>If anyone figures out something they even *think* could be used to
>>>>track it, please post to this thread.
>>>>
>>>>-John
>>>>
>>>>
>>>>
>>>>On Thu, 24 Jun 2004 19:04:50 -0500, Matthew Jonkman <matt at ...2436...> wrote:
>>>>
>>>>>Reports of a potential 0-day IIS exploit are coming in, best documented
>>>>>at isc.sans.org.
>>>>>
>>>>>Here are a couple VERY crude rules to hopefully detect the infectious
>>>>>code. These are posted on bleedingsnort.com in the bleeding.rules.
>>>>>
>>>>>Suggestions are MORE than welcome if you're seeing anything. These are
>>>>>just looking for a couple unique strings in the small bit of code we have.
>>>>>
>>>>>alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"217.107.218.147"; classtype:trojan-activity; sid:2000311; rev:1;)
>>>>>alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:1;)
>>>>>
>>>>>Yes, I know it'll be very prone to false positives (this email will kick
>>>>>them both off). Better than nothing till we know more.
>>>>>
>>>>>Suggestions and more information VERY welcome.
>>>>>
>>>>>Matt
>>>>>
>>>>>--------------------------------------------
>>>>>Matthew Jonkman, CISSP
>>>>>Senior Security Engineer
>>>>>
>>>>

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
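Added example, not code from this thread or from bleedingsnort: a small Python checker that evaluates the `var x = name + "lit" + unescape("%XX")` chains John quoted from shellscript.js and then applies the thread's "both mms:// and ADODB.Stream" logic, so the decoded form is caught as well as the %XX form the rules match on. The sample script is constructed from the quoted lines; the indicator strings are the ones in the rules above.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the lines John quoted from shellscript.js (not
# the real file): "mms://" and "ADODB.Stream" never appear literally, the
# script assembles them at run time from unescape()'d fragments.
SAMPLE_JS = '''
var szM = unescape("%6D");
var szMMS = szM + szM + "s://";
var szSTR  =  unescape("%53%74%72%65%61%6D");
var szADO  = unescape("%41%44%4F%44%42%2E")    + szSTR;
'''

# The strings the thread's rules match on, in decoded and %XX-escaped form.
DECODED_INDICATORS = ("mms://", "ADODB.Stream")
ESCAPED_INDICATORS = ("%6D", "%53%74%72%65%61%6D", "%41%44%4F%44%42%2E")

ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*(.+?);')
# One term of a concatenation: unescape("..") call, string literal, or variable.
TERM_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)|"([^"]*)"|(\w+)')

def resolve_strings(script):
    """Evaluate `var x = name + "lit" + unescape("%XX");` chains in order, as the
    JScript engine would; names not assigned earlier resolve to ''."""
    env = {}
    for name, expr in ASSIGN_RE.findall(script):
        value = ''
        for esc, lit, ref in TERM_RE.findall(expr):
            if esc:
                value += unquote(esc)      # unescape("%41%44") -> "AD"
            elif lit:
                value += lit
            elif ref:
                value += env.get(ref, '')
        env[name] = value
    return env

def indicators_in(script):
    """Return (escaped indicators seen in the raw text, decoded indicators seen
    in the raw text or in the resolved variable values)."""
    lowered = script.lower()
    escaped = {i for i in ESCAPED_INDICATORS if i.lower() in lowered}
    resolved = ' '.join(resolve_strings(script).values())
    decoded = {i for i in DECODED_INDICATORS if i in script or i in resolved}
    return escaped, decoded

def is_suspicious(script):
    """John's point: %6D or mms:// alone is far too noisy, so require both the
    mms:// URL and ADODB.Stream, whether obfuscated or in plain text."""
    return set(DECODED_INDICATORS) <= indicators_in(script)[1]
```

A form field such as `na%6De=Bob` hits the `%6D` content match but never becomes suspicious here, which is the false-positive case the thread worries about.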
