[Snort-sigs] MS05-039 Worm in the wild - Snort sigs attached (they are not mine)

Harper, Patrick Patrick.Harper at ...1819...
Sun Aug 14 09:38:12 EDT 2005


http://isc.sans.org/diary.php?date=2005-08-14

MS05-039 Worm
Starting around 11:30 UTC, we've received several reports on a new worm
variant that makes use of MS05-039 to spread. If you're not patched yet,
this is your last call.

F-Secure named the critter "Zotob.A",http://www.f-secure.com/weblog/

We've also received a submission of a binary called "pnpsrv.exe", which
is
recognized by ClamAV as Trojan.Spybot-123. Another reader has
contributed
evidence that a successful exploit by Zotob.A (or variant)

The worm will download the main payload from the infecting machine. Once
a
machine is infected, it will become an ftp server itself. It will scan
for
open port 445/tcp. Once it finds a system with port 445 listening, it
will
try to use the PnP exploit to download and execute the main payload via
ftp.

Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as
the
worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected
systems)
- The FTP server does not run on port 21. It appears to pick a random
high
port.


Quick FTP log:

open aaa.bbb.ccc.ddd 31656
user 1 1
get winpnp.exe
quit

(IP address obfuscated).

We'll keep adding to this diary as new information becomes available.

Thanks so far to Johnathan Norman from Alert Logic for a lot of the
details.
Other good information can be found at the F-Sececure weblog
athttp://www.f-secure.com/weblog/
Also see the Microsoft MS05-039 bulletin from last
week:http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Please submit any new code captures via our contact page:
http://isc.sans.org/contact.php
If possible, do not pack/encrypt the uploads, maybe provide an md5 sum
to
preserve the code in its original beauty.

Shown below are Snort rules, submitted by the members of the Alert Logic
Security Research Team:
Jeremy Hewlett, Technical Director of Security Research
Johnathan Norman, Sr. Security Analyst
Chris Baker, Technical Director of Security Operations


alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000
Plug and Play Vulnerability"; flow:to_server,established;
content:"|FF|SMB%"; dept h:5; offset:4; nocase; content:"|2600|";
depth:2;
offset:65;
content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bu
llet
in/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows
2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";
depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65;
content:"|3600|"; offset:110; within:5;
content:"|F6387A76|";reference:url,www.microsoft.com/technet/security
/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft
Windows
2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";
depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65;
content:"|3600|"; offset:110; within:5;
content:"|F6387A76|";reference:url,www.microsoft.com/technet/secur
ity/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132;
rev:1;)

-----------------------------------------
Disclaimer:
This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure,
dissemination, use or reproduction is strictly prohibited. If you have
received this message in error, please delete it and notify the sender
immediately.





More information about the Snort-sigs mailing list