[Dshield] Widespread IIS Worm

Johannes B. Ullrich jullrich at euclidian.com
Tue Jul 17 15:21:30 GMT 2001


Over the last couple of days, two large DShield submitters have been
hit with a horrendous number of Port 80 scans. We think we now have
enough of a 'handle' on this to post this advisory. Ken Eichman, whose
system got hit hardest, compiled the following summary of what we
know so far.

A quick note: These attacks are directed against port 80. Port 80 is a
hard port for this kind of analysis. As it is used for web servers, a
lot of traffic is directed and often misdirected at this port. However,
the increase we see is significant. Also, the responses we got so far
based on Fightback messages support the worm theory.

  Johannes.

----------------------------------------------------------------------------
   Advisory
----------------------------------------------------------------------------

Widespread IIS Worm

I believe there is apparently a new IIS worm on the Internet. Starting
Friday, 07/13 when my IDS first detected it, I have logged the tell-tale
probes of this worm from 8122 unique IP addresses, which I believe
approximates the number of hosts compromised by this worm.

I'm basing a lot of my conclusion on the analysis of TCP traffic at my
little class-b corner of the internet, although I have received a number of
confirmations from compromised sites, with their additional details
included. I'm writing this because I'm amazed that some sort of public
advisory has yet to be issued.

The worm apparently involves an exploit of the "Microsoft Index Server and
Indexing Service ISAPI Extension Buffer Overflow Vulnerability" described at:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2880


Worm's Spread:
--------------

On 07/13 I detected 611 worm probes from 27 unique IP addresses.
On 07/14 I detected 36273 worm probes from 1076 unique IP addresses.
On 07/15 I detected 215020 worm probes from 3498 unique IP addresses.
On 07/16 I detected 316828 worm probes from 6137 unique IP addresses.
On 07/17, for just the first 7.5 hours, I have detected 108428 worm
probes from 4712 unique IP addresses.


Worm's IIS Signature:
---------------------

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a


Worm's Observable Actions:
--------------------------

o It apparently attempts to contact www.worm.com:80 (216.99.52.100:80).
o At some point it apparently begins "random" http portscanning, which appears
  to be its method of propagation.
o I do not have a copy of the worm therefore I have no idea what else it
  might do. Marc Maiffret is working on disassembly.


Ground Zero (or at least reasonably close to it):
-------------------------------------------------

My IDS first detected the tell-tale portscanning at 08:54:30 EDT on 07/13
from 202.192.168.145, followed within 15 minutes by additional scans from
210.77.157.171, 202.204.193.2 and 210.68.172.1.


Worm Reporting:
---------------

I've been reporting the worm to the source organizations via Johannes
Ullrich's DShield collective intrusion detection service.  I have received
5 detailed confirmations, approximately 20 vague confirmations, and
countless smart-ass responses ("attack? http? get real!", etc.)


Regards
Ken Eichman                  Senior Security Engineer
Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
2540 Olentangy River Road    Fax:   (614) 447-3855
Columbus, OH 43210           Email: keichman at cas.org
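The advisory above gives the worm's request signature and a day-by-day count of probes and unique source addresses. The following script is an added example, not part of the original DShield post or Ken Eichman's analysis: it matches the /default.ida?NNN...%u... signature against web server access-log lines in Common Log Format, tallies probes and distinct source IPs per day the way the "Worm's Spread" section does, and decodes the %uXXXX escapes of the payload into the 16-bit little-endian units they encode (the leading %u9090 words are 0x90 NOP bytes). The log lines are constructed for the example; the addresses and timestamps are taken from the advisory, but the request line, status codes and the length of the 'N' run (224 here) are assumptions.

```python
"""Detect /default.ida ISAPI overflow probes in web server access logs.

Added example, not code from the original DShield advisory.  Log lines are
constructed (Common Log Format); the worm signature tail is the one quoted
in the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime

# The %u-escaped payload exactly as quoted in the advisory.
SIGNATURE_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                  "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed probe URI: a long run of 'N' (filler that overflows the idq.dll
# buffer) followed by the %u-encoded payload.  224 is an assumed run length.
PROBE_URI = "/default.ida?" + "N" * 224 + SIGNATURE_TAIL

# Signature: /default.ida? then a long run of 'N' then %uXXXX escapes.  A
# minimum run of 50 keeps the match robust if the filler length varies.
PROBE_RE = re.compile(r'/default\.ida\?N{50,}(?:%u[0-9a-fA-F]{4})+', re.IGNORECASE)

# Common Log Format: host ident authuser [timestamp] "METHOD URI PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: three probes from two hosts on 07/13, one on 07/14,
# one benign request and one line that is not CLF at all.
SAMPLE_LOG = [
    f'202.192.168.145 - - [13/Jul/2001:08:54:30 -0400] "GET {PROBE_URI} HTTP/1.0" 404 300',
    f'210.77.157.171 - - [13/Jul/2001:09:01:12 -0400] "GET {PROBE_URI} HTTP/1.0" 404 300',
    f'202.192.168.145 - - [13/Jul/2001:09:05:44 -0400] "GET {PROBE_URI} HTTP/1.0" 404 300',
    '192.0.2.10 - - [13/Jul/2001:09:06:00 -0400] "GET /index.html HTTP/1.1" 200 1234',
    f'202.204.193.2 - - [14/Jul/2001:00:12:05 -0400] "GET {PROBE_URI} HTTP/1.0" 404 300',
    'garbage line that is not in Common Log Format',
]


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the timezone offset and keep the calendar date as ISO text.
    stamp = datetime.strptime(rec['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
    rec['date'] = stamp.date().isoformat()
    return rec


def is_worm_probe(uri):
    """True if the request URI carries the /default.ida overflow signature."""
    return PROBE_RE.search(uri) is not None


def decode_u_escapes(tail):
    """Decode %uXXXX escapes into the little-endian 16-bit units they encode.

    IIS interprets %uXXXX as a Unicode code unit; in memory each unit is two
    little-endian bytes, so %u9090 becomes b'\\x90\\x90' (two x86 NOPs) and
    %u6858 becomes b'\\x58\\x68'.  The trailing malformed '%u00=a' is skipped.
    """
    out = bytearray()
    for word in re.findall(r'%u([0-9a-fA-F]{4})', tail):
        out += int(word, 16).to_bytes(2, 'little')
    return bytes(out)


def summarize(lines=SAMPLE_LOG):
    """Return {date: (probe_count, unique_source_ips)} for worm probes only."""
    per_day = defaultdict(lambda: {'probes': 0, 'ips': set()})
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_worm_probe(rec['uri']):
            continue
        per_day[rec['date']]['probes'] += 1
        per_day[rec['date']]['ips'].add(rec['ip'])
    return {day: (v['probes'], len(v['ips'])) for day, v in per_day.items()}


if __name__ == '__main__':
    for day, (probes, hosts) in sorted(summarize().items()):
        print(f"On {day} detected {probes} worm probes from {hosts} unique IP addresses.")
    print("payload bytes:", decode_u_escapes(SIGNATURE_TAIL).hex())
```

Run against a real access log by passing an iterable of lines to summarize(); the per-day tuple gives the same two numbers the advisory reports. Matching on the 'N' run plus %u escapes rather than on /default.ida alone avoids counting ordinary Index Server requests, while the decoded payload lets an analyst confirm the NOP sled before forwarding a report through DShield.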




