[unisog] New worm or bot attack based on ASN1?

Malyn, Justin D. MalynJ at umkc.edu
Sat Mar 4 06:36:52 GMT 2006

     We have recently started noticing a new attack from several
different IP addresses towards multiple different IP addresses.  An IPS
device we are using lists the packets as 'HTTP: Microsoft NTLM ASN.1
Heap Corruption'.  The IPS collected packet captures match one of the
two signatures this device is using to detect this activity.  The
collected packets also show a repeated set of the string 'RERERERE'.
It appears that at least 1200 of the bytes are the 'RERE' text repeated.
Past that our IPS is killing the session, so I don't know what the
payload looks like beyond the heap corruption section.

     Are any other sites seeing new HTTP attacks similar to this?  I'm
curious if this is a new worm, or a new attack that some distributed
mal-ware/bot is now waging on selected networks.

     The first occurrence of this in the past 30 days was on February
27th from 5:41-5:44am CST.  At that time we recorded 6 such unique
attacks.  The rest of the packets started March 3rd at 2:35am and are
still occurring periodically in spurts.  So far there have been 1058
such unique source and destination IP pairs that we have recorded.
(This does not count what our firewall is deflecting for hosts that are
not offering public port 80 services.)

     I don't have confirmation yet that these are establishing real TCP
sessions, as the packet recording is only starting when the attack
packet is seen, and not before that.  Assuming the TCP sessions are
real, the source addresses appear to be scattered all over the globe
based on about 15 random checks, and mostly seem to be DSL or cable

     My only guess right now is that this is being sent by a bot-net,
targeting un-patched Windows machines with IIS running.  Since this is a
two year old bug, I doubt they will find many additional victims, but I
guess you never know.


Justin D. Malyn
System Security Analyst
GSLC Certified by GIAC
Information Services
University of Missouri - Kansas City
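
One way to triage saved packet captures for the indicator described in the post above (a run of at least 1200 bytes of repeated 'RE') and to count unique source and destination pairs the way the post does. This is an added example, not part of the original message and not the IPS vendor's signature; the function names, the (source, destination, payload) record layout and the sample records are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import re
from collections import Counter

# Back-to-back repeats of the two-byte unit 'RE' reported in the post.
RUN = re.compile(rb"(?:RE)+")
# Threshold taken from the post: "at least 1200 of the bytes".
MIN_RUN_BYTES = 1200


def longest_re_run(payload: bytes) -> int:
    """Length in bytes of the longest consecutive run of b'RE' in payload."""
    return max((m.end() - m.start() for m in RUN.finditer(payload)), default=0)


def triage(records, min_run=MIN_RUN_BYTES):
    """records: iterable of (src_ip, dst_ip, payload_bytes) tuples
    (hypothetical layout for whatever the capture export provides).

    Returns (unique matching (src, dst) pairs, destinations hit per source).
    """
    pairs = {(src, dst) for src, dst, payload in records
             if longest_re_run(payload) >= min_run}
    per_source = Counter(src for src, _ in pairs)
    return pairs, per_source


# Constructed sample records; payloads are filler, not captured traffic.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", b"constructed-prefix " + b"RE" * 600),
    # Same pair seen again: counted once, as in the post's unique-pair tally.
    ("192.0.2.10", "198.51.100.5", b"constructed-prefix " + b"RE" * 700),
    # Run starts at an odd offset; still a 1300-byte run.
    ("192.0.2.10", "198.51.100.6", b"E" + b"RE" * 650 + b"tail"),
    # Benign request that merely contains short 'RERE' substrings.
    ("203.0.113.7", "198.51.100.5", b"GET /PREREQS/REREAD.html HTTP/1.0\r\n\r\n"),
    # 1198 bytes of filler: just under the threshold, not flagged.
    ("203.0.113.8", "198.51.100.5", b"RE" * 599),
]

if __name__ == "__main__":
    pairs, per_source = triage(SAMPLE)
    print(f"{len(pairs)} unique source/destination pairs matched")
    for src, count in per_source.most_common():
        print(f"{src}: {count} destination(s)")
```

Sorting sources by the number of distinct destinations they hit helps separate a single scanning host from the widely scattered sources the post describes.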
