[unisog] New worm or bot attack based on ASN1?

Christopher Chow c-chow at md.northwestern.edu
Mon Mar 6 15:15:58 GMT 2006


Ramses is correct. The payload you describe takes advantage of the 
MS04-007 vulnerability, which was reported in a Microsoft Security 
Bulletin on February 10, 2004. Its CVE identifier is CAN-2003-0818.



More information and patches can be found here. Patches 
have been available since February 2004:


http://www.microsoft.com/technet/security/Bulletin/MS04-007.mspx






christopher chow



Martinez, Ramses wrote:
> Justin,
> 
>  
> 
> The exploit payload you are seeing has actually been in use by over 500
> bots for the last year. It should not be a problem if your systems are
> patched for this vulnerability. Hope this information helps.
> 
>  
> 
> Cheers,
> 
>  
> 
> Ramses Martinez
> 
> Director, Malicious Code Operations Group  
> 
> IDEFENSE a VeriSign Company
> 
>  
> 
> ________________________________
> 
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Malyn, Justin D.
> Sent: Saturday, March 04, 2006 1:37 AM
> To: unisog at lists.sans.org
> Subject: [unisog] New worm or bot attack based on ASN1?
> 
>  
> 
>      We have recently started noticing a new attack from several
> different IP addresses towards multiple different IP addresses.  An IPS
> device we are using lists the packets as 'HTTP: Microsoft NTLM ASN.1
> Heap Corruption'.  The IPS-collected packet captures match one of the
> two signatures this device is using to detect this activity.  The
> collected packets also show a repeated set of the string 'RERERERE'.
> It appears that at least 1200 of the bytes are the 'RERE' text repeated.
> Past that our IPS is killing the session, so I don't know what the
> payload looks like beyond the heap corruption section.
> 
>      Are any other sites seeing new HTTP attacks similar to this?  I'm
> curious if this is a new worm, or a new attack that some distributed
> malware/bot is now waging on selected networks.
> 
>      The first occurrence of this in the past 30 days was on February
> 27th from 5:41-5:44am CST.  At that time we recorded 6 such unique
> attacks.  The rest of the packets started March 3rd at 2:35am and are
> still occurring periodically in spurts.  So far there have been 1058
> such unique source and destination IP pairs that we have recorded.
> (This does not count what our firewall is deflecting for hosts that are
> not offering public port 80 services.)
> 
>      I don't have confirmation yet that these are establishing real TCP
> sessions, as the packet recording is only starting when the attack
> packet is seen, and not before that.  Assuming the TCP sessions are
> real, the source addresses appear to be scattered all over the globe
> based on about 15 random checks, and mostly seem to be DSL or cable
> users. 
> 
>      My only guess right now is that this is being sent by a bot-net,
> targeting unpatched Windows machines with IIS running.  Since this is a
> two-year-old bug, I doubt they will find many additional victims, but I
> guess you never know.
> 
> -Justin
> 
> Justin D. Malyn
> System Security Analyst
> GSLC Certified by GIAC
> 
> Information Services
> University of Missouri - Kansas City
> 
> 
> 
> 
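A defender-side triage of the alerts Justin describes, as an added example that is not part of the original thread: it measures the longest 'RERE' run in each captured payload against the 1200-byte figure from the post and then counts unique source/destination pairs and first-seen time the way he did. The alert records, addresses, times and payloads are constructed for the example.

```python
import re
from collections import Counter

# Length of the 'RERE' filler reported in the thread: at least 1200 bytes.
RERE_THRESHOLD = 1200

# Constructed IPS alert records for this example: (timestamp, src, dst, captured bytes).
# Addresses, times and payloads are made up; none come from the original thread.
SAMPLE_ALERTS = [
    ("2006-03-03 02:35:10", "198.51.100.7", "203.0.113.20",
     b"POST /exchange HTTP/1.1\r\nAuthorization: NTLM " + b"RE" * 700 + b"\r\n\r\n"),
    ("2006-03-03 02:36:02", "198.51.100.7", "203.0.113.21",
     b"POST /exchange HTTP/1.1\r\nAuthorization: NTLM " + b"RE" * 650 + b"\r\n\r\n"),
    ("2006-03-03 02:40:44", "198.51.100.9", "203.0.113.20",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("2006-03-03 02:41:05", "198.51.100.7", "203.0.113.20",
     b"POST /exchange HTTP/1.1\r\nAuthorization: NTLM " + b"RE" * 720 + b"\r\n\r\n"),
]

def longest_re_run(payload: bytes) -> int:
    """Return the byte length of the longest contiguous run of the pattern b'RE'."""
    runs = re.findall(rb"(?:RE)+", payload)
    return max((len(run) for run in runs), default=0)

def matches_signature(payload: bytes) -> bool:
    """True when the payload carries a 'RERE' run at least RERE_THRESHOLD bytes long."""
    return longest_re_run(payload) >= RERE_THRESHOLD

def triage(alerts):
    """Summarise alerts the way the original post did: keep only those whose
    payload really carries the long 'RERE' run, then report unique src/dst
    pairs, the first time it was seen and the busiest sources."""
    pairs = Counter()
    sources = Counter()
    first_seen = None
    for ts, src, dst, payload in alerts:
        if not matches_signature(payload):
            continue
        pairs[(src, dst)] += 1
        sources[src] += 1
        if first_seen is None or ts < first_seen:
            first_seen = ts
    return {
        "matching_alerts": sum(pairs.values()),
        "unique_pairs": len(pairs),
        "first_seen": first_seen,
        "top_sources": sources.most_common(3),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Hosts that are not offering port 80 would not appear here at all, matching the poster's note that firewall-deflected traffic is not counted.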

