[unisog] New worm or bot attack based on ASN1?
c-chow at md.northwestern.edu
Mon Mar 6 15:15:58 GMT 2006
Rameses is correct. The payload you describe takes advantage of the
MS04-007 vulnerability which was reported via Microsoft Security
bulletin on February 10, 2004. It is also known as CAN-2003-0818 as its
More information and patches can be found here. Patches
have been available since Feb 2004:
Martinez, Ramses wrote:
> The exploit payload you are seeing has actually been in use by over 500
> bots for the last year. Should not be a problem if your systems are
> patched for this vulnerability. Hope this information helps.
> Ramses Martinez
> Director, Malicious Code Operations Group
> IDEFENSE a VeriSign Company
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Malyn, Justin D.
> Sent: Saturday, March 04, 2006 1:37 AM
> To: unisog at lists.sans.org
> Subject: [unisog] New worm or bot attack based on ASN1?
> We have recently started noticing a new attack from several
> different IP addresses towards multiple different IP addresses. An IPS
> device we are using lists the packets as 'HTTP: Microsoft NTLM ASN.1
> Heap Corruption'. The IPS collected packet captures match one of the
> two signatures this device is using to detect this activity. The
> collected packets also show a repeated set of the string 'RERERERE'.
> It appears that at least 1200 of the bytes are the 'RERE' text repeated.
> Past that our IPS is killing the session, so I don't know what the
> payload looks like beyond the heap corruption section.
> Are any other sites seeing new HTTP attacks similar to this? I'm
> curious if this is a new worm, or a new attack that some distributed
> mal-ware/bot is now waging on selected networks.
> The first occurrence of this in the past 30 days was on February
> 27th from 5:41-5:44am CST. At that time we recorded 6 such unique
> attacks. The rest of the packets started March 3rd at 2:35am and are
> still occurring periodically in spurts. So far there have been 1058
> such unique source and destination IP pairs that we have recorded.
> (This does not count what our firewall is deflecting for hosts that are
> not offering public port 80 services.)
> I don't have confirmation yet that these are establishing real TCP
> sessions, as the packet recording is only starting when the attack
> packet is seen, and not before that. Assuming the TCP sessions are
> real, the source addresses appear to be scattered all over the globe
> based on about 15 random checks, and mostly seem to be DSL or cable
> My only guess right now is that this is being sent by a bot-net,
> targeting unpatched Windows machines with IIS running. Since this is a
> two year old bug, I doubt they will find many additional victims, but I
> guess you never know.
> Justin D. Malyn
> System Security Analyst
> GSLC Certified by GIAC
> Information Services
> University of Missouri - Kansas City
> unisog mailing list
> unisog at lists.sans.org