new attack tool combining SMB and WebDAV?
From: Matt Power (mhpower@bos.bindview.com)
Date: 03/31/03
- Previous message: Wilson, Aaron J.: "SQL Slammer Variant?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 30 Mar 2003 17:49:41 -0500 From: Matt Power <mhpower@bos.bindview.com> To: incidents@securityfocus.com, intrusions@incidents.org
A possibly new attack tool is being used in the wild that sends
traffic to a set of nearby IP addresses, using tcp ports 445 and 80.
The observed traffic on port 80 (first noticed around 2200 GMT on 30
March) consisted of:
OPTIONS / HTTP/1.1
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
Host: a.b.c.d
Content-Length: 0
Connection: Keep-Alive
where a.b.c.d is the destination IP address. The traffic on port 445
looked like the usual attack traffic described at, for example,
http://www.cert.org/advisories/CA-2003-08.html
In many cases, packets on both port 445 and 80 were sent to the same
destination IP address.
By "set of nearby IP addresses", I mean that the attacking machine was
apparently trying to send data to all machines within an IP address
range (rather than, for example, send data to IP addresses selected at
random). It wasn't immediately clear why some IP addresses were
skipped. A possibility is that the attacker had access to earlier
reconnaissance data about which IP addresses were in use.
The third type of traffic from the attacking machine consisted of very
large ICMP echo-request packets, all going to the same destination IP
address. The ICMP packet contents consisted entirely of the lowercase
letters 'a' through 'w' repeated many times, e.g.,
abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...
Anyway, this may mean that some type of WebDAV data-gathering or
exploit capability has been incorporated into a software package that
also compromises machines via SMB. There wasn't direct evidence that
the software package was associated with planned exploitation of the
CA-2003-09 vulnerability via WebDAV, although it may have been. The
ICMP traffic suggests that the software package may have a DoS
capability that's separate from the SMB and WebDAV traffic.
Matt Power
BindView Corporation, RAZOR Team
mhpower@bos.bindview.com
----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfihl1
- Previous message: Wilson, Aaron J.: "SQL Slammer Variant?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
