
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-06


New LAND Attack on Windows XP and 2003 Server; Instant Messenger Malware

Published: 2005-03-06
Last Updated: 2005-03-07 17:19:36 UTC
by Marcus Sachs (Version: 1)
New LAND Attack on Windows XP and 2003 Server. A Bugtraq posting late yesterday suggested that a single crafted packet could cause Windows XP SP2 and Windows 2003 Server to become unstable. Our initial tests show that Windows XP Professional seems to be vulnerable, but Windows XP Home Edition is not. We have not been able to test a Windows 2003 Server yet, and are interested in any results that others may have. Any host-based firewall on the target must be turned off to verify the attack.

To test the vulnerability, use a packet crafting tool such as hping to send a single forged packet at a target system. Set the source IP and port to be the same as the target's IP and port, and set the SYN bit. Using hping2, the command would be:

hping -V -c 100 -d 40 -S -s 110 -p 110 -a

hping2 <options> target

-V for verbose

-c # of packets

-d bytes of data

-S set the SYN flag

-s source port

-p destination port

-a spoof address

(Handler Dan Goldberg contributed to these tests, thanks Dan!)

According to the posting on Bugtraq, Microsoft has been notified about this potential vulnerability. If you do run the tests, please tell us what tool you used to craft the packets, the command you used, the target operating system with SP level, and the results. We'll publish a summary in tomorrow's diary.

UPDATE, 7 MAR 05 1715 GMT. After receiving several postings from readers, we have learned that the hping command above needs a bit of tweaking. To verify this vulnerability, you have to send the packets at a listening port, and you have to keep the source port constant. Verify the target computer is listening on a port by running netstat or tcpview, then choose an open (listening) port for the test. Also, include the "-k" (keep) option in the hping command:

hping -V -k -c 100 -d 40 -S -s 110 -p 110 -a

(assumes that tcp/110 is listening)
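On the defensive side, the packet shape described above (source address and port equal to the destination address and port, SYN set) is easy to recognise at a sensor or filter. The following is an added example, not part of the original diary: the function names are hypothetical and the sample packets are constructed in memory with documentation addresses and are never sent.

```python
import socket
import struct

SYN = 0x02

def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or pkt[9] != socket.IPPROTO_TCP or len(pkt) < ihl + 14:
        return None
    # Non-first fragments carry no TCP header, so there is nothing to compare
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                # TCP flags byte
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, flags

def is_land(pkt: bytes) -> bool:
    """True when a SYN segment has identical source and destination endpoints."""
    fields = parse_ipv4_tcp(pkt)
    if fields is None:
        return False
    src, dst, sport, dport, flags = fields
    return bool(flags & SYN) and src == dst and sport == dport

def build_packet(src, dst, sport, dport, flags):
    """Constructed detector input: 20-byte IP + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

# Constructed samples using documentation addresses (RFC 5737)
SAMPLES = {
    "land": build_packet("192.0.2.10", "192.0.2.10", 110, 110, SYN),
    "normal_syn": build_packet("198.51.100.7", "192.0.2.10", 49152, 110, SYN),
    "same_ip_diff_port": build_packet("192.0.2.10", "192.0.2.10", 49152, 110, SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'LAND' if is_land(pkt) else 'ok'}")
```

The same comparison can be expressed as a drop rule on a perimeter or host firewall, since a packet arriving from the network should never carry the receiving host's own address as its source.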

Instant Messenger Malware. We received several reports today of a piece of malware that circulates via Instant Messenger programs. The malware appears as a message from another person with a teaser such as "hot pic!!" or "OMG look at this!!!" Following that line is a URL pointing to a PIF file such as



These files are detected by some anti-virus engines as




If a user clicks the link (executes the .pif), the infected machine will send copies of the link to the user's IM buddies, and could cause additional damage to the user's computer. Removal instructions are available on several AV vendors' web sites.

Marcus H. Sachs

Handler of the Day
