
SANS ISC: New backdoor - Trojan.Kaht - exploits WebDav vulnerability - SANS Internet Storm Center


New backdoor - Trojan.Kaht - exploits WebDav vulnerability
Trojan.Kaht is a hacktool that its creator uses to scan for and exploit a vulnerability in Microsoft WebDAV on servers running IIS 5.0. An individual who successfully exploits this vulnerability may take complete control of an affected Web server.

IIS WebDAV relies on a core Windows system component, ntdll.dll, which contains an unchecked buffer that is reached when incoming WebDAV requests are processed. Trojan.Kaht scans for vulnerable Microsoft WebDAV (IIS 5.0) servers by sending a specially formatted WebDAV HTTP request to the server.

If the server is vulnerable, the Trojan creates a script file, kaht.html, on the compromised system. Then, the Trojan adds a user, "KaHT," to the administrator group and spawns a shell. This action gives the Trojan's creator complete control of the system.

-----

contributed by Deborah Hale. haled@pionet.net

feedback please to isc@sans.org

