SANS ISC: Port 5000 increase due to two worms: Bobax and Kibuv - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Two very different worms are currently responsible for the rapid increase in
port 5000 scans. The first, 'Bobax', uses port 5000 to identify Windows XP
systems. Windows XP uses port 5000 (TCP) for 'Universal Plug and Play (UPnP)'. By
default, UPnP is enabled. The second worm, 'Kibuv', will use an old vulnerability

in Windows XP's UPnP implementation to exploit systems. This vulnerability was one
of the first discovered in Windows XP and patches have been available.

Bobax

Joe Stewart (LURHQ Corp.) compiled an analysis of this worm:

http://www.lurhq.com/bobax.html
. Short summary for the inpatient:
Installs an HTTP listener on a random port ( 2000-62000). This HTTP server
is used to deliver the trojan to infected systems.

Scans port 5000 (tcp). If port 5000 responds, the LSASS exploit will be used
to compromise the host and download the trojan from the infecting system's http server

Contacts one of a number of web servers to notify them of the successful
infection
Kibuv.B

Kibuv.B will start and FTP server on port 7955. Any username / password combination will work. The FTP server will always send a copy of the worm,
regardless of the file requested. This is similar to other malware ftp serves.

Kibuv.B uses 7 different mechanisms to spread:

Messenger Service Buffer Overrun

IIS 5.0 WebDav vulnerability

UPnP Buffer Overflow

RPC DCOM Buffer Overflow

LSASS vulnerability

backdoors created by Weird and Beagle

Sasser FTP server overflow

<P>
The IRC server used to control Kibuv.B infected systems is no longer accepting
connections.
<P>
Kibuv will open a backdoor on port 420 (tcp).
<P>
More details: http://securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html
Summary/Impact

None of the vulnerabilities used by these two worms is new. Unpatched systems are likely infected with other worms and do as such not provide a significant new threat. So far, we only count about 500,000 infected systems with either worm, which is just about on the same level as Sasser and Blaster.
--------------

Johannes Ullrich, jullrich_AT_sans.org
I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022