
[Full-Disclosure] New usages of the RPC exploit (was: quit the dumd chat man!!)



Hi Robin,

you wrote:
> We had a honey pot hit by some canny FTP kiddies using the RPC flaw to load
> up an FTP server that ran as a service and also then execute a predefined
> further attack on some specific IPs. Anyone else seen this? Very similar
> exploit to the nachia "whatever it's called" worm

Got something new here too. It used a passworded FTP account leading
into the root directory of a Windows machine and tried to download a
winupdate.exe there. Does not look like another worm, more like a manned
attack, since the exploit did not come from the FTP server, but some
Slovakian university. It used the open port 4444 of the machine for the
command connection as the Blaster worm did. Sending the commands was
tried twice since my machine only accepts the commands but does not
perform them.

My virus scanner (Kaspersky Anti-Virus) does tell me:
winupdate.exe archive: Astrum
winupdate.exe/data0001 infected: Trojan.BAT.Passer.a
winupdate.exe/data0002 infected: Worm.Win32.Randon.r
winupdate.exe/data0004 packed: UPX
winupdate.exe/data0006 infected: Worm.Win32.Randon.q
winupdate.exe/data0007 packed: UPX
winupdate.exe/data0008 packed: UPX
winupdate.exe/data0008 infected: Trojan.PSW.VB.aq
winupdate.exe/data0009 packed: UPX
winupdate.exe/data0011 packed: UPX
winupdate.exe/data0012 infected: Backdoor.IRC.Zcrew
winupdate.exe/data0013 packed: UPX
winupdate.exe/data0016 packed: UPX
winupdate.exe/data0016 infected: Trojan.Win32.Killav.aj
winupdate.exe/data0020 packed: UPX

The exploit code shows only a minor change from the Blaster worm in the
RPC request:

--- exploit0186.dmp     Fri Aug 22 02:24:49 2003
+++ exploit0595.dmp     Fri Aug 22 02:24:30 2003
@@ -57,7 +57,7 @@
 00003a0 0000 0000 0000 0000 0186 0000 0000 0000
 00003b0 0186 0000 005c 005c 0046 0058 004e 0042
 00003c0 0046 0058 0046 0058 004e 0042 0046 0058
-00003d0 0046 0058 0046 0058 0046 0058 139d 0100
+00003d0 0046 0058 0046 0058 0046 0058 16c6 0100
 00003e0 e0cc 7ffd e0cc 7ffd 9090 9090 9090 9090
 00003f0 9090 9090 9090 9090 9090 9090 9090 9090
 *
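Review bot: The only change in this hunk is the single 16-bit word at offset 00003d0, 139d becoming 16c6, immediately before the unchanged 0100; read as od -x little-endian words that is one 32-bit value going from 0x0100139d to 0x010016c6, which are the two return addresses the Blaster worm alternated between for its Windows 2000 and Windows XP targets, while the following 7ffde0cc words and the 9090 NOP run are identical in both dumps. It would be worth saying that explicitly in the message, since a detection signature keyed on one of those address values alone would miss this variant, whereas one matching the unchanged surrounding request structure would catch both.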


Michael

-- 
Linux@TekXpress
http://www-users.rwth-aachen.de/Michael.Mueller4/tekxp/tekxp.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html