Snort  
The Open Source Network Intrusion Detection System  

Rules

The Snort site has more than 1800 rules. Some examples follow below. For more rules and updates, "Click here".

SID

157

message

BACKDOOR BackConstruction 2.1 Client FTP Open Request

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flags: A+; content:"FTPON"; sid:157; classtype:misc-activity; rev:3;)

Summary

Back Construction is a simple remote access trojan that operates on a client/server model. Besides the trojan itself, it opens an FTP server that anyone can use.

Impact

This trojan could be very damaging. Sites infected by this trojan could be used as "WAREZ" hosts, as well as a platform to serve files for a "hacker group".

Detailed Information

This trojan is fairly simple. It opens an FTP server on port 21 and listens for client connections on ports 5401, 5402 and 666. Using this trojan, an attacker can send email using the victim's email account, get cached passwords, start/stop the machine, and use the file browser. The FTP server could be used to host "WAREZ" or exploits for access by others as well as the attacker. This signature detects the client request to activate the FTP server.

Attack Scenarios

After activation, the attacker could broadcast the server address, in order to serve whatever files he/she has placed there. This could impact both server resources and bandwidth resources.

Ease of Attack

 

False Positives

This signature could be triggered by casual or legitimate use.

False Negatives

 

Corrective Action

http://www.dark-e.com/archive/trojans/backc/21/index.shtml offers the following removal instructions: "Remove the Shell key located in the registry at: HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\. And the P23H located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\. Which can be done with regedit or any other registry editing program. Reboot the computer or close the trojan. Delete the trojan file Cmctl32.exe in the windows directory."

Contributors

Christopher Lubrecht chris_lubrecht@bigfoot.com Initial Research
Patrick Sarnacke pbsarnac@thoughtworks.com Packet Dumps
Josh Gray Edits

SID

255

message

DNS zone transfer TCP

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)

Summary

Someone has requested a zone transfer from your DNS server.

Impact

Information leak, reconnaissance. A malicious user can use this information to gain an understanding of your internal network structure.

Detailed Information

DNS zone transfers are normally used between DNS servers to replicate zone information. Zone transfers can also be used to gather information about a network.

Attack Scenarios

A malicious user may request a zone transfer to gather information before commencing an attack. This can give the user a list of hosts to target.

Ease of Attack

Tools such as nslookup and dig are part of commercial Linux distributions and may be used to perform zone transfers.

False Positives

DNS zone transfers are part of day-to-day traffic for DNS servers. You may want to tailor this signature to your environment to limit false positives.

False Negatives

 

Corrective Action

Configure your DNS servers to only allow zone transfers from authorised hosts, and limit the information available from publicly accessible DNS servers by using split-horizon DNS or separate DNS servers for internal networks.

Contributors

 

References

cve,CAN-1999-0532
arachnids,212

SID

334

message

FTP .forward

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:4;)

Summary

An attempt to copy a specific file to an FTP server.

Impact

An attacker might gain the ability to execute commands remotely as the affected user.

Detailed Information

The attack is an attempt to copy a ".forward" file to a server. A ".forward" file is used to configure email forwarding on UNIX systems. Usually it contains the email addresses to which arriving email is forwarded. However, a ".forward" file can also be used to forward email to programs (for example, "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 anton") and thus cause program execution triggered by arriving email messages. This functionality can be used to activate a backdoor, such as starting a daemon on a high port, launching an xterm on the attacker's machine, or initiating a reverse shell session. The attack requires an established FTP session.

Attack Scenarios

An attacker uploads a ".forward" file with commands to launch an "xterm" window on his machine into the user's home directory. Then he sends an email to the user whose ".forward" file was modified. That triggers the command in ".forward" and causes the xterm window to be opened, providing shell access to the system with the privileges of that user.

Ease of Attack

The attack requires access to a user's home directory via FTP. That means anonymous FTP access cannot be used for such an attack; a valid username and password are required. Additionally, the ability to upload files via FTP is required for a successful attack.

False Positives

If the string ".forward" is contained within the filename that is being uploaded to a server, or within any other FTP client request, the signature will trigger.

False Negatives

 

Corrective Action

Locate the uploaded ".forward" file and check it for signs of suspicious commands. Look for other suspicious events that might have occurred within the same FTP session.

Contributors

Anton Chuvakin <http://www.chuvakin.org>

References

arachnids,319

SID

797

message

Virus - Possible Worm - jpg.vbs file

Signature

alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797; classtype:misc-activity; rev:3;)

Summary

When a file carries two or more Windows file extensions, mail users have difficulty determining the type of the attachment and will probably execute a file or script while thinking it is a harmless picture.

Impact

Mail worms may spread rapidly because users execute them.

Detailed Information

Windows systems are often configured not to display file extensions. By adding a second extension, users get confused and think that an executable is a picture; e.g. niceboy.jpg.vbs is displayed as niceboy.jpg but is a Visual Basic script, not a picture.
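The content, offset and nocase matching that SID 255 (DNS zone transfer) and SID 797 (jpg.vbs attachment) rely on, worked through as an added example that is not code from the Snort project or from this page: a minimal matcher for those three modifiers, run against a constructed DNS-over-TCP AXFR query and a constructed POP3 line. The DNS message layout it builds and the sample attachment name are assumptions made for the demonstration; the two rule strings are quoted from this page.

```python
import struct
# Rules quoted from this page (SID 255 and SID 797).
RULE_DNS_AXFR = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; '
                 'flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; '
                 'reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)')
RULE_JPG_VBS = ('alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; '
                'content:".jpg.vbs"; nocase; sid:797; classtype:misc-activity; rev:3;)')

def decode_content(text):
    """Turn a Snort content string into bytes; |..| segments are hex."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_contents(rule):
    """Collect each content with the offset/depth/nocase modifiers that follow it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    specs = []
    for opt in body.split(";"):
        key, _, val = [p.strip() for p in opt.partition(":")]
        if key == "content":
            specs.append({"pat": decode_content(val.strip('"')),
                          "offset": 0, "depth": None, "nocase": False})
        elif key in ("offset", "depth", "nocase") and specs:
            specs[-1][key] = int(val) if val else True  # bare 'nocase' carries no value
    return specs

def rule_matches(rule, payload):
    """Each content is searched on its own: from offset, within depth bytes, optionally nocase."""
    for s in parse_contents(rule):
        end = None if s["depth"] is None else s["offset"] + s["depth"]
        hay, pat = payload[s["offset"]:end], s["pat"]
        if s["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True

def dns_tcp_query(qname, qtype):
    """Constructed DNS-over-TCP query: 2-byte length, 12-byte header, one question."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg
# offset:14 skips length prefix + header, so |00 00 FC| only hits the QNAME
# terminator followed by QTYPE 252 (AXFR); a type A query (1) does not match.
print(rule_matches(RULE_DNS_AXFR, dns_tcp_query("example.com", 252)))  # True
print(rule_matches(RULE_DNS_AXFR, dns_tcp_query("example.com", 1)))    # False
print(rule_matches(RULE_JPG_VBS, b'filename="Holiday.JPG.vbs"\r\n'))   # True (nocase)
```

The last line also shows why SID 797 needs nocase: only the second content has it, so "filename=" must match exactly while the double extension may appear in any case.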

Attack Scenarios

Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.

Ease of Attack

Very easy. One needs to attach a file and hope that it gets executed.

False Positives

Could be an error on the sender's side.

False Negatives

-

Corrective Action

Use antivirus software. Configure mail clients securely, especially on Windows desktops. Educate your mail users. Deny all attachments at the gateway if you can.

Contributors

tobias.haecker@to.com

References

     

SID

1158

message

WEB-MISC windmail.exe access

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:cve,CAN-2000-0242; reference:bugtraq,1073; reference:arachnids,465; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:7;)

Summary

Someone attempted to access the WindMail command-line mailer over the web.

Impact

Remote attackers could subvert the WindMail mailer to read or execute arbitrary files on the web server.

Detailed Information

WindMail is a command-line mail program for Windows. It is sometimes deployed for scripting or for sending email from a web application. Some WindMail deployments expose windmail.exe directly as a CGI application, which it was not designed to be. The result is that an attacker could read or execute arbitrary files that the web server has access to. windmail.exe should never be a CGI application itself; instead it should be called by another program that properly filters input.

Attack Scenarios

http://target/cgi-bin/windmail.exe?%20-n%20desired.file%20attacker_email_address

Ease of Attack

Simple crafting of a web GET request.

False Positives

Users browsing for WindMail or security information on the web.

False Negatives

If a CGI script calls windmail.exe, but windmail.exe itself is not a CGI application, then this signature is unlikely to notice anything. If the CGI application does not properly filter input, there is a possibility that the attack could still succeed.

Corrective Action

Look at the packet to determine whether a request was made via an HTTP GET for the windmail.exe application. If so, determine whether the attacked web server had windmail.exe on it.

Contributors

 

References

cve,CAN-2000-0242
bugtraq,1073
arachnids,465
nessus,10365

SID

1372

message

WEB-ATTACKS /etc/shadow access

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow";nocase; sid:1372; classtype:web-application-activity; rev:4;)

Summary

An attacker may have attempted to load the /etc/shadow password file through a web server.

Impact

An attacker may have gotten the /etc/shadow password file. This is unlikely to succeed with modern web servers, however.

Detailed Information

An older method of cracking web servers is to retrieve the /etc/passwd or /etc/shadow file and then run that file through a password cracker to obtain logins and passwords for the system.

Attack Scenarios

The attacker sends a hand-crafted URL, usually using a directory traversal attempt, to get the shadow password file. If the attack is successful, the attacker will most likely run the shadow file through a password cracker.

Ease of Attack

This attack is highly unlikely to work against any modern web server.

False Positives

 

False Negatives

 

Corrective Action

Examine the captured packet to determine whether the request was malicious or not. Determine whether the targeted web server was vulnerable to this kind of attack.

Contributors

 

References

 

SID

2003

message

MS-SQL Worm propagation attempt

Signature

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Summary

The "Slammer" worm has attempted to compromise an MS SQL Server.

Impact

A worm targeting a vulnerability in the MS SQL Server 2000 Resolution Service was released on January 25th, 2003. The worm attempts to exploit a buffer overflow in the Resolution Service. Because of the nature of the vulnerability, the worm is able to attempt to compromise other machines very rapidly. This vulnerability is present in unpatched MS SQL Servers. The following unpatched products containing MS SQL or Microsoft Desktop Engine (MSDE) may potentially be compromised by this worm:
* SQL Server 2000 (Developer, Standard, and Enterprise Editions)
* Visual Studio .NET (Architect, Developer, and Professional Editions)
* ASP.NET Web Matrix Tool
* Office XP Developer Edition
* MSDN Universal and Enterprise subscriptions

Detailed Information

The Monitor Service provided by MS SQL and MSDE uses unchecked client-provided data in an SQL version check function. The worm attempts to exploit a buffer overflow in this version request. If the worm sends too many bytes in the request that triggers the version check, a buffer overflow condition is triggered, resulting in a potential compromise of the SQL Server.

Attack Scenarios

 

Ease of Attack

Exploits for this vulnerability have been published publicly. A worm has been written that automatically exploits this vulnerability.

False Positives

None known at this time.

False Negatives

None known at this time.

Corrective Action

Block external access to the MS SQL services on ports 1433 and 1434 if possible. Patches from Microsoft that fix this vulnerability are available from www.microsoft.com/technet/security/bulletin/MS02-039.asp

Contributors

Brian Caswell <bmc@sourcefire.com>

References

url,vil.nai.com/vil/content/v_99992.htm
bugtraq,5311
bugtraq,5310
