Beagle Virus Exploit
Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745
(TCP). We do monitor increased scanning activity
for this port. Today, a reader submitted a tool which is
used to scan for Beagle-infected systems. If the tool finds
port 2745 open, it will send the 'magic string' to open the
backdoor. Next, a URL is sent to the system. The Bagle-infected system
will attempt to download the content of the URL and execute it.
Sample session (using a netcat listener):
1. Establish TCP connection to port 2745
2. Send "exploit buffer"
3. 'reply' from infected host (just 'CR' in this case)
4. Send URL for download

Mailbag: Port 12345 scans
A user submitted logs showing large numbers of scans against
port 12345 (TCP). This port is commonly associated with the trojan
'Netbus' and other malware. The log did not indicate a new tool
but rather appears to show a number of sequential connect scans.
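
Scanning of this kind can be picked out of perimeter logs. The following is an added example, not part of the original diary or of the submitted tool: it groups firewall log entries by source and flags sources that probed one of the ports named in this diary on several hosts, marking runs of consecutive target addresses as sequential scans. The iptables-style log format, the sample lines, the min_targets threshold and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the diary, with the association the diary gives for each.
WATCHED = {2745: "Beagle/Bagle backdoor", 12345: "Netbus", 1026: "popup spam"}
FIELDS = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample in iptables LOG style (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 30 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP DPT=2745
Mar 30 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP DPT=2745
Mar 30 10:00:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP DPT=2745
Mar 30 10:03:10 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP DPT=12345
Mar 30 10:07:44 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.40 PROTO=TCP DPT=12345
Mar 30 10:09:05 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.200 PROTO=TCP DPT=12345
Mar 30 10:11:30 fw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=UDP DPT=1026
Mar 30 10:12:01 fw kernel: damaged entry SRC=not-an-ip DST=198.51.100.7 DPT=2745
"""

def parse(line):
    """Return (src, dst_as_int, dport), or None for lines that do not parse."""
    f = dict(FIELDS.findall(line))
    try:
        return str(ipaddress.ip_address(f["SRC"])), int(ipaddress.ip_address(f["DST"])), int(f["DPT"])
    except (KeyError, ValueError):
        return None

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    best = 0
    for a in (a for a in addrs if a - 1 not in addrs):  # each run start
        n = 1
        while a + n in addrs:
            n += 1
        best = max(best, n)
    return best

def find_scans(log_text, min_targets=3):
    """Flag sources that probed a watched port on at least min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, dport in filter(None, map(parse, log_text.splitlines())):
        if dport in WATCHED:
            targets[(src, dport)].add(dst)
    return [{"src": s, "port": p, "note": WATCHED[p], "targets": len(d),
             "sequential": longest_run(d) >= min_targets}
            for (s, p), d in sorted(targets.items()) if len(d) >= min_targets]

if __name__ == "__main__":
    print(*find_scans(SAMPLE_LOG), sep="\n")
```

The protocol field is not checked, because the diary gives none for port 1026; the single probe of that port in the sample stays below the threshold and is not reported.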

Ports in focus: 1026
Scans for port 1026 appear to have increased again over the last
couple of weeks. According to some reports, this is due to popup
spam, which now relies more on compromised systems as its origin.
In the past, only a small number of sources originated this

SSL "NULL" Encryption (Errata)
An earlier diary ( http://isc.sans.org/diary.html?date=04-03-04 )
quoted Dr. Neal Krawetz, from Secure Science Corporation, as saying
that "One of the SSL encoding methods is "plain text". Most SSL servers
have this disabled by default, but most browsers support it. When plain
text is used, no central certificate authority is consulted and the user
never sees a message asking if a certificate should be accepted (because
"plain text" doesn't use certificates). Keeping that in mind, the little
lock icon may not even indicate an encrypted channel. The little lock
only indicates an SSL connection".
Prompted by reader feedback, we did our own experiments, limiting an
Apache 1.3 server to 'NULL' encryption. We were not able to reproduce
this issue with any recent browser.
Mozilla, in its default configuration, will pop up an error dialog stating
that no common cipher could be found. If the 'null'/'plain text'
encryption is specifically enabled, the page will load, but the
certificate will still be validated and any errors will be communicated
to the user.
Microsoft Internet Explorer will show a generic error page. It does
not appear to be possible in MSIE 6 to enable 'NULL' encryption.
Johannes Ullrich, jullrich_AT_sans.org
Mar 30th 2004