Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Phatbot/Agobot/Gaobot; More on MS SSL exploit; Mailbag - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Phatbot/Agobot/Gaobot; More on MS SSL exploit; Mailbag
Phatbot/Agobot/Gaobot; More on MS SSL exploit; Mailbag

Phatbot/Agobot/Gaobot

On yesterday diary on "Possible New Virus", it was identified to be W32.HLLW.Gaobot.gen (Symantec) or w32/sdbot.worm.gen (Mcafee).

According to Symantec, the worm can exploit systems using various vulnerabilities, including:

* Weak passwords on network shares.

* The DCOM RPC vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

* The WebDav vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

* The Workstation service buffer overrun vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

* The Microsoft Messenger Service Buffer Overrun vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx

* The Locator service vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-001.mspx

* The UPnP vulnerability: http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit: http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx

* The backdoor ports that the Beagle and Mydoom families of worms open.

It also opens backdoors to the infected computers through IRC.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html
More on MS SSL exploit



Microsoft has issued information about code that attempts to exploit PCT in SSL:
http://www.microsoft.com/security/incident/pctdisable.asp

"All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. These services include, but are not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server? 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections."

"Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections."

There is a chance of using the exploit against IIS running Microsoft SSL to get inside a network. Once inside the network, it could use the same technique to compromise other systems running Microsoft SSL which may be supposely protected by the firewall.
Mailbag

We received an email on the use of MS SSL exploit. From the report, after the successful K-OTIK exploit via port 443, the victims called back a shell to another host via port 53. Commands such as net start, net stop, net view, ipconfig, net share, ftp, dir, del were seen to be executed. One of the victims also initiated with another host on port 80 to get some backdoors. From the filename, one of them is the stealthy backdoor hxdef084.exe:

http://www.pestpatrol.com/pestinfo%5Cb%5Cbackdoor_hackdef_084.asp
We also received an email on the seeing Phatbot/Agobot/Gaobot variants spreading:
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adv.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adw.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adx.html

Kevin

32 Posts

Sign Up for Free or Log In to start participating in the conversation!