Security Incidents: RE: Code red variants?

RE: Code red variants?

From: Korkmaz, Murat <Murat_Korkmaz_at_nai.com>
Date: Wed, 5 Sep 2001 18:06:36 -0700

Hi,
I suppose it is a trojan which uses the ACK tunneling method. I don't know what
type of firewall you are using, but there are some firewalls that don't check
the ACK packets.
Anyway, here is the tool for it, ACKCMD, which you can find at
  http://ntsecurity.nu/toolbox/ackcmd/
There you are gonna find some information as well.
Cheers,
Murat-
 
-----Original Message-----
From: Russell Fulton [mailto:r.fulton_at_auckland.ac.nz]
Sent: Wednesday, September 05, 2001 4:14 PM
To: incidents_at_securityfocus.com
Subject: Code red variants?

Snort logged a bunch of somewhat anomalous packets. At first glance
they appear to be standard cmd.exe packets from Code Red.

[**] WEB-IIS cmd.exe access [**]
09/06-07:10:23.613276 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x5EA
130.67.240.225:1450 -> 130.216.223.150:80 TCP TTL:101 TOS:0x0 ID:24351
IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE68E61F7 Ack: 0xE5C99396 Win: 0x2238 TcpLen: 20
00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat
00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_
6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E.
E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u.
FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy
73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U..
45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL

[ snip ]

However, what puzzled me is that the destination (130.216.223.150) is
firewalled. I then looked at the argus logs:

06 Sep 01 07:10:23 tcp 130.67.240.225.1450 ?> 130.216.223.150.80 1 1 1460 0 A_RPA

Which shows a single incoming packet with ACK set and payload.

This suggests that the source is simply firing out packets without
waiting for the handshake to complete. This is not standard Code Red
behaviour; otherwise snort would be logging far more Code Red alerts.

Also there was no .ida alert for this address.

I then used argus to dump all traffic from 130.67/16 (online.no) and found
that there is a steady trickle of such packets.

06 Sep 01 00:02:34 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 1460 0 A_
06 Sep 01 00:04:27 tcp 130.67.216.237.3955 ?> 130.216.145.172.80 2 0 2920 0 A_
06 Sep 01 00:06:58 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 2920 0 A_
06 Sep 01 00:17:00 tcp 130.67.114.61.2124 ?> 130.216.213.213.80 1 0 1460 0 A_
06 Sep 01 00:58:01 tcp 130.67.10.87.1922 ?> 130.216.78.223.80 1 0 1460 0 A_
06 Sep 01 01:08:47 tcp 130.67.240.131.3281 ?> 130.216.185.75.80 1 1 1460 0 A_R
06 Sep 01 01:23:10 tcp 130.67.58.251.3371 ?> 130.216.187.210.80 1 0 1460 0 A_
06 Sep 01 01:28:38 tcp 130.67.118.172.4396 ?> 130.216.149.34.80 2 0 2920 0 A_
06 Sep 01 01:28:59 tcp 130.67.229.89.2904 ?> 130.216.51.74.80 1 0 1460 0 A_
06 Sep 01 01:33:50 tcp 130.67.118.172.3032 ?> 130.216.72.91.80 1 0 1460 0 A_

This explains one thing: I had noticed that the snort cmd.exe count
was consistently higher than the .ida count, but I could not find any
packets other than apparently ordinary Code Red ones.

For comparison I dumped all traffic for another 130/8 which I know
has a whole bunch of Code Red compromised machines and saw none of the
bare ACK packets.

Any idea what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Received on Sep 06 2001
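The pattern Russell describes, a single packet per flow with only ACK set and a full payload but no SYN ever seen, is easy to pull out of flow records automatically. The script below is an added example, not code from the thread or from argus; it parses the one-line flow records quoted above. The column layout it assumes (date, time, protocol, source, direction, destination, source packets, destination packets, source bytes, destination bytes, state) and its reading of the state field as `<source flags>_<destination flags>` are assumptions about the format, not something the post documents. The final "SPA_SPA" record is constructed as a normal completed connection for contrast.

```python
"""Spot TCP flows that carried payload on bare ACKs with no SYN observed.

Added example, not from the mailing-list thread. Column meaning and the
'<src flags>_<dst flags>' reading of the state field are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One argus-style record, e.g.
# '06 Sep 01 00:02:34 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 1460 0 A_'
_RECORD = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+\S+\s+(?P<dst>\S+)\s+"
    r"(?P<spk>\d+)\s+(?P<dpk>\d+)\s+(?P<sby>\d+)\s+(?P<dby>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)


@dataclass
class Flow:
    ts: str
    proto: str
    src: str        # "ip.port" as argus prints it
    dst: str
    src_pkts: int
    dst_pkts: int
    src_bytes: int
    dst_bytes: int
    src_flags: str  # TCP flag letters seen from the source side (assumed)
    dst_flags: str  # TCP flag letters seen from the destination side (assumed)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the layout."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    src_flags, _, dst_flags = m.group("state").partition("_")
    return Flow(m.group("ts"), m.group("proto"), m.group("src"), m.group("dst"),
                int(m.group("spk")), int(m.group("dpk")),
                int(m.group("sby")), int(m.group("dby")),
                src_flags, dst_flags)


def host_of(endpoint: str) -> str:
    """'130.67.240.225.1450' -> '130.67.240.225' (port is the last dotted field)."""
    return endpoint.rsplit(".", 1)[0]


def is_bare_ack_payload(flow: Flow) -> bool:
    """Source sent data with ACK set but never a SYN: a stateless injector
    (as in the post) or ACK-tunnelled traffic, never a normal client."""
    return (flow.proto == "tcp"
            and "A" in flow.src_flags
            and "S" not in flow.src_flags
            and flow.src_bytes > 0)


def find_bare_ack_flows(lines: List[str]) -> List[Flow]:
    """Return the parsed flows that match the bare-ACK-with-payload rule."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    return [f for f in flows if is_bare_ack_payload(f)]


def count_by_source(flows: List[Flow]) -> Counter:
    """How many hits each source host produced; useful for ranking senders."""
    return Counter(host_of(f.src) for f in flows)


# Records quoted from the post (one per line), plus one constructed normal
# connection ("SPA_SPA", both sides sent SYN) that must not be flagged.
SAMPLE = """
06 Sep 01 07:10:23 tcp 130.67.240.225.1450 ?> 130.216.223.150.80 1 1 1460 0 A_RPA
06 Sep 01 00:02:34 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 1460 0 A_
06 Sep 01 00:04:27 tcp 130.67.216.237.3955 ?> 130.216.145.172.80 2 0 2920 0 A_
06 Sep 01 00:06:58 tcp 130.67.216.237.3339 ?> 130.216.246.91.80 1 0 2920 0 A_
06 Sep 01 00:17:00 tcp 130.67.114.61.2124 ?> 130.216.213.213.80 1 0 1460 0 A_
06 Sep 01 00:58:01 tcp 130.67.10.87.1922 ?> 130.216.78.223.80 1 0 1460 0 A_
06 Sep 01 01:08:47 tcp 130.67.240.131.3281 ?> 130.216.185.75.80 1 1 1460 0 A_R
06 Sep 01 01:23:10 tcp 130.67.58.251.3371 ?> 130.216.187.210.80 1 0 1460 0 A_
06 Sep 01 01:28:38 tcp 130.67.118.172.4396 ?> 130.216.149.34.80 2 0 2920 0 A_
06 Sep 01 01:28:59 tcp 130.67.229.89.2904 ?> 130.216.51.74.80 1 0 1460 0 A_
06 Sep 01 01:33:50 tcp 130.67.118.172.3032 ?> 130.216.72.91.80 1 0 1460 0 A_
06 Sep 01 01:40:00 tcp 130.67.5.5.1025 ?> 130.216.9.9.80 5 4 612 2300 SPA_SPA
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_bare_ack_flows(SAMPLE)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst} {f.src_bytes}B src_flags={f.src_flags}")
    print("top senders:", count_by_source(hits).most_common(3))
```

Run over the quoted records it flags all eleven of Russell's flows and not the constructed normal connection, and `count_by_source` shows 130.67.216.237 as the busiest sender. Because the rule keys on the source side never sending a SYN, it does not care whether the destination answered with a RST ("A_R", "A_RPA") or stayed silent ("A_"), which is exactly the distinction a stateful firewall in front of the target produces.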
