Help
MS04-011: Bobax (Sasser-like Internet worm)
http://www.f-secure.com/v-descs/bobax.shtml
Bobax is a new, Sasser-like worm that uses the MS04-011 (LSASS.EXE) vulnerability to propagate. The worm scans random IP addresses for vulnerable computers. When Bobax infects a host, the exploit uses HTTP to download the worm from a webserver which listens on a random port on the attacker host. The data is downloaded into a dropper file called 'svc.exe'. The dropper drops the actual worm body, which is a DLL, to the temporary directory with a random name. The worm is launched by injecting it to Explorer with a technique called DLL Injection. Because the worm runs as a thread in Explorer it's not visible as a separate process.
Page 1 of 1
MS04-011: Bobax (Sasser-like Internet worm)
#1
- Security Reporter
-
- Group: Members
- Posts: 509
- Joined: 10-April 04
- Gender:Male
- Location:Roanoke, Virginia
Posted 16 May 2004 - 12:36 PM
Back to top
#2
- Security Reporter
-
- Group: Members
- Posts: 509
- Joined: 10-April 04
- Gender:Male
- Location:Roanoke, Virginia
Posted 18 May 2004 - 09:21 AM
MS04-011: Port 5000 increase by Bobax and Kibuv worms
http://www.incidents.org/diary.php?date=2004-05-17
Two very different worms are currently responsible for the rapid increase in port 5000 scans. The first, 'Bobax', uses port 5000 to identify Windows XP systems. Windows XP uses port 5000 (TCP) for 'Universal Plug and Play (UPnP)'. By default, UPnP is enabled. The second worm, 'Kibuv', will use an old vulnerability in Windows XP's UPnP implementation to exploit systems. This vulnerability was one of the first discovered in Windows XP and patches have been available.
None of the vulnerabilities used by these two worms is new. Unpatched systems are likely infected with other worms and do as such not provide a significant new threat. So far, we only count about 500,000 infected systems with either worm, which is just about on the same level as Sasser and Blaster.
Bobax
http://secunia.com/virus_information/9458/bobax.a/
Joe Stewart (LURHQ Corp.) compiled an analysis of this worm:
http://www.lurhq.com/bobax.html
Installs an HTTP listener on a random port ( 2000-62000). This HTTP server is used to deliver the trojan to infected systems.
Scans port 5000 (tcp). If port 5000 responds, the LSASS exploit will be used to compromise the host and download the trojan from the infecting system's http server. Contacts one of a number of web servers to notify them of the successful infection
Kibuv.B
http://secunia.com/virus_information/9471/kibuv.a/
http://secunia.com/virus_information/9490/
Kibuv.B will start and FTP server on port 7955. Any username / password combination will work. The FTP server will always send a copy of the worm, regardless of the file requested. This is similar to other malware ftp serves.
Kibuv.B uses 7 different mechanisms to spread:
1. Messenger Service Buffer Overrun
2. IIS 5.0 WebDav vulnerability
3. UPnP Buffer Overflow
4 .RPC DCOM Buffer Overflow
5. LSASS vulnerability
6. Backdoors created by Weird and Beagle
7. Sasser FTP server overflow
http://www.incidents.org/diary.php?date=2004-05-17
Two very different worms are currently responsible for the rapid increase in port 5000 scans. The first, 'Bobax', uses port 5000 to identify Windows XP systems. Windows XP uses port 5000 (TCP) for 'Universal Plug and Play (UPnP)'. By default, UPnP is enabled. The second worm, 'Kibuv', will use an old vulnerability in Windows XP's UPnP implementation to exploit systems. This vulnerability was one of the first discovered in Windows XP and patches have been available.
None of the vulnerabilities used by these two worms is new. Unpatched systems are likely infected with other worms and do as such not provide a significant new threat. So far, we only count about 500,000 infected systems with either worm, which is just about on the same level as Sasser and Blaster.
Bobax
http://secunia.com/virus_information/9458/bobax.a/
Joe Stewart (LURHQ Corp.) compiled an analysis of this worm:
http://www.lurhq.com/bobax.html
Installs an HTTP listener on a random port ( 2000-62000). This HTTP server is used to deliver the trojan to infected systems.
Scans port 5000 (tcp). If port 5000 responds, the LSASS exploit will be used to compromise the host and download the trojan from the infecting system's http server. Contacts one of a number of web servers to notify them of the successful infection
Kibuv.B
http://secunia.com/virus_information/9471/kibuv.a/
http://secunia.com/virus_information/9490/
Kibuv.B will start and FTP server on port 7955. Any username / password combination will work. The FTP server will always send a copy of the worm, regardless of the file requested. This is similar to other malware ftp serves.
Kibuv.B uses 7 different mechanisms to spread:
1. Messenger Service Buffer Overrun
2. IIS 5.0 WebDav vulnerability
3. UPnP Buffer Overflow
4 .RPC DCOM Buffer Overflow
5. LSASS vulnerability
6. Backdoors created by Weird and Beagle
7. Sasser FTP server overflow
#3
- Member
-
- Group: Members
- Posts: 33
- Joined: 11-April 04
- Location:United States
Posted 18 May 2004 - 09:39 AM
Thanks for the heads up Harry!!!
Magic
Magic
Have a Great Day!!!
Share this topic:
Page 1 of 1