Virus Blog

First Hit IBM Lotus Sametime

— Posted by zeroq @ 11:30 - 29 May, 2008

Yesterday our honeynet was hit by an attacker exploiting the IBM Lotus Sametime buffer overflow. The service runs on TCP port 1533 and is vulnerable to oversized URLs
(http://securityvulns.com/news/IBM/LotusSametime.html)

I set up the analyzer module of Amun to listen on this port for incoming requests, and yesterday we got the first results:

exploit 85.214.79.120:3384 -> xxx.xxx.51.84:1533
(ANALYZER Vulnerability: cbacks://85.214.79.120:5559/)

Fortunately the shellcode is already recognized. The attacker injected shellcode causing the victim to connect back to the attacker and spawn a shell.


More on Black Energy Bot

— Posted by zeroq @ 11:21 - 29 May, 2008

I modified my infiltrator script to monitor POST-based HTTP bots. I am currently monitoring the Black Energy botnet I found yesterday.

Commands have changed since the last visit:

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.igra3k.ru,www.moneymakergroup.com,www.mycashforum.com,www.dreamteammoney.com,
www.invest-n-surf.net,www.autosurfnavigator.com,www.vip-globalmarketingsolutions.com#6#']

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#wait#8#']

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.moneymakergroup.com,www.mycashforum.com,www.dreamteammoney.com,
www.invest-n-surf.net,www.autosurfnavigator.com,www.vip-globalmarketingsolutions.com#6#']

base64: ['10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.russiancasino.ru,taxi-ufa.ru#8#']



FDOS BEnergy

— Posted by zeroq @ 14:31 - 28 May, 2008

I recently stumbled across some interesting log lines in our quarantine webserver logs:

15:49:19.348824 IP xxx.xxx.101.24.3989 > 124.217.249.240.80
POST /h0tbe1by/stat.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: activeprotect.cn
Content-Length: 38
Pragma: no-cache

id=xMAHAJANVA_33E529BB&build_id=2F5C73

This looks pretty interesting: a POST to a funny directory ... strange. Now let's see what the server replied:

15:49:19.729110 IP 124.217.249.240.80 > xxx.xxx.101.24.3989
HTTP/1.1 200 OK
Date: Fri, 23 May 2008 13:49:19 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.5 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.5
Connection: close
Content-Type: text/html

MTA7MjAwMDsxMDswOzA7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI2Zsb29kIGh0dHAgd3d3LjE0ZGF5cy1oaXRzLX
N1cmYubmV0LG1vbmV5bWFrZXJncm91cC5jb20sd3d3LnRhbGtnb2xkLmNvbSBmb3J1bS9p
bmRleC5waHAjOCM=

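To make the check-in and the reply above easier to work with, here is an added Python example that is not part of this blog or of the infiltrator script. It flags the stat.php POST seen in the capture and decodes a reply into its parameter block, command and target list. The reply layout (params#command#n#) is inferred from the captures on this page; what the eleven numbers and the trailing number mean is not stated here, so they are returned untouched, and treating the trailing word after the host list as a URI path is an assumption.

```python
import base64
import re
from urllib.parse import parse_qs

# C&C reply copied from the capture above (the three base64 lines joined).
CAPTURED_REPLY = (
    "MTA7MjAwMDsxMDswOzA7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI2Zsb29kIGh0dHAgd3d3LjE0ZGF5cy1oaXRzLX"
    "N1cmYubmV0LG1vbmV5bWFrZXJncm91cC5jb20sd3d3LnRhbGtnb2xkLmNvbSBmb3J1bS9p"
    "bmRleC5waHAjOCM="
)

def looks_like_checkin(request_line, body):
    """Flag the check-in seen in the capture: a POST to .../stat.php whose
    form body carries 'id' and 'build_id'. Returns the fields or None."""
    m = re.match(r"POST (\S+) HTTP/1\.[01]$", request_line)
    if not m or not m.group(1).endswith("/stat.php"):
        return None
    fields = parse_qs(body)
    if "id" not in fields or "build_id" not in fields:
        return None
    return {"path": m.group(1), "id": fields["id"][0], "build_id": fields["build_id"][0]}

def parse_command(text):
    """Split a decoded reply into its parts.

    Layout inferred from the captures: <params>#<command> [<args>]#<n>#
    The eleven numeric params and the trailing number are not explained on
    the page (assumption), so they are returned untouched as 'params'/'seq'."""
    parts = text.split("#")
    if len(parts) != 4 or parts[3] != "":
        raise ValueError("unexpected command layout: %r" % text)
    params = [int(p) for p in parts[0].split(";")]
    cmd, _, args = parts[1].partition(" ")
    result = {"params": params, "command": cmd, "seq": parts[2], "targets": []}
    if cmd == "flood":
        # "flood http host1,host2[,...] [extra]": protocol, comma-separated
        # hosts, then an optional trailing word (assumed to be a URI path).
        proto, _, rest = args.partition(" ")
        hosts, _, extra = rest.partition(" ")
        result["protocol"] = proto
        result["targets"] = [h for h in hosts.split(",") if h]
        result["path"] = extra or None
    return result

def decode_command(reply_b64):
    """Base64-decode a raw C&C reply and parse it."""
    return parse_command(base64.b64decode(reply_b64).decode("ascii"))

if __name__ == "__main__":
    print(decode_command(CAPTURED_REPLY))
```

Running it on the captured reply yields the three hosts the bot was told to flood, which is the list a defender would want to notify.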

HP OpenView Exploit

— Posted by zeroq @ 09:01 - 14 May, 2008

Yesterday evening our Amun honeypots got hit by an attacker exploiting the HP OpenView vulnerability. The attack came from a host located in the Netherlands.

The shellcode is about 1.5 KByte in size and is encoded using ALPHA 2, an alphanumeric shellcode encoding mechanism, just like the one from the milw0rm exploit linked above.

Amun does not yet simulate that vulnerability, but the port had been added to the analyzer module, so I received all the necessary information.



Amun v0.1.4

— Posted by zeroq @ 17:52 - 13 May, 2008

The next release is ready to download. The changelog looks as follows:

Changes in v0.1.4:

  • fixed ftp download module to send requests one by one
  • fixed manual analysis option to work again after last update (missing parameter)
  • added new vulnerability module for Helix server v11.0.1 exploit
  • modified ftp shellcode decoder to find all download files
  • modified submit modules to Python new-style classes
  • modified logfiles to rotate at midnight
  • added blocking of successful exploit IPs
  • added queue of last stored binaries to reduce disk I/O when checking for already stored files
  • added initial stage to IIS vulnerability
  • moved broken download checking out of submit modules

