Message-ID: <200406272136.i5RLa6NJ015541@bos.bindview.com>
From: mhpower at bos.bindview.com (Matt Power)
Subject: New malware to infect IIS and from there jump to clients
>From: insecure <insecure@...ritech.net>
>To: full-disclosure@...ts.netsys.com
>Date: Fri, 25 Jun 2004 12:36:41 -0500
...
>Berbew/Webber/Padodor Trojan, according to Lurhq.
>
>http://www.lurhq.com/berbew.html
This web page mentions:
content:"id=crutop|26|vvpupkin0="
The upload is in an encoded format that consists of records that
specify a machine name, a user name, and a web site that includes an
HTML form. For example, if the machine name were BINDVIEW-LAB-17, the
user name were labuser, and the form were on http://www.example.com/,
then the uploaded data would be sent via HTTP POST, and consist of:
id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn
The POST data is sent to one of the web sites specified in
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf
The data can be decoded with the following perl script:
#!/usr/bin/perl
# Decode one line of Berbew POST data read from stdin.  Each vvpupkinN
# value is a string of lowercase letter pairs: a pair (c1, c2) encodes the
# number 26*(c1-'a') + (c2-'a'), and XORing that with 113 yields one byte
# of the original record.
use strict;
use warnings;
use bytes;

my $line = <STDIN>;
chomp($line);
my @r = split /\&/, $line;              # split the body into name=value fields
for (my $i = 0; $i <= $#r; ++$i)
{
    next if ($r[$i] !~ /^vvpupkin/);     # only the vvpupkinN fields are encoded
    my @p = split /=/, $r[$i], 2;
    for (my $j = 0; $j < length($p[1]) / 2; ++$j)
    {
        my $c1 = substr($p[1], 2 * $j, 1);
        my $c2 = substr($p[1], (2 * $j) + 1, 1);
        my $o1 = ord($c1) - ord("a");
        my $o2 = ord($c2) - ord("a");
        print chr(((26 * $o1) + $o2) ^ 113);
    }
    print "\n";
}
The output of the perl script is:
crutop|BINDVIEW-LAB-17
crutop|labuser
crutop|http://www.example.com/ FORM_0
Matt Power
BindView Corporation, RAZOR Team
mhpower@....bindview.com
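Added here as an editor's example, not code from Matt Power's post or from LURHQ: a Python decoder and encoder for the same letter-pair, XOR-113 encoding, plus a check of the quoted Snort content fragment against the sample POST body (in Snort content syntax, |26| is the hex byte 0x26, i.e. '&', so the fragment matches the literal bytes "id=crutop&vvpupkin0="). The sample body and the rule fragment are copied from the message above; the function names, the rejection of letter pairs that do not decode to a single byte, and the simplified Snort content parser (no escaped pipes or quotes) are this example's own assumptions.

```python
"""Decoder/encoder for the Berbew/Webber/Padodor upload format, plus a
check of the LURHQ Snort content match against the sample POST body.
Editor's example, not code from the original post."""
from urllib.parse import parse_qsl

XOR_KEY = 113  # every decoded byte is XORed with 113 (0x71, ASCII 'q')

# Sample POST body from the message above (hostname BINDVIEW-LAB-17,
# user labuser, form on http://www.example.com/), reused as test input.
SAMPLE_POST = (
    "id=crutop"
    "&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)

# Content match quoted from the LURHQ write-up; |26| is Snort hex for '&'.
RULE_CONTENT = "id=crutop|26|vvpupkin0="


def decode_field(enc: str) -> bytes:
    """Decode one vvpupkinN value: each pair of lowercase letters is a
    base-26 number (a=0 .. z=25); XOR with XOR_KEY gives one byte."""
    if len(enc) % 2:
        raise ValueError("odd-length field")
    out = bytearray()
    for i in range(0, len(enc), 2):
        hi = ord(enc[i]) - ord("a")
        lo = ord(enc[i + 1]) - ord("a")
        if not (0 <= hi < 26 and 0 <= lo < 26):
            raise ValueError(f"non-alphabetic pair at offset {i}: {enc[i:i + 2]!r}")
        value = (26 * hi + lo) ^ XOR_KEY
        if value > 0xFF:  # assumption: a valid upload only carries single bytes
            raise ValueError(f"pair at offset {i} decodes to {value}, not a byte")
        out.append(value)
    return bytes(out)


def encode_field(plain: bytes) -> str:
    """Inverse of decode_field: XOR each byte with XOR_KEY, emit two letters."""
    out = []
    for b in plain:
        v = b ^ XOR_KEY  # 0..255, always fits in two base-26 digits
        out.append(chr(ord("a") + v // 26) + chr(ord("a") + v % 26))
    return "".join(out)


def decode_post(body: str) -> list:
    """Return the decoded records of a POST body, ordered by vvpupkin index."""
    prefix = "vvpupkin"
    fields = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
              if k.startswith(prefix) and k[len(prefix):].isdigit()]
    fields.sort(key=lambda kv: int(kv[0][len(prefix):]))
    return [decode_field(v).decode("latin-1") for _, v in fields]


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string to raw bytes: text outside |...| is
    literal, text inside is hex bytes.  Simplified: escaped pipes and
    quotes are not handled."""
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        if i % 2 == 0:
            out += seg.encode("latin-1")
        else:
            out += bytes.fromhex(seg)
    return bytes(out)


def matches_rule(body: str, content: str = RULE_CONTENT) -> bool:
    """True if the raw POST body contains the rule's content bytes."""
    return snort_content_to_bytes(content) in body.encode("latin-1")


if __name__ == "__main__":
    for rec in decode_post(SAMPLE_POST):
        print(rec)
    print("rule matches:", matches_rule(SAMPLE_POST))
```

Running the block prints the three records shown in the message (crutop|BINDVIEW-LAB-17, crutop|labuser, crutop|http://www.example.com/ FORM_0) and reports that the Snort content fragment matches the sample body. The encoder exists only to confirm the decoder is an exact inverse; since every byte XOR 113 is below 676, two base-26 letters always suffice, which is why the malware's fields are pure lowercase ASCII.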