Message-ID: <200406272136.i5RLa6NJ015541@bos.bindview.com>
From: mhpower at bos.bindview.com (Matt Power)
Subject: New malware to infect IIS and from there jump to clients

>From: insecure <insecure@...ritech.net>
>To: full-disclosure@...ts.netsys.com
>Date: Fri, 25 Jun 2004 12:36:41 -0500
...
>Berbew/Webber/Padodor Trojan, according to Lurhq.
>
>http://www.lurhq.com/berbew.html

This web page mentions:

  content:"id=crutop|26|vvpupkin0="

The upload is in an encoded format that consists of records that
specify a machine name, a user name, and a web site that includes an
HTML form. For example, if the machine name were BINDVIEW-LAB-17, the
user name were labuser, and the form were on http://www.example.com/,
then the uploaded data would be sent via HTTP POST, and consist of:

id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn

The POST data is sent to one of the web sites specified in

  http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The data can be decoded with the following Perl script:

#!/usr/bin/perl
# Decode one Berbew/Padodor upload body read from standard input.
use strict;
use warnings;
use bytes;

my $line = <STDIN>;
chomp($line);

# The body is ordinary form-encoded data: fields joined by '&'.
my @fields = split /&/, $line;
for my $field (@fields) {
    # Only the vvpupkinN fields carry encoded records; "id=crutop" is skipped.
    next if $field !~ /^vvpupkin/;
    my ($name, $value) = split /=/, $field, 2;
    # Each plaintext byte is sent as two lowercase letters: a base-26 digit
    # pair (26 * first + second) XORed with the constant 113.
    for (my $j = 0; $j < length($value) / 2; ++$j) {
        my $c1 = substr($value, 2 * $j, 1);
        my $c2 = substr($value, (2 * $j) + 1, 1);
        my $o1 = ord($c1) - ord("a");
        my $o2 = ord($c2) - ord("a");
        print chr(((26 * $o1) + $o2) ^ 113);
    }
    print "\n";
}


The output of the Perl script is:

crutop|BINDVIEW-LAB-17
crutop|labuser
crutop|http://www.example.com/ FORM_0
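The same decoding in Python, as an added example that is not part of Matt's post: it parses the whole POST body with the standard library, rejects input that is not a clean letter-pair encoding (odd length or non-letters, which the one-liner would silently turn into garbage), and strips the crutop| marker from each record. The sample body is the one quoted above; keying records by their vvpupkinN index rather than by position is an assumption made here.

```python
"""Decode a Berbew/Padodor upload POST body into the fields it carries."""
import re
from urllib.parse import parse_qsl

# Sample body copied from the post above: hostname BINDVIEW-LAB-17,
# user labuser, form on http://www.example.com/.
SAMPLE_BODY = (
    "id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)
XOR_KEY = 113
RECORD_PREFIX = "crutop|"

def decode_field(value: str) -> str:
    """Turn one vvpupkinN value back into text: each byte is two lowercase
    letters, a base-26 pair (26 * first + second) XORed with 113.  Anything
    else is not this encoding, so fail loudly instead of emitting garbage."""
    if len(value) % 2 or not re.fullmatch(r"[a-z]*", value):
        raise ValueError("not a letter-pair encoding: %r" % value)
    out = []
    for i in range(0, len(value), 2):
        hi, lo = ord(value[i]) - ord("a"), ord(value[i + 1]) - ord("a")
        out.append(chr((26 * hi + lo) ^ XOR_KEY))
    return "".join(out)

def decode_upload(body: str) -> dict:
    """Parse a whole POST body into {index: record text} with the crutop|
    prefix removed.  Records are keyed by the vvpupkinN index, not by the
    order the fields appear in (an assumption for robustness)."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if fields.get("id") != "crutop":
        raise ValueError("missing id=crutop marker")
    records = {}
    for name, value in fields.items():
        m = re.fullmatch(r"vvpupkin(\d+)", name)
        if not m:
            continue
        text = decode_field(value)
        if not text.startswith(RECORD_PREFIX):
            raise ValueError("%s lacks the %r prefix" % (name, RECORD_PREFIX))
        records[int(m.group(1))] = text[len(RECORD_PREFIX):]
    return records

if __name__ == "__main__":
    for idx, text in sorted(decode_upload(SAMPLE_BODY).items()):
        print("vvpupkin%d: %s" % (idx, text))
```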


Matt Power
BindView Corporation, RAZOR Team
mhpower@....bindview.com

