[Emerging-Sigs] favicon's as executables

CunningPike cunningpike at gmail.com
Thu Jan 15 18:58:17 EST 2009


I have noticed quite a few of these as well. In all our cases, the
executable turned out to be a copy of aspnet_isapi.dll.

I have a feeling that there is some misconfiguration in IIS/ASP.NET that
causes this behavior.

CP

On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
> We have seen a few instances of favicon.ico's coming down as executable
> files. In all instances so far the server reports "404 Not Found"
> when the browser requests the favicon.ico file yet it serves this little
> binary instead.
> 
> DST: HTTP/1.1 404 Not Found
> DST: Content-Length: 17416
> DST: Content-Type: application/x-msdownload
> DST: Server: Microsoft-IIS/6.0
> DST: X-Powered-By: ASP.NET
> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
> DST:
> DST: 
> MZ...................... at ...............................................!..L.!Th
> 
> $ file favicon.ico
> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
> 
> $ md5sum favicon.ico
> 74e81a65879ffe881a7af525a0254ad8  favicon.ico
> 
> Here's an example URL if you're curious:
> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
> Download it safely and of course replace the DOT's.  :)
> 
> Virustotal comes up empty and so does threatexpert.com
> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
> 
> Can someone shed light on this little mystery?  TIA
> 
> RPG