[Emerging-Sigs] favicon's as executables

RPG inittab at jtan.com
Fri Jan 16 07:46:32 EST 2009


Interesting, yes I should have looked a little closer at the file, it
does "advertise" itself as aspnet_isapi.dll

$ strings favicon.ico  | head
aspnet_isapi.dll
GetExtensionVersion
HttpExtensionProc
InstallStateService
RegisterISAPI
RegisterISAPIEx
TerminateExtension
UnregisterISAPI
Y__^[
t8WVS

However, and FWIW, the one aspnet_isapi.dll file that I do have doesn't
look similar.  Perhaps it's a different version.

$ strings aspnet_isapi.dll  | head
CRequestEntry
zFtmHelper
g_AspTypelibLock
ActivitiesPoolLock
AspDispatchHelper
zCFreeBufferList::g_lLock
CCPUEntry


Nonetheless, if this truly is a "misconfiguration" of IIS/ASP.NET, I
wonder what it would take to have it serve up other binaries in this
fashion.


CunningPike wrote:
> I have noticed quite a few of these as well. In all our cases, the
> executable turned out to be a copy of aspnet_isapi.dll.
> 
> I have a feeling that there is some misconfiguration in IIS/ASP.NET that
> causes this behavior.
> 
> CP
> 
> On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
>> We have seen a few instances of favicon.ico's coming down as executable
>> files. In all instances so far the server reports "404 Not Found"
>> when the browser requests the favicon.ico file yet it serves this little
>> binary instead.
>>
>> DST: HTTP/1.1 404 Not Found
>> DST: Content-Length: 17416
>> DST: Content-Type: application/x-msdownload
>> DST: Server: Microsoft-IIS/6.0
>> DST: X-Powered-By: ASP.NET
>> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
>> DST:
>> DST: 
>> MZ...................... at ...............................................!..L.!Th
>>
>> $ file favicon.ico
>> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>>
>> $ md5sum favicon.ico
>> 74e81a65879ffe881a7af525a0254ad8  favicon.ico
>>
>> Here's an example URL if you're curious:
>> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
>> Download it safely and of course replace the DOT's.  :)
>>
>> Virustotal comes up empty and so does threatexpert.com
>> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
>> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>>
>> Can someone shed light on this little mystery?  TIA
>>
>> RPG
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
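
The triage done by hand in this thread with `file` and `strings` can be scripted. The following is an added example, not code from the thread or from Emerging Threats: it classifies a body fetched from /favicon.ico by its magic bytes and, for a PE image, reads the DLL name from the export directory, which is where the leading `aspnet_isapi.dll` string comes from. The function names are hypothetical and `sample_dll()` builds a constructed stand-in image, not the file discussed above.

```python
import struct

ICO_MAGIC = b"\x00\x00\x01\x00"  # ICONDIR header: reserved=0, type=1 (icon)

def pe_export_name(body):
    """Return the DLL name recorded in a PE export directory, else None."""
    try:
        pe, = struct.unpack_from("<I", body, 0x3C)             # e_lfanew
        if body[:2] != b"MZ" or body[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, = struct.unpack_from("<H", body, pe + 6)
        opt_size, = struct.unpack_from("<H", body, pe + 20)
        opt = pe + 24
        magic, = struct.unpack_from("<H", body, opt)
        # Data directories start 96 bytes into a PE32 optional header, 112 in PE32+
        exp_rva, = struct.unpack_from("<I", body, opt + (96 if magic == 0x10B else 112))
        secs = [struct.unpack_from("<8sIIII", body, opt + opt_size + 40 * i)
                for i in range(nsec)]

        def offset(rva):  # map an RVA to a file offset through the section table
            for _, vsize, vaddr, rsize, rptr in secs:
                if vaddr <= rva < vaddr + max(vsize, rsize):
                    return rva - vaddr + rptr
            raise ValueError("RVA outside all sections")

        if exp_rva == 0:
            return None
        name_rva, = struct.unpack_from("<I", body, offset(exp_rva) + 12)
        start = offset(name_rva)
        return body[start:body.index(b"\0", start)].decode("ascii", "replace")
    except (struct.error, ValueError):
        return None  # truncated or malformed image

def triage_favicon(body):
    """Classify a body fetched from /favicon.ico by content, not by URL or headers."""
    kind = "ico" if body[:4] == ICO_MAGIC else "pe" if body[:2] == b"MZ" else "other"
    return {"kind": kind, "export_name": pe_export_name(body) if kind == "pe" else None}

def sample_dll(name=b"aspnet_isapi.dll"):
    """Constructed minimal PE32 DLL image: headers plus one section with an export directory."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", 0x1000, 40) + b"\0" * 120
    sect = struct.pack("<8sIIII", b".edata", 0x100, 0x1000, 0x200, 0x200) + b"\0" * 16
    exports = b"\0" * 12 + struct.pack("<I", 0x1028) + b"\0" * 24 + name + b"\0"
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(0x200, b"\0") + exports.ljust(0x200, b"\0")

if __name__ == "__main__":
    print(triage_favicon(sample_dll()))
```

The export name is only what the image claims about itself, so a match says nothing about whether the file is the genuine DLL; compare a hash against a known-good copy of the same version.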

