[Emerging-Sigs] favicon's as executables

Matt Jonkman jonkman at jonkmans.com
Sat Jan 17 22:56:52 EST 2009


OK, so I see two good sigs out of this idea.

1. favicon requested and an exe returned
Unfortunately to do that we'd have to set a flowbit I think to flag a
request for favicon, then look for the return. Might be too high load for
the benefit?


2. 404 with an exe in it....

This we can do:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; sid:2009028; rev:1;)

Look good to all?

Matt

RPG wrote:
> Interesting, yes I should have looked a little closer at the file, it
> does "advertise" itself as aspnet_isapi.dll
> 
> $ strings favicon.ico  | head
> aspnet_isapi.dll
> GetExtensionVersion
> HttpExtensionProc
> InstallStateService
> RegisterISAPI
> RegisterISAPIEx
> TerminateExtension
> UnregisterISAPI
> Y__^[
> t8WVS
> 
> However, and FWIW, the one aspnet_isapi.dll file that I do have doesn't
> look similar.  Perhaps it's a different version.
> 
> $ strings aspnet_isapi.dll  | head
> CRequestEntry
> zFtmHelper
> g_AspTypelibLock
> ActivitiesPoolLock
> AspDispatchHelper
> zCFreeBufferList::g_lLock
> CCPUEntry
> 
> 
> Nonetheless, if this truly is a "misconfiguration" of IIS/ASP.NET, I
> wonder what it would take to have it serve up other binaries in this
> fashion.
> 
> 
> CunningPike wrote:
>> I have noticed quite a few of these as well. In all our cases, the
>> executable turned out to be a copy of aspnet_isapi.dll.
>>
>> I have a feeling that there is some misconfiguration in IIS/ASP.NET that
>> causes this behavior.
>>
>> CP
>>
>> On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
>>> We have seen a few instances of favicon.ico's coming down as executable
>>> files. In all instances so far the server reports "404 Not Found"
>>> when the browser requests the favicon.ico file yet it serves this little
>>> binary instead.
>>>
>>> DST: HTTP/1.1 404 Not Found
>>> DST: Content-Length: 17416
>>> DST: Content-Type: application/x-msdownload
>>> DST: Server: Microsoft-IIS/6.0
>>> DST: X-Powered-By: ASP.NET
>>> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
>>> DST:
>>> DST: 
>>> MZ...................... at ...............................................!..L.!Th
>>>
>>> $ file favicon.ico
>>> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>>>
>>> $ md5sum favicon.ico
>>> 74e81a65879ffe881a7af525a0254ad8  favicon.ico
>>>
>>> Here's an example URL if you're curious:
>>> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
>>> Download it safely and of course replace the DOT's.  :)
>>>
>>> Virustotal comes up empty and so does threatexpert.com
>>> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
>>> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>>>
>>> Can someone shed light on this little mystery?  TIA
>>>
>>> RPG
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
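As an added illustration (not code from the thread or from Emerging Threats), the two checks Matt describes expressed in Python: a stateless mirror of sig 2 (404 status line within the first 24 bytes, then a CRLFCRLF immediately followed by "MZ") and a small per-flow tracker for the flowbit idea in sig 1 (favicon.ico requested, executable returned). The sample responses are constructed here, modelled on the headers RPG quoted; the flow tuple and regex are assumptions.

```python
import re

# Constructed sample traffic modelled on the 404 response quoted in the thread.
SAMPLE_404_EXE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 17416\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00"
)
# Ordinary 404 whose HTML body happens to contain "MZ" (must not fire).
SAMPLE_404_HTML = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>MZ</html>"
# A 200 carrying a PE under an icon content type (sig 2 misses it, sig 1 catches it).
SAMPLE_200_EXE = b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n\r\nMZ\x90\x00"


def is_404_with_mz(response: bytes) -> bool:
    """Mirror of sig 2: "HTTP/1.1 404 Not Found\\r\\n" within depth 24, then
    "\\r\\n\\r\\nMZ" somewhere after it (distance:0 from the first match)."""
    status = b"HTTP/1.1 404 Not Found\r\n"
    if response[:24].find(status) == -1:          # depth:24
        return False
    return response.find(b"\r\n\r\nMZ", len(status)) != -1


class FaviconFlowTracker:
    """Stateful version of sig 1: remember (per flow) that the last request
    asked for favicon.ico, then flag a response whose body starts with MZ."""

    def __init__(self):
        self._pending = set()   # flows with the "favicon requested" bit set

    def on_request(self, flow, request: bytes):
        # flowbits:set when the request line targets favicon.ico (regex assumed)
        first_line = request.split(b"\r\n", 1)[0]
        if re.match(rb"GET \S*/favicon\.ico(\?\S*)? HTTP/1\.[01]", first_line):
            self._pending.add(flow)
        else:
            self._pending.discard(flow)

    def on_response(self, flow, response: bytes) -> bool:
        # flowbits:isset, then check the body (any status code) for an MZ header
        if flow not in self._pending:
            return False
        self._pending.discard(flow)
        end = response.find(b"\r\n\r\n")
        return end != -1 and response[end + 4:end + 6] == b"MZ"
```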
