
Dipnet Alert

infectionvectors.com

January 2005

 

Vector:       LSASS (MS04-011) & RPC/DCOM (MS04-012) Overflows; shares

Impact:       High (Performs DoS routines, downloads remote code, opens shell)

In the tradition of Agobot, a new botnet agent, Dipnet, hit the Internet during the last week of 2004. Dipnet was released in at least three flavors in late December 2004; each variant uses slightly different file names, but all iterations carry similar functionality. The worm infects Windows machines by copying itself to all reachable network shares, by exploiting the LSASS overflow from April 2004 (MS04-011), or by exploiting the RPC/DCOM overflow from September 2003 (originally MS03-039, superseded by MS04-012), the latter two over TCP 445. The initial version copied itself only via accessible file shares; the author later added the overflow exploits. If an exploit succeeds, Dipnet issues a command to the remote device forcing it to retrieve and execute a copy of the worm.

Once running on a device, Dipnet checks for Internet connectivity by attempting to connect to ebay.com, yahoo.com, and google.com. The worm lets the author reach compromised boxes through a command shell it opens on a seemingly random port; through that shell the controller can download and execute additional code and launch DoS routines.

One report (so far unverified) shows the program issuing the following while running on an infected machine, which may help detect infections if added to an IDS signature, e.g. (Snort syntax; the hex must sit between pipes so it is matched as bytes rather than as the ASCII text of the hex digits, and the rule needs a local sid to load):

      alert tcp $INTERNAL any -> $EXTERNAL any (msg:"Possible Dipnet Infection"; content:"|50 41 53 53 20 73 6F 6D 6F 73 6C 6F 73 6D 75 63 68 61 63 68 6F 73 0D 0A|"; sid:1000001; rev:1;)

The bytes observed:


      50 41 53 53 20 73 6F 6D 6F 73 6C 6F     PASS somoslo

      73 6D 75 63 68 61 63 68 6F 73 0D 0A     smuchachos..


Which, for the curious, is Spanish for (roughly) "we are the boys." The line has the form of the IRC PASS command (a client's server password followed by CRLF), which is consistent with an Agobot-style IRC control channel. Note that "PASS" by itself is ordinary IRC registration traffic; the indicator is the full password string, so a signature should match the whole line, not just the command.

 

Of special note is the use of TCP 11768 by one of the variants. Traffic to this port has shown numerous spikes since December 28, 2004, the original release date of Dipnet. Check sources such as the Internet Storm Center or DShield for more information on that activity:

                          http://isc.sans.org/port_details.php?port=11768 

Additional analysis of the worm in operation is available at LURHQ's site:

                                   http://www.lurhq.com/dipnet.html 
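The following is an added example, not code from infectionvectors.com or from the LURHQ analysis, showing how the two indicators above (the reported PASS line and the TCP 11768 port) can be checked against reassembled TCP flows in the same direction-sensitive way as the Snort rule. The flow records at the bottom are constructed test data, not captured Dipnet traffic, and the 10.x internal range is an assumption standing in for $INTERNAL.

```python
"""Detection helper for the Dipnet indicators in this alert.

Added example, not code from infectionvectors.com or the LURHQ analysis. The
flow records at the bottom are constructed test data, not real captures, and
the 10.x internal range is an assumption standing in for $INTERNAL.
"""
from dataclasses import dataclass
from typing import List, Optional

# The bytes the (unverified) report shows the bot sending: an IRC-style
# "PASS <password>\r\n" line. Hex copied from the alert; bytes.fromhex ignores spaces.
DIPNET_PASS_LINE = bytes.fromhex(
    "50 41 53 53 20 73 6F 6D 6F 73 6C 6F 73 6D 75 63 68 61 63 68 6F 73 0D 0A"
)
assert DIPNET_PASS_LINE == b"PASS somoslosmuchachos\r\n"

# Port that spiked from 28 Dec 2004 for one Dipnet variant (see ISC port details).
DIPNET_PORT = 11768


@dataclass(frozen=True)
class Flow:
    """One TCP flow: source, destination, destination port, reassembled payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def irc_pass_argument(payload: bytes) -> Optional[bytes]:
    """Return the password argument of the first IRC PASS command in payload, or None.

    PASS is ordinary IRC registration traffic; the indicator is the specific
    password, so callers compare the returned value rather than alerting on PASS.
    """
    for line in payload.split(b"\n"):
        line = line.rstrip(b"\r")
        if line[:5].upper() == b"PASS ":
            return line[5:].strip()
    return None


def classify(flow: Flow, internal_prefix: str = "10.") -> List[str]:
    """Return the alert messages a flow triggers (empty list if nothing matched).

    Mirrors the alert's Snort rule: $INTERNAL any -> $EXTERNAL any with the PASS
    line anywhere in the payload. Also flags outbound connections to TCP 11768.
    """
    alerts: List[str] = []
    outbound = flow.src.startswith(internal_prefix) and not flow.dst.startswith(internal_prefix)
    if not outbound:
        return alerts
    if DIPNET_PASS_LINE in flow.payload:
        alerts.append("Possible Dipnet Infection")
    if flow.dport == DIPNET_PORT:
        alerts.append("Outbound TCP 11768 (Dipnet variant port)")
    return alerts


def scan(flows: List[Flow], internal_prefix: str = "10.") -> List[tuple]:
    """Run classify() over flows; return (src, dst, dport, alerts) for flows that fired."""
    hits = []
    for flow in flows:
        alerts = classify(flow, internal_prefix)
        if alerts:
            hits.append((flow.src, flow.dst, flow.dport, alerts))
    return hits


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # Infected host registering with a control server using the reported password.
    Flow("10.0.0.5", "203.0.113.9", 6667, DIPNET_PASS_LINE + b"NICK x\r\nUSER x 0 * :x\r\n"),
    # Legitimate IRC session: PASS present, but a different password. Must not fire.
    Flow("10.0.0.6", "203.0.113.20", 6667, b"PASS hunter2\r\nNICK someone\r\n"),
    # Same bytes between two internal hosts: outside the rule's direction, no alert.
    Flow("10.0.0.7", "10.0.0.8", 6667, DIPNET_PASS_LINE),
    # Outbound connection to the variant's port with no payload yet.
    Flow("10.0.0.9", "198.51.100.4", DIPNET_PORT, b""),
]

if __name__ == "__main__":
    for src, dst, dport, alerts in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {'; '.join(alerts)}")
```

The port check is a weak indicator on its own (any service may use 11768), so treat it as corroboration for the PASS match or as a prompt to pull the full payload, not as a verdict by itself.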

 

Copyright © 2005 infectionvectors.com. All rights reserved.