KeyFocus - KFSensor Knowledge Base - Dameware & MyDoom

Dameware and MyDoom, attack detection

The page describes how to configure KFSensor to detect attacks on Dameware and MyDoom and what to watch out for.

MyDoom

Updated 6 Feb 2004

The MyDoom virus has made headlines around the world and is well documented for its DDoS attacks on sco.com and microsoft.com.

What is less well known is that it installs a back door on the infected system and listens on TCP port 3127. According to reports it allows files to be uploaded and executed on the host machine and provides a proxy service. Other reports suggest over 1 million machines are infected.

We had a look at the code ourselves. It's a neat two-part system: one EXE and one DLL. The DLL is installed via a registry entry in Explorer, which is not a common trick, and it is compressed with UPX to make cracking it much harder. The coding is compact and uses the APIs directly; there is no VB scripting here.

Starting on 6 Feb 2004, attackers began exploiting this worm's back door to upload their own malicious code onto infected machines.
An example is given below.

The following configuration is enough to fool an NMAP scan and to tell the difference between a simple scan and a probe.
It is also good enough to let an attacker upload an executable while the honeypot safely captures the uploaded code.

Configuration

  1. Select the Scenario->Edit Sim Servers... menu and select Add.
  2. Fill in the fields so it is identical to this:

    The full banner text is:
    [04 5B 00 00 00 00 00 00]
  3. Press OK twice.
  4. Select the Scenario->Edit Active Scenario menu.
  5. If you have a listen defined on port 3127 then delete it.
  6. Press the Add button and set up a listen definition.
  7. Select Action Type: Sim Banner and Sim Name: MyDoom.
  8. Press OK twice.

Events

KFSensor began picking up the following attack on 6 Feb 2004.

It looks like an attempt to upload and run an executable on the target machine via the backdoor opened by the MyDoom virus.

The uploaded data is 55813 bytes long.

A hex dump of the first part of the data is given below.

The first 5 bytes "85 13 3C 9E A2" look like a command byte sequence to MyDoom.

The rest of the message starting with MZ looks like a Windows console app.

000000 | 85 13 3C 9E A2 4D 5A 90 00 03 00 00 00 04 00 00 | ..<..MZ.........
000010 | 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 | .............@..
000020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000040 | 00 E0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 | .............!..
000050 | 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 | L.!This program
000060 | 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E | cannot be run in
000070 | 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 |  DOS mode....$..
000080 | 00 00 00 00 00 2C 99 81 7C 68 F8 EF 2F 68 F8 EF | .....,..|h../h..
000090 | 2F 68 F8 EF 2F 13 E4 E3 2F 6A F8 EF 2F EB E4 E1 | /h../.../j../...
0000A0 | 2F 7A F8 EF 2F 07 E7 E5 2F 3A F8 EF 2F 36 DA E4 | /z../.../:../6..
0000B0 | 2F 6B F8 EF 2F 07 E7 E4 2F 61 F8 EF 2F EB F0 B2 | /k../.../a../...
0000C0 | 2F 65 F8 EF 2F 68 F8 EE 2F 10 F8 EF 2F 68 F8 EF | /e../h../.../h..
0000D0 | 2F 6C F8 EF 2F 52 69 63 68 68 F8 EF 2F 00 00 00 | /l../Richh../...
0000E0 | 00 00 00 00 00 50 45 00 00 4C 01 05 00 CF A2 3F | .....PE..L.....?
0000F0 | 3E 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 06 | >...............

Dameware

Dameware is a remote control application similar to VNC and MS RDS. A recently discovered buffer overflow that allows remote code injection has led it to become a hacker favorite.

The following configuration is enough to tell the difference between a simple scan and an attack.

Configuration

  1. Select the Scenario->Edit Sim Servers... menu and select Add.
  2. Fill in the fields so it is identical to this:

    The full banner text is:
    0[11 00 00 D8]|[02 01 D7 A3]p=[0A] [D7 0D]@[00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 07 00 00 00]
  3. Press OK twice.
  4. Select the Scenario->Edit Active Scenario menu.
  5. If you have a listen defined on port 6129 then delete it.
  6. Press the Add button and set up a listen definition.
  7. Select Action Type: Sim Banner and Sim Name: Dameware.
  8. Press OK twice.

Events

Most Dameware connections are scans and will show as an event with 0 bytes received.
Dameware identifies itself with a binary banner, which is enough for a vulnerability check.

An attack on Dameware sends a binary block like this:
0[11 00 00 D8]|[02 01 D7 A3]p= [D7]@[00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00]