New Snort signature for Microsoft SSL Bomb DoS
The following Snort signature may have better detection for the Microsoft SSL Bomb DoS attack than the ones previously published. It was contributed by an external organization, where it has been running without false positives for the duration of the day. Please report any successful detections and/or false positives. There is also an indication that attackers may be changing the published exploit code to avoid detection. The signature below is designed to alert on the root cause of the vulnerability, not on a specific trait of the published exploit.

    alert tcp any any -> $HOME_NET 443 (msg: "SSL Bomb DoS Attempt"; \
      content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; distance:2; \
      within:1; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; \
      flow:to_server,established; classtype:attempted-dos; \
      reference:cve,CAN-2004-0120; \
      reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
      sid:999999; rev:1;)

Functional remote LSASS exploit available in CANVAS

It has been reported that the LSASS exploit developed by Immunity, Inc. ( http://www.immunitysec.com/ ) is functional against Windows 2000 SP4. The vulnerability is fixed by MS04-011. There was a posting to the "Full Disclosure" mailing list with the claim of a different exploit, but this was false.

Local Exploit Released for Windows 2000 Utility Manager Vulnerability

A functional local exploit has been released for CAN-2003-0908. This vulnerability was disclosed on April 13, 2004 and is patched by MS04-011 (835732). The exploit was successful against Windows 2000 SP4. No log entries were found in the system logs. At this time, it appears the exploit is NOT successful against Terminal Server logins because the Utility Manager program cannot be run remotely. If you have additional information about this vulnerability or exploit, please send it to handlers@sans.org.

http://www.k-otik.com/exploits/04152004.UtilManExploit.c.php

Port 905 Increase

There has been a small surge of scanning for port 905. It appears to be an attempt to find the Netdevil.B backdoor/trojan that listens on this port. If you have packet captures of this activity, please submit them.

http://isc.sans.org/port_details.php?port=905
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netdevil.b.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netdevil.html
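To make explicit what the SSL Bomb signature at the top of this diary tests byte by byte, here is an added Python walk-through; it is not part of the original diary and not the contributed signature itself. It mirrors each content, byte_jump and byte_test option on a raw client-to-server TCP payload and feeds it constructed SSLv3 ClientHello samples (not captured traffic). Two points are this example's own reading rather than anything the diary states: that the 2-byte field the rule's byte_test compares is the ClientHello cipher_suites length (which follows from the SSLv3 field layout, 3 length + 2 version + 32 random bytes before the 1-byte session_id length, matching the rule's offset of 37), and the choice not to model the rule's align modifier, which rounds the jump up to a 4-byte boundary and coincides with a plain jump for the usual 0- or 32-byte session ID.

```python
import struct

# SSLv3 handshake layout the rule walks (taken from the protocol, not from the diary).
RECORD_HDR = b"\x16\x03\x00"   # content type 0x16 (handshake), record version 3.0
CLIENT_HELLO = 0x01
# Bytes between the handshake type and the session_id length:
# 3 (handshake length) + 2 (client_version) + 32 (random) = 37, the rule's byte_jump offset.
HELLO_FIXED = 37


def ssl_bomb_rule_matches(payload: bytes) -> dict:
    """Apply the rule's content/byte_jump/byte_test sequence to one TCP payload.

    Returns a dict with 'match' and, when the field is reachable, the value the
    rule's byte_test compared against 255.
    """
    # content:"|16 03 00|"; offset:0; depth:3 -> SSLv3 handshake record at the very start
    if payload[:3] != RECORD_HDR:
        return {"match": False, "reason": "not an SSLv3 handshake record"}
    # content:"|01|"; distance:2; within:1 -> skip the 2-byte record length, require ClientHello
    if len(payload) < 6 or payload[5] != CLIENT_HELLO:
        return {"match": False, "reason": "not a ClientHello"}
    # byte_jump:1,37,relative -> read the 1-byte session_id length 37 bytes on, jump over the ID
    pos = 6 + HELLO_FIXED
    if len(payload) < pos + 1:
        return {"match": False, "reason": "truncated before session_id length"}
    session_id_len = payload[pos]
    pos += 1 + session_id_len   # the rule's align modifier is deliberately not modelled here
    # byte_test:2,>,255,0,relative -> next big-endian 16-bit field: the cipher_suites length
    if len(payload) < pos + 2:
        return {"match": False, "reason": "truncated before cipher_suites length"}
    (value,) = struct.unpack("!H", payload[pos:pos + 2])
    return {
        "match": value > 255,
        "cipher_suites_length": value,
        "reason": "cipher_suites length > 255" if value > 255 else "cipher_suites length within bounds",
    }


def build_client_hello(cipher_suites_len: int, suites: bytes = b"", session_id: bytes = b"") -> bytes:
    """Constructed sample: a minimal SSLv3 ClientHello record for exercising the detector.

    cipher_suites_len is written into the length field independently of len(suites),
    so a test vector can carry the out-of-range length the rule looks for without
    carrying a real cipher list.
    """
    body = (b"\x03\x00"                          # client_version 3.0
            + b"\x00" * 32                        # random (zeroed in the sample)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suites_len) + suites
            + b"\x01\x00")                        # compression_methods: one entry, null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return RECORD_HDR + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    normal = build_client_hello(4, suites=b"\x00\x04\x00\x05", session_id=b"\x11" * 32)
    oversized = build_client_hello(0x0400)
    samples = (("normal ClientHello", normal),
               ("oversized cipher_suites", oversized),
               ("plain HTTP", b"GET / HTTP/1.0\r\n\r\n"))
    for name, pkt in samples:
        print(f"{name:24s} -> {ssl_bomb_rule_matches(pkt)}")
```

Running the block prints one verdict per sample: the well-formed ClientHello and the HTTP request fall through the early checks, and only the record whose cipher_suites length field exceeds 255 produces a match, which is the condition the rule's byte_test encodes. When tuning the real signature, the truncation branches are the cases to watch: a ClientHello split across TCP segments never reaches the byte_test in a single-packet evaluation.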
Handlers, Apr 17th 2004