Class: Exploit
Platform: IIS

Parent class: Malware

Malicious tools are malicious programs designed to automatically create viruses, worms, or Trojans, conduct DoS attacks on remote servers, hack other computers, etc. Unlike viruses, worms, and Trojans, malware in this subclass does not present a direct threat to the computer it runs on, and the program’s malicious payload is only delivered on the direct order of the user.


Class: Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes. Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user. Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Platform: IIS

No platform description

Description

Technical Details

Beavuh is a malware exploit of the so-called MS IIS ".printer" vulnerability, which is described by Microsoft in the "Security Bulletin MS01-023", released May 1, 2001.

The MS01-023 Security Bulletin can be viewed at the following location:

www.microsoft.com/technet/security/bulletin/ms01-023.asp

This exploit program gives remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts.

The exploit program has the following parameters:

  • a destination IP address
  • a destination port number
  • an IP address/port to which the exploiting code will connect back with the command shell.

The remote exploit code gets executed on the target machine if the IIS vulnerability was not previously patched. The code is encrypted so it will first proceed to decrypt itself, and then it will scan the system memory for the Windows NT library ("kernel32.dll"). From there it will acquire the 'offset' of the 'GetProcAddress' function and will further use it to obtain a couple of other API addresses, both from "kernel32.dll" and "wsock32.dll".

Next Beavuh connects to the address specified by the attacker, launches the executable "cmd.exe" and links the input and output of the command shell to the socket opened to the attacker's control machine.

Recommendations

Due to the prevalence of this exploit, we recommend system administrators patch any vulnerable IIS servers as soon as possible. Also, installing the KL ISAPI AV filter provides a generic means of blocking IIS buffer overflow exploits, including this one. For more details, please check:

www.kasperskey.com/support.html?chapter=47
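To illustrate the kind of generic request screening the recommended ISAPI filter performs, here is an added example (not Kaspersky's filter and not code from this description) that inspects raw HTTP requests before they reach the ".printer" handler: requests for a ".printer" resource are held to a tight header-length bound, and any request carrying non-printable bytes in its headers is rejected. The length limits and the sample requests are assumptions constructed for the example; the "padded" request uses plain filler bytes, not any real payload.

```python
"""Generic screening of HTTP requests aimed at IIS ISAPI buffer-overflow
exploits such as the ".printer" one. Added example, not Kaspersky's code."""
import re

MAX_PRINTER_HEADER = 256   # assumed bound; legitimate .printer requests carry short headers
MAX_GENERIC_HEADER = 8192  # assumed bound for every other request
PRINTABLE = re.compile(rb"^[\x20-\x7e\t]*$")  # printable ASCII plus tab

def inspect_request(raw: bytes) -> tuple[bool, str]:
    """Return (blocked, reason) for one raw HTTP request (headers only are examined)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return True, "malformed request line"
    target = parts[1]
    if not PRINTABLE.match(target):
        return True, "non-printable bytes in request target"
    path = target.split(b"?", 1)[0].lower()
    # A request routed to the .printer ISAPI extension gets the strict limit.
    limit = MAX_PRINTER_HEADER if path.endswith(b".printer") else MAX_GENERIC_HEADER
    for line in lines[1:]:
        if not line:
            continue
        if b":" not in line:
            return True, "malformed header line"
        name, value = line.split(b":", 1)
        name = name.decode(errors="replace")
        value = value.strip()
        if not PRINTABLE.match(value):
            return True, f"non-printable bytes in {name} header"
        if len(value) > limit:
            return True, f"{name} header exceeds {limit} bytes"
    return False, "ok"

# Constructed sample traffic: an ordinary page fetch, an ordinary .printer
# request, and a .printer request whose Host header is padded with filler.
SAMPLES = {
    "normal": b"GET /index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "printer_ok": b"GET /doc.printer HTTP/1.0\r\nHost: printsrv\r\n\r\n",
    "printer_padded": b"GET /doc.printer HTTP/1.0\r\nHost: " + b"A" * 300 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        blocked, reason = inspect_request(req)
        print(f"{label:15} {'BLOCK' if blocked else 'allow':5} {reason}")
```

A real filter would also cap the request line and total header size and log the client address, but the two rules shown are the ones that stop an encrypted binary payload smuggled into a header.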
