Security Incidents mailing list archives

Compromised NT box, sniffer and possible backdoor


From: Ron Gula <rgula () NETWORK-DEFENSE COM>
Date: Thu, 12 Oct 2000 11:29:01 -0400

Hi there,

We recently observed an NT box being compromised through RFP's IIS
RDS exploit. The resulting session was grabbed by a Dragon Sensor
and contained a session with apparently three Trojan programs. The
first was a program renamed 'pbrush32' which, when run, printed out
a list of system processes. The second was a program called 'print16'
which possibly affected one of the running processes. What I thought
was really interesting, though, was adding a sniffer to the wins.bat
log file named 'wins16.exe'.

We do not have physical access to the box and are providing advice
to one of our customers. Anyone with similar experience should feel
free to contact me or post to the list.

What I would like to know is if anyone on this list is familiar
with an NT backdoor program which uses these file names as common
replacements for system tools.

All of the IP addresses specified and ports (except for port 80) have
been sanitized. The IP address specified by the sniffer program in the
last line of the session resolved to an NT PDC.

Ron Gula
Dragon IDS
VP IDS Products
Enterasys Networks
http://www.enterasys.com
http://www.securitywizards.com


bash-2.03# sum_event -n -f 00Oct05/dragon.db | grep RDS
[IIS:RDS]                    27  ..............++........
[IIS:RDS-RFP]                12  ..............++........
[IIS:RDS3]                   12  ..............++........


bash-2.03# mksession -ip1 ********* -ip2 *********** -p1 **** -p2 80 -R
** Make Session Tool - Copyright 2000 Network Security Wizards
** http://www.securitywizards.com
** Watching for sessions on ***********
** Watching for sessions on ***********
** Watching for sessions on port ****
** Watching for sessions on port 80
** Replaying both sides of this session
** Date: Thursday October 05 2000
{A}
Microsoft(R) Windows NT(TM){D}{A}
(C) Copyright 1985-1996 Microsoft Corp.{D}{A}
{D}{A}
C:\WINNT\system32>{A}
{A}
{D}{A}
C:\WINNT\system32>{A}
pbrush32{A}
{D}{A}
C:\WINNT\system32>pbrush32{D}{A}
   0 System Process  {D}{A}
   2 System          {D}{A}
  25 SMSS.EXE        {D}{A}
  33 CSRSS.EXE       {D}{A}
  39 WINLOGON.EXE      Workstation Locked{D}{A}
  45 SERVICES.EXE    {D}{A}
  48 LSASS.EXE       {D}{A}
  69 SPOOLSS.EXE     {D}{A}
  92 RPCSS.EXE       {D}{A}
  95 msdtc.exe       {D}{A}
 114 cisvc.exe       {D}{A}
 117 defwatch.exe    {D}{A}
 121 LLSSRV.EXE      {D}{A}
 126 rtvscan.exe     {D}{A}
 149 PSTORES.EXE     {D}{A}
 147 mstask.exe      {D}{A}
 170 WinVNC.exe      {D}{A}
 161 WUSER32.EXE     {D}{A}
 182 inetinfo.exe    {D}{A}
 298 INVWIN32.EXE    {D}{A}
 101 PCMSVC32.EXE    {D}{A}
 307 CMD.EXE         {D}{A}
 309 websearch.exe   {D}{A}
 319 NDDEAGNT.EXE    {D}{A}
  77 EXPLORER.EXE      Program Manager{D}{A}
 205 LOADWC.EXE      {D}{A}
 322 vptray.exe      {D}{A}
 290 PCMWIN32.EXE    {D}{A}
 306 APPCTL32.EXE    {D}{A}
 327 CLIMONNT.EXE    {D}{A}
 320 CMD.EXE         {D}{A}
 238 websearch.exe   {D}{A}
 190 CMD.EXE         {D}{A}
  85 websearch.exe   {D}{A}
 174 CMD.EXE         {D}{A}
 330 websearch.exe   {D}{A}
 269 CMD.EXE         {D}{A}
 286 websearch.exe   {D}{A}
 323 CMD.EXE         {D}{A}
 204 pbrush32.exe    {D}{A}
{D}{A}
C:\WINNT\system32>print16 238{A}
cd ..{A}
cd ..{D}{A}
{D}{A}
C:\WINNT\system32>{A}
{D}{A}
C:\WINNT\system32>echo "wins16.exe "tcp[13] & 2 !=0 and dst ********** and por
t 139\> out.txt"> wins.bat{A}
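The replay above, as an added example that is not part of the original post and not Dragon's own code: a small Python triage script that strips the {D}/{A} CR/LF markers from an mksession replay, pulls out the commands run at the cmd.exe prompt, and flags the indicators the post describes: a batch file dropped with echo, a capture filter on tcp[13] (the TCP flags byte, where & 2 tests the SYN bit) aimed at port 139, and the renamed tool names. The sample replay and its 192.0.2.10 address are constructed.

```python
import re

# Constructed replay fragment in the Dragon mksession style ({D}=CR, {A}=LF).
# The destination address is a documentation placeholder, not from the post.
SAMPLE_REPLAY = r"""C:\WINNT\system32>{A}
pbrush32{A}
{D}{A}
C:\WINNT\system32>pbrush32{D}{A}
   0 System Process  {D}{A}
 204 pbrush32.exe    {D}{A}
{D}{A}
C:\WINNT\system32>print16 238{A}
C:\WINNT\system32>echo "wins16.exe "tcp[13] & 2 !=0 and dst 192.0.2.10 and port 139\> out.txt"> wins.bat{A}
"""

PROMPT = re.compile(r'^[A-Z]:\\[^>]*>(.+)$')          # drive:\path>command
SUSPECT_NAMES = {"pbrush32", "print16", "wins16.exe"}  # tool names from the post
TCP_FLAGS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}

def commands(raw):
    """Commands typed at a cmd.exe prompt, with the CR/LF markers stripped."""
    out = []
    for line in raw.splitlines():
        text = line.replace("{D}", "").replace("{A}", "")
        m = PROMPT.match(text)
        if m and m.group(1).strip():
            out.append(m.group(1).strip())
    return out

def flags_tested(cmd):
    """Names of TCP flags tested by any 'tcp[13] & MASK' expression in cmd."""
    names = []
    for mask in re.findall(r'tcp\[13\]\s*&\s*(\d+)', cmd):
        m = int(mask)
        names += [n for bit, n in TCP_FLAGS.items() if m & bit]
    return names

def indicators(cmd):
    """Human-readable reasons a command looks like post-compromise activity."""
    flags = []
    if re.search(r'^echo\b.*>\s*\S+\.bat\s*$', cmd, re.I):
        flags.append("writes batch file via echo")
    tested = flags_tested(cmd)
    if tested:
        flags.append("packet filter on TCP flags " + "/".join(tested) + " (sniffer)")
    if re.search(r'\bport\s+139\b', cmd):
        flags.append("filter targets NetBIOS session port 139")
    if cmd.split()[0].lower() in SUSPECT_NAMES or any(n in cmd for n in SUSPECT_NAMES):
        flags.append("known-suspect binary name")
    return flags

def triage(raw):
    """(command, reasons) pairs for every flagged command in the replay."""
    hits = []
    for c in commands(raw):
        reasons = indicators(c)
        if reasons:
            hits.append((c, reasons))
    return hits
```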
