Security Incidents mailing list archives

W2K UDP Based DDoS Trojan


From: "Daniel G. Epstein" <depstein () uchicago edu>
Date: Tue, 07 Aug 2001 20:57:55 -0500

Hey all,

We're seeing a small number of Windows 2000/IIS5 machines launching a UDP-based DDoS against several sites. The machines all seem to be receiving brief instructions on UDP 1080 and then launching the attacks. Inspection of the system reveals the file C:\WINNT\System32\leaf2k.exe and a registry entry, HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BrowserSave:REG_SZ:C:\WINNT\System32\leaf2k.exe (or, in one case, "BrowserSave:REG_SZ:leaf2k"). Running netstat, killing the leaf2k.exe process, and rerunning netstat confirms that it is the one opening UDP 1080. Further, killing the process also stops the DoS, so I'm pretty sure we have found the culprit.

Neither our network flow logs nor the IIS logs show an obvious compromise, and we don't have sufficient Eventlog information from the compromised machines to reliably check any other vectors of infection. It seems as if the file creation times are on the morning of 2001.07.11. Is anyone else seeing this sort of thing? Any ideas?

Cheers,

Dan


A boast of "I have been's,"   | Daniel G. Epstein
quoted from foolscap tomes,   | Network Security Officer,
is a shadow brushed away      | Network Security & Enterprise
by an acorn from an oak tree, |  Network Systems Administration
or a salmon in a pool.        | NSIT, The University of Chicago
                              | depstein () uchicago edu

For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml
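The triage the post describes (Run-key persistence, the dropped binary in System32, and the process bound to UDP 1080) as an added host check in PowerShell; this is not part of the original message. It assumes a Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated shell, and takes its indicators (value name BrowserSave, image leaf2k.exe, UDP 1080) from the post.

```powershell
# Added triage check, not from the original post. Indicators from the post:
# Run value "BrowserSave", image leaf2k.exe (sometimes a bare "leaf2k"), UDP 1080.
$RunKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$SuspectName = 'BrowserSave'
$SuspectExe  = 'leaf2k.exe'
$SuspectPort = 1080

# 1. Persistence: walk every Run value and flag the reported name or image.
#    Match on the leaf name so both the full path and the bare "leaf2k" form hit.
$runValues = Get-ItemProperty -Path $RunKey
foreach ($prop in $runValues.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }        # skip PowerShell metadata properties
    $image = [System.IO.Path]::GetFileName((("$($prop.Value)" -replace '"', '').Split(' ')[0]))
    $bare  = [System.IO.Path]::GetFileNameWithoutExtension($SuspectExe)
    if ($prop.Name -eq $SuspectName -or $image -ieq $SuspectExe -or $image -ieq $bare) {
        Write-Warning "Run value '$($prop.Name)' = '$($prop.Value)' matches reported indicator"
    }
}

# 2. Network: which processes own a UDP socket on the control port?
#    This replaces the netstat / kill / netstat comparison from the post.
Get-NetUDPEndpoint -LocalPort $SuspectPort -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $proc.ProcessName
        Path         = $proc.Path
    }
}

# 3. File: timestamps of the dropped binary (the post dated creation to 2001-07-11).
$file = Join-Path $env:SystemRoot "System32\$SuspectExe"
if (Test-Path $file) {
    Get-Item $file | Select-Object FullName, CreationTime, LastWriteTime, Length
}
```

Run it before terminating anything so the owning PID and file times are recorded; the endpoint list should be empty once the process is gone, mirroring the before/after netstat comparison in the post.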


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
