RE: Can anyone identify this backdoor?

["Richard Bartlett" <richard () hackerimmunity demon co uk>]

Matt,

I've done a quick analysis on this and come up with the following;

(1) cc.exe is a self extracting executable which will write the following
files;
 C:\info.bat (uses info.exe to write to a.htm)
 C:\info.exe (writes system information including volume sizes, free space
etc.)
 C:\lol.bat  (runs iissrvs.exe, tries to delete the startup log and runs
info.bat)
 C:\recycler\CMD.EXE (possibley geniune cmd.exe from a version of NT/2K/XP,
source unknown)
 C:\recycler\hk.exe (detected by Sophos AV 3.59 as 'Troj/Hk', demonstration
exploit for 'Spoofed LPC Port Request', see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/ms00-003.asp for ms article, and
http://www.nmrc.org/files/nt/hk-0.1.zip for a download of the exploit and
the source code.
 C:\recycler\iis.dll (file used by iissrvs.exe, Serv-U FTP Server v3.0)
 C:\recycler\iisl.dll (file used by iissrvs.exe, Serv-U FTP Server v3.0)
 C:\recycler\iissrvs.exe (renamed Serv-U FTP Server v3.0)
 C:\recycler\JAsfv.dll (used by Jasfv.exe)
 C:\recycler\JAsfv.exe ("Just Another SFV Checker", uses CRC-32 technology
to check each file and notifies you of any potentially bad, corrupt,
incorrect size or missing files).
 C:\recycler\JAsfv.ini (used by Jasfv.exe)
 C:\recycler\Localstart.cnf (config file used to start iissrvs.exe)
 C:\recycler\nc.exe (netcat for nt)
 C:\recycler\pskill.exe (process kill)
 C:\recycler\tlist.exe (process list)
(2) after extraction it runs lol.bat which runs the ftp server, bound to
port 1664 (see LocalStart.cnf).  There are two users, Axx and Juliana,
defined on the FTP server.
(3) there appears to be no attempt to write to the registry to allow the ftp
server to restart when the server is rebooted, the only places cc.exe writes
to in the registry is HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed, not
sure why.

I would guess that this compromise was probably for warez kiddies who wanted
to dump cracked software/mp3 etc on your server.  The a.htm file indicates
that volume size and free space is a priority, so that's my reasoning.

Hope this helps, get the server patched, delete the files listed above and
watch out for new exploits!

Richard Bartlett
Hacker Immunity Ltd

-----Original Message-----
From: Matt Andreko [mailto:mandreko () ori net]
Sent: 10 July 2002 22:58
To: incidents () securityfocus com
Subject: Can anyone identify this backdoor?


Apparently over the holiday, one of my client's machines was broken
into.  It was running Windows 2000 Pro, with IIS installed (webserver
only, no ftp,smtp..)  Apparently the attacker got in through this.  The
logs show some Unicode in the requests, so I'd bet that's it.

A file was deposited in the c:\winnt\system32\ folder named "cc.exe".  I
have studied it a little bit, and it seems quite interesting.  It's
actually a winrar self-executable file.  Inside contains what I believe
a stripped down copy of serv-u ftp server, messages for that server, and
some other interesting tools.  There's a cmd.exe file, which doesn't
match the size of the one in c:\winnt\system32, so it could be
backdoored.

I was basically wondering if anyone had seen anything like it, or could
identify it.  I have put a copy up temporarily on my webserver at
http://www.criminalsmostly.com/~mandreko/cc.zip








----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com