Security Incidents mailing list archives

More info about found Win2K "rootkit"


From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Wed, 20 Nov 2002 16:30:06 +0100

Hi.

As I posted yesterday (repeated; I sent the original post on Friday), I found a
rootkit on one compromised machine.
Here are the details I have managed to analyze so far:

1) It didn't install in the same dir on all machines; however, part of the rootkit
was in the c:\winnt\system32\drivers\etc\tools directory on all compromised
machines. The tools directory only contains the Serv-U ftp daemon, which appears on
random ports (it was 56321 and 22222 on the compromised machines).
Upon connecting to the ftp daemon port you get the following banner (same as we saw
previously on this mailing list):

220-Serv-U FTP Server v4.0 for WinSock ready...
220-===================================================
220-               -== HEH ==-
220-===================================================
220-You are Connecting From XXXXXXXXXX
220-3 users have visited in the last 24 hours.
220-This server has been running for
220-0 Days, 23 Hours, 36 Mins, 58 Secs
220-===================================================
220-Amout of Logins Since Server Started:   1 total
220-Logged in Users:     1
220-Total Kb downloaded:     2 Kb
220-Total Kb uploaded:       0 Kb
220-Amout of Files downloaded:  0
220-Amout of Files uploaded:    0
220-Average Speed: 0.000 Kb/sec
220-Current Speed: 0.000 Kb/sec
220-Free Disk Space:   254.74 MB
220 ===================================================


2) A directory named "Win" contains the actual rootkit, which the hacker used to
change the local security policy and some other things. This directory was in
different places on the compromised machines. The two main scripts in this directory
are called secure.bat and secure1.bat, and they are exactly the same as Mike
Cain posted on this mailing list, but my secure1.bat script had the field for
deleting the IPC$ share uncommented.
Basically, the scripts are pretty simple: the first one puts all local security
parameters in a temp file and applies that file with the secedit.exe command. It
practically sets default password aging times, turns off some of the
auditing, modifies some lanman settings, does a lot of work with privilege
rights and various SIDs (most of which seems pretty default to me) and adds
one user on the machine. The username and password of the account it adds are the same in
Mike's scripts and mine.

3) The last thing to mention I found is an IRC offer bot, sitting in the Win directory.
It's started under the name win.exe and it is a cygwin-compiled binary. Upon
starting it will join some of the predefined EFNet servers (it has the whole list in
it) and the channel #additcz. I joined that channel and confirmed that it has
hundreds of other bots in it (all compromised machines), most of them
serving some warez.

I'll post more information when (and if :) I get it.

Best regards,

Bojan Zdrnja
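Added example (my own code, not part of Bojan's post or of any tool mentioned in it): a small Python checker that parses an FTP greeting as an RFC 959 multi-line reply and reports which of the indicator strings from the banner quoted above are present, together with the advertised uptime. The sample banner is copied (trimmed) from the post; the benign ProFTPD greeting, the indicator names and the check_listener() helper are my own constructions. Only the "HEH" tag is treated as a strong signal, since Serv-U itself is a legitimate product.

```python
import re
import socket

# Greeting as quoted in the post above, trimmed (the connecting host was
# already masked by the author). Used as the sample input for the checker.
SAMPLE_BANNER = (
    "220-Serv-U FTP Server v4.0 for WinSock ready...\r\n"
    "220-===================================================\r\n"
    "220-               -== HEH ==-\r\n"
    "220-===================================================\r\n"
    "220-You are Connecting From XXXXXXXXXX\r\n"
    "220-3 users have visited in the last 24 hours.\r\n"
    "220-This server has been running for\r\n"
    "220-0 Days, 23 Hours, 36 Mins, 58 Secs\r\n"
    "220-===================================================\r\n"
    "220-Amout of Logins Since Server Started:   1 total\r\n"
    "220 ===================================================\r\n"
)

# Constructed, unremarkable greeting for comparison (not from the post).
BENIGN_BANNER = "220 ProFTPD Server ready.\r\n"

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
UPTIME = re.compile(r"(\d+) Days, (\d+) Hours, (\d+) Mins, (\d+) Secs")

# Strings taken from the banner in the post. Indicator names are my own.
INDICATORS = {
    "servu_banner": re.compile(r"Serv-U FTP Server v4\.0", re.I),
    "heh_tag": re.compile(r"-==\s*HEH\s*==-"),
    "misspelled_amount": re.compile(r"\bAmout of\b"),
}


def parse_ftp_greeting(raw):
    """Split an RFC 959 reply into (code, list of text lines).

    Continuation lines look like 'NNN-text'; the final line is 'NNN text'.
    Anything after the terminating line is ignored.
    """
    code = None
    texts = []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            continue  # tolerate stray blank or non-reply lines
        line_code, sep, text = m.groups()
        if code is None:
            code = line_code
        elif line_code != code:
            continue  # a differently numbered line cannot belong to this reply
        texts.append(text)
        if sep == " ":
            break  # final line of the multi-line reply
    return code, texts


def assess_banner(raw):
    """Report matched indicators and the advertised uptime in seconds."""
    code, texts = parse_ftp_greeting(raw)
    body = "\n".join(texts)
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    uptime = None
    m = UPTIME.search(body)
    if m:
        days, hours, mins, secs = (int(x) for x in m.groups())
        uptime = ((days * 24 + hours) * 60 + mins) * 60 + secs
    return {
        "code": code,
        "lines": len(texts),
        "matched": matched,
        "suspicious": "heh_tag" in matched,  # the hidden tag is the real tell
        "uptime_seconds": uptime,
    }


def check_listener(host, port, timeout=5.0):
    """Grab the greeting from a listener on a host you administer and assess it.

    Reads until the terminating 'NNN ' line arrives or the socket goes quiet.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            buf += data
            if re.search(rb"^\d{3} ", buf, re.M):
                break
    return assess_banner(buf.decode("latin-1"))


if __name__ == "__main__":
    print(assess_banner(SAMPLE_BANNER))
    print(assess_banner(BENIGN_BANNER))
```

Running the block prints the assessment of the quoted banner (all three indicators, suspicious=True, uptime 85018 seconds) and of the benign greeting (nothing matched). check_listener() is there for checking the unexpected high ports the post describes (56321, 22222) on machines you are responsible for; it is not exercised offline.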


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
