Security Incidents mailing list archives

Re: strange windows behaviour.


From: John Sage <jsage () finchhaven com>
Date: Tue, 7 Oct 2003 10:03:30 -0700

Peter:

On Mon, Oct 06, 2003 at 01:05:13PM -0700, Peter Moody wrote:
> Hello all,
> 
> I've got a bit of a problem, and I was wondering if anyone on this list
> has seen similar things.  Recently, we've been having student windows
> machines on our residential network begin spewing large, massive (on the
> order of hundreds of thousands in a few hours) spam messages at our mail
> servers.  We promptly disconnect the machines and head down to do some
> forensic work on the boxes when we get a chance (usually after they call
> to complain that the internet has died).
> 
> I've been trying to find information on this, but the most I've been
> able to come up with is an advisory from symantec's threat management
> system saying Mprox (some sort of MS proxy) is to blame.  None of the
> machines I've gone and examined have had this program running or on the
> system anywhere for that matter.
> 
> Has anyone else had similar problems of late?  This all started for us
> about a week ago and it's showing no signs of going away any time soon.

You may be interested in this 09/06/03 post to the UNISOG maillist
(unisog () sans org):

/* begin post fragment */

From: Paul Russell <prussell () nd edu>
To: unisog () sans org
Subject: [unisog] Spam from student-owned computers
Date: Mon, 06 Oct 2003 15:51:12 -0500

In the past ten days, we have had five incidents in which
student-owned computers in our residence hall network (ResNet) were
used to send large quantities of spam. I have seen similar reports
from other sites, so I thought some of you might be interested in our
experience. Appended below are the case notes from one of these
incidents. The report has been edited to remove all personal
identification information. The analysis of the student's workstation
was performed by a member of our Information Security team.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame

*** NOTES 10/06/2003 08:05:21 AM ******** Action Type: Add'tl
Info. Rec'd. Visited student's workstation last Friday afternoon. Upon
running 'tcpview' dozens of processes, all running as svchost.exe,
appeared to be listening to a variety of high-level ports.  After
installing and updating McAfee Enterprise 7 VS, his machine was
gracefully powered down, then turned back on while unplugged from the
network.  A scan of all files on his workstation revealed no viruses.
Also, the machine was fully patched (he had automatic updates turned
on under XP).  All of the unusual svchost.exe processes disappeared
(which was expected given the lack of a network connection). I then
noticed a process named 'winsrvn.exe' listening on port 1033 UDP, as
well as 'system:4' listening on 1030 TCP.

Checking all of the programs that were automatically started at boot,
it appeared as though the student had a lot of optional things running
in the background, including winsrvn.exe.  He believed that this
particular program was installed as part of Purity Scanner, which,
apparently, scans one's hard drive for inappropriate materials.  It
turns out that Purity is actually adware, and is often bundled with
Grokster (P2P program).  Further, it looked as though the student was
using Grokster.  From what I've been able to find with a web search,
Grokster sometimes includes ancillary software that may contain back
doors.  I had the student email me a zip of the winsrvn.exe for later
examination.  The other mysterious process (system:4) seemed to
disappear after I removed winsrvn.exe (perhaps the two were
related?).

/* end post fragment */


HTH..


- John
-- 
"You are in a twisty maze of weblogs, all alike."
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
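The triage in the quoted case notes (many svchost.exe instances listening on high ports, then a stray image such as winsrvn.exe with a socket of its own) can be scripted over a listener table. The following is an added example, not code from either post: it parses a constructed sample in the row layout of Windows `netstat -ano`, joins it to a hypothetical PID-to-image map (the kind of mapping `tasklist` would supply), and flags listeners that do not belong to a known image or that pile up under svchost.exe on ports above 1023. The known-image set, port threshold and svchost limit are assumptions to be tuned per site.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of "netstat -ano" (not captured from the
# machine in the post): proto, local address, foreign address, state, PID.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2411           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:2412           0.0.0.0:0              LISTENING       1521
  TCP    0.0.0.0:2413           0.0.0.0:0              LISTENING       1522
  UDP    0.0.0.0:1033           *:*                                    1644
"""
# Hypothetical PID -> image mapping, as "tasklist" would report it.
PID_TO_IMAGE = {932: "svchost.exe", 4: "System", 1520: "svchost.exe",
                1521: "svchost.exe", 1522: "svchost.exe", 1644: "winsrvn.exe"}

# Assumed baseline: images that normally own listening sockets on a stock
# desktop; anything else with a socket is worth a closer look.
KNOWN_LISTENERS = {"System", "svchost.exe", "lsass.exe"}
HIGH_PORT = 1024             # ports at or above this count as "high"
SVCHOST_HIGH_PORT_LIMIT = 2  # more svchost.exe high-port listeners than this is odd


def parse_listeners(text: str) -> List[Tuple[str, int, int]]:
    """Return (proto, port, pid) for every LISTENING TCP row and every UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # blank or header line
        proto, local = parts[0], parts[1]
        if proto == "TCP" and "LISTENING" not in parts:
            continue                      # established/closing TCP rows are not listeners
        port = int(local.rsplit(":", 1)[1])
        rows.append((proto, port, int(parts[-1])))
    return rows


def triage(text: str, pid_to_image: Dict[int, str]) -> List[str]:
    """Flag unexpected listener images and an excess of svchost.exe high-port listeners."""
    findings = []
    svchost_high = 0
    for proto, port, pid in parse_listeners(text):
        image = pid_to_image.get(pid, "<unknown>")
        if image not in KNOWN_LISTENERS:
            findings.append(f"unexpected listener {image} pid={pid} {proto}/{port}")
        if image == "svchost.exe" and port >= HIGH_PORT:
            svchost_high += 1
    if svchost_high > SVCHOST_HIGH_PORT_LIMIT:
        findings.append(f"{svchost_high} svchost.exe listeners on ports >= {HIGH_PORT}")
    return findings
```

On a live box the two inputs come from `netstat -ano` and `tasklist`; a hit on the svchost count is a prompt to pull the box off the network and check what each instance is hosting, as the case notes did.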
