Security Incidents mailing list archives

Re: strange windows behaviour.


From: J Mike Rollins <rollins () wfu edu>
Date: Thu, 9 Oct 2003 19:39:45 -0400 (EDT)


I have seen this before.  I noticed that the Trojan performed a DNS lookup
on l0g.org.  When the IP number was returned, the Trojan would then go to
the http://l0g.org/cgi-bin/ref.cgi script.  (I suspect the Trojan has to
check-in with a server on the Internet.)

To thwart this communication, I propose the following as an idea:

1. Modify your DNS servers to be authoritative for l0g.org
2. Create a webserver to respond as l0g.org and map l0g.org to
   this web server.
3. Create a cgi-bin/ref.cgi script to record the IP numbers
   of the REMOTE_HOST to a web page.
4. Now you have a web page recording all of your infected machines, and
   you have stopped the Trojan from checking in with the server on the
   Internet.

I think this will prevent some spam until the creator finds some new
ideas.

I have noticed that the IP number for l0g.org has been remapped a few
times over the past couple of weeks.

I currently have no ideas on how to clean the machine of the Trojan.

There seem to be two files associated with this:

A file which will install the Trojan on a machine:
        Filename:  somename.exe
        Size: 58368 Bytes.
        MD5: c41e11cc50acd26915963e073981c682

The actual Trojan:
        Filename:   C:\WINDOWS\System32:somename.dll
        Size: 113152 Bytes
        MD5: 42c94aa38c98b80c0c9c5ba0922fef52


On Thu, 9 Oct 2003, Jeff Kell wrote:

J Mike Rollins wrote:
I have just tested the ideas expressed here and have to report that
streams can still be a threat.

When I try to make a copy of the dll stored within the stream, the virus
scanning software does find it.

However, when I run the contents of the dll stream by using rundll32 the
program is not caught by the virus scanning software.  And the trojan
continues to execute undetected.

All I see is spam starting to spew from an otherwise quiet machine (most
cases) although we have also had two cases of machines spoofing source
addresses and attacking (a) an IRC server and (b) somebody's identd.

This is happening here and I have one machine under quarantine in the
testbed.  Symantec NAV latest DATs doesn't detect anything.  Spybot
latest signatures doesn't detect anything.  Ad-Aware doesn't find
anything.  McAfee's freebie Stinger doesn't find anything.  Yet if it is
connected to the network when it boots, some process comes up, makes a
few connection attempts to remote addresses, port 80; then it opens up
two random high-numbered TCP ports and listens.  Telnetting to them and
entering much of anything causes it to close the connection and respawn.

In ActivePorts it lists the owning process name as the same as some
other existent process in the list (e.g., explorer.exe, svchost.exe) but
will have a unique PID in the task list.  Using ActivePort's terminate
process feature on it causes the two sockets to disappear, only to be
immediately followed by the original behavior -- connects to an outside
address port 80 (not always the same address, mind you), followed by two
different high-numbered ports opened and listening.

There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce
which appears to be a random string, 'bzyrczu' or something similar, and
the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'.  Of course
I can't find any file by that name by traditional means (before reading
this thread on NTFS streams).

Attempting to delete the registry keys for /Run and /RunOnce appear to
work, but when you go back to check, the keys have "reinstalled"
themselves.  Even starting up in safe mode with network unplugged, you
can't delete the registry keys, even with System Restore disabled (this
is an XP Home Edition box).

I plan on getting a packet capture of the beast's activity tomorrow.
And assuming that the thing does exist as a stream, I'll try to capture
the binary.

Jeff



Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins              rollins () wfu edu
     Wake Forest University     http://www.wfu.edu/~rollins
        Winston-Salem, NC            work: (336) 758-1938
======================================================================
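A concrete form of the cgi-bin/ref.cgi script from steps 2 and 3 of the sinkhole idea above, added here as an example; it is not code from the original message. Step 1 (making your resolvers authoritative for l0g.org) is left to the DNS server configuration. Two details a practitioner should know: CGI always exposes the peer's IP as REMOTE_ADDR, while REMOTE_HOST is only filled in when the web server does reverse lookups, so the record is keyed on the IP; and the list of infected machines is written out separately (`--report`) rather than returned to whoever polls the URL, so the check-in itself reveals nothing. The log path is an assumption.

```python
#!/usr/bin/env python3
"""Sinkhole handler for the Trojan's check-in URL (added example).

Install as cgi-bin/ref.cgi on the web server that your internal DNS now
answers for l0g.org. Each hit is appended to a tab-separated log keyed
on the peer's IP address. The check-in itself gets an empty 200 reply;
the report of infected hosts is produced separately with --report so it
is never served back to the machines (or anyone else) polling the URL.
"""
import os
import sys
import time

# Assumed log location; adjust for your host. The web server's uid needs write access.
LOG_PATH = "/var/log/sinkhole/ref.log"


def _clean(value):
    """Keep one record per line: strip the field and line separators."""
    return value.replace("\t", " ").replace("\n", " ").replace("\r", " ")


def record_checkin(environ, log_path=LOG_PATH):
    """Append one record for this request and return the fields written.

    CGI always sets REMOTE_ADDR to the peer's IP. REMOTE_HOST is only
    populated when the server does reverse lookups, so the IP is the key
    and the name, if any, is an extra column.
    """
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "ip": environ.get("REMOTE_ADDR", "unknown"),
        "name": environ.get("REMOTE_HOST", "-"),
        "host_header": environ.get("HTTP_HOST", "-"),
        "query": environ.get("QUERY_STRING", ""),
        "user_agent": environ.get("HTTP_USER_AGENT", "-"),
    }
    fields = ("time", "ip", "name", "host_header", "query", "user_agent")
    line = "\t".join(_clean(record[k]) for k in fields)
    os.makedirs(os.path.dirname(log_path) or ".", exist_ok=True)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return record


def infected_hosts(log_path=LOG_PATH):
    """Distinct IPs in the log with first/last seen time and check-in count."""
    hosts = {}
    try:
        with open(log_path, encoding="utf-8") as fh:
            for raw in fh:
                parts = raw.rstrip("\n").split("\t")
                if len(parts) < 3:
                    continue  # skip a malformed line rather than abort the report
                stamp, ip, name = parts[0], parts[1], parts[2]
                entry = hosts.setdefault(
                    ip, {"name": name, "first": stamp, "last": stamp, "count": 0})
                entry["last"] = stamp
                entry["count"] += 1
    except FileNotFoundError:
        pass  # nothing has checked in yet
    return hosts


def render(hosts):
    """Plain-text table, busiest client first, for the ops-only web page."""
    lines = ["ip\tname\tfirst_seen\tlast_seen\tcheckins"]
    for ip, e in sorted(hosts.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        lines.append(f"{ip}\t{e['name']}\t{e['first']}\t{e['last']}\t{e['count']}")
    return "\n".join(lines) + "\n"


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if argv == ["--report"]:
        # e.g. from cron: ref.cgi --report > /var/www/internal/infected.txt
        sys.stdout.write(render(infected_hosts()))
        return
    record_checkin(os.environ)
    # Empty 200: the Trojan has "checked in" but learns nothing from the reply.
    sys.stdout.write("Content-Type: text/plain\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    main()
```

The script needs CGI enabled for cgi-bin and the execute bit set; restrict the generated report file to your operations network, since it is effectively a list of compromised hosts. Because the script never trusts anything in the request beyond logging it, a Trojan that changes its query string or User-Agent after the author "finds some new ideas" still shows up in the log.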

