Security Incidents mailing list archives
Re: strange windows behaviour.
From: J Mike Rollins <rollins () wfu edu>
Date: Thu, 9 Oct 2003 19:39:45 -0400 (EDT)
I have seen this before. I noticed that the Trojan performed a DNS lookup on l0g.org. When the IP number was returned, the Trojan would then go to the http://l0g.org/cgi-bin/ref.cgi script. (I suspect the Trojan has to check in with a server on the Internet.)

To thwart this communication, I propose the following as an idea:

1. Modify your DNS servers to be authoritative for l0g.org.
2. Create a webserver to respond as l0g.org and map l0g.org to this web server.
3. Create a cgi-bin/ref.cgi script to record the IP numbers of the REMOTE_HOST to a web page.
4. Now you have a web page recording all of your infected machines, and you have stopped the Trojan from checking in with the server on the Internet.

I think this will prevent some spam until the creator finds some new ideas. I have noticed that the IP number for l0g.org has been remapped a few times over the past couple of weeks.

I currently have no ideas on how to clean the machine of the Trojan.

There seem to be two files associated with this:

A file which will install the Trojan on a machine:
  Filename: somename.exe
  Size: 58368 Bytes
  MD5: c41e11cc50acd26915963e073981c682

The actual Trojan:
  Filename: C:\WINDOWS\System32:somename.dll
  Size: 113152 Bytes
  MD5: 42c94aa38c98b80c0c9c5ba0922fef52

On Thu, 9 Oct 2003, Jeff Kell wrote:
> J Mike Rollins wrote:
> > I have just tested the ideas expressed here and have to report that streams can still be a threat. When I try to make a copy of the dll stored within the stream, the virus scanning software does find it. However, when I run the contents of the dll stream by using rundll32 the program is not caught by the virus scanning software. And the trojan continues to execute undetected.
>
> All I see is spam starting to spew from an otherwise quiet machine (most cases) although we have also had two cases of machines spoofing source addresses and attacking (a) an IRC server and (b) somebody's identd.
>
> This is happening here and I have one machine under quarantine in the testbed. Symantec NAV latest DATs don't detect anything. Spybot latest signatures don't detect anything. Ad-Aware doesn't find anything. McAfee's freebie Stinger doesn't find anything.
>
> Yet if it is connected to the network when it boots, some process comes up, makes a few connection attempts to remote addresses, port 80; then it opens up two random high-numbered TCP ports and listens. Telnetting to them and entering much of anything causes it to close the connection and respawn. In ActivePorts it lists the owning process name as the same as some other existent process in the list (e.g., explorer.exe, svchost.exe) but will have a unique PID in the task list. Using ActivePort's terminate process feature on it causes the two sockets to disappear, only to be immediately followed by the original behavior -- connects to an outside address port 80 (not always the same address, mind you), followed by two different high-numbered ports opened and listening.
>
> There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce which appears to be a random string, 'bzyrczu' or something similar, and the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'. Of course I can't find any file by that name by traditional means (before reading this thread on NTFS streams).
>
> Attempting to delete the registry keys for /Run and /RunOnce appears to work, but when you go back to check, the keys have "reinstalled" themselves. Even starting up in safe mode with network unplugged, you can't delete the registry keys, even with System Restore disabled (this is an XP Home Edition box).
>
> I plan on getting a packet capture of the beast's activity tomorrow. And assuming that the thing does exist as a stream, I'll try to capture the binary.
>
> Jeff
Mike
Network Operations and Security, Wake Forest University
======================================================================
J. Mike Rollins                          rollins () wfu edu
Wake Forest University                   http://www.wfu.edu/~rollins
Winston-Salem, NC                        work: (336) 758-1938
======================================================================
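As an added example (not code from the thread, Mike or Jeff), the following Python script scans a .reg export of the Run/RunOnce keys for values whose command launches a DLL out of an NTFS alternate data stream, the persistence shape Jeff describes ('rundll32 C:\Windows\System32:bzyrczu.dll'); the registry export embedded below is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Key header for a Run or RunOnce autostart key under any hive.
RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\(?:Run|RunOnce))\]$', re.IGNORECASE)
# "name"="data" lines; REG_SZ data in a .reg export is quoted and backslash-escaped.
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# A path with a second colon after the drive colon: C:\dir\file:stream.
# Requiring a backslash path before the stream colon excludes the drive letter.
ADS_RE = re.compile(r'([A-Za-z]:\\[^:"\s]+):([^\s"\\:]+)')

@dataclass
class Finding:
    key: str        # registry key the value lives under
    name: str       # value name (random string in the thread)
    command: str    # unescaped command line
    host_path: str  # file or directory carrying the stream
    stream: str     # stream name, e.g. bzyrczu.dll

def unescape(data):
    # Undo .reg escaping (\\ -> \ and \" -> ") in a single pass.
    return re.sub(r'\\(.)', r'\1', data)

def find_ads_autoruns(reg_text):
    """Return one Finding per Run/RunOnce value whose command names a stream."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):            # new key: track only Run/RunOnce
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None
            continue
        v = VALUE_RE.match(line)
        if key is None or v is None:
            continue
        name, command = v.group(1), unescape(v.group(2))
        ads = ADS_RE.search(command)
        if ads:
            findings.append(Finding(key, name, command, ads.group(1), ads.group(2)))
    return findings

# Constructed export: one benign entry plus the pattern from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /silent"
"bzyrczu"="rundll32 C:\\Windows\\System32:bzyrczu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"bzyrczu"="rundll32 C:\\Windows\\System32:bzyrczu.dll"
'''

if __name__ == "__main__":
    for f in find_ads_autoruns(SAMPLE_REG):
        print(f"{f.key}\\{f.name}: stream '{f.stream}' on {f.host_path}")
```

Run it against a real `reg export` of the Run and RunOnce keys; a benign entry that merely lives under a path with a drive letter is not flagged, only one whose command names a stream.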