Security Incidents mailing list archives

Re: very weird traffic


From: Michiel van de Garde <security () marketxs com>
Date: Tue, 30 Mar 2004 15:17:01 +0200

On Sun, 2004-03-21 at 00:20, cass7 () shaw ca wrote:

> If I search for "eyes wired shut" I will get up to 15,000 hits for this one title (madonna got 1597 hits this AM;
> britney spears got 4971; eyes wired shut got 11,458 hits). This file name is the most dramatic, but there are similar
> results with other searches based on what they are reporting in their shared folder.
> There are about 30 names but the hash at the end of the name will be different, i.e. user123_45678; user234_56897;
> user489_78546; user789_78956 etc. For example the first 5 nicknames generated 100+ nicknames with different hashes only
> and over 1,000 files listed.
> Also the reported connection to winmx is different from hash to hash - could be anything from 13.3K to T3. The
> number of open slots will also differ from name to name (136 of 136 available etc).

I think what you're seeing could be some kind of zombie botnet that uses
winmx to keep track of all infected hosts so the individual hosts can
find their peers and keep something like a zombie p2p network going. 

Something similar was done using gnutella cache servers and one of the
more recent microsoft outlook virus outbreaks (can't remember which one,
so many lately).

> When the user is browsed for shared files, the files shared are nearly the same. Also all are sharing on C:\Music.
> When you attempt to download a file from one of these users you will receive a "connection refused" message. If you
> try searching for another based on the file's hash you might get one hit and you won't be able to download that either.

Sounds plausible, they try to emulate a normal client until you
actually start interacting with one.

> When tcp view is run while trying to download one of these files the IPs are the same (one is a computer on a
> network I think

No surprise there...

>  - ending numbers are .19, .20 and .21). 6 IPs no matter which name you choose from the list of 18,000 listed
> titles.

Is "tcp view" a feature within winmx or is it a real network traffic
analyzer?

> At the same time you have the same 30 nicknames trying to upload any files you have. Difference is
> 1: they aren't sharing any files
> 2: They always bypass the user's queue
> 3: the file always times out. The files they are trying to upload aren't specific to any file type but seem to be
> mostly small files, txt, jpg etc.

Apart from your very confusing use of the word "uploading" it looks like
they are just trying to mimic a real client by doing searches every now
and then and downloading something small that doesn't have the risk of
hogging resources and increasing visibility on the hacked machine
because the download is taking too long.

> If I block the 6 IPs in my firewall I still get these same nicknames trying to upload from me. Blocking the whole IP
> range for each doesn't work either. Which leads me to the conclusion those 6 IPs aren't the only ones doing this. My
> feeble attempts at getting the IPs from the uploaders have been unsuccessful.

This indicates to me that "tcp view" isn't very accurate or reliable,
it's that or the firewall you are using doesn't work. There are likely
to be more than 6 hosts in any kind of zombie botnet.

> So essentially you have 6 IPs who have created 30 names with hundreds of ending hashes, generating over 10,000 hits
> for one file name. You have another unknown set of IPs with the same names not sharing any files and attempting to
> upload. Odd and I don't know what to make of it.

Some packet dumps would be nice; maybe they reveal the real origin of
those clients, which could give you something to work with.

-- 
Michiel van de Garde
Operations Engineer
MarketXS.com BV
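An added example, not code from the thread or from either poster, that applies the reasoning above to a constructed log of download attempts: it groups sightings by peer IP so that many nicknames resolving to a few hosts that always refuse transfers stand out, and it counts how many hash suffixes and IPs each nickname stem spans. The "nickname ip outcome" log format and the sample addresses are assumptions.

```python
# Added example, not from the thread: cluster P2P peer sightings by source IP and
# flag hosts that front many nicknames but refuse every transfer. Format is assumed.
import re
from collections import defaultdict

# Constructed sample: one "nickname ip outcome" line per download attempt.
SAMPLE_LOG = """\
user123_45678 203.0.113.19 refused
user123_98765 203.0.113.20 refused
user234_56897 203.0.113.19 refused
user234_11111 203.0.113.21 refused
user489_78546 203.0.113.20 refused
user489_22222 203.0.113.21 refused
alice 198.51.100.7 ok
alice 198.51.100.7 refused
"""
LINE_RE = re.compile(r"^(?P<nick>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<outcome>\w+)$")

def parse_log(text):
    """Return (nick, ip, outcome) tuples, skipping lines that do not match the format."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["nick"], m["ip"], m["outcome"].lower()))
    return out

def suspicious_ips(records, min_nicks=2, min_refused_ratio=0.9):
    """IPs whose distinct-nickname count and refusal ratio both reach the thresholds."""
    nicks = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # ip -> [attempts, refused]
    for nick, ip, outcome in records:
        nicks[ip].add(nick)
        totals[ip][0] += 1
        totals[ip][1] += outcome == "refused"
    flagged = {}
    for ip, (n, refused) in totals.items():
        if len(nicks[ip]) >= min_nicks and refused / n >= min_refused_ratio:
            flagged[ip] = {"nicks": sorted(nicks[ip]), "refused_ratio": refused / n}
    return flagged

def nick_families(records):
    """Per nickname stem (user123 from user123_45678): how many hash suffixes and IPs it spans."""
    fam = defaultdict(lambda: (set(), set()))
    for nick, ip, _ in records:
        stem = re.sub(r"_\d+$", "", nick)
        fam[stem][0].add(nick)
        fam[stem][1].add(ip)
    return {stem: (len(h), len(ips)) for stem, (h, ips) in fam.items()}
```

On the sample, the three 203.0.113.x hosts are flagged while 198.51.100.7 is not, since it fronts a single nickname and served half its requests.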
