Educause Security Discussion mailing list archives
Re: Passwords brute forced and sent over IRC
From: Jim Bollinger <JBollinger () WLU EDU>
Date: Thu, 1 Apr 2004 16:12:58 -0500
We have seen it here. It appears to be a new Randex (or sdbot) variant.

http://www.sophos.com/virusinfo/analyses/w32sdbotgw.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.DX

We use Symantec, and even the newest definitions don't appear to catch all the executables. We have seen services running:

  Antivirus32.exe
  Symantec32.exe
  Winlord32.exe
  ntlord.exe

These .exe were located on the local C:\ drives in multiple locations, and were launched at boot from the following places:

  Start -> Programs -> Startup
  Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In addition, SARC has just announced the W32.Randex.PR virus, which specifically addresses the Symantec32.exe which was previously going undetected. More info at http://www.sarc.com/avcenter/venc/data/w32.randex.pr.html

A side effect was the scanning activity caused our PIX firewall to begin running out of resources.

You need to make sure your MS machines have null session enumeration turned off (restrictanonymous "on" to 1 or 2). Otherwise, it will have your Microsoft boxes dump all the users to it and then try its list of passwords on each one. To become infected seems to require weak admin passwords.

Wonder if this is the beginning of a trend. People have mostly patched machines because of Blaster, so now they attack "our management of the operating system" instead of attacking the operating system itself?

Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743
krizi () GWU EDU 4/1/2004 3:54:16 PM >>>
Hello,

We have had the login credentials of a number of systems enumerated and sent over IRC to an IRC server in Korea with the IP address of 218.55.182.49 (now blocked at our router). Based on examination so far, this is what we have found:

1. One system was compromised and started scanning the network for open shares and weak passwords on other systems
2. Once a system was found with a weak password, the credentials were sent over IRC
3. Files found on compromised/infected systems (in c:\%systemroot%\system32) include regedlt.exe and moo.dat
4. Domain controllers to which the compromised systems were connected were at 100% utilization
5. In some cases we are seeing a telnet backdoor being opened on 5542

Might be a worm, possibly a W32.Randex.gen variant, but we are not sure at this point. We are hearing other Universities may be having this same problem. Anyone else experiencing this?

Krizi

**********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
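The two messages above between them give a host-level checklist: the RestrictAnonymous setting Jim recommends, the autorun locations and executable names he lists, and the system32 files, IRC server address and port-5542 telnet backdoor that Krizi reports. The following PowerShell script is an added example written for this archive page, not code from either poster or from any vendor. It only reads state and reports; it assumes an elevated PowerShell session on the host being examined, PowerShell 3 or later, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later). The function names and the list variables are my own; every file name, registry path and network indicator in it comes from the thread.

```powershell
# Added example (not from the thread): read-only triage of one Windows host for the
# indicators and the RestrictAnonymous hardening discussed in the two messages above.
# Run from an elevated PowerShell session. Helper names are this example's own.

# Executables/data files named in the two messages
$SuspectNames = @('Antivirus32.exe', 'Symantec32.exe', 'Winlord32.exe',
                  'ntlord.exe', 'regedlt.exe', 'moo.dat')

# Autorun registry locations from Jim's message
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

function Test-RestrictAnonymous {
    # Reports the LSA RestrictAnonymous value; 1 or 2 limits null-session enumeration
    # (an absent value behaves as 0, i.e. anonymous enumeration allowed)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
    [pscustomobject]@{ Setting = 'RestrictAnonymous'; Value = $value; Hardened = ($value -ge 1) }
}

function Find-SuspectAutoruns {
    # Lists Run/RunServices values whose command line references one of the suspect names
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
            foreach ($name in $SuspectNames) {
                if ("$($p.Value)" -match [regex]::Escape($name)) {
                    [pscustomobject]@{ Location = $key; ValueName = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

function Find-SuspectFiles {
    # Looks in system32, the Scheduled Tasks folder and both Startup folders for the named files
    $dirs = @(
        "$env:SystemRoot\System32",
        "$env:SystemRoot\Tasks",
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
            Where-Object { $SuspectNames -contains $_.Name } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Find-SuspectConnections {
    # Flags a listener on 5542 (the telnet backdoor port Krizi reported) and any
    # connection to the IRC server address from Krizi's message
    $ircServer = '218.55.182.49'
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($_.State -eq 'Listen' -and $_.LocalPort -eq 5542) -or
                       ($_.RemoteAddress -eq $ircServer) } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

Test-RestrictAnonymous
Find-SuspectAutoruns
Find-SuspectFiles
Find-SuspectConnections
```

Each function emits objects rather than text, so the output can be piped to Export-Csv when the same checks are run across many hosts. If Test-RestrictAnonymous reports Hardened = False, the change Jim describes is `Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -Value 1 -Type DWord` (2 on Windows 2000 is stricter and can break domain browsing, so test it first). A hit from Find-SuspectAutoruns or Find-SuspectFiles identifies a file to preserve for analysis, not one to delete on the spot; both messages note that the vendor definitions of the day were incomplete, so absence of an antivirus alert is not a clean bill of health.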
Current thread:
- Passwords brute forced and sent over IRC Krizi Trivisani (Apr 01)
- Re: Passwords brute forced and sent over IRC Jim Bollinger (Apr 01)