Educause Security Discussion mailing list archives

Re: Passwords brute forced and sent over IRC


From: Jim Bollinger <JBollinger () WLU EDU>
Date: Thu, 1 Apr 2004 16:12:58 -0500

We have seen it here. It appears to be new Randex (or sdbot) variant.

http://www.sophos.com/virusinfo/analyses/w32sdbotgw.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.DX


We use Symantec, and even the newest definitions don't appear to catch all
the executables. We have seen services running:

Antivirus32.exe
Symantec32.exe
Winlord32.exe
ntlord.exe

These .exe were located on the local C:\ drives in multiple locations,
and were launched at boot from the following places:

Start -> Programs -> Startup
Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In addition, SARC has just announced the W32.Randex.PR
virus, which specifically addresses the Symantec32.exe which was
previously going undetected.  More info at
http://www.sarc.com/avcenter/venc/data/w32.randex.pr.html

A side effect was the scanning activity caused our PIX firewall to
begin running out of resources. You need to make sure your MS machines
have null session enumeration turned off (restrictanonymous "on" to 1 or
2). Otherwise, it will have your Microsoft boxes dump all the users to
it and then try its list of passwords on each one.

To become infected seems to require weak admin passwords.

Wonder if this is the beginning of a trend. People have mostly patched
machines because of Blaster, so now they attack "our management of the
operating system" instead of attacking the operating system itself?

Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

krizi () GWU EDU 4/1/2004 3:54:16 PM >>>
Hello,

We have had the login credentials of a number of systems enumerated and
sent over IRC to an IRC server in Korea with the IP address of
218.55.182.49 (now blocked at our router).

Based on examination so far, this is what we have found:
1.  One system was compromised and started scanning the network for
open shares and weak passwords on other systems
2.  Once a system was found with a weak password, the credentials were
sent over IRC
3.  Files found on compromised/infected systems (in
c:\%systemroot%\system32) include regedlt.exe and moo.dat
4.  Domain controllers to which the compromised systems were connected
were at 100% utilization
5.  In some cases we are seeing a telnet backdoor being opened on 5542

Might be a worm, possibly a W32.Randex.gen variant, but we are not sure
at this point.

We are hearing other Universities may be having this same problem.
Anyone else experiencing this?

Krizi

**********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu
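The two messages above list the autostart locations the bot used (Startup folder, Scheduled Tasks, the Run/RunServices keys), the file names seen on infected hosts, and the RestrictAnonymous mitigation. The script below is an added example, not code from either poster, that turns those observations into a host audit: it walks the named locations for the named files and reports the LSA RestrictAnonymous value. It assumes a modern PowerShell on Windows (the 2004-era hosts in the thread predate PowerShell; the same checks were done by hand with regedit and the Startup folder then), and that the indicator list is the one quoted in the thread, which you would extend with your own findings.

```powershell
# Added example (not part of the original thread): audit a Windows host for the
# persistence locations and file names reported in the e-mails above, and check
# the RestrictAnonymous setting the reply recommends. Run from an elevated prompt.
# The indicator names come from the thread; treat them as a starting list only.

$Indicators = @(
    'Antivirus32.exe', 'Symantec32.exe', 'Winlord32.exe', 'ntlord.exe',   # Jim's list
    'regedlt.exe', 'moo.dat'                                              # Krizi's list
)

# Autostart registry keys named in the reply. RunServices is a Win9x/Me-era key
# and is usually absent on NT-based systems, so missing keys are skipped, not errors.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Name, [string]$Value) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

function Test-Indicator([string]$Text) {
    # True if the text names any indicator file (case-insensitive substring match).
    foreach ($Ind in $Indicators) {
        if ($Text -match [regex]::Escape($Ind)) { return $true }
    }
    return $false
}

# 1. Run / RunServices values whose command line references an indicator file.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $Value = [string]$Prop.Value
        if (Test-Indicator $Value) { Add-Finding $Key $Prop.Name $Value }
    }
}

# 2. Per-user and all-users Startup folders (Start -> Programs -> Startup).
foreach ($Folder in 'Startup', 'CommonStartup') {
    $Dir = [Environment]::GetFolderPath($Folder)
    if (-not $Dir -or -not (Test-Path $Dir)) { continue }
    Get-ChildItem -Path $Dir -Force | ForEach-Object {
        if (Test-Indicator $_.Name) { Add-Finding "StartupFolder ($Folder)" $_.Name $_.FullName }
    }
}

# 3. Scheduled Tasks whose action launches an indicator file.
#    Get-ScheduledTask exists on Windows 8 / Server 2012 and later; older hosts are skipped.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($Task in Get-ScheduledTask) {
        foreach ($Action in $Task.Actions) {
            $Cmd = ([string]$Action.Execute + ' ' + [string]$Action.Arguments).Trim()
            if (Test-Indicator $Cmd) { Add-Finding "ScheduledTask $($Task.TaskPath)" $Task.TaskName $Cmd }
        }
    }
}

# 4. Copies elsewhere on the system drive; the reply notes the files sat in
#    multiple locations, not only %SystemRoot%\system32.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include $Indicators -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'FileSystem' $_.Name $_.FullName }

# 5. RestrictAnonymous (HKLM\SYSTEM\CurrentControlSet\Control\Lsa). The reply asks for
#    1 or 2; 0 (or an absent value) leaves null-session user enumeration open.
$Lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RestrictAnonymous = if ($null -ne $Lsa.RestrictAnonymous) { [int]$Lsa.RestrictAnonymous } else { 0 }
if ($RestrictAnonymous -lt 1) {
    Add-Finding 'LSA' 'RestrictAnonymous' "$RestrictAnonymous (set to 1 or 2 to block null-session enumeration)"
}

# Report. Exit code 1 signals findings so the script can be run from a job.
if ($Findings.Count -eq 0) {
    Write-Host 'No thread indicators found; RestrictAnonymous is' $RestrictAnonymous
    exit 0
}
$Findings | Format-Table -AutoSize
exit 1
```

On Windows XP and later RestrictAnonymous was split, and the separate RestrictAnonymousSAM value also governs SAM account enumeration; the script reports only the value the reply names, so extend step 5 if you are auditing those systems.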

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
