Educause Security Discussion mailing list archives
Here a Bot, there a Bot, everywhere...
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Mon, 13 Sep 2004 16:23:20 -0500
I would guess we have placed over 100-150 systems in quarantine with Bots. Here is what we know about the process. No particular order.

- A compromised host scans local networks for the lsass vulnerability (port 445) via the Botnet IRC channel.
- An ftp/tftp server is "placed" on any compromised host.
- The Botnet, via the irc channel, ftps/tftps malware to the host.
- The compromised host, in turn, starts the process all over again.

I believe the primary purpose for these systems being compromised is to set up warez servers for the exchange of movies/mp3s/illegal software. I have seen traffic to suggest such. Of course, I also believe some of these systems have been used for other purposes.

Interesting tcpdump packets:

malware opres.exe download

18:51:12.023289 131.204.x.x.1894 > 207.150.162.178.ircd: P 72:189(117) ack 345 win 64372 (DF)
0x0000 4500 009d 0b4d 4000 7f06 82d1 83cc xxxx E....M@.......w'
0x0010 cf96 a2b2 0766 1a0b 2604 eb01 20d1 fc23 .....f..&......#
0x0020 5018 fb74 505e 0000 5052 4956 4d53 4720 P..tP^..PRIVMSG.
0x0030 2374 7233 3373 203a 5b44 4f57 4e4c 4f41 #tr33s.:[DOWNLOA
0x0040 445d 3a20 446f 776e 6c6f 6164 696e 6720 D]:.Downloading.
0x0050 5552 4c3a 2068 7474 703a 2f2f 7265 7369 URL:.http://resi
0x0060 6c69 336e 742e 7375 7065 7269 686f 7374 li3nt.superihost
0x0070 2e63 6f6d 2f6f 7072 6573 2e65 7865 2074 .com/opres.exe.t
0x0080 6f3a 2063 3a5c 7669 6475 7064 6174 6572 o:.c:\vidupdater
0x0090 7072 6f67 6779 2e65 7865 2e0d 0a proggy.exe...

scanning for lsass

10:56:39.472136 207.150.162.178.ircd > 131.204.x.x.1039: P 70:303(233) ack 72 win 5712 (DF)
0x0000 4500 0111 9fa5 4000 2d06 4005 cf96 a2b2 E.....@.-.@.....
0x0010 83cc xxxx 1a0b 040f 20b7 edd5 cf0d 83e6 ..w'............
0x0020 5018 1650 adc5 0000 3a5b 6a65 775d 7c2d P..P....:[jew]|-
0x0030 3434 3139 3737 3321 7e6d 6b6e 6562 7463 4419773!~mknebtc
0x0040 6540 3133 312e 3230 342e 3131 392e 3339 e@131.204.x.x
0x0050 204a 4f49 4e20 3a23 7472 3333 730d 0a3a .JOIN.:#tr33s..:
0x0060 4d79 5351 4c20 3333 3220 5b6a 6577 5d7c MySQL.332.[jew]|
0x0070 2d34 3431 3937 3733 2023 7472 3333 7320 -4419773.#tr33s.
0x0080 3a2e 6164 7673 6361 6e20 6c73 6173 7320 :.advscan.lsass.
0x0090 3132 3020 3220 3939 3920 2d62 202d 7220 120.2.999.-b.-r.
0x00a0 2d73 0d0a 3a4d 7953 514c 2033 3333 205b -s..:MySQL.333.[
0x00b0 6a65 775d 7c2d 3434 3139 3737 3320 2374 jew]|-4419773.#t
0x00c0 7233 3373 2031 303a 3330 2050 4d20 3130 r33s.10:30.PM.10
0x00d0 3934 3635 3537 3231 0d0a 3a4d 7953 514c 94655721..:MySQL
0x00e0 2033 3636 205b 6a65 775d 7c2d 3434 3139 .366.[jew]|-4419
0x00f0 3737 3320 2374 7233 3373 203a 456e 6420 773.#tr33s.:End.
0x0100 6f66 202

"exploiting ..." message?

11:13:43.486184 131.204.x.x.1039 > 207.150.162.178.ircd: P 3473769480:3473769536(56) ack 548925131 win 64400 (DF)
0x0000 4500 0060 7a59 4000 7f06 1402 83cc xxxx E..`zY@.......w'
0x0010 cf96 a2b2 040f 1a0b cf0d 8408 20b7 eecb ................
0x0020 5018 fb90 de29 0000 5052 4956 4d53 4720 P....)..PRIVMSG.
0x0030 2374 7233 3373 203a 5b6c 7361 7373 5d3a #tr33s.:[lsass]:
0x0040 2045 7870 6c6f 6974 696e 6720 4950 3a20 .Exploiting.IP:.
0x0050 3133 312e 3230 342e 3737 2e35 332e 0d0a 131.204.x.x...

tftp transfer

11:13:44.642201 131.204.x.x.1039 > 207.150.162.178.ircd: P 56:163(107) ack 1 win 64400 (DF)
0x0000 4500 0093 7b1b 4000 7f06 130d 83cc xxxx E...{.@.......w'
0x0010 cf96 a2b2 040f 1a0b cf0d 8440 20b7 eecb ...........@....
0x0020 5018 fb90 f741 0000 5052 4956 4d53 4720 P....A..PRIVMSG.
0x0030 2374 7233 3373 203a 5b54 4654 505d 3a20 #tr33s.:[TFTP]:.
0x0040 4669 6c65 2074 7261 6e73 6665 7220 7374 File.transfer.st
0x0050 6172 7465 6420 746f 2049 503a 2031 3331 arted.to.IP:.131
0x0060 2e32 3034 2e37 372e 3533 2028 433a 5c57 .204.x.x.(C:\W
0x0070 494e 444f 5753 5c53 7973 7465 6d33 325c INDOWS\System32\
0x0080 7874 6778 6766 6966 7073 6d2e 6578 6529 xtgxgfifpsm.exe)
0x0090 2e0d 0a

Another interesting malware download that was noticed was from http://211.172.242.254/rbot.exe

It appears that opres.exe modifies the registry:

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http://resili3nt.superihost.com/o/index.htm

I wonder if those IPs that visit the above website are logged and considered *tagged*, and subsequently a botnet begins communication with the host.

I really don't have the resources to do extensive forensics on Bot-ed systems. Maybe someone could check out the malware mentioned above and report back?

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
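The packet dumps above show the bot's whole loop in its IRC chatter: tasking arrives as the channel topic (the 332 numeric carrying ".advscan lsass 120 2 999 -b -r -s"), and the bot reports back with PRIVMSG status lines ("[lsass]: Exploiting IP: ...", "[TFTP]: File transfer started to IP: ...", "[DOWNLOAD]: Downloading URL: ... to: ..."). The following is an added example, not code from the original post or from any tool it mentions: it rebuilds TCP payloads from tcpdump -X style hex-dump text (the format quoted above, which starts at the IP header), pulls out the IRC lines, and flags the message shapes seen in the post. The message patterns are copied from the text visible in the dumps; that they hold for other rbot-family variants is an assumption. The sample packets, nick, hostnames and IP addresses in the block are constructed for the example, and redacted header bytes written as "xxxx" (as in the post) are read as zeros.

```python
"""Flag rbot-style IRC bot chatter in tcpdump -X output (added example)."""
import re
import struct

# Message shapes taken from the IRC text in the post's dumps. They are matched
# against the trailing parameter of a PRIVMSG, or of an RPL_TOPIC (332) numeric,
# since the ".advscan" tasking reached the bot as the channel topic.
BOT_PATTERNS = {
    "scan_command":    re.compile(r"^\.advscan\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$"),
    "download_report": re.compile(r"^\[DOWNLOAD\]:\s*Downloading URL:\s*(\S+)\s+to:\s*(.+?)\.?$"),
    "exploit_report":  re.compile(r"^\[(\w+)\]:\s*Exploiting IP:\s*(\S+?)\.?$"),
    "tftp_report":     re.compile(r"^\[TFTP\]:\s*File transfer started to IP:\s*(\S+)\s*\((.*)\)"),
}
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}([0-9a-fA-F]{2})?$")
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+$")


def hexdump_to_packets(text):
    """Rebuild raw packets from tcpdump -X text: a packet begins at a line that
    starts with a timestamp and its bytes follow on '0x0000 ...' lines.
    'xxxx' (redacted bytes, as in the post) becomes zeros; the post only
    redacts IP address fields, so payloads are unaffected (assumption)."""
    packets, cur = [], None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0].startswith("0x") and cur is not None:
            for tok in toks[1:9]:            # at most 8 two-byte groups per line
                tok = "0000" if tok == "xxxx" else tok
                if not HEX_TOKEN.match(tok):  # reached the ASCII column (or a cut-off group)
                    break
                cur.extend(bytes.fromhex(tok))
        elif TIMESTAMP.match(toks[0]):
            cur = bytearray()
            packets.append((line, cur))
    return [(hdr, bytes(b)) for hdr, b in packets]


def tcp_payload(pkt):
    """Return (src_port, dst_port, payload) for an IPv4/TCP packet dumped with
    no link-layer header (the post's dumps start at 0x4500), else None.
    The IP total length caps the payload, so stray bytes misread from a short
    ASCII column, or a truncated dump, cannot leak into it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4
    return sport, dport, pkt[ihl + doff:min(total_len, len(pkt))]


def irc_trailing(line):
    """Split one IRC line into (command, trailing text); the prefix is dropped."""
    if line.startswith(":"):
        line = line.split(" ", 1)[1] if " " in line else ""
    head, _, trailing = line.partition(" :")
    return head.split(" ", 1)[0].upper(), trailing


def find_bot_chatter(dump_text):
    """Return one finding per IRC line in the dump that matches a bot message shape."""
    findings = []
    for _header, pkt in hexdump_to_packets(dump_text):
        parsed = tcp_payload(pkt)
        if parsed is None:
            continue
        sport, dport, payload = parsed
        for raw in payload.decode("latin-1").split("\r\n"):
            cmd, trailing = irc_trailing(raw.strip("\n"))
            if cmd not in ("PRIVMSG", "332"):
                continue
            for kind, pat in BOT_PATTERNS.items():
                m = pat.match(trailing)
                if m:
                    findings.append({"kind": kind, "fields": m.groups(), "via": cmd, "ports": (sport, dport)})
                    break
    return findings


def build_dump(flows):
    """Format constructed IPv4/TCP packets (sport, dport, payload) as tcpdump -X text.
    Constructed sample input only; addresses are zeroed like the post's 'xxxx'."""
    out = []
    for i, (sport, dport, payload) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 64400, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 127, 6, 0, bytes(4), bytes(4)) + tcp
        out.append("%02d:00:00.000000 constructed packet %d" % (i, i))
        for off in range(0, len(ip), 16):
            chunk = ip[off:off + 16]
            groups = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
            out.append("0x%04x %s %s" % (off, groups, "".join(chr(b) if 32 < b < 127 else "." for b in chunk)))
    return "\n".join(out)


# Constructed sample: server -> bot (topic tasking), then bot -> server status reports.
SAMPLE_DUMP = build_dump([
    (6667, 1039, b":bot|-4419773!~mknebtce@10.0.0.7 JOIN :#tr33s\r\n"
                 b":MySQL 332 bot|-4419773 #tr33s :.advscan lsass 120 2 999 -b -r -s\r\n"
                 b":MySQL 366 bot|-4419773 #tr33s :End of /NAMES list.\r\n"),
    (1039, 6667, b"PRIVMSG #tr33s :[lsass]: Exploiting IP: 10.0.0.9.\r\n"
                 b"PRIVMSG #tr33s :[TFTP]: File transfer started to IP: 10.0.0.9 (C:\\WINDOWS\\System32\\xtgxgfifpsm.exe).\r\n"),
    (1039, 6667, b"PRIVMSG #tr33s :[DOWNLOAD]: Downloading URL: http://malware.example/opres.exe to: c:\\vidupdaterproggy.exe.\r\n"),
])


def demo():
    return find_bot_chatter(SAMPLE_DUMP)


if __name__ == "__main__":
    for f in demo():
        print(f["kind"], f["via"], f["ports"], f["fields"])
```

Run against a real capture, feed it `tcpdump -nX port 6667` output (or the saved dump from the post) instead of SAMPLE_DUMP; the "scan_command" finding identifies the channel topic that tasks every bot, while the "exploit_report" and "tftp_report" findings name the next victims and the dropped file path, which is what you want for quarantine lists.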
Attachment:
Mark Wilson.vcf