Educause Security Discussion mailing list archives

Here a Bot, there a Bot, everywhere...


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Mon, 13 Sep 2004 16:23:20 -0500

I would guess we have placed over 100-150 systems in quarantine with
Bots.  Here is what we know about the process. No particular order.

A compromised host scans local networks for the lsass vulnerability
(port 445) via Botnet IRC channel
An ftp/tftp server is "placed" on any compromised host
The Botnet, via irc channel,  ftps/tftps malware to the host
The compromised host, in turn, starts the process all over again.

I believe the primary purpose for these systems being compromised is to
set up warez servers for the exchange of movies/mp3's/illegal software.
I have seen traffic to suggest such.  Of course, I also believe some of
these systems have been  for other purposes.

Interesting tcpdump packets:
malware opres.exe download
18:51:12.023289 131.204.x.x.1894 > 207.150.162.178.ircd: P 72:189(117) ack 345 win 64372 (DF)
0x0000   4500 009d 0b4d 4000 7f06 82d1 83cc xxxx        E....M@.......w'
0x0010   cf96 a2b2 0766 1a0b 2604 eb01 20d1 fc23        .....f..&......#
0x0020   5018 fb74 505e 0000 5052 4956 4d53 4720        P..tP^..PRIVMSG.
0x0030   2374 7233 3373 203a 5b44 4f57 4e4c 4f41        #tr33s.:[DOWNLOA
0x0040   445d 3a20 446f 776e 6c6f 6164 696e 6720        D]:.Downloading.
0x0050   5552 4c3a 2068 7474 703a 2f2f 7265 7369        URL:.http://resi
0x0060   6c69 336e 742e 7375 7065 7269 686f 7374        li3nt.superihost
0x0070   2e63 6f6d 2f6f 7072 6573 2e65 7865 2074        .com/opres.exe.t
0x0080   6f3a 2063 3a5c 7669 6475 7064 6174 6572        o:.c:\vidupdater
0x0090   7072 6f67 6779 2e65 7865 2e0d 0a               proggy.exe...

scanning for lsass
10:56:39.472136 207.150.162.178.ircd > 131.204.x.x.1039: P 70:303(233) ack 72 win 5712 (DF)
0x0000   4500 0111 9fa5 4000 2d06 4005 cf96 a2b2        E.....@.-.@.....
0x0010   83cc xxxx 1a0b 040f 20b7 edd5 cf0d 83e6        ..w'............
0x0020   5018 1650 adc5 0000 3a5b 6a65 775d 7c2d        P..P....:[jew]|-
0x0030   3434 3139 3737 3321 7e6d 6b6e 6562 7463        4419773!~mknebtc
0x0040   6540 3133 312e 3230 342e 3131 392e 3339        e@131.204.x.x
0x0050   204a 4f49 4e20 3a23 7472 3333 730d 0a3a        .JOIN.:#tr33s..:
0x0060   4d79 5351 4c20 3333 3220 5b6a 6577 5d7c        MySQL.332.[jew]|
0x0070   2d34 3431 3937 3733 2023 7472 3333 7320        -4419773.#tr33s.
0x0080   3a2e 6164 7673 6361 6e20 6c73 6173 7320        :.advscan.lsass.
0x0090   3132 3020 3220 3939 3920 2d62 202d 7220        120.2.999.-b.-r.
0x00a0   2d73 0d0a 3a4d 7953 514c 2033 3333 205b        -s..:MySQL.333.[
0x00b0   6a65 775d 7c2d 3434 3139 3737 3320 2374        jew]|-4419773.#t
0x00c0   7233 3373 2031 303a 3330 2050 4d20 3130        r33s.10:30.PM.10
0x00d0   3934 3635 3537 3231 0d0a 3a4d 7953 514c        94655721..:MySQL
0x00e0   2033 3636 205b 6a65 775d 7c2d 3434 3139        .366.[jew]|-4419
0x00f0   3737 3320 2374 7233 3373 203a 456e 6420        773.#tr33s.:End.
0x0100   6f66 202

"exploiting ..." message?
11:13:43.486184 131.204.x.x.1039 > 207.150.162.178.ircd: P 3473769480:3473769536(56) ack 548925131 win 64400 (DF)
0x0000   4500 0060 7a59 4000 7f06 1402 83cc xxxx        E..`zY@.......w'
0x0010   cf96 a2b2 040f 1a0b cf0d 8408 20b7 eecb        ................
0x0020   5018 fb90 de29 0000 5052 4956 4d53 4720        P....)..PRIVMSG.
0x0030   2374 7233 3373 203a 5b6c 7361 7373 5d3a        #tr33s.:[lsass]:
0x0040   2045 7870 6c6f 6974 696e 6720 4950 3a20        .Exploiting.IP:.
0x0050   3133 312e 3230 342e 3737 2e35 332e 0d0a        131.204.x.x...

tftp transfer
11:13:44.642201 131.204.x.x.1039 > 207.150.162.178.ircd: P 56:163(107) ack 1 win 64400 (DF)
0x0000   4500 0093 7b1b 4000 7f06 130d 83cc xxxx        E...{.@.......w'
0x0010   cf96 a2b2 040f 1a0b cf0d 8440 20b7 eecb        ...........@....
0x0020   5018 fb90 f741 0000 5052 4956 4d53 4720        P....A..PRIVMSG.
0x0030   2374 7233 3373 203a 5b54 4654 505d 3a20        #tr33s.:[TFTP]:.
0x0040   4669 6c65 2074 7261 6e73 6665 7220 7374        File.transfer.st
0x0050   6172 7465 6420 746f 2049 503a 2031 3331        arted.to.IP:.131
0x0060   2e32 3034 2e37 372e 3533 2028 433a 5c57        .204.x.x.(C:\W
0x0070   494e 444f 5753 5c53 7973 7465 6d33 325c        INDOWS\System32\
0x0080   7874 6778 6766 6966 7073 6d2e 6578 6529        xtgxgfifpsm.exe)
0x0090   2e0d 0a

Another interesting download of malware was noticed was from
http://211.172.242.254/rbot.exe

It appears that the opres.exe modifies the registry:
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
 http://resili3nt.superihost.com/o/index.htm

I wonder if those IPs that visit the above website are logged and
considered *tagged* and subsequently a botnet begins communication with
the host.

I really don't have the resources to do extensive forensics on Bot-ed
systems.  Maybe someone could check out the malware mentioned above and
report back?





Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
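As an added example (my own code, not from the post above nor from any tool it mentions), the Python below turns tcpdump -X hex dumps like the ones quoted in the post back into the IRC lines they carry and flags the indicators those captures show: the "advscan" order sent to the channel, the bracketed [DOWNLOAD]/[TFTP]/[lsass] status reports the bot sends back, URLs and .exe names. It tolerates the archive's layout where the ASCII column ended up on its own line, the "xxxx" redaction of addresses, and a dump cut off mid-row (as in the "End of" packet above). The sample capture is constructed with RFC 5737 addresses and invented sequence numbers; the indicator names (scan_command, status_report, url, executable) are my own labels.

```python
"""Decode IRC bot chatter from tcpdump -X hex dumps and flag botnet indicators.
Added example, not the post's code; indicator strings come from the post's dumps."""
import re
from typing import Dict, List, Optional

PACKET_HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+>\s+(\S+?):\s")  # tcpdump summary line
HEX_ROW = re.compile(r"^\s*0x([0-9a-fA-F]{4})\s+(.*)$")                         # "0x0010   cf96 a2b2 ..."
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2}|x{4}|x{2})$")        # 'xxxx' = redacted in the post

INDICATORS = {  # names are my own labels; patterns are the strings visible in the post's captures
    "scan_command": re.compile(r"\badvscan\b", re.I),           # controller tells bots to scan
    "status_report": re.compile(r"\[(DOWNLOAD|TFTP|lsass)\]"),  # bot reports progress to the channel
    "url": re.compile(r"https?://\S+"),
    "executable": re.compile(r"\S+\.exe\b", re.I),
}

def parse_hexdump(text: str) -> List[Dict]:
    """One record per packet: summary fields plus raw bytes rebuilt from the hex column."""
    packets: List[Dict] = []
    for line in text.splitlines():
        header = PACKET_HEADER.match(line)
        if header:
            packets.append({"time": header.group(1), "src": header.group(2),
                            "dst": header.group(3), "raw": bytearray()})
            continue
        row = HEX_ROW.match(line)
        if not row or not packets:
            continue  # prose, or an ASCII column that extraction pushed onto its own line
        for token in row.group(2).split()[:8]:  # at most 8 two-byte groups per row
            if not HEX_GROUP.match(token):
                break  # reached the ASCII column, or a group cut short by truncation
            packets[-1]["raw"] += bytes(len(token) // 2) if token[0] == "x" else bytes.fromhex(token)
    return packets

def tcp_payload(raw: bytes) -> Optional[Dict]:
    """Strip IPv4 + TCP headers via IHL and data offset; None if not IPv4/TCP or too short."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    if raw[9] != 6 or len(raw) < ihl + 20:
        return None
    start = ihl + (raw[ihl + 12] >> 4) * 4
    return {"payload": bytes(raw[start:min(total_len, len(raw))]),
            "truncated": len(raw) < total_len}  # dump ended before the IP total length

def find_bot_chatter(text: str) -> List[Dict]:
    """Run every indicator over each TCP payload; return only packets with at least one hit."""
    findings = []
    for pkt in parse_hexdump(text):
        tcp = tcp_payload(pkt["raw"])
        if tcp is None:
            continue
        msg = tcp["payload"].decode("latin-1").rstrip("\r\n")
        hits = {name: found for name, pat in INDICATORS.items() if (found := pat.findall(msg))}
        if hits:
            findings.append({"time": pkt["time"], "src": pkt["src"], "dst": pkt["dst"],
                             "message": msg, "truncated": tcp["truncated"], "hits": hits})
    return findings

# Constructed sample. Packet 1 mirrors the archived post's layout (ASCII column on the next
# line); packet 2 is tcpdump's normal single-line layout; packet 3 is cut off mid-row.
SAMPLE_DUMP = """\
10:56:39.472136 192.0.2.1.1024 > 192.0.2.2.ircd: P 1:54(53) ack 1 win 65535 (DF)
0x0000   4500 005d 0001 0000 4006 0000 c000 0201
E..]....@.......
0x0010   c000 0202 0400 1a0b 0000 0001 0000 0001
................
0x0020   5018 ffff 0000 0000 5052 4956 4d53 4720
P.......PRIVMSG.
0x0030   2374 7233 3373 203a 5b6c 7361 7373 5d3a
#tr33s.:[lsass]:
0x0040   2045 7870 6c6f 6974 696e 6720 4950 3a20
.Exploiting.IP:.
0x0050   3139 322e 302e 322e 3130 2e0d 0a
192.0.2.10...
10:56:40.101010 192.0.2.2.ircd > 192.0.2.1.1024: P 1:60(59) ack 54 win 5712 (DF)
0x0000   4500 0063 0002 0000 4006 0000 c000 0202        E..c....@.......
0x0010   c000 0201 1a0b 0400 0000 0001 0000 0036        ...............6
0x0020   5018 ffff 0000 0000 3a6f 7021 7540 6820        P.......:op!u@h.
0x0030   5052 4956 4d53 4720 2374 7233 3373 203a        PRIVMSG.#tr33s.:
0x0040   2e61 6476 7363 616e 206c 7361 7373 2031        .advscan.lsass.1
0x0050   3230 2032 2039 3939 202d 6220 2d72 202d        20.2.999.-b.-r.-
0x0060   730d 0a                                        s..
10:56:41.202020 192.0.2.1.1024 > 192.0.2.2.ircd: P 54:107(53) ack 60 win 65535 (DF)
0x0000   4500 005d 0003 0000 4006 0000 c000 0201        E..]....@.......
0x0010   c000 0202 0400 1a0b 0000 0036 0000 003c        ...............<
0x0020   5018 ffff 0000 0000 5052 4956 4d53 4720        P.......PRIVMSG.
0x0030   2374 7233 3373 203a 5b6c 7361 7373 5d3a        #tr33s.:[lsass]:
0x0040   2045 7870 6c6f 697
"""

if __name__ == "__main__":
    for hit in find_bot_chatter(SAMPLE_DUMP):
        print(hit["time"], hit["src"], "->", hit["dst"], hit["hits"],
              "(truncated)" if hit["truncated"] else "", repr(hit["message"]))
```

Run against a quarantined host's tcpdump -X output this gives, per packet, the channel, the command or report text and whether the capture was cut short, which is enough to pick the IRC server and the hosts named in download URLs for blocking at the border without first reverse-engineering the binary. Because the parser reassembles bytes from the hex column only, it is immune to tcpdump's "." substitution in the ASCII column and to the two-line layout the list archive produced.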
