Re: Upload of "pipes.scr" attempted to NetBus "honeypot"

[Dennis McHenry <ronmch () comports com>]

Pipes.SCR is just a stock Windows screensaver.  It's an executable-type
file; possible to embed a virus or trojan in it.  I hardly ever see it being
used anymore (as the screen saver).

It's one of several that comes with Win 9x.  If it's a trojan, the author
likes the long shots.  First to find a system that's vulnerable to whatever
exploit they're using, then to get it onto a system where Pipes is the
active screensaver.  I don't know how it'd drop into the correct directory,
either.  It didn't seem like they were trying to get it into the Windows
directory (where it's installed by default).  Some virus, maybe?

-DMc

----- Original Message -----
From: "Sverre H. Huseby" <shh () THATHOST COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, January 24, 2001 11:31 AM
Subject: Upload of "pipes.scr" attempted to NetBus "honeypot"


> Last week I wrote a simple daemon that accepts incoming connections to
> TCP port 12345, and announces itself as "NetBus 1.60".  The program
> simply logs the first command sent by the client, and attempts to send
> a warning message to the bad guy in the other end.  Unfortunately, I
> don't know the NetBus protocol, so I'm unable to simulate a real
> NetBus server.
>
> The last six days I've had three connections to my daemon when online
> using my dialup ISDN connection.  All three comes from the same ISP as
> I connect to.  What follows are the relevant log lines (Norwegian
> times):
>
> 2001-01-18 15:24:34  server running on 130.67.238.181:12345
> 2001-01-18 16:00:25  [130.67.238.126:3388]  accepted connection
> 2001-01-18 16:00:25  [130.67.238.126:3388]  "UploadFile;pipes.scr;10000;\"
> 2001-01-18 16:00:26  [130.67.238.126:3388]  client disconnected
>
> 2001-01-18 22:31:40  server running on 130.67.123.106:12345
> 2001-01-18 23:13:00  [130.67.123.85:1448]  accepted connection
> 2001-01-18 23:13:01  [130.67.123.85:1448]  "UploadFile;pipes.scr;10000;\"
> 2001-01-18 23:13:01  [130.67.123.85:1448]  warning message sendt
> 2001-01-18 23:13:01  [130.67.123.85:1448]  client disconnected
>
> 2001-01-24 20:04:11  server running on 130.67.215.213:12345
> 2001-01-24 20:04:30  [130.67.215.250:1205]  accepted connection
> 2001-01-24 20:04:30  [130.67.215.250:1205]  "UploadFile;pipes.scr;10000;\"
> 2001-01-24 20:04:30  [130.67.215.250:1205]  warning message sendt
> 2001-01-24 20:04:33  [130.67.215.250:1205]  client disconnected
>
> The ISP issues addresses dynamically, so I have no idea whether the
> connections are from the same person.  Also, the ISP does not give out
> information to people like me, they merely send a warning to the bad
> guy.  At least that's their standard reply to complaints like this.
>
> Ok, what I see is what seems to be three attempts on uploading a file
> called "pipes.scr" to my computer.  I do not know NetBus at all, so I
> don't know if the almost immediate upload attempt after connecting
> (see time stamps) is normal NetBus behavior, or if it indicates some
> kind of a script.  If the NetBus client is running a script, it _may_
> be that the owner of the misbehaving computer is unaware of what is
> going on.  Again, I'we never run NetBus myself, so I'm not the right
> person to speculate.
>
> Has anyone else seen similar attempts?  Any idea what that "pipes.scr"
> may be (except a fancy screen saver)?
>
>
> Sverre.
>
> PS: If you happen to know the protocol of NetBus or SubSeven (the two
>     trojans I see most scans for at my computer), could you please
>     e-mail me the details?
>
> --
> <URL:mailto:shh () thathost com>
> <URL:http://shh.thathost.com/>