Security Incidents mailing list archives

RE: Probes to previously accessed FTPs and UNCs in XP


From: Information Security <InformationSecurity () federatedinv com>
Date: Tue, 9 Apr 2002 16:16:27 -0400

I've noticed somewhat similar behavior in WinNT and Win2k.  In Win2k, the
triggering event can cause a dvd or zip drive to spin up.  In NT, the event
has caused a disconnected drive mapping to be reconnected--at one point it
chose a drive letter of its own choice until it used up all the available
drive letters (I think we applied a patch for that), but still if I leave
Windows Explorer in the background, I occasionally see it list 3 or more
drive mappings to the same drive letter and same share.

We ran the problem down, and determined it was related to shortcuts,
especially those for "Recent" files.  Shortcuts typically include both a
drive-relative path and a fully qualified UNC path to the target.  So common
dialogs like the new-style OpenFile dialog have access to the shortcuts and
periodically re-query them (maybe to get icons?).  Our solution was to
occasionally purge recent files, but with Win2k & XP, internet shortcuts are
showing up all over the place.
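
As an added example (not code from either poster), a minimal parser for the LinkInfo block of a Windows shortcut that pulls out exactly the two things the message above describes, the drive-relative path and the fully qualified UNC target, so an administrator can see which shares the shortcuts in a Recent folder would make Explorer re-query. The layout follows the published MS-SHLLINK format; build_lnk is a constructed fixture for offline testing, not a file written by Windows, and the FILESRV share name is made up.

```python
import struct

# LinkFlags (ShellLinkHeader) and LinkInfoFlags bits from MS-SHLLINK
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH, COMMON_NETWORK_RELATIVE_LINK = 0x01, 0x02


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")  # ANSI NUL-terminated string


def link_targets(data):
    """Return (local_base_path, unc_net_name, device_name) stored in a .lnk blob."""
    if data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # ShellLinkHeader is a fixed 76 bytes
    if flags & HAS_LINK_TARGET_IDLIST:           # skip LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None, None, None
    li = pos                                     # offsets inside LinkInfo are relative to here
    _size, _hdr, liflags, _vol, base_off, cnrl_off, _suffix = struct.unpack_from("<7I", data, li)
    local = _cstr(data, li + base_off) if liflags & VOLUME_ID_AND_LOCAL_BASE_PATH else None
    net = dev = None
    if liflags & COMMON_NETWORK_RELATIVE_LINK:
        c = li + cnrl_off                        # offsets below are relative to the CNRL start
        _csize, cflags, name_off, dev_off, _prov = struct.unpack_from("<5I", data, c)
        net = _cstr(data, c + name_off)          # e.g. \\server\share
        dev = _cstr(data, c + dev_off) if cflags & 0x1 else None   # ValidDevice: mapped letter
    return local, net, dev


def build_lnk(local, net, dev):
    """Constructed fixture laid out per MS-SHLLINK (not a file written by Windows)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_LINK_TARGET_IDLIST | HAS_LINK_INFO)
    idlist = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: just the TerminalID
    volume = struct.pack("<4I", 17, 3, 0x1234ABCD, 16) + b"\x00"  # DRIVE_FIXED, empty label
    localb, netb, devb = (s.encode("latin-1") + b"\x00" for s in (local, net, dev))
    cnrl = struct.pack("<5I", 20 + len(netb) + len(devb), 0x1, 20, 20 + len(netb), 0x20000)
    base_off = 0x1C + len(volume)
    cnrl_off = base_off + len(localb)
    body = volume + localb + cnrl + netb + devb + b"\x00"          # trailing empty CommonPathSuffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x3, 0x1C, base_off, cnrl_off,
                            cnrl_off + len(cnrl) + len(netb) + len(devb)) + body
    return header.ljust(0x4C, b"\x00") + idlist + link_info


if __name__ == "__main__":
    blob = build_lnk(r"E:\download\report.doc", r"\\FILESRV\public", "E:")
    print(link_targets(blob))
```

Running link_targets over the bytes of each .lnk in a user's Recent directory lists the shares that would be contacted, which is the inventory you want before deciding what to purge.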


-----Original Message-----
From: Eric Weaver [mailto:eric.weaver () ids2 net]
Sent: Tuesday, April 09, 2002 4:55 AM
To: Incidents () securityfocus com; BugTraq () securityfocus com
Subject: Probes to previously accessed FTPs and UNCs in XP 



Re: POSSIBLE WORM / DDOS

Sorry for the delayed response.

I have concluded that this activity is caused by another Microsoft
misfeature.  (Whether it is a virus or not, XP is caching previously
accessed URL/UNC somewhere, leaving these hosts/shares as potential victims for
a virus/worm.)

Findings:

Upon access to certain local directories of the "hot" machine (E:\,
E:\download\), Windows (XP Pro) causes orderly probing to previously
accessed FTP URLs & UNCs. (This explains the many samba queries after the
FTP attempts.)

The following caused the network activity:

Start/ Run / E:\ <cr>
Start/ Run / E:\download <cr>


I searched through the local registry for the targeted IPs & sharenames
(also searched for possible aliases) but was unable to find anything.  I
deleted the temporary internet cache, history, etc. Rebooted.  Machine still
caused same network activity.

Reapplying generic-folder-options to the directories that were "triggering"
this activity seemed to fix the problem.

I wonder where Microsoft is storing this information?  Those directories did
not have any abnormal/hidden files.  Odd.

Someone mentioned this may be ACEBot or GTBot.  I found no traces of these
Trojans.

I have not ruled out a virus.

The fact that this happens in regular windows explorer (not shortcut/link
inside a browser) worries me.


Thanks for everyone's $0.02.

_______________________________
Eric Weaver
tcpdump:

06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
hawking.res.cmu.edu. (37)
06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
(DF)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S
3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S
3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S
3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S
3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S
3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S
3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S
3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S
3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S
3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S
3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S
3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S
3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S
3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S
3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S
3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S
3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S
3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S
3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S
3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
