Security Incidents mailing list archives

Re: strange windows behaviour.


From: Jeff Kell <jeff-kell () utc edu>
Date: Thu, 09 Oct 2003 19:13:09 -0400

J Mike Rollins wrote:
I have just tested the ideas expressed here and have to report that
streams can still be a threat.

When I try to make a copy of the dll stored within the stream, the virus
scanning software does find it.

However, when I run the contents of the dll stream by using rundll32 the
program is not caught by the virus scanning software.  And the trojan
continues to execute undetected.

All I see is spam starting to spew from an otherwise quiet machine (most cases) although we have also had two cases of machines spoofing source addresses and attacking (a) an IRC server and (b) somebody's identd.

This is happening here and I have one machine under quarantine in the testbed. Symantec NAV with the latest DATs doesn't detect anything. Spybot with the latest signatures doesn't detect anything. Ad-Aware doesn't find anything. McAfee's freebie Stinger doesn't find anything. Yet if it is connected to the network when it boots, some process comes up, makes a few connection attempts to remote addresses, port 80; then it opens up two random high-numbered TCP ports and listens. Telnetting to them and entering much of anything causes it to close the connection and respawn.

In ActivePorts it lists the owning process name as the same as some other existent process in the list (e.g., explorer.exe, svchost.exe) but will have a unique PID in the task list. Using ActivePorts' terminate-process feature on it causes the two sockets to disappear, only to be immediately followed by the original behavior -- connects to an outside address port 80 (not always the same address, mind you), followed by two different high-numbered ports opened and listening.

There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce which appears to be a random string, 'bzyrczu' or something similar, and the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'. Of course I can't find any file by that name by traditional means (before reading this thread on NTFS streams).

Attempting to delete the registry keys for /Run and /RunOnce appears to work, but when you go back to check, the keys have "reinstalled" themselves. Even starting up in safe mode with the network unplugged, you can't delete the registry keys, even with System Restore disabled (this is an XP Home Edition box).

I plan on getting a packet capture of the beast's activity tomorrow. And assuming that the thing does exist as a stream, I'll try to capture the binary.

Jeff
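For anyone hitting the same pattern, the following is an added example (editor's code, not from Jeff, Mike or any tool named in the thread) that automates the checks Jeff did by hand: it walks the Run/RunOnce keys for a value whose target path has a second colon, which is what `rundll32 C:\Windows\System32:bzyrczu.dll` looks like when the "DLL" is an NTFS alternate data stream hanging off a directory, lists the streams on the host object, and flags processes that borrow the name of explorer.exe or svchost.exe without living under %SystemRoot%. Assumptions: Windows PowerShell 3.0 or later (for `-Stream`), the four key paths, the regexes and the helper names are this example's own; the specific stream name is only the one Jeff reported.

```powershell
# Added example, not part of the thread: hunt for the persistence pattern Jeff
# describes, a Run/RunOnce value such as
#     rundll32 C:\Windows\System32:bzyrczu.dll
# whose "file" is an NTFS alternate data stream attached to a directory, so it
# never shows up in Explorer or a plain dir listing.
# Assumptions of this example: Windows PowerShell 3.0 or later (for -Stream),
# the four key paths below, and the regexes and helper names, which are mine.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A drive-letter colon is always followed by a backslash; a stream colon never is.
# A second colon sitting between two ordinary path characters therefore marks an ADS.
$AdsPattern = '^[A-Za-z]:\\[^:]*[^\\:]:[^\\:]+$'

function Get-AutorunTarget {
    # Reduce an autorun command line to the module it loads.
    param([string]$CommandLine)
    $t = $CommandLine.Trim()
    # Drop a leading rundll32 (bare, with .exe, quoted, or with a directory).
    $t = $t -replace '^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+', ''
    $t = $t -replace '"', ''
    # rundll32 syntax is <dll>,<EntryPoint> [args]; keep only the module part.
    return ($t -split ',')[0].Trim()
}

function Find-AdsAutorun {
    # Emit one object per Run/RunOnce value whose target lives in an alternate data stream.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider noise: PSPath, PSDrive, ...
            $target = Get-AutorunTarget -CommandLine ([string]$p.Value)
            if ($target -match $AdsPattern) {
                # Split on the colon that has no backslash after it: host object vs. stream name.
                $hostPath, $streamName = $target -split ':(?=[^\\]+$)', 2
                [pscustomobject]@{
                    Key        = $key
                    Name       = $p.Name
                    Value      = [string]$p.Value
                    HostPath   = $hostPath      # file or directory the stream hangs off
                    StreamName = $streamName
                }
            }
        }
    }
}

function Get-AlternateStream {
    # List the named streams of a file or directory; the unnamed :$DATA stream is skipped.
    param([string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}

function Find-NameCollision {
    # ActivePorts showed the listener under a name that already belonged to another
    # process (explorer.exe, svchost.exe) but with its own PID. Flag copies of those
    # names that were not started from %SystemRoot%. Path is empty for processes we
    # cannot open, so run this elevated and treat an empty Path as "check by hand".
    $names = 'explorer', 'svchost'
    Get-Process | Where-Object { $names -contains $_.Name } | ForEach-Object {
        if (-not $_.Path -or $_.Path -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{ Name = $_.Name; Id = $_.Id; Path = $_.Path }
        }
    }
}

# --- report ---
$hits = @(Find-AdsAutorun)
if ($hits.Count -eq 0) {
    'No Run/RunOnce value points into an alternate data stream.'
}
foreach ($h in $hits) {
    '{0}\{1} = {2}' -f $h.Key, $h.Name, $h.Value
    '  host object : {0}' -f $h.HostPath
    Get-AlternateStream -Path $h.HostPath | ForEach-Object {
        '  stream      : {0}  ({1} bytes)' -f $_.Stream, $_.Length
    }
    # Keep a copy for analysis before cleaning up (Windows PowerShell byte syntax):
    #   Get-Content -LiteralPath $h.HostPath -Stream $h.StreamName -Encoding Byte -ReadCount 0 |
    #       Set-Content -LiteralPath "$env:TEMP\$($h.StreamName).bin" -Encoding Byte
    # Then, with the process already killed so it cannot rewrite the value:
    #   Remove-Item -LiteralPath $h.HostPath -Stream $h.StreamName
    #   Remove-ItemProperty -Path $h.Key -Name $h.Name
}
Find-NameCollision | Format-Table -AutoSize
```

Two caveats. If your PowerShell build refuses `-Stream` on a directory rather than a file, `dir /r C:\Windows` from cmd.exe (Vista and later) or Sysinternals streams.exe will list directory streams as well, and the stream can still be read with `Get-Content -Stream`. And as Jeff observed, deleting the Run value while the owning process is alive does not stick, so the order that has a chance of working is: copy the stream out, kill the process (ActivePorts or `Stop-Process -Id`), remove the stream, then remove the value, and re-run this script to confirm nothing came back.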

