New SDBot variant

["Christopher Harrington" <charrington () nitrodata com>]

All,

We are seeing what may be a new variant of SDBot. This variant spreads by
exploiting the LSASS vulnerability. Once infected, the machine joins an IRC
Bot net via TCP 6667. Some of the infected machines then download an
executable via TFTP. This transfer is initiated over IRC. I have attached
the Bintext output and an md5 for the file. The executable is named
NTAPI32.exe and is downloaded to the system32 directory. The exe is 143.03
kb. I tried Symantec, Trend, F-Secure and Sophos...none could identify it. 

In the IRC logs there these entries:

PRIVMSG #irc :[lsass]: Exploiting IP: 10.x.x.x.
PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.x.x.x
(C:\WINDOWS\System32\ntapi32.exe)

A quick (and untested :)) signature below:

alert tcp any any -> any any ( msg: "LSASS expolit via IRC, possible SDBot
variant"; content: ":[lsass]: Exploiting IP:"; classtype: misc-activity;
rev: 1;)
 
I will post more when I have it.

Regards,

--Chris

--
Christopher Harrington, CISSP
Director of Security Engineering
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com

Attachment: NTAPI32.md5
Description:

Attachment: bintext.txt
Description: