Re: NKADM rootkit - Something new?

[Brian Eckman <eckman () umn edu>]

Jeremy Pollack wrote:

> Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and have 
> been  running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have a full 
> picture of the whole thing yet, but what I do know is:


<snip bunch of stuff>

> NKADM.INI
>
> [Hidden Table]
> nkadm*
> slimftpd.conf
> slimftpd.log
>
> [Root Processes]
> nkadm*
> ioA.exe
> ioGroups.exe
> ioLimitTransfers.exe
> ioUptime.exe
> ioZS.exe
> ioNewDay.exe
> SiteWho.exe
>
> [Hidden Services]
> nkserv*
> nkadm*
>         
> [Hidden RegKeys]
> nkadm*
> NKADM*
> LEGACY_NKADM*
>             
> [Hidden RegValues]
>              
> [Startup Run]
>
> [Free Space]
>
> [Hidden Ports]
> TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
>
> [Settings]  
> Password=pr3ssF1
> BackdoorShell=nkadmß$.exe
> FileMappingName=nkfolderrun
> ServiceName=nkadmhxdef100
> Se|rviceDisplayName=Backup Service
> ServiceDescription=Makes the Cow go M00
> DriverName=nkadmhxdefdrv100
> DriverFileName=nkadmdriver.sys

<more snippage>

Looks just like Hacker Defender to me. http://hxdef.czweb.org/

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota