Re: Re: NKADM rootkit

[Jeremy Pollack <jpollack2 () cox net>]

Thank you all for the feedback. I downloaded the Hacker Defender and, after telling Symantec to ignore it, I'll take a 
look at it.



> From: Brian Eckman <eckman () umn edu>
> Date: 2004/05/26 Wed AM 10:54:51 EDT
> To: incidents () securityfocus com
> Subject: Re: NKADM rootkit - Something new?
>
> Jeremy Pollack wrote:
>
> > Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and 
> > have been  running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have 
> > a full picture of the whole thing yet, but what I do know is:
>
>
> <snip bunch of stuff>
>
> > NKADM.INI
> >
> > [Hidden Table]
> > nkadm*
> > slimftpd.conf
> > slimftpd.log
> >
> > [Root Processes]
> > nkadm*
> > ioA.exe
> > ioGroups.exe
> > ioLimitTransfers.exe
> > ioUptime.exe
> > ioZS.exe
> > ioNewDay.exe
> > SiteWho.exe
> >
> > [Hidden Services]
> > nkserv*
> > nkadm*
> >         
> > [Hidden RegKeys]
> > nkadm*
> > NKADM*
> > LEGACY_NKADM*
> >             
> > [Hidden RegValues]
> >              
> > [Startup Run]
> >
> > [Free Space]
> >
> > [Hidden Ports]
> > TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
> >
> > [Settings]  
> > Password=pr3ssF1
> > BackdoorShell=nkadmß$.exe
> > FileMappingName=nkfolderrun
> > ServiceName=nkadmhxdef100
> > Se|rviceDisplayName=Backup Service
> > ServiceDescription=Makes the Cow go M00
> > DriverName=nkadmhxdefdrv100
> > DriverFileName=nkadmdriver.sys
>
> <more snippage>
>
> Looks just like Hacker Defender to me. http://hxdef.czweb.org/
>
> Brian
> -- 
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota