Re: NKADM rootkit - Something new?

[Harlan Carvey <keydet89 () yahoo com>]

This is an excellent example of what happens when you
take the easy route and look at something
(particularly on Windows systems) based on filenames
or open ports...both are configurable in most cases.


--- Brian Eckman <eckman () umn edu> wrote:
> Jeremy Pollack wrote:
>
> > Has anyone seen this NKADM rootkit? Four of the
> servers here were exploited at some point in the
> past 30 days and have been  running this combination
> rootkit+ftp server. My searches have not hit
> anything. I definitely do not have a full picture of
> the whole thing yet, but what I do know is:
>
>
> <snip bunch of stuff>
>
> > NKADM.INI
> >
> > [Hidden Table]
> > nkadm*
> > slimftpd.conf
> > slimftpd.log
> >
> > [Root Processes]
> > nkadm*
> > ioA.exe
> > ioGroups.exe
> > ioLimitTransfers.exe
> > ioUptime.exe
> > ioZS.exe
> > ioNewDay.exe
> > SiteWho.exe
> >
> > [Hidden Services]
> > nkserv*
> > nkadm*
> >         
> > [Hidden RegKeys]
> > nkadm*
> > NKADM*
> > LEGACY_NKADM*
> >             
> > [Hidden RegValues]
> >              
> > [Startup Run]
> >
> > [Free Space]
> >
> > [Hidden Ports]
TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
> > [Settings]  
> > Password=pr3ssF1
> > BackdoorShell=nkadmß$.exe
> > FileMappingName=nkfolderrun
> > ServiceName=nkadmhxdef100
> > Se|rviceDisplayName=Backup Service
> > ServiceDescription=Makes the Cow go M00
> > DriverName=nkadmhxdefdrv100
> > DriverFileName=nkadmdriver.sys
>
> <more snippage>
>
> Looks just like Hacker Defender to me.
> http://hxdef.czweb.org/
>
> Brian
> -- 
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota