Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: Kirby Angell <kangell () alertra com>
Date: Thu, 09 Sep 2004 15:14:18 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WARNING:  To anyone who requested I send them the archive.  The "doze4"
application in it is DEFINITELY INFECTED WITH Linux/RST.B.  Do not run
it on anything but a test environment.


This might be some different version of Rst-B.  I created a simple C
program with just a 1 line main function and had doze4 infect it.  The
program size jumped by 4k, but I can't find the strings "snortdos" or
"tory" in the infected version.  The rest works as advertised.  I
compiled another version of the C program and then ran the infected
version and sure enough it infected the new copy too.

I think this might be a mutation of RST.B since the descriptions of this
virus do not mention the DOS aspects.  Hey, here's a thought, maybe the
attacker was infected with RST.B and didn't know it?  That would be so
funny.

I don't know what was wrong before, but with a newly generated virtual
machine, I can now capture the packets it sends:

$ ./doze4 192.168.30.40 53 192.168.30.100

No.     Time        Source                Destination           Protocol Info
  39823 0.000145    192.168.30.90         192.168.30.40         DNS      Unknown operation (6)[Malformed Packet]

Frame 39823 (52 bytes on wire, 52 bytes captured)
    Arrival Time: Sep  9, 2004 14:23:03.370487000
    Time delta from previous packet: 0.000145000 seconds
    Time since reference or first frame: 7.331984000 seconds
    Frame Number: 39823
    Packet Length: 52 bytes
    Capture Length: 52 bytes
Ethernet II, Src: 00:0c:29:c7:df:de, Dst: 00:0c:29:8d:64:9a
    Destination: 00:0c:29:8d:64:9a (Vmware_8d:64:9a)
    Source: 00:0c:29:c7:df:de (Vmware_c7:df:de)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.30.90 (192.168.30.90), Dst Addr: 192.168.30.40 (192.168.30.40)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 38
    Identification: 0x6a27 (27175)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x12cd (correct)
    Source: 192.168.30.90 (192.168.30.90)
    Destination: 192.168.30.40 (192.168.30.40)
User Datagram Protocol, Src Port: 1025 (1025), Dst Port: domain (53)
    Source port: 1025 (1025)
    Destination port: domain (53)
    Length: 18
    Checksum: 0x38b7 (correct)
Domain Name System (query)
    Transaction ID: 0x3031
    Flags: 0x3233 (Unknown operation)
        0... .... .... .... = Response: Message is a query
        .011 0... .... .... = Opcode: Unknown (6)
        .... ..1. .... .... = Truncated: Message is truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data OK: Non-authenticated data is acceptable
    Questions: 13365
    Answer RRs: 13879
    Authority RRs: 14393
[Malformed Packet: DNS]

0000  00 0c 29 8d 64 9a 00 0c 29 c7 df de 08 00 45 00   ..).d...).....E.
0010  00 26 6a 27 40 00 40 11 12 cd c0 a8 1e 5a c0 a8   .&j'@.@......Z..
0020  1e 28 04 01 00 35 00 12 38 b7 30 31 32 33 34 35   .(...5..8.012345
0030  36 37 38 39                                       6789


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBQLma21unUZAE9MARAk+GAJ4sqWxfiY1E7TReNK00zt8LPRHVEQCeIiOd
MpRWsIHm/l5rEzi6BJHN/PE=
=xOTe
-----END PGP SIGNATURE-----
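Added example, not part of Kirby's mail and not code from the doze4 binary: a small Python decoder that re-parses the hex dump of frame 39823 above, recomputes the IP and UDP checksums, and decodes the UDP payload the way the DNS dissector did. It makes the "malformed" verdict concrete: the payload is the ten ASCII bytes "0123456789", so the dissector reads "01" as the transaction ID, "23" as the flags (opcode 6, TC set), "45"/"67"/"89" as the RR counts, and then runs out of bytes before the additional-RR count. The classify() heuristic at the end is my own defender-side sketch of what to key on when hunting for this kind of junk-to-port-53 flood; the field names are my choice.

```python
import string
import struct

# Constructed sample: the bytes of frame 39823, copied from the four hex-dump
# lines (offsets 0000..0030) in the post and joined into one bytes object.
FRAME_HEX = " ".join([
    "00 0c 29 8d 64 9a 00 0c 29 c7 df de 08 00 45 00",
    "00 26 6a 27 40 00 40 11 12 cd c0 a8 1e 5a c0 a8",
    "1e 28 04 01 00 35 00 12 38 b7 30 31 32 33 34 35",
    "36 37 38 39",
])
FRAME = bytes.fromhex(FRAME_HEX)

# Opcodes a resolver would normally emit or accept from a client (RFC 1035 and
# later: QUERY, IQUERY, STATUS, NOTIFY, UPDATE). Anything else is worth a look.
USUAL_OPCODES = {0, 1, 2, 4, 5}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP and whatever DNS header bytes the payload has."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, _flags, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    src, dst = ip[12:16], ip[16:20]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, udp_csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]

    # IP checksum is over the header with its checksum field zeroed.
    ip_ok = internet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == ip_csum
    # UDP checksum covers the IPv4 pseudo-header, the UDP header (checksum
    # zeroed) and the payload.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    udp_ok = internet_checksum(pseudo + udp[:6] + b"\x00\x00" + payload) == udp_csum

    # A DNS header is 12 bytes; decode as many 16-bit words as are present so
    # the partial decode matches what the dissector printed.
    dns = {"header_complete": len(payload) >= 12}
    names = ("txid", "flags", "questions", "answer_rrs", "authority_rrs", "additional_rrs")
    nwords = min(len(payload), 12) // 2
    dns.update(zip(names, struct.unpack("!%dH" % nwords, payload[: nwords * 2])))
    if "flags" in dns:
        f = dns["flags"]
        dns["is_query"] = not (f >> 15)
        dns["opcode"] = (f >> 11) & 0xF
        dns["truncated"] = bool(f & 0x0200)
        dns["recursion_desired"] = bool(f & 0x0100)
        dns["ad"] = bool(f & 0x0020)

    return {
        "ip": {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
               "id": ident, "ttl": ttl, "checksum_ok": ip_ok},
        "udp": {"sport": sport, "dport": dport, "length": ulen, "checksum_ok": udp_ok},
        "dns": dns,
        "payload": payload,
    }


def classify(parsed: dict) -> str:
    """Defender's verdict: does this port-53 datagram look like DNS at all?"""
    dns, payload = parsed["dns"], parsed["payload"]
    reasons = []
    if not dns["header_complete"]:
        reasons.append("payload shorter than the 12-byte DNS header")
    if dns.get("opcode") not in USUAL_OPCODES:
        reasons.append("opcode %r is unusual for client traffic" % dns.get("opcode"))
    if payload and payload.isascii() and all(chr(b) in string.printable for b in payload):
        reasons.append("payload is printable ASCII %r" % payload)
    return "not DNS: " + "; ".join(reasons) if reasons else "plausible DNS"


if __name__ == "__main__":
    p = parse_frame(FRAME)
    print("IP checksum ok:", p["ip"]["checksum_ok"], " UDP checksum ok:", p["udp"]["checksum_ok"])
    print("DNS header:", p["dns"])
    print(classify(p))
```

Both checksums verify, which is the point worth remembering: the IP and UDP layers of this flood are entirely well-formed, and only the DNS dissector objects. A rule that looks for datagrams to port 53 whose payload is shorter than a DNS header, or is wholly printable text, will catch this traffic regardless of what the packet tool labels it.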

