Security Incidents mailing list archives

Malware/trojan attacks


From: "Goetz, Richard" <RGoetz () Kronos com>
Date: Tue, 24 Oct 2006 10:53:52 -0400

Over the last several months we have on more than one occasion uncovered a number of Trojans that appear to be seeking corporate information, sending that over a chat session to/through several European sites and downloading additional programs to the infected computer. Here's a short synopsis of the type of conversations one of our people uncovered on a laptop on the network:


Contacts 203.121.73.136 on port TCP/17555. IRC commands were sent to the workstation to run a command "staticftp" 70.84.109.84 to download a program x.exe.
Instructed to launch 5 scans (netapi on port 137, wkssvc port 445, asn on port 445, dcom on port 135 and lsass on port 445).
Connects to 66.36.243.116 on TCP/80 and starts a PHP-based conversation, giving the workstation credentials to the host and receiving the following information:
    CARGO:smtp_purple;
    MOD:smtp;
    PATH:http://niuqennaois.com/s2.5.exe;
    SERVER:209.160.64.216;
    REFRESH:2700;
    KEY:864a1bae77fc8053055d02550ed7b49c;
Connects to 195.49.141.23 on TCP/3144, retrieving unreadable data.
Connects to 66.36.243.116 on TCP/80, exchanging credentials via PHP:
  To host:
    uuid <wsname>_547611528
    wv mag5_min0_build2195_Service_Pack_4
    cargo
    check purple
  To workstation:
    REFRESH:3600;
    KEY: 864a1bae77fc8053055d02550ed7b49c;
HTTP connections are made to 66.45.232.66, 66.36.243.116 to perform similar PHP and download conversations.
Three way TCP handshakes are attempted to 74.52.53.66, 68.142.212.41 and 68.142.212.93 on TCP/80, but no further conversation was made.


My questions are:

1. Are other folks in the community seeing this kind of activity?
2. Aside from deleting what you can find, what other actions are recommended/required?
3. Who, if anyone, in the community or law enforcement should be notified?

If this post should be somewhere else, please let me know. 

Thanks,

Richard Goetz
IT Security Officer
Kronos, Incorporated
Phone: 978-947-2819
Fax: 978-256-3919
RGoetz () Kronos com

Experts at Improving the Performance of People and Business
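
As an added example (not part of the original post and not from any named tool), the following Python parses the "NAME:value;" check-in responses quoted in the post above, applies a simple heuristic for recognising such a tasking response, and extracts the download host, server and key so a defender can feed them to a blocklist or alert. The field names and sample values are copied from the post; the function names and the heuristic are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample bodies built from the fields and values quoted in the post.
FIRST_RESPONSE = (
    "CARGO:smtp_purple;MOD:smtp;PATH:http://niuqennaois.com/s2.5.exe;"
    "SERVER:209.160.64.216;REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;"
)
SECOND_RESPONSE = "REFRESH:3600;\nKEY: 864a1bae77fc8053055d02550ed7b49c;"

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_checkin(body):
    """Split a 'NAME:value;' response into a dict; surrounding whitespace and newlines are ignored."""
    fields = {}
    for item in body.split(";"):
        if ":" not in item:
            continue
        name, value = item.split(":", 1)
        fields[name.strip().upper()] = value.strip()
    return fields


def looks_like_checkin(body):
    """Heuristic (assumption): a tasking response carries a numeric REFRESH and a 32-hex KEY."""
    f = parse_checkin(body)
    return f.get("REFRESH", "").isdigit() and bool(HEX32.match(f.get("KEY", "")))


def extract_indicators(fields):
    """Collect hosts, download URLs, the key and the beacon interval for blocklists and alert context."""
    hosts, urls = set(), set()
    if "PATH" in fields:
        url = fields["PATH"]
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
        urls.add(url)
    if "SERVER" in fields:
        hosts.add(fields["SERVER"])
    refresh = fields.get("REFRESH", "")
    return {
        "hosts": hosts,
        "urls": urls,
        "key": fields.get("KEY"),
        "refresh_seconds": int(refresh) if refresh.isdigit() else None,
    }


if __name__ == "__main__":
    for body in (FIRST_RESPONSE, SECOND_RESPONSE, "<html>ok</html>"):
        print(looks_like_checkin(body), extract_indicators(parse_checkin(body)))
```

The REFRESH value gives the expected beacon period (2700 then 3600 seconds here), which is useful for spotting the periodic HTTP check-ins in proxy logs.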



