RE: Malware/trojan attacks

[Harlan Carvey <keydet89 () yahoo com>]

James,

> In this case I think you have mislabed a trojan with
> a rootkit.

Just out of curiosity, what are you seeing that leads
you to say this?  I'm not sure that I see anything in
Richard's original email that suggests a rootkit at
this point.
 
> You should determine (if possible) what rootkit has
> infected the machine.
> It sounds like a new variant or perhaps a new tool
> altogether.

Again, what leads you to think this, if you don't mind
me asking?
 
> I would suggest wiping the box and rebuilding it if
> you cannot determine
> exactly what is the culprit or any way to clean it.

Hhhmmm...if it is a rootkit, then perhaps
wiping/reinstalling may be the way to go, but I'd
suggest further investigation and a root cause
analysis first.  Even if Richard were to find out what
the malware is (looks like an IRCbot at this point),
without a root cause analysis (and subsequent actions
as a result), the system will likely be reinfected all
over again.

> To answer your questions:
>
> 1.  No, I have not seen this in our nets.
>
> 2.  I answered this above.
>
> 3.  Probably not.  There is nothing law enforcement
> can do unless there is a
> substantial loss.  You are ultimately responsible
> for what gets installed on
> your machines regardless of the method of
> installation.  Now, if you find
> someone using data that you can prove could only
> have been acquired by this
> method, then you should discuss with your legal
> department about your
> options and what you will need to do to provide
> proof of this infringment.
>
>
> Cheers,
>
> James Friesen, CIO
> Lucretia Enterprises
> Our World Is Here
> info at lucretia dot ca
> http://lucretia.ca
>
>
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com] On Behalf Of
> Goetz, Richard
> > Sent: Tuesday, October 24, 2006 8:54 AM
> > To: incidents () securityfocus com
> > Subject: Malware/trojan attacks
> >
> > Over the last several months we have on more than
> one
> > occasion uncovered a number of Trojans that appear
> to be
> > seeking corporate information, sending that over a
> chat
> > session to/through several European sites and
> downloading
> > additional programs to the infected computer.
> Here's a short
> > synopsis of the type of conversations one of our
> people
> > uncovered on a laptop on the network:
> >
> >
> > Contacts 203.121.73.136 on port TCP/17555.  IRC
> commands were
> > sent to the workstation to run a command
> "staticftp"
> > 70.84.109.84 to download a program x.exe.
> Instructed to
> > launch 5 scans (netapi on port 137, wkssvc port
> 445, asn on
> > port 445, dcom on port 135 and lsass on port 445).
> Connects
> > to 66.36.243.116 on TCP/80 and starts a PHP-based
> > conversation, giving the workstation credentials
> to the host
> > and receiving the following information:
> > CARGO:smtp_purple;
> > MOD:smtp;
> > PATH:http://niuqennaois.com/s2.5.exe;
> > SERVER:209.160.64.216;
> > REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;
> > Connects to 195.49.141.23 on TCP/3144, retrieving
> unreadable
> > data Connects to 66.36.243.116 on TCP/80,
> exchanging
> > credentials via PHP:
> > To host:
> > uuid <wsname>_547611528
> > wv mag5_min0_build2195_Service_Pack_4
> > cargo
> > check purple
> > To workstation:
> > REFRESH:3600;
> > KEY: 864a1bae77fc8053055d02550ed7b49c;
> > HTTP connections are made to 66.45.232.66,
> 66.36.243.116 to
> > perform similar PHP and download conversations.
> > Three way TCP handshakes are attempted to
> 74.52.53.66,
> > 68.142.212.41and 68.142.212.93 on TCP/80, but no
> further
> > conversation was made.
> >
> >
> >  My questions are:
> >
> > 1. Are other folks in the community seeing this
> kind of activity?
> > 2. What, aside from deleting what you can find
> what other
> > actions are recommended/required?
> > Who, if anyone, in the community or law
> enforcement should be
> > notified?
> >
> > If this post should be somewhere else, please let
> me know.
> > Thanks,
> >
> > Richard Goetz
> > IT Security Officer
> > Kronos, Incorporated
> > Phone: 978-947-2819
> > Fax: 978-256-3919
> > RGoetz () Kronos com
> >
> > Experts at Improving the Performance of People and
> Business
> >  
--------------------------------------------------------------
> > ----------------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA,
> July 29-August
> > 3 in Las Vegas.
> > World renowned security experts reveal tomorrow's
> threats
> > today. Free of vendor pitches, the Briefings are
> designed to
> > be pragmatic regardless of your security
> environment.
> > Featuring 36 hands-on training courses and 10
> conference
> > tracks, networking opportunities with over 2,500
> delegates
> > from 40+ nations.
> >
> > http://www.blackhat.com
--------------------------------------------------------------
> > ----------------
------------------------------------------------------------------------------
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July
> 29-August 3 in Las Vegas. 
> World renowned security experts reveal tomorrow's
> threats today. Free of 
> vendor pitches, the Briefings are designed to be
> pragmatic regardless of your 
> security environment. Featuring 36 hands-on training
> courses and 10 conference 
> tracks, networking opportunities with over 2,500
> delegates from 40+ nations. 
>
> http://www.blackhat.com
------------------------------------------------------------------------------
>


------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------