[Intrusions] Interesting little piece of malware...
Matthew Sowers
msowers77 at msn.com
Wed Sep 15 17:43:15 GMT 2004
Seems to me to be Rbot or something very similar, maybe Rxbot. And it's using the DCOM exploit, one of the kiddies' new favorites right now. It's not malware; somewhere along the line you guys got rooted. Rbot is one of the favorites now. I have a couple of them if you would like to take a look at them to see where it installs itself, so you could get an idea of where it's located.
----- Original Message -----
From: Andrew Daviel <andrew at andrew.triumf.ca>
To: Intrusions List <intrusions at lists.sans.org>
Sent: Wednesday, September 15, 2004 12:28 AM
Subject: Re: [Intrusions] Interesting little piece of malware...
On Tue, 11 May 2004, Jim Becher wrote:
>
> On a couple of machines today (started first thing this morning), I started
> noticing Welchia type scanning (local class B preference, port 135, etc). I
> also noticed some IRC command and control traffic from the machines that
> were responsible for the scanning. The scanning activity was all from
> all WinXP and Win2K machines. Symantec anti-virus running, updated sigs in
> the last few days. Symantec wasn't flagging anything.
We have seen something similar here, though I don't have any details on
the infected machines at this point (shut down 3 and worked on #4, but it
turned out to be an unrelated problem).
There was traffic to an IRC server in Taiwan (210.240.39.17). I think it
was used as a reporting venue. Traffic included things like:
JOIN #ur omfw
Random Port Scan started on Y.Y.x.x:135 with a delay of 5 seconds for
0 minutes using 100 threads.
PRIVMSG #ur :[Dcom135]: Exploiting IP: nnn.nnn.nnn.nnn
:[mtr]|496289!~sdhnmjf@=42ml-45.xxxxx.xx.com PRIVMSG #ur :[TFTP]:
File transfer complete to IP: nnn.nnn.nnn.nnn
(C:\WINDOWS\System32\MSupdate.exe).
This seemed to start up sometime this morning I think; at least, we
noticed the local traffic setting off alarms then.
The IRC server appeared to be running on a Windows machine used as a
webserver; Chinese text, no English. I haven't tried contacting them yet.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca
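The IRC fragments Andrew quotes above (the channel JOIN with a key, the "Random Port Scan started" announcement, the "[Dcom135]: Exploiting IP:" report and the "[TFTP]: File transfer complete" report naming the dropped file) are exactly the kind of text a network sensor can match on to find infected hosts before the AV vendor ships a signature. The following is an added example, not code from either poster or from the SANS list: a small Python classifier that parses IRC lines in that shape and flags any client host that emits more than one kind of bot-style report. The regexes are my reading of the fragments quoted in the post and are assumptions about how this bot formats its messages; the sample lines are constructed (RFC 5737 documentation addresses), not captured traffic.

```python
import re
from collections import defaultdict

# IRC message prefix ":nick!user@host <rest>" as seen on the wire.
IRC_PREFIX = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+(?P<rest>.*)$"
)

# Indicator patterns modelled on the fragments quoted in the post above.
# These are assumptions about this bot's report format, not vendor signatures;
# adjust them to what your own captures show.
INDICATORS = [
    ("join", re.compile(r"^JOIN\s+(?P<channel>#\S+)(?:\s+(?P<key>\S+))?")),
    ("portscan_report", re.compile(
        r"Random Port Scan started on (?P<target>\S+):(?P<port>\d+) "
        r"with a delay of (?P<delay>\d+) seconds")),
    ("exploit_report", re.compile(
        r"PRIVMSG (?P<channel>#\S+) :\[(?P<module>\w+)\]: Exploiting IP: (?P<victim>\S+)")),
    ("tftp_report", re.compile(
        r"PRIVMSG (?P<channel>#\S+) :\[TFTP\]: File transfer complete to IP: "
        r"(?P<victim>\S+)(?:\s+\((?P<path>[^)]*)\))?")),
]

# Constructed sample traffic (documentation IPs), shaped like the quoted fragments.
SAMPLE_LINES = [
    ":bot1!~abc@192.0.2.10 JOIN #ur omfw",
    ":bot1!~abc@192.0.2.10 PRIVMSG #ur :Random Port Scan started on 192.0.2.x:135 "
    "with a delay of 5 seconds for 0 minutes using 100 threads.",
    ":bot1!~abc@192.0.2.10 PRIVMSG #ur :[Dcom135]: Exploiting IP: 192.0.2.55",
    r":bot1!~abc@192.0.2.10 PRIVMSG #ur :[TFTP]: File transfer complete to IP: "
    r"192.0.2.55 (C:\WINDOWS\System32\MSupdate.exe).",
    ":alice!~alice@198.51.100.7 PRIVMSG #chat :anyone seen the game last night?",
]


def classify_line(line):
    """Return a dict describing the indicator a line matches, or None."""
    m = IRC_PREFIX.match(line.strip())
    if m:
        source, rest = m.group("host"), m.group("rest")
    else:
        # No prefix: a raw client->server command, source unknown.
        source, rest = None, line.strip()
    for kind, pattern in INDICATORS:
        hit = pattern.search(rest)
        if hit:
            return {"kind": kind, "source": source, **hit.groupdict()}
    return None


def summarize(lines):
    """Group indicator hits by the client host that sent them."""
    report = defaultdict(lambda: {"kinds": set(), "victims": set(), "payloads": set()})
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        entry = report[hit["source"] or "<no-prefix>"]
        entry["kinds"].add(hit["kind"])
        if hit.get("victim"):
            entry["victims"].add(hit["victim"])
        if hit.get("path"):
            entry["payloads"].add(hit["path"])
    return dict(report)


def suspected_bots(lines, min_kinds=2):
    """Hosts that emitted at least min_kinds distinct bot-style reports.

    One match alone (a JOIN, say) is normal IRC; several different report
    types from the same client is what separates a bot from a chat user.
    """
    return {host for host, e in summarize(lines).items() if len(e["kinds"]) >= min_kinds}


if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_LINES).items():
        print(host, sorted(entry["kinds"]), sorted(entry["victims"]), sorted(entry["payloads"]))
    print("suspected bots:", suspected_bots(SAMPLE_LINES))
```

Feed it lines reassembled from a capture (for example, TCP payloads of port 6667 sessions split on CRLF) and the "victims" set tells you which internal hosts the bot claims to have pushed its binary to, which is the list to image before the AV catches up.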
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions