[Intrusions] Interesting little piece of malware...
Chris Harrington
charrington at nitrodata.com
Tue Sep 21 17:36:37 GMT 2004
I did a writeup on the rxbot a while back. It may be of some use. The
customers that we saw that were infected got it by laptops being brought in
that had old virus defs. The inor.b trojan dropper was responsible for at
least one of the two.
http://www.nitroguard.com/rxbot.html
--Chris
--
Christopher Harrington, CISSP
Senior Security Engineer
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of don murdoch
Sent: Monday, September 20, 2004 8:31 PM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] Interesting little piece of malware...
On this R-BOT and RX-Bot thread - we are seeing this at my U, or so I hear,
and we have a few machines with it. Anyone have any solid advice on how to
get rid of it? Further, what do I tell management ... when they want to know
how it got on here in the first place?
We have seen ....
DNS floods w/ constructed addresses that don't resolve.
lots of traffic to an IRC server.
Further exploit attempts.
DCom scans.
Thanks
Matthew Sowers wrote:
> Seems to me to be Rbot or something very similar. Maybe Rxbot. And it's
> using the dcom exploit, one of the kiddies' new favorites right now. It's not
> malware, somewhere along the line you guys got rooted. Rbot is one of the
> favorites now; I have a couple of them if you would like to take a look at
> them to see where it installs itself so you could get an idea of where it's
> located.
> ----- Original Message -----
> From: Andrew Daviel <andrew at andrew.triumf.ca>
> To: Intrusions List <intrusions at lists.sans.org>
> Sent: Wednesday, September 15, 2004 12:28 AM
> Subject: Re: [Intrusions] Interesting little piece of malware...
>
>
> On Tue, 11 May 2004, Jim Becher wrote:
>
> >
> > On a couple of machines today (started first thing this morning), I
> > started noticing Welchia-type scanning (local class B preference,
> > port 135, etc). I also noticed some IRC command and control
> > traffic from the machines that were responsible for the scanning.
> > The scanning activity was all from WinXP and Win2K
> > machines. Symantec anti-virus running, updated sigs in the last few
> > days. Symantec wasn't flagging anything.
>
> We have seen something similar here, though I don't have any details
> on the infected machines at this point (shut down 3 and worked on #4,
> but it turned out to be an unrelated problem).
>
> There was traffic to an IRC server in Taiwan (210.240.39.17). I think
> it was used as a reporting venue. Traffic included things like:
> JOIN #ur omfw
> Random Port Scan started on Y.Y.x.x:135 with a delay of 5 seconds for
> 0 minutes using 100 threads.
> PRIVMSG #ur :[Dcom135]: Exploiting IP: nnn.nnn.nnn.nnn
> :[mtr]|496289!~sdhnmjf@=42ml-45.xxxxx.xx.com PRIVMSG #ur :[TFTP]:
> File transfer complete to IP: nnn.nnn.nnn.nnn
> (C:\WINDOWS\System32\MSupdate.exe).
>
> This seemed to start up sometime this morning I think; at least, we
> noticed the local traffic setting off alarms then.
>
> The IRC server appeared to be running on a Windows machine used as a
> webserver; Chinese text, no English. I haven't tried contacting them yet.
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at triumf.ca
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
--
------------------------------------------------
From the home box of Don Murdoch, CISSP + others
SANS - Local Mentor / GCIH Grader
To fight and conquer in all your battles is not supreme excellence; supreme
excellence consists in breaking the enemy's resistance without fighting.
-Sun Tzu, the Art of War
Opinions expressed are mine, usually right, and don't reflect others. OH -
and this isn't a UETA compliant digital signature.
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
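As an added illustration (not part of the thread or of any poster's message): the bot status reports Andrew Daviel quoted from the IRC channel ("[Dcom135]: Exploiting IP: ...", "[TFTP]: File transfer complete to IP: ... (path)", "Random Port Scan started on ...") have a fixed text format, so a responder who has a capture of the IRC session can flag every host that posted one and pull the sender list straight out of the traffic. The Python below does that over a constructed sample capture. The report strings are the ones quoted in the thread; the regular expressions, the nicks and hostmasks, and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for this example.

```python
"""Flag IRC bot status reports in captured PRIVMSG traffic.

Report formats ([Dcom135], [TFTP], scan-start text) are those quoted in the
thread; the regexes, the sample capture, nicks and host names are constructed
for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Bot status-report formats as quoted in the thread. Each regex captures the
# detail a responder wants: the scan range, the target IP, or the dropped file.
BOT_REPORT_PATTERNS = {
    "scan_start": re.compile(
        r"Random Port Scan started on (\S+) with a delay of \d+ seconds"),
    "dcom135_exploit": re.compile(r"\[Dcom135\]: Exploiting IP: " + IPV4),
    "tftp_transfer": re.compile(
        r"\[TFTP\]: File transfer complete to IP: " + IPV4 + r"\s*\(([^)]*)\)"),
}

# Minimal PRIVMSG parser (RFC 1459 shape): optional ":prefix ", the command,
# the target, then ":trailing text". Other commands (JOIN, PING, ...) are skipped.
IRC_PRIVMSG = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


@dataclass(frozen=True)
class BotAlert:
    kind: str      # key from BOT_REPORT_PATTERNS
    channel: str   # IRC target the report was posted to
    sender: str    # nick before '!' in the prefix; '' for client->server lines
    detail: str    # captured scan range / target IP / dropped file path


def parse_privmsg(line):
    """Return (nick, target, text) for a PRIVMSG line, else None."""
    m = IRC_PRIVMSG.match(line.strip())
    if m is None:
        return None
    prefix = m.group("prefix") or ""
    nick = prefix.split("!", 1)[0]
    return nick, m.group("target"), m.group("text")


def detect_bot_reports(lines):
    """Scan captured IRC lines and return one BotAlert per matching report."""
    alerts = []
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        nick, target, text = parsed
        for kind, pattern in BOT_REPORT_PATTERNS.items():
            m = pattern.search(text)
            if m:
                # Join all groups so the TFTP alert keeps both the IP and the path.
                alerts.append(BotAlert(kind, target, nick, " ".join(m.groups())))
    return alerts


def infected_nicks(alerts):
    """Count reports per sending nick; each nick is one compromised host to triage."""
    return Counter(a.sender for a in alerts if a.sender)


# Constructed sample capture mirroring the fragments quoted in the thread.
SAMPLE_CAPTURE = [
    "JOIN #ur omfw",
    ":bot|496289!~u@host-1.example PRIVMSG #ur :Random Port Scan started on "
    "192.0.2.0:135 with a delay of 5 seconds for 0 minutes using 100 threads.",
    ":bot|496289!~u@host-1.example PRIVMSG #ur :[Dcom135]: Exploiting IP: 192.0.2.44",
    ":bot|496289!~u@host-1.example PRIVMSG #ur :[TFTP]: File transfer complete "
    "to IP: 192.0.2.44 (C:\\WINDOWS\\System32\\MSupdate.exe).",
    ":bot|118200!~v@host-2.example PRIVMSG #ur :[Dcom135]: Exploiting IP: 192.0.2.77",
    ":someone!~x@host-3.example PRIVMSG #ur :hello, anyone here?",
    "PING :irc.example",
]

if __name__ == "__main__":
    found = detect_bot_reports(SAMPLE_CAPTURE)
    for a in found:
        print(f"{a.kind:16} from {a.sender:12} in {a.channel}: {a.detail}")
    print("reports per nick:", dict(infected_nicks(found)))
```

The per-nick count is the useful output for the clean-up question raised in the thread: each nick that posted a report maps to one machine on the local network to take offline and rebuild, and the TFTP path tells the responder which dropped file to look for on it. The report strings vary between bot builds, so treat these patterns as indicators tied to this particular sample rather than a general Rbot signature.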