[Dshield] Simultaneous MSBlaster and ??? attack?

Danny drh26 at drexel.edu
Wed Aug 13 16:38:25 GMT 2003


Yes, there are several toolkits like this floating around. I'll give
you a couple of things to check for.

Check to see if you have an "update.exe" in the root of your C drive;
there will also probably be an "update" folder with the MS RPC patch
files in it. If this file/folder exists, do a netstat -an from a command
prompt. You will more than likely see a high port listening. Download
fport (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm)
and run it, piping the output to a file ("fport.exe > fport.txt"); this
will create a text file with the output of the fport program. Open the
fport.txt file in Notepad and look for the high port; this should map
which application has the port open. If the port does not appear in the
fport output, then map the drive from a remote computer
("\\IP.OF.INFECTED.HOST\c$").

Once you have the C drive mounted on a different system, do a search for
"csr*" on the file system. You should see CSRSS.exe, which is a legitimate
system file, but you will probably see more files: csrsrv.exe and
csrsx.exe or csrsu.exe (the last letter of this file often changes).

If you do see these files on the system when the drive is mounted on a
different system, go back to the local infected machine and search for
them; chances are they will be hidden/stealthed so you can't see them.

The csrsrv.exe file is the exe stealth program from webtoolmaster.com,
and csrs[a-z].exe is a backdoor that is hidden by the exe stealther.

Basically what this stealth program is doing is hiding any  
files/registry keys that begin with the string csr.

We removed this by booting into Windows PE and removing the registry
entries and files from the system; however, booting into safe mode and
doing the same may work, though we've not tested it.

The registry keys that this toolset created are below.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX]
"DisplayName"=(REG_SZ)"Clipboard"
"ErrorControl"=(REG_DWORD)"0x0"
"ImagePath"=(REG_EXPAND_SZ)"C:\\WINNT\\system32\\csrsrv -k csrspx"
"ObjectName"=(REG_SZ)"LocalSystem"
"Start"=(REG_DWORD)"0x2"
"Type"=(REG_DWORD)"0x20"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX\Enum]
"0"=(REG_SZ)"Root\\LEGACY_CSRSPX\\0000"
"Count"=(REG_DWORD)"0x1"
"NextInstance"=(REG_DWORD)"0x1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX\Security]
"Security"=(REG_BINARY)"01001480A0000000AC000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020070000400000000001800FD0102000101000000000005120000000000000000001C00FF010F000102000000000005200000002002000000000000000018008D01020001010000000000050B0000002002000000001C00FD01020001020000000000052000000023020000000000000101000000000005120000000101000000000005 12000000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSX]
"Description"=(REG_SZ)"CSRS Windows NT"
"DisplayName"=(REG_SZ)"CSRS Windows NT"
"ErrorControl"=(REG_DWORD)"0x1"
"ImagePath"=(REG_EXPAND_SZ)"C:\\WINNT\\system32\\csrsx.exe"
"ObjectName"=(REG_SZ)"LocalSystem"
"Start"=(REG_DWORD)"0x2"
"Type"=(REG_DWORD)"0x110"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSX\Enum]
"0"=(REG_SZ)"Root\\LEGACY_CSRSX\\0000"
"Count"=(REG_DWORD)"0x1"
"NextInstance"=(REG_DWORD)"0x1"


On Wednesday, August 13, 2003, at 11:15 AM, Micheal Patterson wrote:

> Does anyone have any information on any trojans that are utilizing the
> same DCOM exploit yet? I've got systems that were patched via the Win2k
> patch file, not via Windows Update, that have an apparent trojan on them.
> The main systems that are noticeable are the inability to pull up
> properties, see within the winnt folder, and the control panel icons are
> all listed in a frame on the left; Add / Remove Programs is empty with
> the fonts mangled. I'd seen mention of the kaht2 root kit using the DCOM
> exploit, but it appears to have been overshadowed by msblaster.
>
> Thanks.
>
> --
>
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
>
Danny
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic boundaries?
AIM: eBoundaryTch | ICQ: 3090141
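A triage script for the checks Danny lists above, added here as an example; it is not part of the original post or of fport or any other tool named in it. It assumes a modern Windows with PowerShell, that the suspect volume is reachable as $Root (a drive letter mapped from a clean machine or a WinPE boot, as the post advises, because the stealth tool hides csr* objects from the API on the live host), and that the Windows directory name ($WinDir, WINNT on Windows 2000) is passed in; the CSRSPX/CSRSX service names and the csrss.exe allowlist come from the post.

```powershell
# Added triage script (not from the original post). Run from a clean system
# against a mapped drive or WinPE-mounted volume; see the lead-in for assumptions.
param([string]$Root = 'C:\', [string]$WinDir = 'WINNT')

$findings = @()

# 1. Dropped patch bundle: update.exe and an "update" folder in the volume root.
foreach ($p in @('update.exe', 'update')) {
    $full = Join-Path $Root $p
    if (Test-Path -LiteralPath $full) { $findings += "Found $full" }
}

# 2. csr* binaries in system32: csrss.exe is legitimate, anything else is not.
#    -Force lists hidden-attribute files; it does not defeat API hooking, which
#    is why this must run against the volume from another system.
$sys32 = Join-Path $Root "$WinDir\system32"
Get-ChildItem -LiteralPath $sys32 -Filter 'csr*' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ine 'csrss.exe' } |
    ForEach-Object { $findings += "Suspicious csr* file: $($_.FullName)" }

# 3. Services named like the ones in the post (CSRSPX, CSRSX). On an offline
#    volume, first load its hive: reg.exe load HKLM\Offline <vol>\WINNT\system32\config\SYSTEM
#    and point $svcRoot at HKLM:\Offline\ControlSet001\Services instead.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'CSRS*' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $findings += "Service $($_.PSChildName): DisplayName='$($props.DisplayName)' ImagePath='$($props.ImagePath)'"
    }

# 4. High listening TCP ports mapped to their owning process: this replaces
#    the netstat -an plus fport step when triaging the live host.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -gt 1024 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Listening $($_.LocalAddress):$($_.LocalPort) PID $($_.OwningProcess) ($($proc.ProcessName))"
    }

if ($findings.Count -eq 0) { 'No indicators from the post found.' } else { $findings }
```

A listener that shows up in step 4 but is absent from fport's output on the same host is the mismatch the post describes; treat that as a reason to image the volume from another system rather than trusting the local view.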