[Dshield] Simultaneous MSBlaster and ??? attack?
drh26 at drexel.edu
Wed Aug 13 16:38:25 GMT 2003
Yes, there are several toolkits like this floating around. I'll give
you a couple of things to check for.
Check to see if you have an "update.exe" in the root of your C drive;
there will also probably be an update folder with the MS RPC Patch
files in it.
If this file/folder exists, do a netstat -an from a command prompt. You
will more than likely see a high port listening. Download fport
navigation.htm&subcontent=/resources/proddesc/fport.htm) and run it,
piping the output to a file ("fport.exe > fport.txt"); this will create a
text file with the output of the fport program. Open the fport.txt file
in Notepad and look for the high port; this should map what application
has the port open. If the port does not appear in the fport output, then
map the drive from a remote computer ("\\IP.OF.INFECTED.HOST\c$").
Once you have the C drive mounted on a different system, do a search
for "csr*" on the file system. You should see CSRSS.exe; this is a legit
system file. You will probably see more files though: csrsrv.exe and
csrsx.exe or csrsu.exe (the last letter of this file often changes).
If you do see these files on the system when the drive is mounted on a
different system, go back to the local infected machine and search for
them; chances are they will be hidden/stealthed so you can't see them.
The csrsrv.exe file is the exe stealth program from webtoolmaster.com,
and the csrs[a-z].exe is a backdoor that is hidden by the exe stealther.
Basically, what this stealth program is doing is hiding any
files/registry keys that begin with the string csr.
We removed this by booting into Windows PE and removing the registry
entries and files from the system; however, booting into safe mode and
doing the same may work, we've not tested it.
The registry keys that this toolset created are below.
"ImagePath"=(REG_EXPAND_SZ)"C:\\WINNT\\system32\\csrsrv -k csrspx"
"Description"=(REG_SZ)"CSRS Windows NT"
"DisplayName"=(REG_SZ)"CSRS Windows NT"
On Wednesday, August 13, 2003, at 11:15 AM, Micheal Patterson wrote:
> Does anyone have any information on any trojans that are utilizing the
> DCOM exploit yet? I've got systems that were patched via the Win2k
> file, not via windows update, that have an apparent trojan on them.
> The main systems that are noticeable is the inability to pull up properties, see
> within the winnt folder and the control panel icons are all listed in a
> frame on the left, Add / Remove programs is empty with the fonts
> I'd seen mention of kaht2 root kit using the DCOM exploit, but it
> appears to have been overshadowed by msblaster.
> Micheal Patterson
> TSG Network Administration
Work - http://www.eBoundary.com - Secure, FreeBSD hosting.
Play - http://www.eBoundary.net - Who really sets your electronic
AIM: eBoundaryTch | ICQ: 3090141
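The checks in the reply above are manual: compare netstat's listeners with fport's process map, look for csr*-named executables over an admin share, and inspect the service's ImagePath. The script below is an added example (not code from the post, from DShield or from Foundstone) that automates those three comparisons over saved output. All sample captures in it are constructed, and the fport column layout it parses is an assumption about that tool's output format.

```python
"""Added example, not code from the DShield post or from Foundstone.

Cross-checks the three artifacts the post describes from saved output:
  1. a TCP port that netstat -an shows LISTENING but fport cannot tie to a
     process (the post's sign of a stealthed listener),
  2. csr*-named executables beyond the legitimate csrss.exe in a listing
     taken over the admin share from a clean host,
  3. a service ImagePath that launches a csr-named binary such as csrsrv.
All sample data below is constructed; the fport column layout is an
assumption about that tool's output format.
"""
import os
import re

# Constructed sample of "netstat -an" output from the infected host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1043          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed "fport.exe > fport.txt" capture (layout assumed). The listener
# on 27374 is deliberately absent: that gap is what the post tells you to look for.
FPORT_SAMPLE = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
"""

# Constructed registry export written in the post's own name=(type)"value" notation.
REG_SAMPLE = r'''
"ImagePath"=(REG_EXPAND_SZ)"%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"ImagePath"=(REG_EXPAND_SZ)"C:\\WINNT\\system32\\csrsrv -k csrspx"
"DisplayName"=(REG_SZ)"CSRS Windows NT"
'''

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING[ \t]*$", re.M)
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)[ \t]*(.*)$", re.M)
IMAGEPATH_RE = re.compile(r'"ImagePath"=\(REG_EXPAND_SZ\)"([^"]*)"')
CSR_EXE_RE = re.compile(r"^csr.*\.exe$", re.I)
KNOWN_GOOD = {"csrss.exe"}  # the one csr* executable the post calls legitimate


def netstat_listeners(text):
    """Return the set of TCP ports that netstat -an reports as LISTENING."""
    return {int(p) for p in LISTEN_RE.findall(text)}


def fport_mapping(text):
    """Map each TCP port fport attributes to a (pid, process, path) tuple."""
    out = {}
    for pid, proc, port, proto, path in FPORT_RE.findall(text):
        if proto == "TCP":
            out[int(port)] = (int(pid), proc, path.strip())
    return out


def unattributed_listeners(netstat_text, fport_text, high_port=1024):
    """Listening ports that fport could not tie to any process.
    The post treats such a port as the sign of a stealthed backdoor; only
    ports >= high_port are returned since the post talks about a high port."""
    known = fport_mapping(fport_text)
    return sorted(p for p in netstat_listeners(netstat_text)
                  if p >= high_port and p not in known)


def suspicious_csr_files(names):
    """Given file names from a listing made over \\host\c$ on a clean box,
    return csr*.exe names other than csrss.exe (case-insensitive)."""
    return sorted((n for n in names
                   if CSR_EXE_RE.match(n) and n.lower() not in KNOWN_GOOD),
                  key=str.lower)


def scan_tree(root):
    """Walk a mounted drive and return full paths of suspicious csr*.exe files."""
    return [os.path.join(d, n) for d, _, files in os.walk(root)
            for n in suspicious_csr_files(files)]


def suspicious_image_paths(reg_text):
    """Return ImagePath values whose executable name starts with csr but is
    not csrss, e.g. the post's "C:\\WINNT\\system32\\csrsrv -k csrspx"."""
    hits = []
    for value in IMAGEPATH_RE.findall(reg_text):
        exe = value.replace("\\\\", "\\").split("\\")[-1].split()[0].lower()
        if exe.startswith("csr") and exe not in ("csrss", "csrss.exe"):
            hits.append(value)
    return hits


if __name__ == "__main__":
    print("listening ports fport cannot explain:",
          unattributed_listeners(NETSTAT_SAMPLE, FPORT_SAMPLE))
    print("csr* executables beyond csrss.exe:",
          suspicious_csr_files(["csrss.exe", "csrsrv.exe", "csrsx.exe"]))
    print("csr-named service ImagePaths:", suspicious_image_paths(REG_SAMPLE))
```

Run it against your own saved netstat and fport captures and a listing made from a clean host; a hit in any of the three checks is a reason to mount the drive elsewhere and look further, not proof on its own, since a listener can also be missed by fport for benign reasons (a process that exited between the two commands, for instance).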