[Dshield] Anyone seen

Corinne Cook corinnec at abdi.com
Fri Feb 27 06:20:05 GMT 2004


I don't run Dameware but it very well could have been the entry point.  If
you are running a vulnerable version of Dameware (see link below), I'd
disconnect affected clients until they are patched and the machines
cleaned or you might risk reinfection.  The A/V people or someone able to
reverse engineer might be good help for you right now since it doesn't
appear to be a known or common program file name that you've found.  

Here is some information from Security Focus (maybe some of the people
looking at the program now can take a look and see if any of the exploits
listed here are similar to yours?):

http://www.securityfocus.com/bid/9213/info/

[From the site] A problem has been identified in the handling of
pre-authentication packets by DameWare Mini Remote Control Server. Because
of this, it may be possible for a remote attacker to gain unauthorized
access to hosts using the vulnerable software.

Good luck,

Corinne
 
-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of Daugherty Bryan
Sent: Thursday, February 26, 2004 1:39 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Anyone seen


We do run some Dameware and have been seeing clients mysteriously crash.

Here's what I found:

HKEY_LOCAL_MACHINE\system\controlset002\services\soundman\imagepath
"c:\windows\system32\sndman.exe" -service

HKEY_LOCAL_MACHINE\system\controlset004\services\soundman\imagepath
"c:\windows\system32\sndman.exe" -service

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\soundman\imagepath
"c:\windows\system32\sndman.exe" -service

Plus I found the following file in C:\windows\prefetch:

Sndman.exe.pf
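A way to make that registry check systematic across every control set and the Run/RunServices keys at once, as an added example (this is the editor's code, not anything posted in the thread): the script parses a Regedit 5 export of HKLM\SYSTEM and HKLM\SOFTWARE, decodes both the quoted-string and the hex(2) (REG_EXPAND_SZ) forms of ImagePath, and flags every launch entry whose executable is not on a known-good baseline. The export text, the baseline and the set of keys examined are constructed for the example.

```python
r"""Triage boot/logon persistence from a Regedit export (e.g. reg export HKLM\SYSTEM sys.reg).
Added example for this thread, not code from the original posts; the sample export,
the baseline of known-good binaries and the set of keys examined are assumptions."""
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.I)
RUNKEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)$",
    re.I)
EXE_RE = re.compile(r"([\w\-]+\.exe)", re.I)

# Constructed baseline: build a real one from a known-clean build of the same image.
BASELINE = {"spoolsv.exe", "ctfmon.exe"}

# Constructed export. The soundman entries mirror what was posted; Spooler and ctfmon are
# filler, and Spooler's ImagePath uses the hex(2) form that reg.exe emits for REG_EXPAND_SZ.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soundman]
"ImagePath"="c:\\windows\\system32\\sndman.exe -service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Spooler]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,70,00,6f,00,6f,00,6c,00,\
  73,00,76,00,2e,00,65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\soundman]
"ImagePath"="c:\\windows\\system32\\sndman.exe -service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soundman]
"ImagePath"="c:\\windows\\system32\\sndman.exe -service"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""


def _logical_lines(text: str):
    """Join the backslash-continued lines that reg.exe emits for long hex values."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode(value: str) -> Optional[str]:
    """String form of a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) value, else None."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.lower().startswith("hex(2):"):
        return bytes.fromhex(value[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return None  # dword/binary values are not launch commands


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: decoded string}} for the string values in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            decoded = _decode(m.group(2))
            if decoded is not None:
                keys[current][m.group(1)] = decoded
    return keys


def triage(text: str, baseline) -> List[dict]:
    """One finding per launch entry; suspicious when its .exe is absent from the baseline."""
    findings = []
    for path, values in parse_reg(text).items():
        svc, run = SERVICE_RE.match(path), RUNKEY_RE.match(path)
        if svc and "ImagePath" in values:
            entries = [(f"{svc.group(1)}\\Services\\{svc.group(2)}", "ImagePath", values["ImagePath"])]
        elif run:
            entries = [(run.group(1), name, cmd) for name, cmd in values.items()]
        else:
            continue
        for source, entry, cmd in entries:
            m = EXE_RE.search(cmd)
            exe = m.group(1).lower() if m else None
            findings.append({"source": source, "entry": entry, "command": cmd, "exe": exe,
                             "suspicious": exe is None or exe not in baseline})
    return findings


def control_sets_for(findings: List[dict], exe: str) -> List[str]:
    r"""Control sets whose Services key launches exe. CurrentControlSet is a link to the
    ControlSet00N named in HKLM\SYSTEM\Select\Current, so it repeats one of the numbered sets."""
    return sorted({f["source"].split("\\")[0] for f in findings
                   if f["exe"] == exe and "\\Services\\" in f["source"]})


if __name__ == "__main__":
    found = triage(SAMPLE_EXPORT, BASELINE)
    for f in found:
        print(("SUSPECT " if f["suspicious"] else "ok      ") + f["source"], f["entry"], f["command"])
    print("sndman.exe referenced from:", control_sets_for(found, "sndman.exe"))
```

Run it against a real export with a baseline taken from a clean machine of the same build; an entry that is present in the numbered control sets but absent from the clean baseline, and whose binary also has a matching Prefetch file, is worth pulling for the AV vendor.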

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Corinne Cook
Sent: Thursday, February 26, 2004 12:06 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Anyone seen

Ahh...that all sounds far more suspicious then.  There is likely more than
just the sndman.exe file to look for, too.

Gaobot can open an IRC channel so that could be something to do with the
port 6129 (6129 is also associated with Dameware, I believe, which recently
had a large exploit discovered.  You don't run Dameware, do you?).

I don't see anything about Gaobot spreading via infected office docs so that
may not be the source, but it is still worth patching those to avoid docs
with infected macros and the like (remember infected Word/Excel docs can
come in on CD's, Floppies, ftp, network shares, and not just email).  

Is anything odd found on those computers' registries, particularly in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices?

I'd be interested to hear the final results of this.  Keep me posted.

Thanks,

Corinne

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Daugherty Bryan
Sent: Thursday, February 26, 2004 8:19 AM
To: General DShield Discussion List
Subject: RE: [Dshield] Anyone seen


Initially I thought it was related to sound apps or the sound card.
However, it only resides on 20 or 25 of my XP pc's.  Incidentally, these
pc's all reside on the same subnet.  My other subnets have not been
impacted.  When I remove the file all of my sound devices are still intact.

I believe you are correct about SUS.  To my knowledge it only pushes OS
updates.  From what I can tell all the systems infected contain the
sndman.exe file with a creation date of February 12th or 13th.  There is no
doubt that the OS on the PCs in question was updated at that time.
However, this does not include the Office updates.

Does anyone know of a worm that exploits Office??

It's funny to me that as soon as I remove this file from the PCs the ARP
broadcasts (from the IP of the PC) stop, and the over 200 flows of traffic through
Packeteer (from the IP of the PC) destined for random IPs, using a mix of
ports 135, 445 and 6129, all stop.  Also, I have used aports.exe to examine
open ports on the PCs and it reveals the same thing.  If it's not a bug I would
like to know what software or misconfiguration displays this behavior.  

One group has already examined the file and has identified it as
Win32.GAOBOT.HJ.  My virus company is currently examining the file.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Corinne Cook
Sent: Wednesday, February 25, 2004 4:07 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Anyone seen

The only things I could dig up on Sndman.exe is that it is possibly
something related to sound apps or the sound card on the computer, so it may
not be anything to worry about, but I've never had that service on any of my
computers so I can't say for certain.

One other item of note.  I don't believe SUS pushes out MS Office patches
and service packs, and there are several patches/SP's for all versions of
Office available.  Do you run any versions of Word, Excel, Outlook, etc. in
your environment?  They are another possible area of attack from infected
documents, etc.  There's also always the possibility that something was
exploited before it was patched and that it is a custom job or something not
detected by AV.

Although, I'm not really convinced that there is actually an exploit going
on here without more data and proof.  It could be traffic due to equipment
(hubs) or even something misconfigured somewhere; I'd say there are at least
a couple of possibilities that aren't necessarily the result of infection or
intrusion.  I'd say do more investigation into the services, search for
suspicious open ports on the machines and use a sniffer to see if there's
any suspicious traffic that might point towards something more definite.  

-Corinne Cook



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Daugherty Bryan
Sent: Wednesday, February 25, 2004 1:01 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Anyone seen


I checked each pc in question and they were in fact up to date.  I have been
successful in using SUS to push SPs and critical updates.  My AV console
allows me to manually push AV def's to those few pc's that might miss an
auto update.  I check for OS updates and AV updates several times a day.

I do see some similarities to Gaobot.  However, I would like to think my
virus engine would detect this by now.

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
