[Dshield] XBOX virus?

TRushing@hollandco.com TRushing at hollandco.com
Mon Jun 14 13:01:24 GMT 2004


Had an odd series of events in our firewall today.  It was a machine that 
had grabbed a dhcp address and was trying to contact irc channels.  Looked 
like a classic virus infected machine calling home.  It was only online 
for 12 minutes and just after I did an nmap, it dropped off.  I don't 
necessarily think those two were related.  Instead, I think it was someone 
who had dialed in to our corporate network.

What struck me as odd is that I think it may have been an X-BOX.  I don't 
play games and have never played with one of these boxes.  However, when I 
did an nbtstat here is what I got:

$ nbtstat -A 192.168.1.49
 
Local Area Connection:
Node IpAddress: [192.168.1.243] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOSTXXXXX      <00>  UNIQUE      Registered 
    HOSTXXXXX      <20>  UNIQUE      Registered 
    XBOXHOME       <00>  GROUP       Registered 
    XBOXHOME       <1E>  GROUP       Registered 

    MAC Address = 44-45-53-54-42-00

Note:  HOSTXXXXX above was actually something besides HOSTXXXXX.  The 
letters in the place of XXXXX formed an English word but could also be the 
first initial + first 4 letters of the last name of an employee we have, 
so I obfuscated them.

44-45-53 is an MS hardware MAC address, based on what I could find online.

Here is the result of my initial nmap run:

[root at hol-webInt root]# nmap -PT80 -vv -sT -sU -O 192.168.1.49

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host hostspark.hollandco.com (192.168.1.49) appears to be up ... good.
Initiating Connect() Scan against hostspark.hollandco.com (192.168.1.49)
Adding open port 1025/tcp
Adding open port 5000/tcp
Adding open port 139/tcp
Adding open port 135/tcp
The Connect() Scan took 22 seconds to scan 1601 ports.
Initiating UDP Scan against hostspark.hollandco.com (192.168.1.49)
The UDP Scan took 72 seconds to scan 1468 ports.
Adding open port 123/udp
Adding open port 1900/udp
Adding open port 1646/udp
Adding open port 1812/udp
Adding open port 137/udp
Adding open port 1645/udp
Adding open port 1813/udp
Adding open port 138/udp
Adding open port 500/udp
For OSScan assuming that port 135 is open and port 1 is closed and neither 
are firewalled
Interesting ports on hostspark.hollandco.com (192.168.1.49):
(The 3056 ports scanned but not shown below are in state: closed)
Port       State       Service
123/udp    open        ntp 
135/tcp    open        loc-srv 
137/udp    open        netbios-ns 
138/udp    open        netbios-dgm 
139/tcp    open        netbios-ssn 
500/udp    open        isakmp 
1025/tcp   open        NFS-or-IIS 
1645/udp   open        radius 
1646/udp   open        radacct 
1812/udp   open        radius 
1813/udp   open        radacct 
1900/udp   open        UPnP 
5000/tcp   open        UPnP 
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance 
Server Beta3
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=49664%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=300644 (Good luck!)
TCP ISN Seq. Numbers: A17F21EF A19DA691 A1BB5E41 A1D56869 A1E70662 
A201F222
IPID Sequence Generation: Busy server or unknown class

Nmap run completed -- 1 IP address (1 host up) scanned in 106 seconds

The -PT80 option was there because I had yesterday scanned something on 
the internal network that was not responding to pings.  I can't say if 
this device was ignoring pings or not because by the time I tried, it was 
offline.

I did a google search for XBOX IRC and VIRUS, but all I found were 
mentions of irc channels to get XBOX games etc.

I am assuming that XBOX machines can be infected by viruses.  I also 
wonder whether XBOX machines can have OS patches applied.  Can anyone 
point me to any pages that might discuss viruses and XBOXEN?   Also, does 
anyone know whether my HOSTXXXXX guess above as to the naming convention 
is correct?

For what it is worth, here are the ip addresses that this machine tried to 
contact during the 12 minutes it was on our network:

193.19.227.66
193.23.224.5
194.146.225.142
195.140.143.37
195.225.204.134
207.36.180.241
207.36.196.16
209.133.93.32
38.114.4.37
64.124.166.200
65.110.15.232
65.110.45.79
65.110.63.209
66.36.249.108
69.0.197.152
69.61.45.150
69.64.34.191

My suspicion is that this was one of our home users who dialed in to our 
network and has a home network with an XBOX on it. 

         ---Tim Rushing
             The Holland Company
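Added example, not code from the original post: a small Python script that parses the nbtstat -A table quoted above and decodes what each entry means. The sample text is reconstructed from the post (keeping the poster's HOSTXXXXX redaction). The suffix meanings come from the standard NetBIOS suffix list: <00> UNIQUE is the workstation (host) name, <00> GROUP is the workgroup or domain name the host belongs to, <20> UNIQUE is the file server service and <1E> GROUP is browser elections. The MAC check looks at the first four octets, 44-45-53-54, which are ASCII "DEST", the pseudo-address that Windows RAS/dial-up (NDISWAN) adapters report in place of a NIC vendor OUI; seeing it on a host is consistent with a dial-in client rather than a directly attached device. The function names and the SUFFIXES subset are my own.

```python
"""Decode an `nbtstat -A` remote name table and the MAC it reports.

Added example, not from the original post. The SAMPLE text is reconstructed
from the post's output (HOSTXXXXX is the poster's own redaction).
"""
import re

# Constructed sample: the nbtstat -A output as quoted in the post.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.1.243] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOSTXXXXX      <00>  UNIQUE      Registered 
    HOSTXXXXX      <20>  UNIQUE      Registered 
    XBOXHOME       <00>  GROUP       Registered 
    XBOXHOME       <1E>  GROUP       Registered 

    MAC Address = 44-45-53-54-42-00
"""

# Subset of the standard NetBIOS name suffixes (suffix, type) -> service.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Domain/Workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("20", "UNIQUE"): "File Server Service",
}

# One name-table row: NAME <XX> UNIQUE|GROUP STATUS (trailing spaces allowed).
ROW_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(
    r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return (rows, mac) from nbtstat -A output; rows carry decoded meanings."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, typ, status = m.groups()
            suffix = suffix.upper()
            rows.append({
                "name": name, "suffix": suffix, "type": typ, "status": status,
                "meaning": SUFFIXES.get((suffix, typ), "unknown suffix"),
            })
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return rows, mac


def describe_mac(mac):
    """Flag the bits that matter when a MAC looks odd.

    44-45-53-54 is ASCII "DEST": the pseudo-MAC Windows RAS/dial-up (NDISWAN)
    adapters report instead of a real NIC OUI, so it identifies a dial-in
    or VPN-style link rather than a physical Ethernet card.
    """
    octets = [int(o, 16) for o in mac.split("-")]
    prefix = bytes(octets[:4])
    printable = all(0x20 <= b < 0x7F for b in prefix)
    return {
        "mac": mac,
        "multicast_bit": bool(octets[0] & 0x01),
        "locally_administered_bit": bool(octets[0] & 0x02),
        "ascii_prefix": prefix.decode("ascii") if printable else None,
        "ms_dialup_pseudo_mac": mac.startswith("44-45-53-54"),
    }


def summarize(text):
    """Pull out the host name, workgroup, offered services and MAC verdict."""
    rows, mac = parse_nbtstat(text)
    host = next((r["name"] for r in rows
                 if r["suffix"] == "00" and r["type"] == "UNIQUE"), None)
    workgroup = next((r["name"] for r in rows
                      if r["suffix"] == "00" and r["type"] == "GROUP"), None)
    return {
        "host": host,
        "workgroup": workgroup,
        "services": [r["meaning"] for r in rows],
        "mac": describe_mac(mac) if mac else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a saved nbtstat -A capture instead of SAMPLE and the summary gives you the host name, the workgroup the machine is joined to (here XBOXHOME is the workgroup name, not a device type) and whether the MAC is a real NIC OUI or the RAS pseudo-address.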
