Mysterious appearance of Backdoor.RA on Win2K machines

Stephen W. Thompson thompson at pobox.upenn.edu
Wed Dec 12 15:22:24 GMT 2001


Here's another indication that there is some vector for infection or
intruding into NT/Win2k machines active on the net which hasn't been
publicized yet.

This from another of our sysadmins:

>  Greetings. Yesterday, for the first time since I setup this server in
> October, 1999, the Norton Antivirus Server Real time program caught a
> virus. It quarteened
> the Goner virus which I subsequently deleted, then ran a manual scan
> afterward.(A scheduled scan runs every night and has never located a
> virus.)
> 
>  The mystery is, I have no idea how this could have been transmitted to
> the server!
> Although our NT server has Outlook and IE installed, the former is not
> configured and neither is used. I was doing no file copying at the time
> of the attack.Nor did any of my users admit to copying anything to the
> effected folder at the time of infection.
> 
>  I have gone to each workstation and checked their quaranteen folder and
> Virus History - nothing for yesterday! Moreover, my users are always
> being told about safe attachment opening techniques, and no one came
> forward to say they were involved. Moreover, they would have had to save
> the attachment to disk (a server shared common
> folder) while they had the Virus warning screen up, which they can't
> background - not really likely. All there Virus scanner were enabled
> with the latest Virus definitions.
> 
>  Is there another entry point for this virus other than e-mail? What
> should I be checking?

[and same sysadmin, in another message:]

>  If it was copied from a workstation, I would think there would have
> been a trace of the virus on the workstation. I checked the Virus
> history and Quaranteen for each workstation. There were no viruses
> detected that day on ANY workstation, and no Goner virus on any day. (I
> don't have the managed version of Norton on the server, just the regular
> version, so It wouldn't tell me from which machine the virus was copied,
> if it was copied!)
> 
>  The virus ended up on a folder beneath a shared server folder. All of
> my users would have access to this folder, even student workers.

Earlier bits of this thread:

Rita Seplowitz Saltz <rita at Princeton.EDU>

> This week, two different departments here reported discovering Backdoor.RA,
> a component of the package Remote Anything, running on a Windows 2000 system
> without having been installed by the responsible parties.  Both machines are
> phsyically secured, and those with access have disclaimed responsibility for
> installing the item.  In each case, the presence of Backdoor.RA was
> discovered when, exploring problems with the machine, the user scanned the
> Task Manager list and noted a process called Slave.exe running.
> 
> It appears that the instances were remote installs.  Anyone know of an
> exploit or apres-virus vulnerability which involves remote installation of
> Backdoor.RA?

I wrote in reply about a different case than today's:

> What drew attention to the machines initially?  A group here had an
> NT4 box which unexpectedly was missing many files normally found on a
> healthy install.  Little investigation could be done before the group
> reformatted and started over.  Probably unrelated, but...

And later, also from Rita Seplowitz Saltz <rita at Princeton.EDU>, quoting
a sysadmin:

> The first person to report the discovery was having slow performance from
> Internet Explorer, and also his task bar froze sporadically.  He does not

And quoting another of her syadmins:

> "On the day I was hacked, there were 3 backdoor.trojan files quarantined on
> my system -- around the same time other suspicious files were created.  I
> have absolutely no idea how the slave program was implanted on my server.
> Once the attacker gained control over the server, an ftp service (ServU) was
> installed in c:\winnt\fonts\truetype.  About 60 Gig of information was
> stored on D:\recycler\dumpsite.  I deleted D:\recycler\dumpsite and was able
> to uninstall slave and the ftp service."

And more info she gives:

> I've just heard from the first fellow again.  I shared an alert with the
> distributed computing support list a short while ago (which turned up the
> second instance).  His deputy director, who is on that mailing list, found a
> copy on his own machine and is in the process of checking workstations of
> other VIP staff in the unit.  It apparently installs silently.  Now the
> question is:  how?!

lbuchana at csc.com wrote:

> In an earlier private email to Rita, I noted that I had found a machine
> with RemotelyAnywhere on it.  The manner in which it was discovered was by
> our IDS detecting it attacking another part of our organization.  I can't
> share many details as there may be an ongoing criminal investigation.  The
> method used to attack the machine I looked at was different than the attack
> the IDS noticed.

Jeff Bollinger <jeff01 at email.unc.edu> wrote:

> Yes, we have seen this as well.  Note that the Trojan installs s32.exe and
> the servuFTP.  No idea though as to how it got in yet.

En paz,
Steve, security analyst
-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson at isc.upenn.edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security at isc.upenn.edu, read by InfoSec staff
   * OPEN LETTER: http://pobox.upenn.edu/~thompson/considered-war.html *



More information about the unisog mailing list