[unisog] Re: Mysterious appearance of Backdoor.RA on Win2K machines

Jeff Bollinger jeff01 at email.unc.edu
Thu Dec 13 15:08:55 GMT 2001


Yes, we've seen another instance of a similar nature, only when we look at any
files modified and/or created on the date and time that we know the machine was
compromised, we see nothing!  I was just referred to FportNG
(http://www.foundstone.com/rdlabs/tools.php?category=Forensic), which will
hopefully show us what exactly is still causing problems (a rogue FTP server
running on port 10000, which we cannot trace!)

Jeff

"Stephen W. Thompson" wrote:

> Here's another indication that there is some vector for infection or
> intruding into NT/Win2k machines active on the net which hasn't been
> publicized yet.
>
> This from another of our sysadmins:
>
> >  Greetings. Yesterday, for the first time since I set up this server in
> > October, 1999, the Norton Antivirus Server Real time program caught a
> > virus. It quarantined the Goner virus, which I subsequently deleted, then
> > ran a manual scan afterward. (A scheduled scan runs every night and has
> > never located a virus.)
> >
> >  The mystery is, I have no idea how this could have been transmitted to
> > the server! Although our NT server has Outlook and IE installed, the
> > former is not configured and neither is used. I was doing no file copying
> > at the time of the attack. Nor did any of my users admit to copying
> > anything to the affected folder at the time of infection.
> >
> >  I have gone to each workstation and checked their quarantine folder and
> > Virus History - nothing for yesterday! Moreover, my users are always
> > being told about safe attachment opening techniques, and no one came
> > forward to say they were involved. Moreover, they would have had to save
> > the attachment to disk (a server shared common folder) while they had the
> > Virus warning screen up, which they can't background - not really likely.
> > All their virus scanners were enabled with the latest virus definitions.
> >
> >  Is there another entry point for this virus other than e-mail? What
> > should I be checking?
>
> [and same sysadmin, in another message:]
>
> >  If it was copied from a workstation, I would think there would have
> > been a trace of the virus on the workstation. I checked the Virus
> > History and Quarantine for each workstation. There were no viruses
> > detected that day on ANY workstation, and no Goner virus on any day. (I
> > don't have the managed version of Norton on the server, just the regular
> > version, so it wouldn't tell me from which machine the virus was copied,
> > if it was copied!)
> >
> >  The virus ended up on a folder beneath a shared server folder. All of
> > my users would have access to this folder, even student workers.
>
> Earlier bits of this thread:
>
> Rita Seplowitz Saltz <rita at Princeton.EDU>
>
> > This week, two different departments here reported discovering Backdoor.RA,
> > a component of the package Remote Anything, running on a Windows 2000 system
> > without having been installed by the responsible parties.  Both machines are
> > physically secured, and those with access have disclaimed responsibility for
> > installing the item.  In each case, the presence of Backdoor.RA was
> > discovered when, exploring problems with the machine, the user scanned the
> > Task Manager list and noted a process called Slave.exe running.
> >
> > It appears that the instances were remote installs.  Anyone know of an
> > exploit or apres-virus vulnerability which involves remote installation of
> > Backdoor.RA?
>
> I wrote in reply about a different case than today's:
>
> > What drew attention to the machines initially?  A group here had an
> > NT4 box which unexpectedly was missing many files normally found on a
> > healthy install.  Little investigation could be done before the group
> > reformatted and started over.  Probably unrelated, but...
>
> And later, also from Rita Seplowitz Saltz <rita at Princeton.EDU>, quoting
> a sysadmin:
>
> > The first person to report the discovery was having slow performance from
> > Internet Explorer, and also his task bar froze sporadically.  He does not
>
> And quoting another of her sysadmins:
>
> > "On the day I was hacked, there were 3 backdoor.trojan files quarantined on
> > my system -- around the same time other suspicious files were created.  I
> > have absolutely no idea how the slave program was implanted on my server.
> > Once the attacker gained control over the server, an ftp service (ServU) was
> > installed in c:\winnt\fonts\truetype.  About 60 Gig of information was
> > stored on D:\recycler\dumpsite.  I deleted D:\recycler\dumpsite and was able
> > to uninstall slave and the ftp service."
>
> And more info she gives:
>
> > I've just heard from the first fellow again.  I shared an alert with the
> > distributed computing support list a short while ago (which turned up the
> > second instance).  His deputy director, who is on that mailing list, found a
> > copy on his own machine and is in the process of checking workstations of
> > other VIP staff in the unit.  It apparently installs silently.  Now the
> > question is:  how?!
>
> lbuchana at csc.com wrote:
>
> > In an earlier private email to Rita, I noted that I had found a machine
> > with RemotelyAnywhere on it.  The manner in which it was discovered was by
> > our IDS detecting it attacking another part of our organization.  I can't
> > share many details as there may be an ongoing criminal investigation.  The
> > method used to attack the machine I looked at was different than the attack
> > the IDS noticed.
>
> Jeff Bollinger <jeff01 at email.unc.edu> wrote:
>
> > Yes, we have seen this as well.  Note that the Trojan installs s32.exe and
> > the servuFTP.  No idea though as to how it got in yet.
>
> En paz,
> Steve, security analyst
> --
> Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
> thompson at isc.upenn.edu    URL=http://pobox.upenn.edu/~thompson/index.html
>   For security matters, use security at isc.upenn.edu, read by InfoSec staff
>    * OPEN LETTER: http://pobox.upenn.edu/~thompson/considered-war.html *

--
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
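The two checks Jeff describes above, a file timeline for the compromise window and an FportNG-style mapping of listening ports to the processes that own them, as an added example that is not part of the original thread and not a tool any of the posters used. It is written for current PowerShell (Get-NetTCPConnection needs the NetTCPIP module, Windows 8 / Server 2012 or later, and an elevated prompt to see every process), so it would not have run on the Windows 2000 hosts discussed. The port (10000), the time window and the two directories (the Fonts folder where ServU was found and the Recycler path used as a dump site) are taken from the thread as assumptions about what to look for, not facts about any particular machine.

```powershell
# Added example: map listening TCP ports to their owning processes (the job
# FportNG did on NT/2000) and build a quick file timeline for a suspected
# compromise window. Defaults (port 10000, Fonts and RECYCLER paths, 24-hour
# window) are assumptions lifted from the unisog thread, not measured facts.
param(
    [int[]]$SuspectPorts  = @(10000),                 # rogue FTP port reported in the thread
    [datetime]$WindowStart = (Get-Date).AddDays(-1),  # replace with the known compromise time
    [datetime]$WindowEnd   = (Get-Date),
    [string[]]$Roots = @("$env:SystemRoot\Fonts", "D:\RECYCLER")  # drop locations named in the thread
)

function Get-ListenerMap {
    # One row per listening socket: address, port, PID, image, path, command line,
    # plus a Suspect flag for ports on the watch list or images living under $Roots.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Sort-Object LocalPort |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.ExecutablePath } else { $null }
            $inRoot = $false
            foreach ($r in $Roots) {
                if ($path -and $path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) { $inRoot = $true }
            }
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Image        = if ($p) { $p.Name } else { '<unknown>' }
                Path         = $path
                CommandLine  = if ($p) { $p.CommandLine } else { $null }
                Suspect      = ($SuspectPorts -contains [int]$_.LocalPort) -or $inRoot
            }
        }
}

function Get-FileTimeline {
    # Files whose creation or last-write time falls inside the window. Both
    # timestamps can be set by copy tools or by an attacker (SetFileTime), which
    # is one reason a timeline like the one in the thread can come back empty;
    # an empty result does not prove nothing was written.
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.CreationTime  -ge $WindowStart -and $_.CreationTime  -le $WindowEnd) -or
                ($_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd)
            } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

Write-Host "== Listening TCP ports, suspect entries first =="
Get-ListenerMap |
    Sort-Object @{Expression = 'Suspect'; Descending = $true}, LocalPort |
    Format-Table LocalAddress, LocalPort, PID, Image, Path, Suspect -AutoSize

Write-Host "== Files created or modified between $WindowStart and $WindowEnd under $($Roots -join ', ') =="
Get-FileTimeline | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output. The port-to-process mapping only tells you the image that currently holds the socket; an FTP server dropped into a system directory, as ServU was in the thread, will show a plausible-looking path, so the path and command line columns matter more than the image name. And the timeline uses only the creation and last-write times exposed by the file API; NTFS also keeps an MFT-entry-modified timestamp that SetFileTime cannot set directly, which is what dedicated forensic tooling reads when the visible timestamps have been tampered with.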
