[unisog] Infected windows boxes with IRC controlled trojans on them

Allen Chang allen at rescomp.berkeley.edu
Wed Apr 10 17:20:35 GMT 2002


We have been looking at this for 2-3 weeks now. The degree of
infection/compromise varies. The machines compromised on our network were
all Win2k without Administrator passwords. It appears that a bot is being
used to compromise the machine and the owner comes around later to run
sua.bat and do all sorts of juicy stuff. A probable method is using PsExec
to start telnet.

Our machines also had a directory created in C:\RECYCLYER that had the
same name as the recycle bin and was attrib +s +r +h. That apparently was
set as the upload dir for the XDCC bot.

Also, \winnt\system32\vmn32\ contains the contents of vmn32.exe, including
lsass.exe, which is used to open multiple services.

The IRC channel passwords are actually in one of the mirc.ini files
(haven't had time to look). It probably uses strange ASCII characters but
it's in there somewhere.

I'm refining removal instructions right now and will forward to the list
when completed.

@llen
Network Security
Residential Computing
UC Berkeley

On Wed, 10 Apr 2002, Huba Leidenfrost wrote:

> Some forensics work by one of our system administrators came up with
> the following on the latest win2k box that was found dishing out DoS
> traffic (huge number of small-sized flows).  I've enclosed the
> gates.txt file found, which appears to be a huge list of open proxies?

The gates.txt is a file that is standard to the gtbot bot control trojan.
Not quite sure what the file is used for. temp.scr, temp.exe and temp2.exe
are also standard from gtbot. Temp.exe is a mIRC client and temp2.exe seems
to be just a window hider.

> Other infected systems?  If you notice something in common about all
> those systems please let me know.  I would suggest adding a rule to
> your NIDS boxes to watch for outgoing connections from your
> network(s) to http://home.earthlink.net/~e03913/dll32nos.exe.  If you
> use SNORT here's what works for me:
> alert tcp $HOME_NET any -> 207.217.98.0/24 80 (msg:"DarkIRC trojan
> retrieval"; classtype:bad-unknown; uricontent:"/dll32nos.exe";
> nocase; sid:536; rev:1;)
>
>
> <BEGINNING OF NOTES>
> 02/27/2002
>
> 	temp.exe (looks like MIRC icon, etc.)
> 	oxcu.ini  (Backdoor.IRC.Flood.h)
> 	2xvll.ocx (Backdoor.IRC.Cloner)
>
> I am unable to find the drop... bummer.
> Located in \winnt\system32, complete scripts available...
>
> 03/05/2002
>
> 	32dll.ocx (Backdoor.IRC.Flood.a)
> 	32dllxp.ocx (Backdoor.IRC.Flood.a)
>
> Also in /winnt/system32, complete nonsense script available
>
> 03/10/2002
>
> 	r32.exe (exact copy of below, name change)
> 	rudl32.exe (our dropper friend for the darkIRC services)
>
> Also in /winnt/system32
>
> 03/15/2002
>
> 	vmn32.exe (the complete package, w/ web server, irc server, ftp
> server, etc...)
>
> Also in /winnt/system32, this is where sua.bat of virii past executes
> after decompression
>
> 03/26/2002
>
> Check this out, something keeps trying to connect to ->
>
> 	http://home.earthlink.net/~e03913/dll32nos.exe
>
> and a file gets created, but it is the error
> page of 'service overload' from Earthlink, so a bogus
> 32dllnos.exe gets created in /winnt/system32/ ->
> it contains the html returned from Earthlink
>
> 03/30/2002
>
> Another failed attempt to connect to the above link
>
> 04/01/2002
>
> Success, LOL...  dll32nos.exe is acquired and its
> setup is executed, a new month of bandwidth provides ->
>
> 	2xvll.ocx (Backdoor.IRC.Cloner)
> 	32dll.ocx (Backdoor.IRC.Flood.a)
> 	32dllxp.ocx (Backdoor.IRC.Flood.a)
> 	fsearch.ini (scripts, finds all *.mpg, *.avi, etc. on host ->)
> 	gates.txt (a huge list of names, attached)
> 	oxcu.ini  (Backdoor.IRC.Flood.h)
> 	temp.exe (looks like MIRC icon, etc.)
> 	temp.scr (huge list of IRC user names?)
> 	temp2.exe (which F-Secure identifies as 'Destructive Code')
>
> 04/08/2002
>
> 	svchost.exe (from vmn32.exe) is invoked
>
> After the firewall
>
> I bring the ethernet online, and svchost.exe immediately
> tries to connect out to:
>
> 	ircu.bredband.com
> 	195.54.102.4:6667
>
> Also, unknown tcp packets are attempting to leave
> the client station....  LOL, rules created, I'll
> make a list of IPs in the morning...
> <END OF NOTES>
>
> From the verbiage on the error message at
> http://home.earthlink.net/~e03913/dll32nos.exe it would appear that
> this has been a popular website this month.
>
> ---------------
> "Sorry...Page Temporarily Unavailable
>
> The Web page or file that you requested is temporarily unavailable.
> It has been so popular this month that it exceeded its free monthly
> traffic allotment. Access to this Web site will be restored on the
> first of next month. Please come back then.
>
> Thank you for your visit!"
> -------------------------
>
> beast.npac.syr.edu, cheetah.bradley.edu,
> client42153.atl.mediaone.net, proxy.ihp.sinica.edu.tw,
> relarn-relay.tasur.edu.ru, & triton.pwsbia.edu.pl are the .edu sites
> I noticed from the attached gates.txt.  I'll call around in the
> morning and try to find out what these have in common.
>
> BTW if anyone has any good advice on how to sniff IRC channels and
> passwords from IRC bound traffic please let me know. Ideally when I
> spot one of these I'd like to be able to watch more carefully before
> turning a system off.  Any tools for snarfing just IRC commands sort
> of like Dug Song's urlsnarf?
>
>       H  u  b  a
>  - - - - --
>     ---   O      HUBA LEIDENFROST         Systems Security Analyst
>     --   <^-     huba at uidaho.edu   Information Technology Services
>    --  -\/\        www.its.uidaho.edu/info-security/runsafe.htm
>    ---     \     TEL: 208.885.2126               FAX: 208.885.7539
>
>
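Huba's closing question about pulling just the IRC commands out of IRC-bound traffic is the kind of thing a short passive parser covers. The following is an added example, not code from either poster: it parses RFC 1459 client messages from an already-reassembled TCP stream (the constructed SAMPLE_STREAM stands in for a capture of the infected host's connection to its IRC server) and pulls out nicks, server passwords, channel joins with their keys, and messages, so you can see what a bot is doing before you turn the system off.

```python
import re

# RFC 1459 message: [':' prefix SPACE] command [params] [' :' trailing]
_IRC_LINE = re.compile(
    r'^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})'
    r'(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$'
)

# Constructed sample of client->server traffic (not from any real capture).
SAMPLE_STREAM = (
    "NICK [X]-bot-0042\r\n"
    "USER x 0 * :x\r\n"
    "JOIN #example-chan,#second key1\r\n"
    "PRIVMSG #example-chan :hello\r\n"
    "PING :irc.example.net\r\n"
)

def parse_irc_line(line):
    """Return (prefix, COMMAND, [params...]) or None if the line is not IRC."""
    m = _IRC_LINE.match(line.rstrip('\r\n'))
    if not m:
        return None
    params = m.group('params').split()
    if m.group('trailing') is not None:
        params.append(m.group('trailing'))
    return m.group('prefix'), m.group('cmd').upper(), params

def extract_irc_events(stream):
    """Walk a reassembled client->server stream and collect what an analyst wants to see."""
    events = []
    for line in stream.splitlines():
        parsed = parse_irc_line(line)
        if not parsed:
            continue
        _, cmd, params = parsed
        if cmd == 'NICK' and params:
            events.append(('nick', params[0]))
        elif cmd == 'PASS' and params:
            events.append(('server_pass', params[0]))
        elif cmd == 'JOIN' and params:
            # JOIN takes comma-separated channels and an optional matching key list
            chans = params[0].split(',')
            keys = params[1].split(',') if len(params) > 1 else []
            for i, chan in enumerate(chans):
                events.append(('join', chan, keys[i] if i < len(keys) else None))
        elif cmd == 'PRIVMSG' and len(params) >= 2:
            events.append(('privmsg', params[0], params[1]))
    return events

if __name__ == "__main__":
    for ev in extract_irc_events(SAMPLE_STREAM):
        print(ev)
```

Feed it the client side of a TCP stream reassembled from a capture (port 6667 or whatever the bot uses) to get the channel names and join keys without reading through the raw dump.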


