Coordinated Scan

Sherry M. Rogers smrogers at socrates.Berkeley.EDU
Fri Mar 22 17:15:09 GMT 2002


We were one of the campuses with hosts involved in the scan Tracey
described.  Our network people blocked a couple of hosts because of what
looked like ddos activity and we were able to correlate this with odd
packets being flagged by our NIDS (bro) as excessive length ntp/port 123
traffic.

We identified 13 Windows hosts altogether.  When scanned with nmap there
were two interesting ports open - a port 99 which disappeared on
subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
was running a program written by "darkIRC".

One of the departments involved sent us the following analysis. If
anyone else sees this exploit, we would really like to get more
information.  Also if you have knowledge of this darkIRC cohort - which
is new to us.  BTW, running a "darkIRC" virus scan on the box doesn't
find the files.


Analysis:

>Attached are all of the files I could find that I believe were put there
>by the hacker.  Below you will find both dates and times when the files
>where copied to the computer as well as a description of what each file
>seems to do.
>
>File creations-
>File: INDEX.dat Created on computer: 3/5/2002 8:13am Modified: 3/14/2002 9:51
>File: DDL32.exe Created on computer: 3/14/2002 8:12am
>File: VMN32.exe Created on computer: 3/14/2002 8:13am
>File: RUDL32.exe        Created on computer: 3/14/2002 8:13am
>File: DLL32NOS.exe      Created on computer: 3/14/2002 9:51am
>
>File's Action (Significance)
>File: INDEX.dat
>Taken from the web cache and seems to show dll32nos.exe being downloaded
>from http://home.earthlink.net/~robertberry/dll32nos.exe
>
>File: DDL32.exe
>Extracts (but does not launch) mirc file (and associates) named as
>temp.exe.  One of the files temp2.exe (which is a hidden file) seems to
>be used to hide the launching of temp.exe  Temp.exe listens on port 9088
>
>File: VMN32.exe
>Extract Serve-U FTP server.  The FTP server file is named lsass.exe (also
>the name of Microsofts Local Security Authority SubSystem file which is
>always running on WinNT-XP boxes and therefore might go unnoticed) and
>listens on port 43958.
>
>File: RUDL32.exe
>Creates and launches a file named sxeNN.tmp (where NN appears to be 1 or
>two randomly selected characters).  This tmp file is the darkirc client.
>
>File: DLL32NOS.exe
>Identical to DDL32.exe except that after extracting all of the files it
>launches the file temp.exe
>
>This afternoon the computer will be formatted and rebuilt so that it can
>be returned to the owner. If you have any thing for me to check on let me
>know quickly.


-------------------------------------------------------------------------
Sherry M. Rogers                 University of California, Berkeley
System & Network Security        phone (510)642-7157
-------------------------------------------------------------------------







More information about the unisog mailing list