[unisog] RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

Daniel G. Epstein depstein at uchicago.edu
Wed Mar 27 05:46:33 GMT 2002


On Thu, Mar 14, 2002 at 08:42:35AM -0500, bukys at rochester.edu wrote:
> We have experienced an unusually tenacious set of destructive attacks
> on very many machines here, in three waves over the last several weeks.
> 
> Last month it was port 1433 SQL server blank admin password attacks,
> resulting in blasting of systems down to empty C: drives.  Closely
> followed by another set of attacks (method unknown) from the same set
> of hosts (in China), resulting in installation of the RemoteNC backdoor
> (usually listening on TCP ports 4 or 6), and often ending in
> destruction of the C: drive.
> 
> This month, it looks like ping and port 524 probes, followed by a mix
> of port 21, 139, and 445 activity.  Also including installation of
> RemoteNC and/or wiping of C: drive, or at least removal of kernel
> file.  Disabling of port 524 traffic still resulted in successful
> attacks that apparently worked around lack of port 524 information
> leaks.  We have known brute-force password attempts.  We DON'T KNOW
> whether all entry is solely via weak passwords, or something else.
> 
> I suspect they may be something called "Fluxay" which was published on
> the same Chinese site (netxeyes) that publishes RemoteNC.  Last month
> it was not downloadable to me.  Since then a few people have turned up
> some copies for me.
> 
> RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC
> password:" prompt.  Executable file on compromised machines is usually
> "TCPMUX.EXE" or "TCPMX.EXE".  ISS shows the "tcpmux" or "tcpmx" service
> running.  Recent antivirus software detects it (since we submitted it
> to AV vendors last month).
> 
> 
> *** If anybody is experiencing the same, CAN WE COMPARE NOTES? ***
> 
> 
> Liudvikas Bukys
> University of Rochester
> bukys at rochester.edu

Sorry it has taken me so long to respond on this thread, we're pretty
busy here of late.  Yes, we are seeing similar patterns of attack with
less than ten confirmed compromises to date.  So far the compromised
machines seem to have been broken into through poor or non-existent passwords
on user accounts.  Going off the network logs and guesswork, the
attackers seem to follow a pattern of sequentially scanning a subnet
(or group thereof), dumping the SAM accounts and shares as they find
Windows hosts, and then attempting brute-force attacks against NetBIOS,
Microsoft-ds, and FTP.  I think we're seeing these scans originating
from all over, but maybe Conor or Larry will correct me.

A lot of the successes have been in dorms or on stand-alone
workstations.  Unfortunately, machines maintained at this level also do
not usually have security auditing enabled and are often broken with
other viruses/worms/trojans, making it difficult to be absolutely sure
of what really happened.  We're also having trouble convincing people
to let us have their machines for too long before they rebuild them. :)

On some machines we've found RemoteNC, but others are infected with
files which have either 'Fluxay' or 'FluxShadow' showing up in the
strings output, along with an author going by the name of Assassin.  We
have seen these as trojaned versions of C:\WINNT\system32\W32Time.exe
and MSTask.exe, but they don't return such an obvious prompt as you
describe.

If we're correct on how this thing is spreading, I doubt it will become
*too* serious of a problem for us in this incarnation <knock on wood>,
since most of our larger Windows shops are enforcing some sort of
password policy.  In fact, the most serious consequence I've seen from
these attacks was the DoS of a domain which had account locking set
after five failed retries in a half hour.  For those who have been
compromised, our response has been to tell them to format and reinstall
and to caution them about using better passwords.  I've also added a
page to our site explaining the problem and how to deal with it (other
than by firewalling).  It is designed with semi-technical users in
mind.  Feel free to take a look:
<http://security.uchicago.edu/windows/netbios/index.shtml>.
Incidentally, we also have a page for the MSSQL null-password issue:
<http://security.uchicago.edu/windows/mssql/index.shtml>

Take care,

Dan

-- 

A boast of "I have been's,"  | Daniel G. Epstein
quoted from foolscap tomes,  | Network Security Officer,
is a shadow brushed away     | Network Security & Enterprise
by an acorn from an oak tree |  Network Systems Administration
or a salmon in a pool.       | NSIT, The University of Chicago
                             | depstein at uchicago.edu

For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml
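The quoted report says RemoteNC is easy to spot because a plain TCP connection to it (usually on port 4 or 6) answers with a "RemoteNC password:" prompt. The following banner-grabbing scanner is an added example written for this page, not code from either poster or from the netxeyes tools. The host list, the timeout values, and the loopback "fake listener" (a constructed stand-in that greets clients with a chosen banner so the scanner can be exercised offline) are all assumptions of the example; point `scan()` at your own subnet and the default ports to use it for real.

```python
"""Probe hosts for the RemoteNC backdoor by its login banner (added example)."""
import socket
import threading

# The prompt a fresh TCP connection to RemoteNC receives, per the report above.
REMOTENC_PROMPT = b"RemoteNC password:"
# Ports the report says RemoteNC usually listens on.
DEFAULT_PORTS = (4, 6)


def is_remotenc_banner(data: bytes) -> bool:
    """True if the bytes a service volunteered on connect contain the RemoteNC prompt."""
    return REMOTENC_PROMPT in data


def grab_banner(host: str, port: int, timeout: float = 3.0, max_bytes: int = 256) -> bytes:
    """Connect, read what the service sends unprompted, return it (b'' if refused/silent)."""
    chunks, total = [], 0
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while total < max_bytes:
                try:
                    chunk = s.recv(max_bytes - total)
                except socket.timeout:
                    break  # service wants the client to speak first; not RemoteNC-style
                if not chunk:
                    break  # peer closed the connection
                chunks.append(chunk)
                total += len(chunk)
    except OSError:
        return b""  # refused, unreachable, or reset
    return b"".join(chunks)


def scan(hosts, ports=DEFAULT_PORTS, timeout=3.0):
    """Return [(host, port, banner)] for each host:port that answers with the RemoteNC prompt."""
    hits = []
    for host in hosts:
        for port in ports:
            banner = grab_banner(host, port, timeout)
            if is_remotenc_banner(banner):
                hits.append((host, port, banner))
    return hits


# Constructed stand-in (assumption of this example) so the scanner runs offline:
# a loopback listener that greets every client with `banner`, as the report says
# RemoteNC does. It is NOT RemoteNC and does not reproduce the backdoor.
def start_fake_listener(banner: bytes):
    """Start a loopback listener sending `banner` on connect; returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(5)
    srv.settimeout(0.2)  # lets the serve loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:  # accepted sockets are blocking; send the prompt and hang up
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    port, stop = start_fake_listener(REMOTENC_PROMPT)
    for host, p, banner in scan(["127.0.0.1"], ports=(port,)):
        print(f"{host}:{p} looks like RemoteNC: {banner!r}")
    stop()
```

Only services that talk first are caught; a port that is open but silent (or one serving a trojaned W32Time.exe/MSTask.exe of the Fluxay kind described above, which returns no obvious prompt) reads back as an empty banner, so treat a miss as "not RemoteNC", not as "clean".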


