[unisog] Re: Coordinated Scan

Jon Karl Miyake miyake at darkwing.uoregon.edu
Fri Mar 22 18:10:02 GMT 2002


The "darkirc" intrusions that we encountered also had the following files
installed.

(I copied the files over to a Linux system to prod at them. As such the
slashes are leaning the wrong way for a Windows system.  The directory
structure is based off of the root of the C: drive.)  :)

Documents_and_Settings/All_Users/Start_Menu/Programs/Startup/rudl32.exe
Documents_and_Settings/All_Users/Start_Menu/Programs/Startup/sxe77.tmp
Documents_and_Settings/All_Users/Start_Menu/Programs/Startup/sxe7A.tmp
WINNT/system32/2XVLL.OCX
WINNT/system32/32DLL.OCX
WINNT/system32/32DLLXP.OCX
WINNT/system32/16dll.ini
WINNT/system32/ddl32.exe
WINNT/system32/rundl32.exe
WINNT/system32/vmn32.exe
WINNT/system32/TEMP.EXE
WINNT/system32/TEMP2.EXE
WINNT/system32/GATES.TXT
WINNT/system32/FSEARCH.INI
WINNT/system32/OCXU.INI
WINNT/system32/mirc.ini
WINNT/system32/TEMP.SCR
WINNT/system32/vmn32/32DLLEMU.TXT
WINNT/system32/vmn32/BARM8.GIF
WINNT/system32/vmn32/FIREDAEM.EXE
WINNT/system32/vmn32/INETSERV.EXE
WINNT/system32/vmn32/KILL.EXE
WINNT/system32/vmn32/LSASS.EXE
WINNT/system32/vmn32/PULIST.EXE
WINNT/system32/vmn32/SERVICES.EXE
WINNT/system32/vmn32/TAR.EXE
WINNT/system32/vmn32/ASP/CYGWIN1.DLL
WINNT/system32/vmn32/ASP/IR.CON
WINNT/system32/vmn32/ASP/SVHOST.EXE
WINNT/system32/vmn32/ASP/TAR.EXE
WINNT/system32/vmn32/ASPC/CYGWIN1.DLL
WINNT/system32/vmn32/ASPC/IR.CON
WINNT/system32/vmn32/ASPC/SVHOST.EXE

URLs that I came across that are writeups about similar packages based
off of mIRC.

http://www.safersite.com/PestInfo/I/ICQPageBomb.asp
http://cert.uni-stuttgart.de/archive/incidents/2000/11/msg00027.html
http://bots.lockdowncorp.com/gtbot.html


It also seems after doing a brief look at some of the scripts that the
compromised host talks with . . .

noreics.scieron.com (217.10.143.237)
aka. flyboy7.ukshells.co.uk

The "noreics.scieron.com" string was referenced in the following
script/config files.

/WINNT/system32/32DLLXP.OCX
/WINNT/system32/16dll.ini
/WINNT/system32/OCXU.INI


Jon Miyake

voice #: (541) 346-1635
Computing Center Room 225
University of Oregon


On Fri, 22 Mar 2002, Sherry M. Rogers wrote:

>
> We were one of the campuses with hosts involved in the scan Tracey
> described.  Our network people blocked a couple of hosts because of what
> looked like DDoS activity and we were able to correlate this with odd
> packets being flagged by our NIDS (Bro) as excessive length ntp/port 123
> traffic.
>
> We identified 13 Windows hosts altogether.  When scanned with nmap there
> were two interesting ports open - a port 99 which disappeared on
> subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
> was running a program written by "darkIRC".
>
> One of the departments involved sent us the following analysis. If
> anyone else sees this exploit, we would really like to get more
> information.  Also if you have knowledge of this darkIRC cohort - which
> is new to us.  BTW, running a "darkIRC" virus scan on the box doesn't
> find the files.
>
>
> Analysis:
>
> >Attached are all of the files I could find that I believe were put there
> >by the hacker.  Below you will find both dates and times when the files
> >were copied to the computer as well as a description of what each file
> >seems to do.
> >
> >File creations-
> >File: INDEX.dat Created on computer: 3/5/2002 8:13am Modified: 3/14/2002 9:51
> >File: DDL32.exe Created on computer: 3/14/2002 8:12am
> >File: VMN32.exe Created on computer: 3/14/2002 8:13am
> >File: RUDL32.exe        Created on computer: 3/14/2002 8:13am
> >File: DLL32NOS.exe      Created on computer: 3/14/2002 9:51am
> >
> >File's Action (Significance)
> >File: INDEX.dat
> >Taken from the web cache and seems to show dll32nos.exe being downloaded
> >from http://home.earthlink.net/~robertberry/dll32nos.exe
> >
> >File: DDL32.exe
> >Extracts (but does not launch) mIRC file (and associates) named as
> >temp.exe.  One of the files temp2.exe (which is a hidden file) seems to
> >be used to hide the launching of temp.exe.  Temp.exe listens on port 9088.
> >
> >File: VMN32.exe
> >Extracts Serv-U FTP server.  The FTP server file is named lsass.exe (also
> >the name of Microsoft's Local Security Authority SubSystem file which is
> >always running on WinNT-XP boxes and therefore might go unnoticed) and
> >listens on port 43958.
> >
> >File: RUDL32.exe
> >Creates and launches a file named sxeNN.tmp (where NN appears to be one or
> >two randomly selected characters).  This tmp file is the darkirc client.
> >
> >File: DLL32NOS.exe
> >Identical to DDL32.exe except that after extracting all of the files it
> >launches the file temp.exe.
> >
> >This afternoon the computer will be formatted and rebuilt so that it can
> >be returned to the owner. If you have anything for me to check on let me
> >know quickly.
>
>
> -------------------------------------------------------------------------
> Sherry M. Rogers                 University of California, Berkeley
> System & Network Security        phone (510)642-7157
> -------------------------------------------------------------------------
>
>
>
>
>
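As an added triage example (not from either poster), the following script checks a copy of a compromised C: drive, mounted on a Linux box the way Jon describes, for a subset of the artifact paths listed in the thread and for the "noreics.scieron.com" string in the three script/config files that were said to reference it. The function names, the case-insensitive path matching, and the sample tree it builds (including the made-up 16dll.ini contents) are assumptions for the demo, not details from the post.

```python
import os
import tempfile
# Artifact paths from the post, relative to the copied C: root (a subset).
ARTIFACT_PATHS = [
    "Documents_and_Settings/All_Users/Start_Menu/Programs/Startup/rudl32.exe",
    "WINNT/system32/ddl32.exe",
    "WINNT/system32/vmn32.exe",
    "WINNT/system32/vmn32/LSASS.EXE",
]
# Script/config files the post says reference the IRC server name.
CONFIG_FILES = ["WINNT/system32/32DLLXP.OCX", "WINNT/system32/16dll.ini",
                "WINNT/system32/OCXU.INI"]
IRC_SERVER = b"noreics.scieron.com"

def resolve_nocase(root, relpath):
    """Walk relpath under root, matching each component case-insensitively
    (a copy from NTFS onto a Linux filesystem need not preserve case)."""
    cur = root
    for part in relpath.split("/"):
        try:
            entries = os.listdir(cur)
        except OSError:          # missing directory, or a file in the way
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur

def triage(root):
    """Return (artifact paths present, config files containing IRC_SERVER)."""
    present = [p for p in ARTIFACT_PATHS if resolve_nocase(root, p)]
    hits = []
    for cfg in CONFIG_FILES:
        path = resolve_nocase(root, cfg)
        if path is not None:
            with open(path, "rb") as fh:
                if IRC_SERVER in fh.read():
                    hits.append(cfg)
    return present, hits

def demo():
    """Constructed tree: two artifacts (one differing in case), made-up 16dll.ini."""
    root = tempfile.mkdtemp()
    for rel in ("WINNT/system32/ddl32.exe", "WINNT/system32/VMN32/lsass.exe"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").close()
    with open(os.path.join(root, "WINNT/system32/16dll.ini"), "wb") as fh:
        fh.write(b"server=noreics.scieron.com\n")   # constructed sample content
    return triage(root)
```

Point `triage()` at the directory holding the copied drive; an empty result for both lists means none of the listed paths were found and none of the three config files mention the server name.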




More information about the unisog mailing list