[unisog] Re: Coordinated Scan
Jon Karl Miyake
miyake at darkwing.uoregon.edu
Fri Mar 22 18:10:02 GMT 2002
The "darkirc" intrusions that we encountered also had the following files
(I copied the files over to a Linux system to prod at them; as such the
slashes are leaning the wrong way for a Windows system. The directory
structure is based off of the root of the C: drive.) :)
URLs that I came across that are writeups about similar packages based
off of mIRC.
It also seems after doing a brief look at some of the scripts that the
compromised host talks with . . .
The "noreics.scieron.com" string was referenced in the following
voice #: (541) 346-1635
Computing Center Room 225
University of Oregon
On Fri, 22 Mar 2002, Sherry M. Rogers wrote:
> We were one of the campuses with hosts involved in the scan Tracey
> described. Our network people blocked a couple of hosts because of what
> looked like ddos activity and we were able to correlate this with odd
> packets being flagged by our NIDS (bro) as excessive length ntp/port 123.
> We identified 13 Windows hosts altogether. When scanned with nmap there
> were two interesting ports open - a port 99 which disappeared on
> subsequent scans, and port 8888. Connecting to port 8888 revealed that it
> was running a program written by "darkIRC".
> One of the departments involved sent us the following analysis. If
> anyone else sees this exploit, we would really like to get more
> information. Also if you have knowledge of this darkIRC cohort - which
> is new to us. BTW, running a "darkIRC" virus scan on the box doesn't
> find the files.
> >Attached are all of the files I could find that I believe were put there
> >by the hacker. Below you will find both dates and times when the files
> >were copied to the computer as well as a description of what each file
> >seems to do.
> >File creations-
> >File: INDEX.dat Created on computer: 3/5/2002 8:13am Modified: 3/14/2002 9:51
> >File: DDL32.exe Created on computer: 3/14/2002 8:12am
> >File: VMN32.exe Created on computer: 3/14/2002 8:13am
> >File: RUDL32.exe Created on computer: 3/14/2002 8:13am
> >File: DLL32NOS.exe Created on computer: 3/14/2002 9:51am
> >File's Action (Significance)
> >File: INDEX.dat
> >Taken from the web cache and seems to show dll32nos.exe being downloaded
> >from http://home.earthlink.net/~robertberry/dll32nos.exe
> >File: DDL32.exe
> >Extracts (but does not launch) mirc file (and associates) named as
> >temp.exe. One of the files temp2.exe (which is a hidden file) seems to
> >be used to hide the launching of temp.exe. Temp.exe listens on port 9088.
> >File: VMN32.exe
> >Extract Serve-U FTP server. The FTP server file is named lsass.exe (also
> >the name of Microsoft's Local Security Authority SubSystem file which is
> >always running on WinNT-XP boxes and therefore might go unnoticed) and
> >listens on port 43958.
> >File: RUDL32.exe
> >Creates and launches a file named sxeNN.tmp (where NN appears to be 1 or
> >two randomly selected characters). This tmp file is the darkirc client.
> >File: DLL32NOS.exe
> >Identical to DDL32.exe except that after extracting all of the files it
> >launches the file temp.exe
> >This afternoon the computer will be formatted and rebuilt so that it can
> >be returned to the owner. If you have anything for me to check on let me
> >know quickly.
> Sherry M. Rogers University of California, Berkeley
> System & Network Security phone (510)642-7157
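The indicators from the quoted analysis (dropper file names, the sxeNN.tmp client, an lsass.exe that is really Serv-U, and the listening ports 8888/9088/43958), turned into a small host-triage script. This is an added example, not code from the thread; the "lsass.exe is legitimate only under a system32 directory" heuristic, the netstat -an column layout, and the sample file list and netstat lines are assumptions constructed here.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the analysis quoted in the thread.
DROPPER_NAMES = {"ddl32.exe", "vmn32.exe", "rudl32.exe", "dll32nos.exe",
                 "temp.exe", "temp2.exe"}
SUSPECT_PORTS = {8888, 9088, 43958}  # darkIRC listener, temp.exe, Serv-U lsass.exe
SXE_TMP = re.compile(r"^sxe[0-9a-z]{1,2}\.tmp$", re.IGNORECASE)

def triage_files(paths):
    """Return (path, reason) for every file that matches an indicator.
    PureWindowsPath accepts both slash directions, so listings taken from a
    Linux copy of the drive (as in the thread) work unchanged."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name in DROPPER_NAMES:
            hits.append((p, "known dropper/payload name"))
        elif SXE_TMP.match(name):
            hits.append((p, "sxeNN.tmp darkirc client pattern"))
        elif name == "lsass.exe" and wp.parent.name.lower() != "system32":
            # Assumption: the real LSA binary lives only in a system32 directory.
            hits.append((p, "lsass.exe outside system32 (Serv-U disguise)"))
    return hits

def triage_netstat(lines):
    """Parse 'netstat -an' style lines; return (local_addr, port) for TCP
    listeners on the ports named in the thread."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in SUSPECT_PORTS:
            hits.append((parts[1], port))
    return hits

# Constructed sample data (not from a real host).
SAMPLE_FILES = [
    r"C:\WINNT\system32\lsass.exe",      # legitimate LSA binary
    r"C:\WINNT\system32\DDL32.exe",      # dropper from the analysis
    "C:/WINNT/system32/RUDL32.exe",      # forward slashes, copied via Linux
    r"C:\temp\lsass.exe",                # Serv-U disguised as lsass.exe
    r"C:\WINNT\Temp\sxeA7.tmp",          # darkirc client
    r"C:\Program Files\notepad.exe",     # benign
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:8888     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:43958    0.0.0.0:0    LISTENING",
    "  UDP    0.0.0.0:123      *:*",
]
```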