[unisog] Re: Coordinated Scan

Ed Zawacki edz at uic.edu
Fri Mar 22 18:53:13 GMT 2002


We have also had several machines on campus hit with this. We're still
trying to determine the method of infection and would love details.

Ed Zawacki

At 09:15 AM 3/22/2002 -0800, Sherry M. Rogers wrote:

>We were one of the campuses with hosts involved in the scan Tracey
>described.  Our network people blocked a couple of hosts because of what
>looked like DDoS activity and we were able to correlate this with odd
>packets being flagged by our NIDS (Bro) as excessive-length NTP/port 123
>traffic.
>
>We identified 13 Windows hosts altogether.  When scanned with nmap there
>were two interesting ports open - a port 99 which disappeared on
>subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
>was running a program written by "darkIRC".
>
>One of the departments involved sent us the following analysis. If
>anyone else sees this exploit, we would really like to get more
>information.  Also if you have knowledge of this darkIRC cohort - which
>is new to us.  BTW, running a "darkIRC" virus scan on the box doesn't
>find the files.
>
>
>Analysis:
>
> >Attached are all of the files I could find that I believe were put there
> >by the hacker.  Below you will find both dates and times when the files
> >were copied to the computer as well as a description of what each file
> >seems to do.
> >
> >File creations-
> >File: INDEX.dat Created on computer: 3/5/2002 8:13am Modified: 3/14/2002 9:51
> >File: DDL32.exe Created on computer: 3/14/2002 8:12am
> >File: VMN32.exe Created on computer: 3/14/2002 8:13am
> >File: RUDL32.exe Created on computer: 3/14/2002 8:13am
> >File: DLL32NOS.exe Created on computer: 3/14/2002 9:51am
> >
> >File's Action (Significance)
> >File: INDEX.dat
> >Taken from the web cache and seems to show dll32nos.exe being downloaded
> >from http://home.earthlink.net/~robertberry/dll32nos.exe
> >
> >File: DDL32.exe
> >Extracts (but does not launch) mIRC file (and associates) named as
> >temp.exe.  One of the files, temp2.exe (which is a hidden file), seems to
> >be used to hide the launching of temp.exe.  Temp.exe listens on port 9088.
> >
> >File: VMN32.exe
> >Extracts Serv-U FTP server.  The FTP server file is named lsass.exe (also
> >the name of Microsoft's Local Security Authority Subsystem file, which is
> >always running on WinNT-XP boxes and therefore might go unnoticed) and
> >listens on port 43958.
> >
> >File: RUDL32.exe
> >Creates and launches a file named sxeNN.tmp (where NN appears to be one or
> >two randomly selected characters).  This tmp file is the darkIRC client.
> >
> >File: DLL32NOS.exe
> >Identical to DDL32.exe except that after extracting all of the files it
> >launches the file temp.exe.
> >
> >This afternoon the computer will be formatted and rebuilt so that it can
> >be returned to the owner. If you have anything for me to check on let me
> >know quickly.
>
>
>-------------------------------------------------------------------------
>Sherry M. Rogers                 University of California, Berkeley
>System & Network Security        phone (510)642-7157
>-------------------------------------------------------------------------

-------------------------------------------------------------------------
Edward Zawacki                                  University of Illinois at Chicago
Security Officer                                        (312) 996-0658
ACCC
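As a starting point for the host checks Sherry asked for, here is an added triage sketch (not from either poster) that applies the indicators in the quoted analysis to a process listing; the Proc record layout, the SYSTEM_DIR value and the sample processes are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the quoted analysis: dropper/bot file names, the
# sxeNN.tmp darkIRC client, and the three listening ports it reported.
SUSPECT_FILES = {"ddl32.exe", "vmn32.exe", "rudl32.exe", "dll32nos.exe",
                 "temp.exe", "temp2.exe"}
SXE_TMP = re.compile(r"sxe.{1,2}\.tmp")
SUSPECT_PORTS = {8888, 9088, 43958}        # darkIRC service, temp.exe, Serv-U
SYSTEM_DIR = r"c:\winnt\system32"          # assumption: NT/2000 default path

@dataclass
class Proc:
    pid: int
    name: str                 # image name as shown in the process list
    path: str                 # full image path
    listening: set = field(default_factory=set)   # TCP ports in LISTENING state

def folder_of(path):
    """Lower-cased directory part of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]

def triage(procs):
    """Return (pid, reason) pairs for processes matching the reported indicators."""
    findings = []
    for p in procs:
        name = p.name.lower()
        # The real LSA process only ever runs from the system directory.
        if name == "lsass.exe" and folder_of(p.path) != SYSTEM_DIR:
            findings.append((p.pid, f"lsass.exe outside {SYSTEM_DIR}: {p.path}"))
        if name in SUSPECT_FILES or SXE_TMP.fullmatch(name):
            findings.append((p.pid, f"reported dropper/bot file name: {p.name}"))
        hits = p.listening & SUSPECT_PORTS
        if hits:
            findings.append((p.pid, f"listening on reported port(s): {sorted(hits)}"))
    return findings

# Constructed sample: one clean lsass.exe plus the three implants described above.
SAMPLE = [
    Proc(232, "lsass.exe", r"C:\WINNT\system32\lsass.exe"),
    Proc(1104, "lsass.exe", r"C:\WINNT\Temp\lsass.exe", {43958}),
    Proc(1160, "temp.exe", r"C:\WINNT\Temp\temp.exe", {9088}),
    Proc(1188, "sxe4a.tmp", r"C:\WINNT\Temp\sxe4a.tmp", {8888}),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(pid, reason)
```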
