WinGate and W32.Sobig (was Re: [unisog] Spammers compromising systems)

Brian Reilly reillyb at georgetown.edu
Fri Mar 7 19:34:45 GMT 2003


After collecting some useful forensic information from a compromised
machine running a WinGate proxy, I've confirmed that WinGate was installed
as part of the payload of the W32.Sobig worm.  A few of the analyses of
W32.Sobig mentioned that it attempted to download a file, but did not
specifically mention WinGate.

Upon being infected with W32.Sobig, the host will open an Internet
Explorer connection to http://www.geocities.com/reteras/reteral.txt, which
contains the URL for the trojan program to be installed; the host then
connects to that URL and downloads and executes the referenced file.  
Until at least 2/21/03 13:48 EST, reteral.txt pointed to a WinGate
installer in a user account on www.loricoshop.com.

The URL in reteral.txt is currently "http://www.blahblahblahblah.com/",
which I haven't been able to resolve, and for which I haven't been able to
uncover accurate WHOIS information.

So are spammers behind the spread of W32.Sobig and WinGate, or are they
just scavenging the compromised hosts?  I have no idea.  If you'd like to
compare notes on the spread and abuse of these WinGate proxies, drop me a
message offline.

--Brian

______________________________________________
Brian Reilly, CISSP
University Network Security Officer
Georgetown University Information Services
<reillyb at georgetown.edu>
+1 202.687.2775


On Thu, 6 Feb 2003, E. Larry Lidz wrote:

> 
> We've seen a couple of machines in the last couple of days which were
> compromised by intruders and which have had a program called WinGate
> installed on them. Part of WinGate appears to be an SMTP agent which the
> intruders use to send spam through the system.
> 
> I don't recall us ever having seen spammers actually break into
> systems before. It doesn't come as a major surprise, but I thought I'd
> mention it as I suspect it will become as commonplace as intruders
> breaking into machines to set up sites to distribute copyrighted
> materials.
> 
> -Larry
> 
> ---
> E. Larry Lidz                                        Phone: +1 773 702-2208
> Sr. Network Security Officer                         Fax:   +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
> 
