[unisog] Super-hidden spamming exploits?

Geoff LeBoldus leboldug at post.queensu.ca
Thu Sep 25 17:39:15 GMT 2003


At 10:37 AM 2003-09-25 -0400, Rita Seplowitz Saltz wrote:
>We've seen a number of student-owned MS Windows machines exploited by 
>spammers, even after the "usual suspects" have been addressed 
>(administrator password, backdoors, remote code, spyware, assorted 
>viruses) and the systems are believed to have been locked down securely.

We've had 15 spam proxies in the last 2 weeks. We're definitely seeing a 
new type, I believe; see further down.

I don't have any clues as to the infection route. I haven't found any 
strict commonality apart from not being completely patched with Windows 
Update. They all have a p2p program of some sort (typically Kazaa but not 
all) and some chat program (typically MSN Messenger but not all).

We are blocking 135-139, 445, 593 tcp+udp at our border, so that should 
rule out the RPC vulnerabilities.

Infected computers had 50-100 connections inbound. Blocking inbound to the 
IP stopped the outbound 25/tcp streams, as expected. We have since blocked 
25/tcp outbound for ResNet and are periodically logging to check for new 
proxies.

>Has anyone else seen this kind of thing?  And, if so,  have you any 
>helpful insights to offer?

The first proxies we saw were generally all different. Ports used were all 
different. Symantec Antivirus typically identified them generically as 
Backdoor.Trojan. We also saw Backdoor.SDbot (with a dropper) and 
Trojan.Adclicker.

We discovered 9 new proxies of a similar unknown type on Monday/Tuesday. 
They were not in the Symantec VDF. They also loosely had a dropper. 
Filenames were different, but all trojan files started with an asterisk. 
Ports were all different and seemingly randomly determined on boot.

Here's what we have for removal instructions for this new proxy, as 
determined by our Support folks. Tell me if this looks similar to your 
proxies.

1. Run Regedit. Check
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce for a
key beginning with *. Take note of that key name.

2. Reboot the computer into safe mode command prompt.

3. Change directory to C:\Documents and Settings\(Username)\Local
Settings\Temp

4. Delete the file in that directory with the same name as the key from
step 1.

5. While still in safe mode's command prompt, run regedit. Delete the key
from RunOnce and Run.

6. Reboot. Voila.

--
Geoff LeBoldus
Systems Programmer              Information Technology Services
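An added example, not part of Geoff's post or of the unisog archive: a read-only PowerShell audit for the indicator the removal steps above key on, namely Run/RunOnce value names that begin with an asterisk. PowerShell postdates this 2003 message, so the script is written for Windows PowerShell 2.0 or later; the XP-era profile root (C:\Documents and Settings) is taken from the post and is an assumption for any newer system, where C:\Users applies. One fact worth knowing while reading the findings: Windows treats a RunOnce value name prefixed with `*` as one to execute even in Safe Mode, so such entries are worth inspecting in their own right.

```powershell
# Added example (not from the original post): report Run/RunOnce values whose
# value name begins with '*', and say whether the program they launch exists
# and whether it lives in a per-user temp directory. Changes nothing.
# Assumptions: Windows PowerShell 2.0+, XP/2003-style profile layout.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Per-user temp directories in the layout the post names
# (C:\Documents and Settings\<user>\Local Settings\Temp).
$ProfileRoot = 'C:\Documents and Settings'   # assumption; C:\Users on Vista+
$TempDirs = @()
if (Test-Path -LiteralPath $ProfileRoot) {
    $TempDirs = Get-ChildItem -LiteralPath $ProfileRoot |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'Local Settings\Temp' } |
        Where-Object { Test-Path -LiteralPath $_ }
}

function Get-CommandTarget {
    # Pull the executable path out of a Run/RunOnce command string:
    # the quoted first token if present, otherwise everything before the
    # first whitespace.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

$Findings = @()
foreach ($Key in $AutorunKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Item = Get-Item -LiteralPath $Key
    foreach ($Name in $Item.GetValueNames()) {
        # The post's indicator: the value name itself starts with '*'.
        if (-not $Name.StartsWith('*')) { continue }

        $Command = [string]$Item.GetValue($Name)
        $Target  = Get-CommandTarget $Command

        $TargetExists = $false
        if ($Target) { $TargetExists = Test-Path -LiteralPath $Target }

        $InUserTemp = $false
        foreach ($Dir in $TempDirs) {
            if ($Target -and $Target.ToLower().StartsWith($Dir.ToLower())) {
                $InUserTemp = $true
            }
        }

        $Findings += New-Object PSObject -Property @{
            Key                  = $Key
            ValueName            = $Name
            Command              = $Command
            Target               = $Target
            TargetExists         = $TargetExists
            LaunchesFromUserTemp = $InUserTemp
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Run/RunOnce value names beginning with "*" were found.'
} else {
    $Findings | Format-List Key, ValueName, Command, Target, TargetExists, LaunchesFromUserTemp
}
```

Run it from an administrative prompt in normal mode to record the key, value name and file path before rebooting; the cleanup itself is then the manual Safe Mode procedure in the post. Because the script only reads the registry and tests for file existence, it is safe to run across a lab of suspect ResNet machines to confirm which ones match this particular pattern before anyone starts deleting keys.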