[unisog] 10.10.10.10:36278

Paul Dokas dokas at cs.umn.edu
Wed Feb 18 21:50:48 GMT 2004


On Wed, 18 Feb 2004 14:13:46 -0500 "Fred Portnoy" <fportnoy at mail.plymouth.edu> wrote:
> Has anyone seen something like this? I've stopped over 14,000 of these in
> the last hour coming out of our ResNet. Here's a sample:
> 
> 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S
> 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S
> 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S
> 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S
> 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S
> 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S
> 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 
> tia
> 
> -fp

I've finally managed to get a copy of a worm/virus that does this.

It appears to be an old 'bot of some sort.  NAV says that portions of it
are w32.spybot.worm and other portions are trojan.download.chekin.

Here's a snapshot of some of the files recovered from a Win98 machine:

total 284
drwxr-xr-x  3 dokas  users    512 Feb 18 15:29 ./
drwxr-xr-x  6 dokas  users    512 Feb 18 15:29 ../
-rw-r--r--  1 dokas  users  36390 Jan 12 06:56 MSGSRV32.exe
-rw-rw-rw-  1 dokas  users  68608 Feb 20  2003 SbSrch_V2.dll
-rw-rw-rw-  1 dokas  users  71680 Apr 21  2003 SbSrch_V22.dll
drwxr-xr-x  2 dokas  users    512 Feb 18 15:28 kazaabackupfiles/
-rw-r--r--  1 dokas  users  58880 Feb 20  2003 sub2_1C.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 wupdate.exe

./kazaabackupfiles:
total 464
drwxr-xr-x  2 dokas  users    512 Feb 18 15:28 ./
drwxr-xr-x  3 dokas  users    512 Feb 18 15:29 ../
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 AVP_Crack.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 AquaNox2 Crack.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 Battlefield1942_bloodpatch.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 C&C Generals_crack.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 FIFA2003 crack.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 NBA2003_crack.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 Porn.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 UT2003_bloodpatch.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 Unreal2_bloodpatch.exe
-rw-r--r--  1 dokas  users  46624 Jan 12 11:09 zoneallarm_pro_crack.exe

Given that it appears to try to spread through KaZaA, I also suspect that
it attempts to spread through Ares and possibly other P2Ps.  As Brian noted,
we've seen a *strong* correlation between traffic to 10.10.10.10 and machines
running Ares.


The reason that I have a strong suspicion that this is creating at least some
of the traffic to 10.10.10.10 is that inside of wupdate.exe is the string
"irc-d.sytes.net".  That hostname resolves to 10.10.10.10:

  % host irc-d.sytes.net
  irc-d.sytes.net has address 10.10.10.10


It's interesting to note that today, we noticed traffic going to 10.0.1.128
also.  That IP seems to be triggered by a version of Gaobot that attempts to
reach lar.ath.cx, which resolves to 10.0.1.128.

Paul
-- 
Paul Dokas                                            dokas at cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
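As an added illustration that is not part of the original thread: a small Python parser for the tcpdump format quoted above, which counts SYNs per ResNet host toward a given sink address and port and flags the hosts beaconing to it. The packet lines are a constructed sample in the same shape as Fred's capture (wrapped over two lines by the mail client); hostnames and the 10.x addresses are the placeholders used in the post, and the threshold is an assumed tuning knob.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump format quoted in the thread. Each packet
# spans two lines because the mail client wrapped it; only the first line
# carries the addresses we need.
SAMPLE = """\
14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S
348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S
351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S
450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S
351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S
349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:02:53.000000 resnet200-001.zzzz.xxxx.1200 > 10.10.10.10.80: S
100000000:100000000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
"""

# The host part may itself contain dots, so the port is the last dotted
# component before " > " (source) or ": " (destination). The trailing "S"
# restricts the match to SYN-only segments.
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): S\b"
)


def parse_syns(text):
    """Yield (timestamp, src_host, dst_host, dst_port) for each SYN line."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["dport"])


def flag_beaconing_hosts(text, sink_host, sink_port, threshold):
    """Count SYNs per source host toward sink_host:sink_port and return
    (host, count) pairs at or above threshold, busiest first."""
    counts = Counter()
    for _ts, src, dst, dport in parse_syns(text):
        if dst == sink_host and dport == sink_port:
            counts[src] += 1
    hits = [(h, n) for h, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda hn: -hn[1])
```

Run against a full capture, the output is the list of internal hosts worth pulling off the network and imaging; the SYN to port 80 in the sample is deliberately excluded to show that only traffic to the suspected IRC port is counted.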