Re: strange windows behaviour.

From: Brian Eckman (eckman@umn.edu)
Date: Tue Oct 07 2003 - 12:52:25 CDT


On September 25, 2003, I posted an article "Analysis of a Spam Trojan"
to the full-disclosure and focus-virus Listservs. It details one
particular spam trojan we found at the University of Minnesota. The
full-disclosure archive can be viewed at:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html

We have a bunch of machines currently infected with something else
called Autoproxy or a close variant, but I've never seen one used for
Spam quite yet. I hope to go visit one later today to do analysis on it.
For details on that beast, check out:
http://www.lurhq.com/autoproxy.html

Brian

John Sage wrote:
> Peter:
>
> On Mon, Oct 06, 2003 at 01:05:13PM -0700, Peter Moody wrote:
>
>>Hello all,
>>
>>I've got a bit of a problem, and I was wondering if anyone on this list
>>has seen similar things. Recently, we've been having student windows
>>machines on our residential network begin spewing large, massive (on the
>>order of hundreds of thousands in a few hours) spam messages at our mail
>>servers. We promptly disconnect the machines and head down to do some
>>forensic work on the boxes when we get a chance (usually after they call
>>to complain that the internet has died).
>>
>>I've been trying to find information on this, but the most I've been
>>able to come up with is an advisory from symantec's threat management
>>system saying Mprox (some sort of MS proxy) is to blame. None of the
>>machines I've gone and examined have had this program running or on the
>>system anywhere for that matter.
>>
>>Has anyone else had similar problems of late? This all started for us
>>about a week ago and it's showing no signs of going away any time soon.
>
>
> You may be interested in this 09/06/03 post to the UNISOG maillist
> (unisog@sans.org):
>
> /* begin post fragment */
>
> From: Paul Russell <prussell@nd.edu>
> To: unisog@sans.org
> Subject: [unisog] Spam from student-owned computers
> Date: Mon, 06 Oct 2003 15:51:12 -0500
>
> In the past ten days, we have had five incidents in which
> student-owned computers in our residence hall network (ResNet) were
> used to send large quantities of spam. I have seen similar reports
> from other sites, so I thought some of you might be interested in our
> experience. Appended below are the case notes from one of these
> incidents. The report has been edited to remove all personal
> identification information. The analysis of the student's workstation
> was performed by a member of our Information Security team.
>
> --
> Paul Russell
> Senior Systems Administrator
> University of Notre Dame
>
> *** NOTES 10/06/2003 08:05:21 AM ******** Action Type: Add'tl
> Info. Rec'd. Visited student's workstation last Friday afternoon. Upon
> running 'tcpview' dozens of processes, all running as svchost.exe,
> appeared to be listening to a variety of high-level ports. After
> installing and updating McAfee Enterprise 7 VS, his machine was
> gracefully powered down, then turned back on while unplugged from the
> network. A scan of all files on his workstation revealed no viruses.
> Also, the machine was fully patched (he had automatic updates turned
> on under XP). All of the unusual svchost.exe processes disappeared
> (which was expected given the lack of a network connection). I then
> noticed a process named 'winsrvn.exe' listening on port 1033 UDP, as
> well as 'system:4' listening on 1030 TCP.
>
> Checking all of the programs that were automatically started at boot,
> it appeared as though the student had a lot of optional things running
> in the background, including winsrvn.exe. He believed that this
> particular program was installed as part of Purity Scanner, which,
> apparently, scans one's hard drive for inappropriate materials. It
> turns out that Purity is actually adware, and is often bundled with
> Grokster (P2P program). Further, it looked as though the student was
> using Grokster. From what I've been able to find with a web search,
> Grokster sometimes includes ancillary software that may contain back
> doors. I had the student email me a zip of the winsrvn.exe for later
> examination. The other mysterious process (system:4) seemed to
> disappear after I removed winservn.exe (perhaps the two were
> related?).
>
> /* end post fragment */
>
>
> HTH..
>
>
> - John

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."
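The case notes above describe the host-side triage by hand: run tcpview, look for processes listening on high ports (here dozens of svchost.exe instances, a winsrvn.exe on UDP 1033, and "system:4" on TCP 1030), then check what starts automatically at boot. The script below is an added example, not code from the thread or from any of the posters, that performs the same three checks on a modern Windows host. It assumes an elevated PowerShell session with the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint) and uses Win32_Process and Win32_StartupCommand from CIM; the heuristics (svchost.exe should live in System32 and be a child of services.exe, and other listeners outside the Windows directory deserve a look) are my own choices, not anything the thread states.

```powershell
# Added example (not from the thread): list TCP/UDP listeners with their owning
# process, flag svchost.exe instances that do not look legitimate, and dump
# autostart entries. Assumes Windows 8/Server 2012 or later and an elevated shell.

$windowsDir = $env:SystemRoot
$system32   = Join-Path $windowsDir 'System32'

# Snapshot the process table once so listener rows can be joined to it.
$byPid = @{}
foreach ($p in Get-CimInstance Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

function Get-ListenerReport {
    # Get-NetTCPConnection/Get-NetUDPEndpoint give the same view tcpview gave in 2003:
    # local port plus the PID that owns the socket.
    $tcp = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; OwningPid = $_.OwningProcess } })
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; OwningPid = $_.OwningProcess } })

    foreach ($e in ($tcp + $udp | Sort-Object Proto, Port)) {
        $p      = $byPid[[int]$e.OwningPid]
        $name   = if ($p) { $p.Name } else { '<exited>' }
        $path   = if ($p) { $p.ExecutablePath } else { $null }   # null for PID 4 (System)
        $parent = if ($p -and $byPid.ContainsKey([int]$p.ParentProcessId)) {
                      $byPid[[int]$p.ParentProcessId].Name } else { '?' }

        $flags = @()
        if ($name -ieq 'svchost.exe') {
            # A real service host is loaded from System32 and started by services.exe.
            if (-not $path -or -not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'svchost.exe not in System32'
            }
            if ($parent -ine 'services.exe') { $flags += "svchost.exe parent is $parent" }
        }
        elseif ($path -and -not $path.StartsWith($windowsDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            # Heuristic, not a verdict: a listener running from a user profile or
            # Program Files (the winsrvn.exe case) is worth a closer look.
            $flags += 'listener outside Windows directory'
        }

        [pscustomobject]@{
            Proto = $e.Proto; Port = $e.Port; PID = $e.OwningPid
            Process = $name; Parent = $parent; Path = $path
            Flags = ($flags -join '; ')
        }
    }
}

function Get-AutostartReport {
    # Win32_StartupCommand covers the Run/RunOnce keys and the Startup folders,
    # i.e. the "programs automatically started at boot" the notes checked by hand.
    Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

Get-ListenerReport  | Format-Table -AutoSize
Get-AutostartReport | Format-Table -AutoSize
```

Two caveats a responder should keep in mind. First, the flags are only hints: a legitimate third-party service will also show up as a listener outside the Windows directory, so the Path column is there to be read, not acted on blindly. Second, this is the host's own view of itself; a rootkit that hides processes or sockets will not appear here, which is why the notes' approach of noticing the problem from the mail servers' side is the more reliable signal, and a packet capture from an upstream switch port is the right cross-check.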
