OSEC

Re: strange windows behaviour.

From: J Mike Rollins (rollinswfu.edu)
Date: Wed Oct 08 2003 - 12:45:38 CDT


One trick that hackers are exploiting is to store executable files as NTFS
Streams. You should check your registry for programs set to run at startup
with the following format:

        rundll32.exe C:\Some\Directory:trojan.dll

The : in front of the trojan signifies that the file is really an NTFS
Stream. Trojans stored in this format may not be detected by many virus
scanners.

NTFS Streams cannot be listed by the dir command. What you can do to
verify the existence of one of the Streams is to do

        notepad.exe C:\Some\Directory:trojan.dll

If you see content, then the stream is really there.

On Mon, 6 Oct 2003, Peter Moody wrote:

> Hello all,
>
> I've got a bit of a problem, and I was wondering if anyone on this list
> has seen similar things. Recently, we've been having student Windows
> machines on our residential network begin spewing large, massive (on the
> order of hundreds of thousands in a few hours) spam messages at our mail
> servers. We promptly disconnect the machines and head down to do some
> forensic work on the boxes when we get a chance (usually after they call
> to complain that the internet has died).
>
> I've been trying to find information on this, but the most I've been
> able to come up with is an advisory from Symantec's threat management
> system saying Mprox (some sort of MS proxy) is to blame. None of the
> machines I've gone and examined have had this program running or on the
> system anywhere for that matter.
>
> Has anyone else had similar problems of late? This all started for us
> about a week ago and it's showing no signs of going away any time soon.
>
> Thanks.
>
> -Peter
>
> --
> Peter Moody <peterucsc.edu>
> Information Security Administrator 831/459.5409
> Communications and Technology Services. http://mustard.ucsc.edu/pubkey
> UC, Santa Cruz.
> :wq
>

Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins rollinswfu.edu
     Wake Forest University http://www.wfu.edu/~rollins
        Winston-Salem, NC work: (336) 758-1938
======================================================================
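As an added example that is not part of Mike's post, the PowerShell script below automates the check he describes on a modern Windows host: it walks the usual Run/RunOnce keys, flags any autorun command whose path carries a second colon (the stream marker), and enumerates the streams on that host file with Get-Item -Stream, which serves the same purpose as opening the stream in notepad. The key list, the regex and the Windows version (PowerShell 3 or later) are assumptions.

```powershell
# Added example (not from the original post): flag autorun entries that point
# into an NTFS alternate data stream and list the streams on the host file.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A drive-letter path followed by a second colon and a stream name, e.g.
# C:\Some\Directory:trojan.dll. The first colon (C:) belongs to the drive,
# the second one marks the stream. Commas are excluded from the stream name
# so rundll32's "file.dll,EntryPoint" form does not swallow the entry point.
$adsPattern = '(?<file>[A-Za-z]:\\[^:"*?<>|]+):(?<stream>[^\s":\\,*?<>|]+)'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
        $cmd = [string]$p.Value
        if ($cmd -match $adsPattern) {
            $file   = $Matches['file']
            $stream = $Matches['stream']
            Write-Host "[!] $key\$($p.Name) -> $cmd"
            Write-Host "    host: $file    stream: $stream"
            if (Test-Path -LiteralPath $file) {
                try {
                    # Same check as opening the stream in notepad, but for
                    # every stream on the host file or directory at once.
                    Get-Item -LiteralPath $file -Stream * -ErrorAction Stop |
                        Select-Object Stream, Length |
                        Format-Table -AutoSize
                } catch {
                    Write-Host "    could not enumerate streams: $_"
                }
            } else {
                Write-Host "    host file not found on disk"
            }
        }
    }
}
```

Run it from an elevated prompt so the HKLM keys are readable; an entry whose host exists but shows only the unnamed `:$DATA` stream means the referenced stream has already been removed.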
