Re: strange windows behaviour.
From: J Mike Rollins (rollins wfu.edu)
Date: Thu Oct 09 2003 - 18:39:45 CDT
I have seen this before. I noticed that the Trojan performed a DNS lookup
on l0g.org. When the IP number was returned, the Trojan would then go to
the http://l0g.org/cgi-bin/ref.cgi script. (I suspect the Trojan has to
check-in with a server on the Internet.)
To thwart this communication, I propose the following as an idea:
1. Modify your DNS servers to be authoritative for l0g.org.
2. Create a webserver to respond as l0g.org and map l0g.org to this web server.
3. Create a cgi-bin/ref.cgi script to record the IP numbers of the REMOTE_HOST to a web page.
4. Now you have a web page recording all of your infected machines, and you have stopped the Trojan from checking in with the server on the Internet.
I think this will prevent some spam until the creator finds some new
ideas.
I have noticed that the IP number for l0g.org has been remapped a few
times over the past couple of weeks.
I currently have no ideas on how to clean the machine of the Trojan.
There seem to be two files associated with this:
A file which will install the Trojan on a machine:
  Filename: somename.exe
  Size: 58368 bytes
  MD5: c41e11cc50acd26915963e073981c682
The actual Trojan:
  Filename: C:\WINDOWS\System32:somename.dll
  Size: 113152 bytes
  MD5: 42c94aa38c98b80c0c9c5ba0922fef52
On Thu, 9 Oct 2003, Jeff Kell wrote:
> J Mike Rollins wrote:
> > I have just tested the ideas expressed here and have to report that
> > streams can still be a threat.
> >
> > When I try to make a copy of the dll stored within the stream, the virus
> > scanning software does find it.
> >
> > However, when I run the contents of the dll stream by using rundll32 the
> > program is not caught by the virus scanning software. And the trojan
> > continues to execute undetected.
>
> All I see is spam starting to spew from an otherwise quiet machine (most
> cases) although we have also had two cases of machines spoofing source
> addresses and attacking (a) an IRC server and (b) somebody's identd.
>
> This is happening here and I have one machine under quarantine in the
> testbed. Symantec NAV latest DATs doesn't detect anything. Spybot
> latest signatures doesn't detect anything. Ad-Aware doesn't find
> anything. McAfee's freebie Stinger doesn't find anything. Yet if it is
> connected to the network when it boots, some process comes up, makes a
> few connection attempts to remote addresses, port 80; then it opens up
> two random high-numbered TCP ports and listens. Telnetting to them and
> entering much of anything causes it to close the connection and respawn.
>
> In ActivePorts it lists the owning process name as the same as some
> other existent process in the list (e.g., explorer.exe, svchost.exe) but
> will have a unique PID in the task list. Using ActivePort's terminate
> process feature on it causes the two sockets to disappear, only to be
> immediately followed by the original behavior -- connects to an outside
> address port 80 (not always the same address, mind you), followed by two
> different high-numbered ports opened and listening.
>
> There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce
> which appears to be a random string, 'bzyrczu' or something similar, and
> the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'. Of course
> I can't find any file by that name by traditional means (before reading
> this thread on NTFS streams).
>
> Attempting to delete the registry keys for /Run and /RunOnce appear to
> work, but when you go back to check, the keys have "reinstalled"
> themselves. Even starting up in safe mode with network unplugged, you
> can't delete the registry keys, even with System Restore disabled (this
> is an XP Home Edition box).
>
> I plan on getting a packet capture of the beast's activity tomorrow.
> And assuming that the thing does exist as a stream, I'll try to capture
> the binary.
>
> Jeff
>
>
Mike
Network Operations and Security, Wake Forest University
======================================================================
J. Mike Rollins rollins wfu.edu
Wake Forest University http://www.wfu.edu/~rollins
Winston-Salem, NC work: (336) 758-1938
======================================================================
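The check-in recorder from steps 2 and 3 of the post above, written out as an added example (it is not Mike's script and nothing in the thread supplies one). It assumes the organisation's DNS already answers authoritatively for the check-in name and points it at a web server that runs this file as /cgi-bin/ref.cgi, the path the Trojan requests. It reads the caller's address from the standard CGI variable REMOTE_ADDR rather than REMOTE_HOST, appends one line per check-in to a log file whose location (the SINKHOLE_LOG variable, a hypothetical name) is an assumption, and builds the "web page of infected machines" from that log only when invoked with --report, so the Trojan itself is answered with an empty page and the host list is never served back to whoever hits the sinkhole.

```python
"""Sinkhole check-in recorder (added example; not code from the original post).

Deploy as /cgi-bin/ref.cgi on the web server that the redirected check-in
name resolves to. Each request appends "timestamp<TAB>remote_addr<TAB>user_agent"
to a log; "ref.cgi --report" renders that log as an HTML table of hosts.
"""
import html
import os
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed location of the check-in log. A real deployment would set SINKHOLE_LOG
# to a directory writable only by the web server user; the tempdir default just
# lets the script run offline for demonstration.
LOG_PATH = Path(os.environ.get("SINKHOLE_LOG",
                               os.path.join(tempfile.gettempdir(), "sinkhole-checkins.log")))


def record_checkin(env, log_path=LOG_PATH, now=None):
    """Append one log line for the calling host and return that line."""
    remote = env.get("REMOTE_ADDR", "-")
    # Strip the separator characters so a crafted User-Agent cannot forge extra fields or lines.
    ua = env.get("HTTP_USER_AGENT", "-").replace("\t", " ").replace("\n", " ").replace("\r", " ")
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"{ts}\t{remote}\t{ua}"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def summarize(log_path=LOG_PATH):
    """Return {remote_addr: (count, first_seen, last_seen)} built from the log."""
    hosts = {}
    with open(log_path, encoding="utf-8") as fh:
        for raw in fh:
            parts = raw.rstrip("\n").split("\t")
            if len(parts) < 2:
                continue  # skip malformed lines rather than abort the report
            ts, remote = parts[0], parts[1]
            count, first, last = hosts.get(remote, (0, ts, ts))
            # ISO-8601 timestamps sort correctly as strings.
            hosts[remote] = (count + 1, min(first, ts), max(last, ts))
    return hosts


def render_report(hosts):
    """Render the summary as an HTML table, busiest host first, all values escaped."""
    rows = "".join(
        f"<tr><td>{html.escape(ip)}</td><td>{n}</td>"
        f"<td>{html.escape(first)}</td><td>{html.escape(last)}</td></tr>"
        for ip, (n, first, last) in sorted(hosts.items(), key=lambda kv: kv[1][0], reverse=True)
    )
    return ("<html><body><h1>Sinkhole check-ins</h1>"
            "<table><tr><th>Host</th><th>Check-ins</th><th>First seen</th><th>Last seen</th></tr>"
            f"{rows}</table></body></html>")


def main():
    LOG_PATH.parent.mkdir(parents=True, exist_ok=True)
    if sys.argv[1:] == ["--report"]:
        # Administrator view, run from the command line, not exposed over HTTP.
        if LOG_PATH.exists():
            sys.stdout.write(render_report(summarize(LOG_PATH)))
        return
    # CGI path: record the caller and answer with an empty page so the Trojan
    # gets a 200 but learns nothing about the other hosts that checked in.
    record_checkin(os.environ, LOG_PATH)
    sys.stdout.write("Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    main()
```

Because the log keys on REMOTE_ADDR, machines behind the same NAT will collapse into one row; the first/last-seen columns still show whether a host keeps checking in after it has supposedly been cleaned, which is the check that matters once the registry keys start "reinstalling" themselves as described in the thread.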