Re: strange windows behaviour.
From: Tobias Rice (rice at up.edu)
Date: Fri Oct 10 2003 - 11:05:21 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Could this be the "owned" systems in this article:
http://www.wired.com/news/business/0,1367,60747,00.html
Tobias
Jeff Kell wrote:
| J Mike Rollins wrote:
|
|> I have just tested the ideas expressed here and have to report that
|> streams can still be a threat.
|>
|> When I try to make a copy of the dll stored within the stream, the virus
|> scanning software does find it.
|>
|> However, when I run the contents of the dll stream by using rundll32 the
|> program is not caught by the virus scanning software. And the trojan
|> continues to execute undetected.
|
|
| All I see is spam starting to spew from an otherwise quiet machine (most
| cases) although we have also had two cases of machines spoofing source
| addresses and attacking (a) an IRC server and (b) somebody's identd.
|
| This is happening here and I have one machine under quarantine in the
| testbed. Symantec NAV's latest DATs don't detect anything. Spybot's
| latest signatures don't detect anything. Ad-Aware doesn't find
| anything. McAfee's freebie Stinger doesn't find anything. Yet if it is
| connected to the network when it boots, some process comes up, makes a
| few connection attempts to remote addresses, port 80; then it opens up
| two random high-numbered TCP ports and listens. Telnetting to them and
| entering much of anything causes it to close the connection and respawn.
|
| In ActivePorts it lists the owning process name as the same as some
| other existent process in the list (e.g., explorer.exe, svchost.exe) but
| will have a unique PID in the task list. Using ActivePort's terminate
| process feature on it causes the two sockets to disappear, only to be
| immediately followed by the original behavior -- connects to an outside
| address port 80 (not always the same address, mind you), followed by two
| different high-numbered ports opened and listening.
|
| There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce
| which appears to be a random string, 'bzyrczu' or something similar, and
| the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'. Of course
| I can't find any file by that name by traditional means (before reading
| this thread on NTFS streams).
|
| Attempting to delete the registry keys for /Run and /RunOnce appears to
| work, but when you go back to check, the keys have "reinstalled"
| themselves. Even starting up in safe mode with network unplugged, you
| can't delete the registry keys, even with System Restore disabled (this
| is an XP Home Edition box).
|
| I plan on getting a packet capture of the beast's activity tomorrow. And
| assuming that the thing does exist as a stream, I'll try to capture the
| binary.
|
| Jeff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.gnupg.org
iD8DBQE/htjARJX8S0T0CkURAizUAKCfUwbZOu7MBdOweVR20OXfWx+A4gCggx5J
fWri+FbBklDwhFAEXUFG8mA=
=fmjG
-----END PGP SIGNATURE-----
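The quoted messages describe a trojan whose Run/RunOnce value launches a DLL stored in an NTFS alternate data stream of the System32 directory via rundll32, and note that the DLL is only caught by the scanner once it is copied out of the stream. The following PowerShell is an added defender-side example, not part of this thread or of any tool mentioned in it; it assumes PowerShell 3.0 or later (for the -Stream parameter) run from an elevated prompt. It checks the Run/RunOnce keys Jeff mentions for a command whose path carries a file:stream suffix, then lists alternate streams on a directory such as System32. The function names and the regular expression are my own.

```powershell
# Added example (not from the original thread): find autorun entries that launch
# code from an NTFS alternate data stream, and list streams on a directory.
# Assumes PowerShell 3.0+ for Get-Item -Stream and an elevated session for HKLM.

function Find-AdsAutorun {
    param(
        [string[]]$RunKeys = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )
    # A second colon after the drive letter (C:\Windows\System32:bzyrczu.dll in the
    # thread) is the file:stream syntax; a normal path has only the drive colon.
    $adsPattern = '(?i)\b[a-z]:\\[^:"]*:[^\s\\:"]+'

    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object
            if ($p.Name -like 'PS*') { continue }
            if ($p.Value -is [string] -and $p.Value -match $adsPattern) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Stream  = $Matches[0]
                }
            }
        }
    }
}

function Get-DirectoryStreams {
    param([string]$Path = "$env:SystemRoot\System32")
    # The unnamed stream is reported as ':$DATA'; anything else is an alternate stream.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Find-AdsAutorun      | Format-Table -AutoSize
Get-DirectoryStreams | Format-Table -AutoSize
```

Run both on a machine disconnected from the network, as Jeff did with his quarantined box. A hit from Find-AdsAutorun gives the directory and stream name; Get-Content -LiteralPath <dir> -Stream <name> will read the stream contents out to a regular file for scanning (which, per J Mike Rollins' test, is where the scanner does see it), and Remove-Item -LiteralPath <dir> -Stream <name> deletes the stream once the binary has been captured. Because the Run value re-creates itself while the dropper is running, remove the stream and the registry value in the same pass, before the next reboot.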