Possible new Korgo variant. WAS: New SDBot variant
From: Christopher Harrington (charrington at nitrodata.com)
Date: Tue Aug 10 2004 - 16:17:38 CDT
This appears to be a new Korgo variant based on the similarities in
behaviors, not an SDbot.
1. It uses the LSASS vuln to spread.
2. It connects to IRC.
3. It listens on port 113.
Stay tuned.....
--Chris
--
Christopher Harrington, CISSP
Director of Security Engineering
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com
-----Original Message-----
From: Christopher Harrington [mailto:charrington at nitrodata.com]
Sent: Tuesday, August 10, 2004 3:00 PM
To: 'incidents at securityfocus.com'
Subject: New SDBot variant
All,
We are seeing what may be a new variant of SDBot. This variant spreads by
exploiting the LSASS vulnerability. Once infected, the machine joins an IRC
Bot net via TCP 6667. Some of the infected machines then download an
executable via TFTP. This transfer is initiated over IRC. I have attached
the Bintext output and an md5 for the file. The executable is named
NTAPI32.exe and is downloaded to the system32 directory. The exe is 143.03
kb. I tried Symantec, Trend, F-Secure and Sophos...none could identify it.
In the IRC logs there are these entries:
PRIVMSG #irc :[lsass]: Exploiting IP: 10.x.x.x.
PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.x.x.x (C:\WINDOWS\System32\ntapi32.exe)
A quick (and untested :)) signature below:
# sid added: Snort requires one per rule; 1000001 is a local-rules placeholder, use a value from your own range
alert tcp any any -> any any (msg:"LSASS exploit via IRC, possible SDBot variant"; content:":[lsass]: Exploiting IP:"; classtype:misc-activity; sid:1000001; rev:1;)
I will post more when I have it.
Regards,
--Chris
--
Christopher Harrington, CISSP
Director of Security Engineering
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com
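As an added example (not from the post or from any vendor tool), the detection idea behind the signature above carried through in Python: the two IRC status strings quoted in the post are matched against constructed sample log lines, and victims that only saw an exploit attempt are separated from those that also received the TFTP-dropped binary. Nicknames, channel and IP addresses in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample IRC traffic modelled on the two PRIVMSG entries quoted in
# the post; nicknames, channel and IP addresses are made up for the example.
SAMPLE_IRC_LOG = """\
:bot1!u@10.0.0.5 PRIVMSG #irc :[lsass]: Exploiting IP: 10.1.2.3.
:bot1!u@10.0.0.5 PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.1.2.3 (C:\\WINDOWS\\System32\\ntapi32.exe)
:bot2!u@10.0.0.6 PRIVMSG #irc :[lsass]: Exploiting IP: 10.1.2.9.
:alice!u@10.0.0.7 PRIVMSG #irc :anyone seen the lsass patch?
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Key on the exact bot status strings, not on the word "lsass", so ordinary chat
# about the vulnerability does not fire.
EXPLOIT_RE = re.compile(r"^:(?P<bot>[^!\s]+)\S* PRIVMSG \S+ :\[lsass\]: Exploiting IP: " + IPV4)
TFTP_RE = re.compile(r"^:(?P<bot>[^!\s]+)\S* PRIVMSG \S+ :\[TFTP\]: File transfer started to IP: "
                     + IPV4 + r" \((?P<path>[^)]+)\)")

def parse_bot_events(log_text):
    """Return (kind, bot_nick, victim_ip, path) tuples from matching PRIVMSG lines.

    kind is "exploit" for the [lsass] message and "tftp" for the transfer
    message; path is None for exploit events. Non-matching lines yield nothing.
    """
    events = []
    for line in log_text.splitlines():
        m = EXPLOIT_RE.match(line)
        if m:
            events.append(("exploit", m["bot"], m["ip"], None))
            continue
        m = TFTP_RE.match(line)
        if m:
            events.append(("tftp", m["bot"], m["ip"], m["path"]))
    return events

def victims_by_stage(events):
    """Group events per victim IP: which bots touched it, and any dropped file paths."""
    stage = defaultdict(lambda: {"bots": set(), "exploited": False, "downloads": []})
    for kind, bot, ip, path in events:
        entry = stage[ip]
        entry["bots"].add(bot)
        if kind == "exploit":
            entry["exploited"] = True
        else:
            entry["downloads"].append(path)
    return dict(stage)

if __name__ == "__main__":
    for ip, info in victims_by_stage(parse_bot_events(SAMPLE_IRC_LOG)).items():
        status = "exploit + TFTP drop" if info["downloads"] else "exploit attempt only"
        print(f"{ip}: {status} from {sorted(info['bots'])} {info['downloads']}")
```

Hosts listed with a TFTP drop are the ones to image and rebuild first; the exploit-only hosts still need patch and service checks, since the post notes the download does not follow every exploitation.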