Re: [ISSForum] Events that zotob triggers?

From: Soldatov, Sergey V. (SVSoldatov@tnk-bp.ru)
Date: Wed Aug 17 2005 - 01:08:56 CDT


Hi.
Let's look at its description (see the whole article on Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html

... Attempts to open a back door through Port 8080 by connecting to the
following IP address:
72.20.27.115
TODO: create connection event for this.

...Connects to an IRC server on the domain
[http://]diabl0.turkcoders.net/[REMOVED] on TCP port 8080. This allows
unauthorized remote access to the compromised computer.
TODO: 1. create a connection event for diabl0.turkcoders.net 8080/tcp. If
you have any luck resolving this name, please let me know, because
right now I don't know what address is associated with diabl0.turkcoders.net
2. Monitor all IRC traffic. I'm not sure (please, someone from ISS, let
us know about this) whether the sensor will detect IRC traffic if it is flowing
through non-IRC ports, in this case 8080

... Opens an FTP server on TCP port 33333.
TODO: create an appropriate connection event. Use nmap to see if there are
workstations with this port open in your LAN.

... Generates random IP addresses from the current IP address. The worm
does this by keeping the first two octets of the IP address on the
system and randomizing the last two octets. For example, if the IP address
of the system is 192.168.0.1, the worm will attempt to infect IP
addresses beginning with 192.168.x.x.
...Sends packets to IP addresses generated at random based on the IP
address of the infected machine. The IP addresses use the first 2 octets
of the compromised computer, and randomly generated values for the third
and fourth octets. It will switch to entirely random IPs, after 32
failures on local IPs or after 512 failures, if it was successful at
least once.
TODO: In this case you'll see a great number of these events:
*_Port_Scan, *_Probe_*, *_Service_Sweep, Ping_Sweep, so you should
monitor these events and pay attention to hosts that generate a lot of
them.

... Attempts to spread by exploiting the following remote vulnerability:
The Microsoft Windows Plug and Play Buffer Overflow Vulnerability
(described in Microsoft Security Bulletin MS05-039), using TCP port 445.
TODO: In this case you'll see SMB_Service_Sweep and PlugAndPlay_BO.
Monitor these signatures.

... Attempts to spread to computers with the above random IP address by
opening a backdoor using TCP port 8888 on the remote computer.
TODO: create a connection event on this port. Use nmap (because I think
it's the fastest way) to see if there are workstations with 8888/tcp
open in your LAN.

Please correct me if I am wrong somewhere.

ANY feedback will be appreciated.

Thank you.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)

> -----Original Message-----
> From: issforum-bounces@iss.net
> [mailto:issforum-bounces@iss.net] On Behalf Of Lawrence, Gabriel
> Sent: Monday, August 15, 2005 7:13 PM
> To: ISSForum@iss.net
> Subject: [ISSForum] Events that zotob triggers?
>
> Howdy,
>
> I'm wondering if anyone out there has figured out the set of
> events that are fired when a machine infected with either of
> the zotob variants attempts to attack a machine with server
> sensor and a machine with proventia desktop on them.
>
> Thanks,
> -gabe
>
> ------------------------------------
> Gabriel Lawrence
> ACT Data Security Manager, UC San Diego
>
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@iss.net
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to mod-issforum@iss.net
>
> The ISSForum mailing list is hosted and managed by Internet
> Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>
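As an added illustration of the connection-event and sweep-monitoring TODOs in the reply above (this is not code from the thread, from ISS or from Symantec): a Python script that runs over constructed connection-log lines and flags hosts connecting to the ports the write-up names (8080, 33333, 8888) and hosts hitting many 445/tcp addresses inside their own /16, the propagation pattern the write-up describes. The log format, the host addresses and the 20-target threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Ports the Symantec write-up quoted in the thread ties to Zotob:
# 8080 (IRC/back door), 33333 (FTP server), 8888 (back door opened on victims).
ZOTOB_PORTS = {8080, 33333, 8888}
SWEEP_THRESHOLD = 20  # distinct 445/tcp targets inside the source's own /16 (example value)

def build_sample_log():
    """Constructed log, one '<time> <src> <dst> <port>/<proto>' per line (assumed
    format): one infected-looking host (192.168.5.20) and one benign host."""
    lines = ["10:00:01 192.168.5.20 72.20.27.115 8080/tcp",    # back-door port from the write-up
             "10:00:02 192.168.5.20 192.168.77.3 8888/tcp",     # back door on a just-hit host
             "10:00:03 192.168.5.30 192.168.5.1 445/tcp",       # ordinary file-share access
             "10:00:04 192.168.5.30 10.1.2.3 80/tcp"]
    # Propagation pattern from the write-up: first two octets kept, last two varied
    # (deterministic values here rather than random ones, so the result is reproducible).
    lines += [f"10:01:{i:02d} 192.168.5.20 192.168.{10 + i}.{i + 1} 445/tcp" for i in range(25)]
    return "\n".join(lines)

def same_slash16(a, b):
    """True when both addresses share their first two octets."""
    return ipaddress.ip_address(a).packed[:2] == ipaddress.ip_address(b).packed[:2]

def parse_line(line):
    time, src, dst, port_proto = line.split()
    port, proto = port_proto.split("/")
    return time, src, dst, int(port), proto

def analyze(log_text, sweep_threshold=SWEEP_THRESHOLD):
    """Return (backdoor_hits, sweepers): src -> {(dst, port)} on Zotob ports, and
    src -> count of distinct 445/tcp targets inside its own /16 at or above threshold."""
    backdoor_hits, smb_targets = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port in ZOTOB_PORTS:
            backdoor_hits[src].add((dst, port))
        elif proto == "tcp" and port == 445 and same_slash16(src, dst):
            smb_targets[src].add(dst)
    sweepers = {s: len(t) for s, t in smb_targets.items() if len(t) >= sweep_threshold}
    return dict(backdoor_hits), sweepers

if __name__ == "__main__":
    hits, sweeps = analyze(build_sample_log())
    for src, conns in hits.items():
        print(f"{src}: talked to Zotob ports {sorted(conns)}")
    for src, n in sweeps.items():
        print(f"{src}: {n} distinct 445/tcp targets in its own /16 (possible PnP sweep)")
```

The sweep count is a heuristic: a backup or inventory host that legitimately touches many SMB shares would trip it too, so treat it as a lead to check rather than a verdict.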
