Interesting little piece of malware... (msg#00032, security.intrusions)
I have been out of town for the past 5-6 days, so I don't know if this has been covered here or not... hopefully not a waste of bits.

On a couple of machines today (started first thing this morning), I started noticing Welchia-type scanning (local class B preference, port 135, etc.). I also noticed some IRC command and control traffic from the machines that were responsible for the scanning. The scanning activity was all from WinXP and Win2K machines. Symantec anti-virus running, updated sigs in the last few days. Symantec wasn't flagging anything.

I notified the netblock owner of the IP address space where the IRC server was running. The IRC server was full -- it indicated that the maximum number of connections had been reached. The IRC server was running on port 7000. I have packets from the IRC sessions, but they are not handy at the moment (ping, pong, [Scan], several hundred invisible clients, "Exploiting x.x.x.x", and so forth).

Using pstools, I took a listing of the running processes. Each of the machines seemed to have a process running with what appeared to be a randomly generated name of around 6 or 7 characters. I pushed fport over to the infected machine, and retrieved the name of the executable responsible (<process name>.exe) -- a hidden executable in system root (attributes SHR).

From an external perspective, I ran a quick portscan and noticed that 113/tcp was listening -- which I thought odd since the machines were WinXP/Win2K. I telnet'd to port 113, and hit return a few times. The response I got back was similar to:

    $ telnet x.x.163.195 113
    Trying x.x.163.195...
    Connected to x.x.163.195.
    Escape character is '^]'.

    : USERID : UNIX : <some random characters>

I did a quick google, and nothing jumped out at me. I assume someone has seen this? The indicators did not seem to line up exactly with Agobot or Phatbot... No "127.0.0.1" in the hosts file, filename was not napatch.exe or wauclt.exe. I should have a copy of the executable in a few hours.

If no-one can point me to an existing, documented piece of malware -- I will submit it for analysis.

-bech

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
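The indicators the post relies on (many distinct local hosts touched on 135/tcp from one source, an outbound session to an IRC server on 7000/tcp, and a Windows box answering ident with "USERID : UNIX") can be turned into a small triage script. The code below is an added example, not code from the post or from any tool it mentions: it runs over constructed flow records and a constructed ident reply, and the local class B `10.20.0.0/16`, the `scan_threshold` of 20, and all IP addresses are assumptions chosen for illustration.

```python
"""Triage helpers for the indicators described in the post above.

Added example: it works on constructed flow records and an ident-style
reply, not on the author's captured packets.
"""
import ipaddress
from collections import defaultdict

# Assumed local class B (the post's "local class B preference"); placeholder value.
LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow records: (src_ip, dst_ip, dst_port). Not taken from the post.
SAMPLE_FLOWS = (
    # infected host: 40 distinct local targets on 135/tcp plus IRC on 7000/tcp
    [("10.20.5.17", f"10.20.9.{i}", 135) for i in range(1, 41)]
    + [("10.20.5.17", "192.0.2.10", 7000)]
    # ordinary workstation: a couple of RPC connections to domain controllers
    + [("10.20.5.18", "10.20.1.5", 135), ("10.20.5.18", "10.20.1.6", 135)]
    # plain web browsing, should never be flagged
    + [("10.20.5.19", "198.51.100.7", 443)]
)


def summarize_flows(flows, local_net=LOCAL_NET):
    """Per source: distinct local hosts contacted on 135/tcp and external peers on 7000/tcp."""
    stats = defaultdict(lambda: {"scan_targets": set(), "irc_peers": set()})
    for src, dst, dport in flows:
        dst_ip = ipaddress.ip_address(dst)
        if dport == 135 and dst_ip in local_net:
            stats[src]["scan_targets"].add(dst)
        elif dport == 7000 and dst_ip not in local_net:
            stats[src]["irc_peers"].add(dst)
    return stats


def flag_suspects(flows, local_net=LOCAL_NET, scan_threshold=20):
    """Return (src, n_targets, irc_peers) for sources that look like the post's bots.

    A host is flagged when it touched at least scan_threshold distinct local
    hosts on 135/tcp; the 7000/tcp peer list is attached as corroborating context
    for the analyst rather than used as a second condition.
    """
    out = []
    for src, s in summarize_flows(flows, local_net).items():
        if len(s["scan_targets"]) >= scan_threshold:
            out.append((src, len(s["scan_targets"]), sorted(s["irc_peers"])))
    return sorted(out)


def parse_ident_reply(line):
    """Parse an RFC 1413-style reply such as ': USERID : UNIX : abc123'.

    Returns (opsys, userid) or None if the line is not a USERID reply. The
    post's reply has empty port fields because the author just pressed return.
    """
    fields = [f.strip() for f in line.split(":")]
    if len(fields) != 4 or fields[1] != "USERID":
        return None
    return fields[2], fields[3]


def ident_mismatch(reply, host_is_windows=True):
    """True when a host known to run Windows answers ident claiming to be UNIX."""
    parsed = parse_ident_reply(reply)
    return parsed is not None and host_is_windows and parsed[0].upper() == "UNIX"


if __name__ == "__main__":
    for src, n, peers in flag_suspects(SAMPLE_FLOWS):
        print(f"{src}: {n} local hosts on 135/tcp, IRC peers on 7000/tcp: {peers}")
    # constructed reply in the shape the post shows
    print(ident_mismatch(": USERID : UNIX : xq7kd2"))
```

The threshold is deliberately loose: a workstation legitimately talks RPC to a handful of domain controllers, so a few 135/tcp connections are noise, while dozens of distinct local targets in a short window match the Welchia-style sweep the post describes. The ident check is a weak signal on its own and is only meaningful when asset inventory says the host runs Windows.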