I have a couple of PCs (running XP) which I'm sure are infected with
some kind of malware. Common anti-virus such as OfficeScan and
Symantec do not detect them. They seem to be irc bots. They try to
connect to IRC servers, using a password, and receive from there
instructions on what to do, namely scan for LSASS vulnerabilities by
scanning the entire IP subnet in random. I sniffed the IRC servers IPs
and passwords, and confirmed my suspicions, after entering in those
IRC servers (and being banned as soon as detected by the
admins). Moreover, they open backdoors, which accoriding to the kind
of responses to a telnet, seem spam relayers, or FTP servers (not sure
which).
(My response to this threat was to block the IPs of the suspicious IRC
servers in the firewall. This calmed down the packet storms I've been
watching...)
My question is, what do you think is the best procedure to track down
the executables responsible for this behavior? After tracking them
down, I could submit the sample to several online scanners in order to
determine which specific malware is affecting the PCs.
It it were UNIX, I could use commands like socklist and netstat to
track down the malware processes. But in Windows XP, I don't know what
to use. Are there any built-in utilities? Some freeware stuff? All
help is welcome.
And regarding the IRC server IPs, is it worthwhile to report them to
the authorities specified in the whois databases?
Cheers,
Rodrigo
--
*** Rodrigo Martins de Matos Ventura <yoda (at) isr.ist.utl (dot) pt [email concealed]>
*** Web page: http://www.isr.ist.utl.pt/~yoda
*** Teaching Assistant and PhD Student at ISR:
*** Instituto de Sistemas e Robotica, Polo de Lisboa
*** Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
I have a couple of PCs (running XP) which I'm sure are infected with
some kind of malware. Common anti-virus such as OfficeScan and
Symantec do not detect them. They seem to be irc bots. They try to
connect to IRC servers, using a password, and receive from there
instructions on what to do, namely scan for LSASS vulnerabilities by
scanning the entire IP subnet in random. I sniffed the IRC servers IPs
and passwords, and confirmed my suspicions, after entering in those
IRC servers (and being banned as soon as detected by the
admins). Moreover, they open backdoors, which accoriding to the kind
of responses to a telnet, seem spam relayers, or FTP servers (not sure
which).
(My response to this threat was to block the IPs of the suspicious IRC
servers in the firewall. This calmed down the packet storms I've been
watching...)
My question is, what do you think is the best procedure to track down
the executables responsible for this behavior? After tracking them
down, I could submit the sample to several online scanners in order to
determine which specific malware is affecting the PCs.
It it were UNIX, I could use commands like socklist and netstat to
track down the malware processes. But in Windows XP, I don't know what
to use. Are there any built-in utilities? Some freeware stuff? All
help is welcome.
And regarding the IRC server IPs, is it worthwhile to report them to
the authorities specified in the whois databases?
Cheers,
Rodrigo
--
*** Rodrigo Martins de Matos Ventura <yoda (at) isr.ist.utl (dot) pt [email concealed]>
*** Web page: http://www.isr.ist.utl.pt/~yoda
*** Teaching Assistant and PhD Student at ISR:
*** Instituto de Sistemas e Robotica, Polo de Lisboa
*** Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
[ reply ]