Incidents
Malware/trojan attacks Oct 24 2006 02:53PM
Goetz, Richard (RGoetz Kronos com) (1 replies)
Over the last several months we have on more than one occasion uncovered a number of Trojans that appear to be seeking corporate information, sending that over a chat session to/through several European sites and downloading additional programs to the infected computer. Here's a short synopsis of the type of conversations one of our people uncovered on a laptop on the network:

Contacts 203.121.73.136 on port TCP/17555.  IRC commands were sent to the workstation to run a command "staticftp" 70.84.109.84 to download a program x.exe. 
Instructed to launch 5 scans (netapi on port 137, wkssvc port 445, asn on port 445, dcom on port 135 and lsass on port 445). 
Connects to 66.36.243.116 on TCP/80 and starts a PHP-based conversation, giving the workstation credentials to the host and receiving the following information:
CARGO:smtp_purple;
MOD:smtp;
PATH:http://niuqennaois.com/s2.5.exe;
SERVER:209.160.64.216;
REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;
Connects to 195.49.141.23 on TCP/3144, retrieving unreadable data
Connects to 66.36.243.116 on TCP/80, exchanging credentials via PHP:
To host:
uuid <wsname>_547611528
wv mag5_min0_build2195_Service_Pack_4
cargo
check purple
To workstation:
REFRESH:3600;
KEY: 864a1bae77fc8053055d02550ed7b49c;
HTTP connections are made to 66.45.232.66, 66.36.243.116 to perform similar PHP and download conversations.
Three-way TCP handshakes are attempted to 74.52.53.66, 68.142.212.41 and 68.142.212.93 on TCP/80, but no further conversation was made.

My questions are:

1. Are other folks in the community seeing this kind of activity?
2. Aside from deleting what you can find, what other actions are recommended/required?
Who, if anyone, in the community or law enforcement should be notified?

If this post should be somewhere else, please let me know.

Thanks,

Richard Goetz
IT Security Officer
Kronos, Incorporated
Phone: 978-947-2819
Fax: 978-256-3919
RGoetz (at) Kronos (dot) com [email concealed]

Experts at Improving the Performance of People and Business
 
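As an added example for readers triaging the pattern described in the post (this is not code from the original post or its author), the helpers below do two defender-side things: parse the `KEY:value;` check-in response quoted above and pull the new hosts it names (the `SERVER` address and the `PATH` download host) out as indicators, and scan a connection log for contacts with the hosts listed in the post plus the burst of 135/137/445 probing that the scan commands would produce. The IP list and the check-in text are taken from the post; the connection-log format, the sample records, the internal 10.1.2.0/24 addresses, the FTP port used for the `staticftp` download and the window/threshold values are all constructed assumptions.

```python
"""Triage helpers for the IRC/PHP beacon pattern described in the post.
Added example; the indicator table and check-in text come from the post,
everything about the log format and sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Remote hosts named in the post and the role each played there.
IOC_IPS = {
    "203.121.73.136": "IRC C2 on TCP/17555",
    "70.84.109.84": "payload host for staticftp x.exe",
    "66.36.243.116": "PHP check-in on TCP/80",
    "66.45.232.66": "PHP/download host on TCP/80",
    "195.49.141.23": "TCP/3144, undecoded data",
    "209.160.64.216": "SERVER value in check-in response",
}

# Ports the bot was told to scan (netapi 137, wkssvc/asn/lsass 445, dcom 135).
SCAN_PORTS = {135, 137, 445}

# Check-in response quoted in the post, verbatim.
CHECKIN_RESPONSE = (
    "CARGO:smtp_purple;\nMOD:smtp;\nPATH:http://niuqennaois.com/s2.5.exe;\n"
    "SERVER:209.160.64.216;\nREFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;"
)


def parse_checkin(text):
    """Split 'KEY:value;' pairs (one or several per line) into a dict."""
    fields = {}
    for chunk in text.replace("\n", ";").split(";"):
        chunk = chunk.strip()
        if ":" not in chunk:
            continue
        key, value = chunk.split(":", 1)  # PATH values contain ':' themselves
        fields[key.strip().upper()] = value.strip()
    return fields


def indicators_from_checkin(fields):
    """Hosts a check-in response points the bot at: worth blocking/alerting on."""
    hosts = set()
    if "SERVER" in fields:
        hosts.add(fields["SERVER"])
    if "PATH" in fields:
        hosts.add(urlsplit(fields["PATH"]).hostname)
    return hosts


def parse_log(text):
    """Constructed log format: '<ISO timestamp> <src ip> <dst ip> <dst port>'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_scanners(records, window_seconds=60, min_targets=5):
    """Sources touching >= min_targets distinct hosts on SCAN_PORTS inside a window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in SCAN_PORTS:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def triage(log_text):
    """Return known-C2 contacts and internal scanners found in a connection log."""
    records = parse_log(log_text)
    c2_hits = [(src, dst, port, IOC_IPS[dst]) for _, src, dst, port in records
               if dst in IOC_IPS]
    return {"c2_hits": c2_hits, "scanners": detect_scanners(records)}


# Constructed sample: one infected host (10.1.2.50) beaconing, fetching the
# payload (FTP port assumed), sweeping 445/137/135, then checking in over HTTP;
# a second host (10.1.2.51) doing ordinary SMB and web traffic.
SAMPLE_LOG = """\
2006-10-20T14:03:11 10.1.2.50 203.121.73.136 17555
2006-10-20T14:03:40 10.1.2.50 70.84.109.84 21
2006-10-20T14:04:02 10.1.2.50 10.1.2.60 445
2006-10-20T14:04:03 10.1.2.50 10.1.2.61 445
2006-10-20T14:04:03 10.1.2.50 10.1.2.62 137
2006-10-20T14:04:04 10.1.2.50 10.1.2.63 135
2006-10-20T14:04:05 10.1.2.50 10.1.2.64 445
2006-10-20T14:04:05 10.1.2.50 10.1.2.65 445
2006-10-20T14:04:06 10.1.2.50 10.1.2.66 445
2006-10-20T14:05:10 10.1.2.50 66.36.243.116 80
2006-10-20T14:05:30 10.1.2.51 10.1.2.7 445
2006-10-20T14:06:00 10.1.2.51 198.51.100.9 80
"""

if __name__ == "__main__":
    print(indicators_from_checkin(parse_checkin(CHECKIN_RESPONSE)))
    print(triage(SAMPLE_LOG))
```

The scanner rule is deliberately coarse: a single host touching seven distinct internal addresses on 445/137/135 within a minute is what the "launch 5 scans" instruction looks like from a firewall or flow log, while a workstation talking to one file server on 445 never crosses the threshold. Feeding each new check-in response through `indicators_from_checkin` is the cheap way to keep the block list current as the `SERVER` and `PATH` values rotate.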


RE: Malware/trojan attacks Oct 26 2006 12:47PM
lucretias (lucretias shaw ca) (1 replies)
RE: Malware/trojan attacks Oct 26 2006 03:49PM
Harlan Carvey (keydet89 yahoo com) (1 replies)
RE: Malware/trojan attacks Oct 27 2006 12:21AM
lucretias (lucretias shaw ca)