Incidents
Malware/trojan attacks Oct 24 2006 02:53PM
Goetz, Richard (RGoetz Kronos com) (1 replies)
RE: Malware/trojan attacks Oct 26 2006 12:47PM
lucretias (lucretias shaw ca) (1 replies)
RE: Malware/trojan attacks Oct 26 2006 03:49PM
Harlan Carvey (keydet89 yahoo com) (1 replies)
James,

> In this case I think you have mislabeled a trojan with
> a rootkit.

Just out of curiosity, what are you seeing that leads
you to say this? I'm not sure that I see anything in
Richard's original email that suggests a rootkit at
this point.

> You should determine (if possible) what rootkit has
> infected the machine.
> It sounds like a new variant or perhaps a new tool
> altogether.

Again, what leads you to think this, if you don't mind
me asking?

> I would suggest wiping the box and rebuilding it if
> you cannot determine
> exactly what is the culprit or any way to clean it.

Hhhmmm...if it is a rootkit, then perhaps
wiping/reinstalling may be the way to go, but I'd
suggest further investigation and a root cause
analysis first. Even if Richard were to find out what
the malware is (looks like an IRCbot at this point),
without a root cause analysis (and subsequent actions
as a result), the system will likely be reinfected all
over again.

>
> To answer your questions:
>
> 1. No, I have not seen this in our nets.
>
> 2. I answered this above.
>
> 3. Probably not. There is nothing law enforcement
> can do unless there is a
> substantial loss. You are ultimately responsible
> for what gets installed on
> your machines regardless of the method of
> installation. Now, if you find
> someone using data that you can prove could only
> have been acquired by this
> method, then you should discuss with your legal
> department about your
> options and what you will need to do to provide
> proof of this infringement.
>
>
> Cheers,
>
> James Friesen, CIO
> Lucretia Enterprises
> Our World Is Here
> info at lucretia dot ca
> http://lucretia.ca
>
>
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> > [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
> > Goetz, Richard
> > Sent: Tuesday, October 24, 2006 8:54 AM
> > To: incidents (at) securityfocus (dot) com [email concealed]
> > Subject: Malware/trojan attacks
> >
> > Over the last several months we have on more than one occasion uncovered
> > a number of Trojans that appear to be seeking corporate information,
> > sending that over a chat session to/through several European sites and
> > downloading additional programs to the infected computer. Here's a short
> > synopsis of the type of conversations one of our people uncovered on a
> > laptop on the network:
> >
> > Contacts 203.121.73.136 on port TCP/17555. IRC commands were sent to the
> > workstation to run a command "staticftp" 70.84.109.84 to download a
> > program x.exe. Instructed to launch 5 scans (netapi on port 137, wkssvc
> > port 445, asn on port 445, dcom on port 135 and lsass on port 445).
> > Connects to 66.36.243.116 on TCP/80 and starts a PHP-based conversation,
> > giving the workstation credentials to the host and receiving the
> > following information:
> > CARGO:smtp_purple;
> > MOD:smtp;
> > PATH:http://niuqennaois.com/s2.5.exe;
> > SERVER:209.160.64.216;
> > REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;
> > Connects to 195.49.141.23 on TCP/3144, retrieving unreadable data.
> > Connects to 66.36.243.116 on TCP/80, exchanging credentials via PHP:
> > To host:
> > uuid <wsname>_547611528
> > wv mag5_min0_build2195_Service_Pack_4
> > cargo
> > check purple
> > To workstation:
> > REFRESH:3600;
> > KEY: 864a1bae77fc8053055d02550ed7b49c;
> > HTTP connections are made to 66.45.232.66, 66.36.243.116 to perform
> > similar PHP and download conversations.
> > Three way TCP handshakes are attempted to 74.52.53.66, 68.142.212.41 and
> > 68.142.212.93 on TCP/80, but no further conversation was made.
> >
> > My questions are:
> >
> > 1. Are other folks in the community seeing this kind of activity?
> > 2. What, aside from deleting what you can find, what other actions are
> > recommended/required?
> > 3. Who, if anyone, in the community or law enforcement should be
> > notified?
> >
> > If this post should be somewhere else, please let me know.
> >
> > Thanks,
> >
> > Richard Goetz
> > IT Security Officer
> > Kronos, Incorporated
> > Phone: 978-947-2819
> > Fax: 978-256-3919
> > RGoetz (at) Kronos (dot) com [email concealed]
> >
> > Experts at Improving the Performance of People and Business

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

------------------------------------------------------------------------
------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------
------
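The check-in exchange Richard quotes is simple enough to work with directly: the host answers with semicolon-delimited KEY:value fields (CARGO, MOD, PATH, SERVER, REFRESH, KEY), and the IRC side tells the bot to sweep SMB/RPC ports. The script below is an added example written for this page, not code from the thread or from any of its participants. It parses that control message, pulls the download and SERVER hosts out of it, and runs two detections over constructed firewall log lines: contact with the endpoints listed in the post (plus hosts learned from the control message), and a single internal source touching many internal hosts on 135/137/445, which is what the scan instructions would look like from the network. The log layout, the 10.0.0.0/8 internal range, the sweep threshold and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators copied from the quoted post as (ip, port); None means any port.
C2_ENDPOINTS = {
    ("203.121.73.136", 17555),  # IRC command channel
    ("70.84.109.84", None),     # host named in the "staticftp" command that fetched x.exe
    ("66.36.243.116", 80),      # HTTP/PHP check-in
    ("66.45.232.66", 80),       # second HTTP/PHP host
    ("195.49.141.23", 3144),    # "unreadable data" channel
    ("209.160.64.216", None),   # SERVER: value from the control message
}

# Ports named in the scan instructions (netapi/137, dcom/135, wkssvc, asn and lsass/445).
SCAN_PORTS = {135, 137, 445}
SWEEP_THRESHOLD = 5  # assumed: distinct internal targets on one port before we call it a sweep

# Assumed firewall log layout for this example: "<ts> src=<ip> dst=<ip> dport=<n> proto=tcp"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_control_message(body):
    """Split 'KEY:value;KEY:value;' into a dict; keys are upper-cased, empty items skipped."""
    fields = {}
    for item in body.split(";"):
        item = item.strip()
        if ":" not in item:
            continue
        key, value = item.split(":", 1)
        fields[key.strip().upper()] = value.strip()
    return fields


def hosts_from_control_message(fields):
    """Hosts a control message points the bot at: the PATH download host and SERVER."""
    hosts = set()
    path_host = urlparse(fields.get("PATH", "")).hostname
    if path_host:
        hosts.add(path_host)
    if fields.get("SERVER"):
        hosts.add(fields["SERVER"])
    return hosts


def is_internal(ip):
    # Assumed: the corporate LAN uses 10.0.0.0/8.
    return ip.startswith("10.")


def triage_logs(lines, extra_hosts=frozenset()):
    """Return (c2_hits, sweep_sources): connections to known C2 endpoints (or to hosts
    learned from a control message), and internal sources that contacted at least
    SWEEP_THRESHOLD distinct internal hosts on one of SCAN_PORTS."""
    c2_hits = []
    targets = defaultdict(set)  # (src, dport) -> internal hosts contacted
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if (dst, dport) in C2_ENDPOINTS or (dst, None) in C2_ENDPOINTS or dst in extra_hosts:
            c2_hits.append((src, dst, dport))
        if dport in SCAN_PORTS and is_internal(dst) and src != dst:
            targets[(src, dport)].add(dst)
    sweep_sources = sorted({src for (src, _), hosts in targets.items()
                            if len(hosts) >= SWEEP_THRESHOLD})
    return c2_hits, sweep_sources


# The control message quoted in the post, joined onto one line.
CONTROL_MESSAGE = ("CARGO:smtp_purple;MOD:smtp;PATH:http://niuqennaois.com/s2.5.exe;"
                   "SERVER:209.160.64.216;REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;")

# Constructed log lines (not from the post): 10.1.5.23 plays the infected laptop,
# 10.1.5.77 is an ordinary user reaching one file server and one web site.
SAMPLE_LOG = [
    "2006-10-24 08:51:02 src=10.1.5.23 dst=203.121.73.136 dport=17555 proto=tcp",
    "2006-10-24 08:51:09 src=10.1.5.23 dst=70.84.109.84 dport=21 proto=tcp",
    "2006-10-24 08:51:30 src=10.1.5.23 dst=66.36.243.116 dport=80 proto=tcp",
    "2006-10-24 08:51:44 src=10.1.5.23 dst=niuqennaois.com dport=80 proto=tcp",
] + [f"2006-10-24 08:52:{i:02d} src=10.1.5.23 dst=10.1.5.{40 + i} dport=445 proto=tcp"
     for i in range(6)] + [
    "2006-10-24 08:52:10 src=10.1.5.77 dst=10.1.5.200 dport=445 proto=tcp",
    "2006-10-24 08:52:12 src=10.1.5.77 dst=72.14.207.99 dport=80 proto=tcp",
    "2006-10-24 08:52:13 malformed line that the parser should skip",
]

if __name__ == "__main__":
    fields = parse_control_message(CONTROL_MESSAGE)
    hits, sweeps = triage_logs(SAMPLE_LOG, extra_hosts=hosts_from_control_message(fields))
    print("control message:", fields)
    print("C2 contacts:", hits)
    print("hosts sweeping SMB/RPC ports:", sweeps)
```

Feeding the parsed control message back into the log triage is the point of the design: each check-in can hand the bot a new PATH or SERVER, so the indicator list should grow from what the sample actually received rather than stay fixed at the addresses first observed. The sweep check is deliberately per source and per port, so one user browsing several file shares on 445 does not trip it while a host walking the subnet does.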

RE: Malware/trojan attacks Oct 27 2006 12:21AM
lucretias (lucretias shaw ca)
Copyright 2010, SecurityFocus