Malware/trojan attacks Oct 24 2006 02:53PM
Goetz, Richard (RGoetz Kronos com) (1 replies)
Over the last several months we have on more than one occasion uncovered a number of Trojans that appear to be seeking corporate information, sending that over a chat session to/through several European sites and downloading additional programs to the infected computer. Here's a short synopsis of the type of conversations one of our people uncovered on a laptop on the network:

Contacts on port TCP/17555.  IRC commands were sent to the workstation to run a command "staticftp" to download a program x.exe. 
Instructed to launch 5 scans (netapi on port 137, wkssvc port 445, asn on port 445, dcom on port 135 and lsass on port 445). 
Connects to on TCP/80 and starts a PHP-based conversation, giving the workstation credentials to the host and receiving the following information:
Connects to on TCP/3144, retrieving unreadable data
Connects to on TCP/80, exchanging credentials via PHP:
To host:
uuid <wsname>_547611528
wv mag5_min0_build2195_Service_Pack_4
check purple
To workstation:
KEY: 864a1bae77fc8053055d02550ed7b49c;
HTTP connections are made to, to perform similar PHP and download conversations.
Three way TCP handshakes are attempted to, on TCP/80, but no further conversation was made.

My questions are:

1. Are other folks in the community seeing this kind of activity?
2. Aside from deleting what you can find, what other actions are recommended/required?
Who, if anyone, in the community or law enforcement should be notified?

If this post should be somewhere else, please let me know.


Richard Goetz
IT Security Officer
Kronos, Incorporated
Phone: 978-947-2819
Fax: 978-256-3919
RGoetz (at) Kronos (dot) com

Experts at Improving the Performance of People and Business
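Added example, not part of the original post or any product: a small detector that applies the pattern described above to constructed connection-log lines, flagging a source only when at least two of the described behaviours coincide (control channel on TCP/17555, a burst of 135/137/445 probes to distinct hosts, and an HTTP check-in whose payload starts with the uuid/wv/check fields). The log format, addresses, hostname and scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed connection log (not from the original post), one flow per line:
# "<src> <dst> <dst_port> [<payload>]". Ports mirror the post: TCP/17555 (IRC
# control), 135/137/445 (dcom, netapi, wkssvc/asn/lsass scans), TCP/80 (PHP check-in).
SAMPLE_LOG = """\
10.1.1.5 198.51.100.7 17555
10.1.1.5 10.1.1.21 445
10.1.1.5 10.1.1.22 445
10.1.1.5 10.1.1.23 135
10.1.1.5 10.1.1.24 137
10.1.1.5 203.0.113.9 80 uuid WS01_547611528
10.1.1.9 10.1.1.21 445
10.1.1.9 203.0.113.10 80 GET /index.php
"""
IRC_PORT = 17555
SCAN_PORTS = {135, 137, 445}
SCAN_THRESHOLD = 4   # assumed: distinct targets on those ports before calling it a scan
BEACON_FIELDS = {"uuid", "wv", "check"}   # first word of the PHP check-in lines

def parse_flows(log):
    """Yield (src, dst, port, payload) per line; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3] if len(parts) == 4 else ""

def find_infected(log):
    """Return {src: indicators} for sources showing at least two behaviours."""
    irc_hosts, beacon_hosts, scan_targets = set(), set(), defaultdict(set)
    for src, dst, port, payload in parse_flows(log):
        if port == IRC_PORT:
            irc_hosts.add(src)
        elif port in SCAN_PORTS:
            scan_targets[src].add(dst)
        elif port == 80 and payload.split(" ", 1)[0] in BEACON_FIELDS:
            beacon_hosts.add(src)
    flagged = {}
    for src in irc_hosts | beacon_hosts | set(scan_targets):
        hits = set()
        if src in irc_hosts:
            hits.add("irc-17555")
        if len(scan_targets[src]) >= SCAN_THRESHOLD:
            hits.add("smb-rpc-scan")
        if src in beacon_hosts:
            hits.add("php-beacon")
        if len(hits) >= 2:   # a single behaviour alone is too noisy to act on
            flagged[src] = hits
    return flagged
```

The host that only talks SMB to one file server and fetches a normal page is left alone; the threshold and the two-of-three rule are the knobs to tune against your own baseline.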


Copyright 2010, SecurityFocus