Re: Open mail relay surge

From: Jeff Kell (jeff-kellat_private)
Date: Thu Mar 06 2003 - 22:11:18 PST


    (Excuse a slight cross-posting to RESNET-L and Incidents...)
    
    WENDY SHIH wrote:
    > Yes, we got quite a few of the OpenProxy complaints the past 2 weeks too.
    > We just saw a computer with MMTask.exe in XP. Most of the time, users
    > have BigBoss virus, Backdoor-AOT trojan (MPtask.exe) and plus some type of
    > wingate.  We have seen them in Win98, 2000 and XP computers.
    
    Let me relay an edited follow-up I finished yesterday tracking a local 
    spamming source in our dorms that turned out to be a similar proxy that 
    matched Dex's description.
    
    After investigating the initial spam reports concerning the dorm spam, 
    some other issues have come to light.  On the RESNET-L list at 
    <RESNET-Lat_private>, Dax <daxat_private> wrote:
    
     > Over the past 7 days, I've seen a tremendous surge in spam complaints
     > coming from my domain. After seeing about 10 or so in the course of
     > one week, I knew it had to be something of an epidemic. After
     > handfuls of my RCCs came up blank, I finally examined one machine
     > myself, and after a bit of diagnosis, was able to determine that
     > WinGate proxy was the culprit - or rather, a hacked backdoor/Trojan
     > of Wingate, similar to this example:
     >
     > http://www.megasecurity.org/Tools/Wingate3.09.html
     >
     > This is a semi-nasty one, and it opens up a web, ftp, and mail server
     > on the r00ted machine. What makes it difficult to locate (at least on
     > a Win9.x/ME box) is that it disguises itself as MMTask.exe. There
     > were several other files (a couple .dlls and one more named
     > mptask.exe, or something like it). Since XP shouldn't have mmtask,
     > it's pretty obvious if an XP machine has become compromised. Of
     > course, the user I checked out had no idea what it was, how it got
     > there, or what in tarnation I was babbling on about. We're working on
     > developing an IDS signature, but don't have much yet. Another very
     > clear-cut indicator is nmap results that return this:
     >
     > 1180/tcp open unknown   1181/tcp open unknown   1182/tcp open unknown
     > 1183/tcp open unknown   1184/tcp open unknown   1185/tcp open unknown
    
    I ran a scan on the logs for March 2-4 against the internal IP searching 
    for inbounds on 1180-1185.  Presto, almost like clockwork, a match, on 
    1182, each connection followed by one from the infected machine to an 
    outside SMTP server.
    
    Originally I had counts for outbound TCP connections for this host from 
    March 2-4.  These numbers look like this:
    
    [jeff@netsyslog jeff]$ wc -l johndoe[1-3]    # March 4,3,2
       38331 johndoe1
       23019 johndoe2
        5538 johndoe3
       66888 total
    
    Next, I looked for proxy connections made to this host over the same 
    time period.  Aggregate counts for all days (I didn't run them 
    separately) show a higher count:
    
    [jeff@netsyslog jeff]$ wc -l johndoe-proxy
       88110 johndoe-proxy
    
    I shut down the network port Tuesday afternoon; the last recorded SMTP 
    open was March 4, 16:04:06.  The proxy counts are inflated but for a 
    good reason.  The machine(s) connecting to the proxy continued going, 
    and the constant traffic kept the address translation slot open.  It 
    just kept right on going all night and into Wednesday, finally giving 
    up and releasing the translation slot at 12:38:34 as shown:
    
    Mar  5 11:39:58 utc-pix %PIX-6-302014: Teardown TCP connection 136320387 
    for outside:207.44.216.71/44356 to inside:172.28.220.181/1182 duration 
    0:02:01 bytes 0 SYN Timeout
    Mar  5 12:38:02 utc-pix %PIX-6-305010: Teardown dynamic translation from 
    inside:172.28.220.181 to outside:aaa.bbb.ccc.ddd duration 67:30:25
    
    (That outside source address is not obfuscated :-) )
    
    And the damage inflicted?  Another scan looking for connections opened 
    to an SMTP port from the inside source that were closed by graceful TCP 
    FINs:
    
    [jeff@netsyslog jeff]$ wc -l johndoe-damage
       14929 johndoe-damage
    
    Almost 15000 spams delivered, to who knows how many actual recipients. 
    It could have been much worse if we had the bandwidth to spare, and the 
    dorms weren't already squelched by a PacketShaper.
    
    Still haven't isolated the method of infection or the actual proxy 
    installed; I shut down the port and notified student affairs.  If 
    anything comes up in forensics, I'll follow up.
    
    Jeff
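As an added illustration, not code from Jeff's message or from any tool he used, the following Python script performs the same correlation the post describes by hand: it parses PIX %PIX-6-302014 teardown records in the format quoted above, counts inbound connections to the 1180-1185 ports per inside host, counts that host's outbound SMTP connections and the subset closed by graceful "TCP FINs", and flags hosts whose SMTP sessions start shortly after a proxy connection does. The log lines are constructed for the example (documentation-range addresses, invented connection IDs), and the 60-second correlation window, the helper names and the `suspected_proxies` threshold are assumptions of this example, not values from the message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the PIX 302014 teardown format quoted in the message.
# Addresses are RFC 5737 documentation ranges / RFC 1918; nothing here is a real host.
SAMPLE_LOG = """\
Mar  4 15:58:10 utc-pix %PIX-6-302014: Teardown TCP connection 136300001 for outside:203.0.113.5/44001 to inside:172.28.220.181/1182 duration 0:00:40 bytes 2310 TCP FINs
Mar  4 15:58:12 utc-pix %PIX-6-302014: Teardown TCP connection 136300002 for outside:198.51.100.20/25 to inside:172.28.220.181/3011 duration 0:00:38 bytes 2188 TCP FINs
Mar  4 15:59:31 utc-pix %PIX-6-302014: Teardown TCP connection 136300003 for outside:203.0.113.5/44002 to inside:172.28.220.181/1182 duration 0:00:30 bytes 2401 TCP FINs
Mar  4 15:59:33 utc-pix %PIX-6-302014: Teardown TCP connection 136300004 for outside:198.51.100.21/25 to inside:172.28.220.181/3012 duration 0:00:29 bytes 2250 TCP Reset-O
Mar  4 16:04:06 utc-pix %PIX-6-302014: Teardown TCP connection 136300005 for outside:203.0.113.5/44003 to inside:172.28.220.181/1182 duration 0:00:35 bytes 2377 TCP FINs
Mar  4 16:04:40 utc-pix %PIX-6-302014: Teardown TCP connection 136300006 for outside:198.51.100.22/25 to inside:172.28.220.181/3013 duration 0:00:33 bytes 2301 TCP FINs
Mar  4 16:10:02 utc-pix %PIX-6-302014: Teardown TCP connection 136300007 for outside:198.51.100.40/80 to inside:172.28.220.55/1301 duration 0:00:05 bytes 14020 TCP FINs
Mar  5 11:39:58 utc-pix %PIX-6-302014: Teardown TCP connection 136320387 for outside:203.0.113.5/44356 to inside:172.28.220.181/1182 duration 0:02:01 bytes 0 SYN Timeout
"""

PROXY_PORTS = range(1180, 1186)  # the listener ports Dax's nmap output showed
SMTP_PORT = 25

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-6-302014: "
    r"Teardown TCP connection \d+ for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) duration (?P<dur>\d+:\d\d:\d\d) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardown(line, year=2003):
    """Parse one 302014 line into a dict; return None for any other line.

    Endpoints are keyed by interface name (inside/outside) rather than by
    position, so the result does not depend on which side PIX prints first.
    Syslog carries no year, so the caller supplies it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ends = {m["if1"]: (m["ip1"], int(m["p1"])), m["if2"]: (m["ip2"], int(m["p2"]))}
    if "inside" not in ends or "outside" not in ends:
        return None
    end = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    h, mn, s = (int(x) for x in m["dur"].split(":"))
    dur = timedelta(hours=h, minutes=mn, seconds=s)
    return {
        "start": end - dur,  # teardown time minus duration gives the connection start
        "end": end,
        "inside": ends["inside"],
        "outside": ends["outside"],
        "bytes": int(m["bytes"]),
        "reason": m["reason"],
    }


def summarize(log_text, window=timedelta(seconds=60)):
    """Per inside host: proxy hits, SMTP connections, graceful SMTP closes, and
    SMTP connections that began within `window` after a proxy connection began."""
    recs = [r for r in (parse_teardown(line) for line in log_text.splitlines()) if r]
    by_host = defaultdict(lambda: {"proxy_hits": 0, "smtp": 0, "smtp_fins": 0, "correlated": 0})
    proxy_starts = defaultdict(list)
    for r in recs:
        host = r["inside"][0]
        if r["inside"][1] in PROXY_PORTS:  # inbound hit on a proxy listener (timeouts count as attempts)
            by_host[host]["proxy_hits"] += 1
            proxy_starts[host].append(r["start"])
        elif r["outside"][1] == SMTP_PORT:  # outbound SMTP from the inside host
            by_host[host]["smtp"] += 1
            if r["reason"] == "TCP FINs":  # graceful close: the session most likely delivered mail
                by_host[host]["smtp_fins"] += 1
    for r in recs:
        host = r["inside"][0]
        if r["outside"][1] == SMTP_PORT and any(
            0 <= (r["start"] - p).total_seconds() <= window.total_seconds()
            for p in proxy_starts[host]
        ):
            by_host[host]["correlated"] += 1
    return dict(by_host)


def suspected_proxies(summary, min_smtp=2):
    """Hosts that received proxy-port connections and relayed SMTP right after them."""
    return sorted(h for h, s in summary.items() if s["proxy_hits"] and s["correlated"] >= min_smtp)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, stats in summary.items():
        print(host, stats)
    print("suspected open proxies:", suspected_proxies(summary))
```

Run against real PIX syslog, the `smtp_fins` figure for a flagged host corresponds to the "damage" count in the post, while `correlated` is the clockwork pattern Jeff spotted: an inbound hit on 1182 followed seconds later by an outbound connection to port 25 from the same inside address. The SYN Timeout record is counted as a proxy hit on purpose, since after the port was shut off those timeouts are exactly the evidence that the outside clients were still trying.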
    
    
    



    This archive was generated by hypermail 2b30 : Fri Mar 07 2003 - 07:51:39 PST