(Excuse a slight cross-posting to RESNET-L and Incidents...)

WENDY SHIH wrote:

> Yes, we got quite a few of the OpenProxy complaints the past 2 weeks too.
> We just saw a computer with MMTask.exe in XP. Most of the time, users
> have BigBoss virus, Backdoor-AOT trojan (MPtask.exe) and plus some type of
> wingate. We have seen them in Win98, 2000 and XP computers.

Let me relay an edited follow-up I finished yesterday tracking a local
spamming source in our dorms that turned out to be a similar proxy that
matched Dax's description.

After investigating the initial spam reports concerning the dorm spam, some
other issues have come to light.

On the RESNET-L list at <RESNET-Lat_private>, Dax <daxat_private> wrote:

> Over the past 7 days, I've seen a tremendous surge in spam complaints
> coming from my domain. After seeing about 10 or so in the course of
> one week, I knew it had to be something of an epidemic. After
> handfuls of my RCCs came up blank, I finally examined one machine
> myself, and after a bit of diagnosis, was able to determine that
> WinGate proxy was the culprit - or rather, a hacked backdoor/Trojan
> of Wingate, similar to this example:
>
> http://www.megasecurity.org/Tools/Wingate3.09.html
>
> This is a semi-nasty one, and it opens up a web, ftp, and mail server
> on the r00ted machine. What makes it difficult to locate (at least on
> a Win9.x/ME box) is that it disguises itself as MMTask.exe. There
> were several other files (a couple .dlls and one more named
> mptask.exe, or something like it). Since XP shouldn't have mmtask,
> it's pretty obvious if an XP machine has become compromised. Of
> course, the user I checked out had no idea what it was, how it got
> there, or what in tarnation I was babbling on about. We're working on
> developing an IDS signature, but don't have much yet.
> Another very clear-cut indicator is nmap results that return this:
>
> 1180/tcp   open   unknown
> 1181/tcp   open   unknown
> 1182/tcp   open   unknown
> 1183/tcp   open   unknown
> 1184/tcp   open   unknown
> 1185/tcp   open   unknown

I ran a scan on the logs for March 2-4 against the internal IP searching for
inbounds on 1180-1185. Presto, almost like clockwork, a match, on 1182, each
connection followed by one from the infected machine to an outside SMTP
server.

Originally I had counts for outbound TCP connections for this host from
March 2-4. These numbers look like this:

    [jeff@netsyslog jeff]$ wc -l johndoe[1-3]   # March 4,3,2
      38331 johndoe1
      23019 johndoe2
       5538 johndoe3
      66888 total

Next, I looked for proxy connections made to this host over the same time
period. Aggregate counts for all days (I didn't run them separately) show a
higher count:

    [jeff@netsyslog jeff]$ wc -l johndoe-proxy
      88110 johndoe-proxy

The proxy counts are inflated but for a good reason. I shut down the network
port Tuesday afternoon; the last recorded SMTP open was March 4, 16:04:06.
The machine(s) connecting to the proxy continued going, and the constant
traffic kept the address translation slot open. It just kept right on going
all night and into Wednesday, finally giving up and releasing the translation
slot at 12:38:34 as shown:

    Mar  5 11:39:58 utc-pix %PIX-6-302014: Teardown TCP connection 136320387 for outside:207.44.216.71/44356 to inside:172.28.220.181/1182 duration 0:02:01 bytes 0 SYN Timeout
    Mar  5 12:38:02 utc-pix %PIX-6-305010: Teardown dynamic translation from inside:172.28.220.181 to outside:aaa.bbb.ccc.ddd duration 67:30:25

(That outside source address is not obfuscated :-) )

And the damage inflicted? Another scan looking for connections opened to an
SMTP port from the inside source that were closed by graceful TCP FINs:

    [jeff@netsyslog jeff]$ wc -l johndoe-damage
      14929 johndoe-damage

Almost 15000 spams delivered, to who knows how many actual recipients.
It could have been much worse if we had the bandwidth to spare, and the dorms
weren't already squelched by a PacketShaper. I still haven't isolated the
method of infection or the actual proxy installed; I shut down the port and
notified student affairs. If anything comes up in forensics, I'll follow up.

Jeff
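The three log checks Jeff describes (inbound hits on the 1180-1185 backdoor ports, each followed by an outbound SMTP connection from the same inside host, and a "damage" count of SMTP sessions closed by graceful TCP FINs) can be scripted against PIX syslog. The script below is an added example, not Jeff's own grep/wc runs. It assumes the %PIX-6-302014 Teardown message has the layout of the one line quoted in the post (initiator first, responder second, then duration, bytes and a teardown reason), derives each connection's start time as teardown time minus duration, and uses an assumed 30-second pairing window. The sample log lines are constructed for the example; the inside host address is the one from the post, the outside addresses are documentation ranges.

```python
"""Scan PIX syslog for the open-proxy spam pattern described in the post.

Added example, not the poster's scripts.  Assumes the %PIX-6-302014 Teardown
format shown in the one line the post quotes; the 30-second pairing window and
the sample log lines below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

PROXY_PORTS = range(1180, 1186)   # listeners the backdoored WinGate opens
SMTP_PORT = 25
WINDOW = timedelta(seconds=30)    # assumed: proxy hit -> relayed SMTP session

# "%PIX-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port>
#  to <if>:<ip>/<port> duration h:mm:ss bytes <n> <reason>"
TEARDOWN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ %PIX-6-302014: Teardown TCP connection "
    r"(?P<id>\d+) for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def parse_teardown(line, year=2003):
    """Return a dict for a 302014 line, or None for anything else (e.g. 305010)."""
    m = TEARDOWN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it
    rec["ts"] = datetime.strptime(f"{year} {' '.join(rec['ts'].split())}",
                                  "%Y %b %d %H:%M:%S")
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    h, mi, s = (int(x) for x in rec["dur"].split(":"))
    rec["start"] = rec["ts"] - timedelta(hours=h, minutes=mi, seconds=s)
    return rec

def parse_log(text, year=2003):
    return [r for r in (parse_teardown(l, year) for l in text.splitlines()) if r]

def proxy_hits(records, host):
    """Inbound connections to the suspect host on the backdoor ports."""
    return [r for r in records if r["dst"] == host and r["dport"] in PROXY_PORTS]

def smtp_sessions(records, host):
    """Outbound SMTP connections originating from the suspect host."""
    return [r for r in records if r["src"] == host and r["dport"] == SMTP_PORT]

def delivered_count(records, host):
    """SMTP sessions that ended with a graceful close: the post's 'damage' figure."""
    return sum(1 for r in smtp_sessions(records, host) if r["reason"] == "TCP FINs")

def correlate(records, host, window=WINDOW):
    """Pair each proxy hit with the first unclaimed SMTP session that starts
    within `window` after the hit starts; returns (proxy_client, smtp_server)."""
    hits = sorted(proxy_hits(records, host), key=lambda r: r["start"])
    smtp = sorted(smtp_sessions(records, host), key=lambda r: r["start"])
    used, pairs = set(), []
    for h in hits:
        for s in smtp:
            if s["id"] in used:
                continue
            if h["start"] <= s["start"] <= h["start"] + window:
                used.add(s["id"])
                pairs.append((h["src"], s["dst"]))
                break
    return pairs

def scan(text, host, year=2003):
    recs = parse_log(text, year)
    return {
        "proxy_hits": len(proxy_hits(recs, host)),
        "smtp_sessions": len(smtp_sessions(recs, host)),
        "delivered": delivered_count(recs, host),
        "correlated": correlate(recs, host),
    }

# Constructed sample log: two proxy hits each followed by an SMTP relay, one
# SMTP session reset by the far end, an unrelated web connection, and the
# post's SYN-timeout and translation-teardown lines (the latter is skipped).
SAMPLE_LOG = """\
Mar  4 15:58:10 utc-pix %PIX-6-302014: Teardown TCP connection 136311001 for outside:203.0.113.71/40211 to inside:172.28.220.181/1182 duration 0:00:20 bytes 812 TCP FINs
Mar  4 15:58:25 utc-pix %PIX-6-302014: Teardown TCP connection 136311002 for inside:172.28.220.181/3044 to outside:198.51.100.25/25 duration 0:00:30 bytes 5120 TCP FINs
Mar  4 15:59:12 utc-pix %PIX-6-302014: Teardown TCP connection 136311003 for outside:203.0.113.71/40212 to inside:172.28.220.181/1182 duration 0:00:15 bytes 790 TCP FINs
Mar  4 15:59:40 utc-pix %PIX-6-302014: Teardown TCP connection 136311004 for inside:172.28.220.181/3045 to outside:198.51.100.26/25 duration 0:00:38 bytes 0 TCP Reset-O
Mar  4 16:04:06 utc-pix %PIX-6-302014: Teardown TCP connection 136311005 for inside:172.28.220.181/3046 to outside:198.51.100.27/25 duration 0:00:12 bytes 4096 TCP FINs
Mar  4 16:10:00 utc-pix %PIX-6-302014: Teardown TCP connection 136311006 for inside:172.28.220.181/3047 to outside:198.51.100.80/80 duration 0:00:05 bytes 2048 TCP FINs
Mar  5 11:39:58 utc-pix %PIX-6-302014: Teardown TCP connection 136320387 for outside:203.0.113.71/44356 to inside:172.28.220.181/1182 duration 0:02:01 bytes 0 SYN Timeout
Mar  5 12:38:02 utc-pix %PIX-6-305010: Teardown dynamic translation from inside:172.28.220.181 to outside:aaa.bbb.ccc.ddd duration 67:30:25
"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG, "172.28.220.181").items():
        print(f"{key}: {value}")
```

Counting on the teardown line rather than the "Built" line is deliberate: the teardown carries the close reason, so a single pass yields both the raw session count (the post's `johndoe1-3` numbers) and the graceful-FIN subset (the `johndoe-damage` number). Sessions that time out or are reset, like the Reset-O line above, are still sessions but not deliveries.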
This archive was generated by hypermail 2b30 : Fri Mar 07 2003 - 07:51:39 PST