Nimda.E/unknown memory resident, internet-aware processes

From: Matt Hornsby (mr.hornsbyat_private)
Date: Wed Mar 19 2003 - 22:10:54 PST

  • Next message: Johannes Ullrich: "Re: Nimda.E/unknown memory resident, internet-aware processes"

    
    Hopefully someone else out there has run across something similar to 
    this.  After searching the internet for more than a week and finding 
    nothing, I am posting to this list in the event that this has been 
    discovered before.
    
    Recently, a client's NT 4.0 server was infected with what appeared to be 
    Nimda.E.  Their ISP completely shut off their broadband connection after 
    detecting large amounts of Nimda related traffic scanning for vulnerable 
    systems.
    
    The first thing I noticed when I arrived on the scene was what appeared to 
    be a complete system compromise.  Multiple backdoors and remote 
    administration packages were installed.  Dameware, psyBNC, several 
    backdoor daemons, an FTP server and several other exploits were present.  
    Upon running a Nimda.E cleanup utility and discovering the extent of the 
    compromise (this system had more holes than Swiss cheese), I looked at the 
    network traffic and saw several suspect connections.  One was to an ICQ 
    server, one was to something on port 6667 (presumably an IRC server), and 
    one other connection to port 2787.  
    
    Finally, I noticed a box reading "MIRC Windows NT Security" popping up for 
    a fraction of a second every minute or so.  Unfortunately it was not long 
    enough for me to catch what process was spawning it.
    
    Curious as to what was being communicated, I fired up a packet sniffer and 
    discovered that the connection to port 2787 was actually to a private IRC 
    server on a non-standard port.  This machine was being used as a drone 
    along with about 500 other compromised systems on just that one IRC server.
    
    Later on, I managed to find and log into the IRC server and caught the 
    attention of a few people who claimed to be administrators of the IRC 
    server and authors of the code responsible for this compromise.
    
    They claimed to be Russian coders who have been working on a program they 
    called "sysnet.exe" for 1.5 to 2 years.  According to them, the program is 
    a Swiss army knife of backdoors and exploits, all automatically installed 
    through IIS vulnerabilities.  I was not able to find sysnet.exe anywhere 
    on the affected system or in its registry.
    
    Shortly after the conversation, the IRC server was shut down.  
    Interestingly enough, when I turned the affected system back on, it was 
    now connecting to another system, yandex.ru on the same port (2787).  Also 
    of note were connections to a remote system on ports 59230 and 19736.
    
    All other attempts to determine the source of these connections have 
    failed.  FPort would not display ANY connections, even legitimate ones.  
    What little I have found on the subject seems to suggest that any time 
    that FPort doesn't return any information is cause for great concern.
    
    Unfortunately, since it was a production machine that belonged to a 
    client, I was unable to study it further before doing a clean OS install.  
    All attempts to discover the root of the infection came up dry.  The best 
    I can surmise is that it was infected with Nimda.E, and then this exploit 
    was used to install the rootkit and further compromise the system.  The 
    system logs showed nothing except failed attempts at calls to cmd.exe.
    
    Anyhow, this is the first time I have posted here, so if I have posted to 
    the wrong place or overlooked some other rule of etiquette I apologize in 
    advance.  I leave you with some snippets of network traffic that I was 
    able to capture:
    
    Packet data:
    0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
    0010: 00 7E 9E 4F 40 00 31 06 71 2D 3F F1 B3 46 40 51 ...O@.1.q-?..F@Q
    0020: 06 75 0A E3 04 9B 0D 6A 82 1B 00 02 1B D7 50 18 .u.....j......P.
    0030: 0B 68 5F F5 00 00 3A 69 72 63 2E 43 68 61 6F 53 .h_...:irc.ChaoS
    0040: 2E 4E 65 74 20 33 32 34 20 77 5F 33 33 37 38 36 .Net 324 w_33786
    0050: 6C 5F 20 23 30 32 20 2B 73 6D 74 6E 20 0D 0A 3A l_ #02 +smtn ..:
    0060: 69 72 63 2E 43 68 61 6F 53 2E 4E 65 74 20 33 32 irc.ChaoS.Net 32
    0070: 39 20 77 5F 33 33 37 38 36 6C 5F 20 23 30 32 20 9 w_33786l_ #02 
    0080: 31 30 34 39 38 38 38 32 39 31 0D 0A             1049888291..
    
    this one shows some of the many systems logged in:
    
    Packet data:
    0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
    0010: 05 91 9C FA 40 00 31 06 6D 6F 3F F1 B3 46 40 51 ....@.1.mo?..F@Q
    0020: 06 75 0A E3 04 9B 0D 6A 7C B2 00 02 1B CE 50 18 .u.....j|.....P.
    0030: 0B 68 67 30 00 00 3A 77 5F 33 33 37 38 36 6C 5F .hg0..:w_33786l_
    0040: 21 4D 30 32 34 37 35 31 58 40 41 38 35 38 42 42 !M024751X@A858BB
    0050: 36 35 43 35 45 34 42 41 31 35 38 30 42 31 31 44 65C5E4BA1580B11D
    0060: 46 43 42 42 44 36 33 44 78 20 4A 4F 49 4E 20 3A FCBBD63Dx JOIN :
    0070: 23 30 32 0D 0A 3A 69 72 63 2E 43 68 61 6F 53 2E #02..:irc.ChaoS.
    0080: 4E 65 74 20 33 35 33 20 77 5F 33 33 37 38 36 6C Net 353 w_33786l
    0090: 5F 20 40 20 23 30 32 20 3A 77 5F 33 33 37 38 36 _ @ #02 :w_33786
    00A0: 6C 5F 20 71 5F 36 38 31 33 31 7A 5F 20 6C 5F 35 l_ q_68131z_ l_5
    00B0: 39 32 35 35 64 5F 20 71 5F 35 35 32 32 33 78 5F 9255d_ q_55223x_
    00C0: 20 69 5F 37 37 32 34 35 7A 5F 20 61 5F 32 34 32  i_77245z_ a_242
    00D0: 31 39 6A 5F 20 79 5F 35 39 39 32 34 6B 5F 20 71 19j_ y_59924k_ q
    00E0: 5F 36 34 38 39 37 64 5F 20 78 5F 37 36 31 34 34 _64897d_ x_76144
    00F0: 79 5F 20 64 5F 32 39 30 37 31 6A 5F 5B 73 63 61 y_ d_29071j_[sca
    0100: 6E 5D 20 69 5F 38 34 34 33 36 65 5F 5B 73 63 61 n] i_84436e_[sca
    0110: 6E 5D 20 6A 5F 35 35 30 34 32 7A 5F 20 6D 5F 31 n] j_55042z_ m_1
    0120: 39 31 39 39 62 5F 20 6D 5F 38 33 35 35 36 63 5F 9199b_ m_83556c_
    0130: 20 61 5F 39 33 30 36 34 6D 5F 20 63 5F 38 35 32  a_93064m_ c_852
    0140: 33 31 78 5F 20 68 5F 35 34 34 35 38 66 5F 20 69 31x_ h_54458f_ i
    0150: 5F 34 35 30 37 39 78 5F 20 40 4C 20 6E 5F 38 32 _45079x_ @L n_82
    0160: 37 34 30 6B 5F 20 6D 5F 35 38 31 34 30 68 5F 20 740k_ m_58140h_ 
    0170: 63 5F 34 35 30 39 33 76 5F 20 67 5F 37 34 39 35 c_45093v_ g_7495
    0180: 34 6D 5F 20 62 5F 37 35 38 32 30 69 5F 20 72 5F 4m_ b_75820i_ r_
    0190: 32 30 35 31 35 66 5F 20 76 5F 37 31 39 36 39 6C 20515f_ v_71969l
    01A0: 5F 20 6E 5F 31 36 37 30 31 61 5F 20 67 5F 31 37 _ n_16701a_ g_17
    01B0: 37 39 37 74 5F 20 63 5F 35 34 33 31 36 6D 5F 20 797t_ c_54316m_ 
    01C0: 63 5F 34 35 37 36 37 65 5F 20 6C 5F 37 35 39 38 c_45767e_ l_7598
    01D0: 32 71 5F 20 74 5F 37 37 30 33 37 6F 5F 20 6A 5F 2q_ t_77037o_ j_
    01E0: 32 37 32 30 31 75 5F 20 69 5F 34 33 36 32 33 62 27201u_ i_43623b
    01F0: 5F 5B 73 63 61 6E 5D 20 73 5F 36 30 31 36 38 69 _[scan] s_60168i
    0200: 5F 20 76 5F 34 33 34 38 39 70 5F 20 68 5F 33 30 _ v_43489p_ h_30
    0210: 37 39 37 6B 5F 20 6E 5F 32 35 30 33 32 71 5F 20 797k_ n_25032q_ 
    0220: 6A 5F 35 34 35 38 32 63 5F 20 75 5F 32 32 36 34 j_54582c_ u_2264
    0230: 30 73 5F 20 77 5F 34 31 38 36 38 6E 5F 20 79 5F 0s_ w_41868n_ y_
    0240: 35 33 35 31 30 6C 5F 20 0D 0A 3A 69 72 63 2E 43 53510l_ ..:irc.C
    0250: 68 61 6F 53 2E 4E 65 74 20 33 35 33 20 77 5F 33 haoS.Net 353 w_3
    0260: 33 37 38 36 6C 5F 20 40 20 23 30 32 20 3A 6D 5F 3786l_ @ #02 :m_
    0270: 31 31 34 32 37 79 5F 20 70 5F 39 34 30 33 30 70 11427y_ p_94030p
    0280: 5F 20 68 5F 39 32 38 37 38 65 5F 20 75 5F 31 36 _ h_92878e_ u_16
    0290: 31 35 31 70 5F 20 78 5F 35 34 30 34 35 6F 5F 20 151p_ x_54045o_ 
    02A0: 72 5F 39 33 30 34 37 6E 5F 20 65 5F 32 37 39 39 r_93047n_ e_2799
    02B0: 33 79 5F 5B 73 63 61 6E 5D 20 67 5F 37 31 33 39 3y_[scan] g_7139
    02C0: 37 6A 5F 5B 73 63 61 6E 5D 20 6F 5F 37 38 34 39 7j_[scan] o_7849
    02D0: 31 6E 5F 20 73 5F 39 37 34 36 36 70 5F 20 6A 5F 1n_ s_97466p_ j_
    02E0: 32 30 31 34 36 79 5F 20 69 5F 39 39 37 34 36 6C 20146y_ i_99746l
    02F0: 5F 5B 73 63 61 6E 5D 20 64 5F 32 36 33 36 35 67 _[scan] d_26365g
    0300: 5F 5B 73 63 61 6E 5D 20 76 5F 32 39 37 30 36 6F _[scan] v_29706o
    0310: 5F 20 70 5F 31 34 30 35 31 69 5F 20 72 5F 33 35 _ p_14051i_ r_35
    0320: 32 37 39 6F 5F 20 6E 5F 34 30 31 35 39 72 5F 20 279o_ n_40159r_ 
    0330: 64 5F 33 38 32 34 31 68 5F 5B 73 63 61 6E 5D 20 d_38241h_[scan] 
    0340: 66 5F 35 33 31 34 39 70 5F 20 73 5F 37 37 36 36 f_53149p_ s_7766
    0350: 38 6B 5F 20 79 5F 31 35 33 31 37 68 5F 20 6C 5F 8k_ y_15317h_ l_
    0360: 33 38 33 38 38 63 5F 20 76 5F 31 35 31 31 33 79 38388c_ v_15113y
    0370: 5F 20 64 5F 33 38 39 32 37 74 5F 5B 73 63 61 6E _ d_38927t_[scan
    0380: 5D 20 73 5F 35 31 34 37 38 74 5F 20 6E 5F 33 30 ] s_51478t_ n_30
    0390: 34 32 39 7A 5F 20 71 5F 35 39 39 36 33 76 5F 20 429z_ q_59963v_ 
    03A0: 66 5F 32 36 34 36 34 65 5F 5B 73 63 61 6E 5D 20 f_26464e_[scan] 
    03B0: 64 5F 31 36 32 35 32 74 5F 5B 73 63 61 6E 5D 20 d_16252t_[scan] 
    03C0: 66 5F 36 31 32 33 34 67 5F 5B 73 63 61 6E 5D 20 f_61234g_[scan] 
    03D0: 72 5F 33 34 34 34 39 66 5F 20 63 5F 36 36 34 32 r_34449f_ c_6642
    03E0: 36 79 5F 5B 73 63 61 6E 5D 20 69 5F 31 37 32 37 6y_[scan] i_1727
    03F0: 33 6E 5F 5B 73 63 61 6E 5D 20 77 5F 36 39 30 39 3n_[scan] w_6909
    0400: 38 6D 5F 20 66 5F 33 34 37 33 32 72 5F 20 76 5F 8m_ f_34732r_ v_
    0410: 39 36 37 31 35 77 5F 20 0D 0A 3A 69 72 63 2E 43 96715w_ ..:irc.C
    0420: 68 61 6F 53 2E 4E 65 74 20 33 35 33 20 77 5F 33 haoS.Net 353 w_3
    0430: 33 37 38 36 6C 5F 20 40 20 23 30 32 20 3A 73 5F 3786l_ @ #02 :s_
    0440: 37 39 35 34 31 76 5F 20 73 5F 32 39 34 38 32 77 79541v_ s_29482w
    0450: 5F 20 61 5F 33 36 33 39 30 71 5F 20 74 5F 39 36 _ a_36390q_ t_96
    0460: 32 36 38 66 5F 20 7A 5F 34 37 34 34 37 79 5F 5B 268f_ z_47447y_[
    0470: 73 63 61 6E 5D 20 75 5F 31 39 35 39 33 79 5F 20 scan] u_19593y_ 
    0480: 61 5F 36 31 33 39 30 68 5F 5B 73 63 61 6E 5D 20 a_61390h_[scan] 
    0490: 63 5F 31 37 36 37 34 72 5F 5B 73 63 61 6E 5D 20 c_17674r_[scan] 
    04A0: 79 5F 33 31 31 35 37 62 5F 20 73 5F 38 30 33 39 y_31157b_ s_8039
    04B0: 38 6A 5F 20 65 5F 38 37 38 35 36 70 5F 5B 73 63 8j_ e_87856p_[sc
    04C0: 61 6E 5D 20 62 5F 31 34 34 32 35 77 5F 5B 73 63 an] b_14425w_[sc
    04D0: 61 6E 5D 20 68 5F 32 36 35 31 32 6A 5F 5B 73 63 an] h_26512j_[sc
    04E0: 61 6E 5D 20 65 5F 34 35 36 35 36 6F 5F 5B 73 63 an] e_45656o_[sc
    04F0: 61 6E 5D 20 76 5F 32 38 36 32 36 69 5F 20 64 5F an] v_28626i_ d_
    0500: 34 33 37 32 34 6E 5F 5B 73 63 61 6E 5D 20 6D 5F 43724n_[scan] m_
    0510: 37 38 33 37 35 69 5F 20 73 5F 35 38 36 36 30 6E 78375i_ s_58660n
    0520: 5F 5B 73 63 61 6E 5D 20 66 5F 35 39 38 32 30 68 _[scan] f_59820h
    0530: 5F 5B 73 63 61 6E 5D 20 73 5F 33 33 30 32 35 75 _[scan] s_33025u
    0540: 5F 20 74 5F 37 37 35 38 34 6F 5F 20 6F 5F 33 32 _ t_77584o_ o_32
    0550: 35 32 36 62 5F 20 64 5F 36 39 37 30 37 64 5F 5B 526b_ d_69707d_[
    0560: 73 63 61 6E 5D 20 0D 0A 3A 69 72 63 2E 43 68 61 scan] ..:irc.Cha
    0570: 6F 53 2E 4E 65 74 20 33 36 36 20 77 5F 33 33 37 oS.Net 366 w_337
    0580: 38 36 6C 5F 20 23 30 32 20 3A 45 6E 64 20 6F 66 86l_ #02 :End of
    0590: 20 2F 4E 41 4D 45 53 20 6C 69 73 74 2E 0D 0A     /NAMES list...
    
    The ones with [scan] in them, according to the coder I spoke with, were 
    those systems that were in the process of scanning the net for new 
    vulnerable hosts.
    
    Anyone seen this before?
    
    Cheers!
    Matt Hornsby
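The dumps in the post above are raw Ethernet frames, so the IRC text only becomes usable once the Ethernet, IPv4 and TCP headers are stripped. The following script is an added example, not code from the original post or from anyone on the list: it parses hex dumps in the "OFFSET: XX XX ... ascii" layout used above, extracts the TCP payload, splits it into IRC messages, and walks the 353 (RPL_NAMREPLY) lines to count the drones, the ones carrying the "[scan]" suffix, and any channel operators. The first sample is the first packet dump transcribed verbatim; the second is the start of the NAMES reply from the second dump, transcribed from its ASCII column and truncated after twenty nicks. The drone-nick pattern (one letter, underscore, five digits, one letter, underscore) is a heuristic read off the dump, not something the coders confirmed.

```python
"""Decode the IRC botnet traffic from hex dumps of Ethernet frames.

Added example (not part of the original post). Assumes the dump layout used
above: 'OFFSET: XX XX ... XX  ascii', at most 16 bytes per line.
"""
import re
from collections import namedtuple

# Sample 1: the first packet dump, transcribed from the post.
PACKET_DUMP_1 = """\
0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
0010: 00 7E 9E 4F 40 00 31 06 71 2D 3F F1 B3 46 40 51 ...O@.1.q-?..F@Q
0020: 06 75 0A E3 04 9B 0D 6A 82 1B 00 02 1B D7 50 18 .u.....j......P.
0030: 0B 68 5F F5 00 00 3A 69 72 63 2E 43 68 61 6F 53 .h_...:irc.ChaoS
0040: 2E 4E 65 74 20 33 32 34 20 77 5F 33 33 37 38 36 .Net 324 w_33786
0050: 6C 5F 20 23 30 32 20 2B 73 6D 74 6E 20 0D 0A 3A l_ #02 +smtn ..:
0060: 69 72 63 2E 43 68 61 6F 53 2E 4E 65 74 20 33 32 irc.ChaoS.Net 32
0070: 39 20 77 5F 33 33 37 38 36 6C 5F 20 23 30 32 20 9 w_33786l_ #02
0080: 31 30 34 39 38 38 38 32 39 31 0D 0A             1049888291..
"""

# Sample 2: the NAMES reply from the second dump, transcribed from its ASCII
# column and truncated after the first 20 nicks (constructed sample input).
IRC_SAMPLE_2 = (
    ":w_33786l_!M024751X@A858BB65C5E4BA1580B11DFCBBD63Dx JOIN :#02\r\n"
    ":irc.ChaoS.Net 353 w_33786l_ @ #02 :w_33786l_ q_68131z_ l_59255d_ "
    "q_55223x_ i_77245z_ a_24219j_ y_59924k_ q_64897d_ x_76144y_ "
    "d_29071j_[scan] i_84436e_[scan] j_55042z_ m_19199b_ m_83556c_ "
    "a_93064m_ c_85231x_ h_54458f_ i_45079x_ @L n_82740k_\r\n"
    ":irc.ChaoS.Net 366 w_33786l_ #02 :End of /NAMES list.\r\n"
).encode("latin-1")

HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# Heuristic drone-nick pattern observed in the dump: x_NNNNNx_ plus optional [scan].
DRONE_NICK = re.compile(r"^[a-z]_\d{5}[a-z]_(\[scan\])?$")

Segment = namedtuple("Segment", "src_ip dst_ip sport dport payload")
IrcMsg = namedtuple("IrcMsg", "prefix command params trailing")


def parse_hexdump(dump: str) -> bytes:
    """Turn dump lines into frame bytes; stop at the first non-hex token
    (the ASCII column) and never take more than 16 bytes per line."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tcp_payload(frame: bytes) -> Segment:
    """Strip Ethernet II + IPv4 + TCP headers and return ports and payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet/IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst_ip = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    tcp = ip + ihl
    sport = int.from_bytes(frame[tcp:tcp + 2], "big")
    dport = int.from_bytes(frame[tcp + 2:tcp + 4], "big")
    doff = (frame[tcp + 12] >> 4) * 4
    end = ip + total_len  # IP total length bounds the payload (drops any padding)
    return Segment(src_ip, dst_ip, sport, dport, frame[tcp + doff:end])


def parse_irc(payload: bytes):
    """Split a TCP payload into IRC messages: [:prefix] COMMAND params [:trailing]."""
    msgs = []
    for raw in payload.decode("latin-1").split("\r\n"):
        if not raw.strip():
            continue
        prefix = None
        if raw.startswith(":"):
            prefix, _, raw = raw[1:].partition(" ")
        head, sep, tail = raw.partition(" :")
        tokens = head.split()
        if not tokens:
            continue
        msgs.append(IrcMsg(prefix, tokens[0], tokens[1:], tail if sep else None))
    return msgs


def names_from_353(msgs):
    """Collect every nick from RPL_NAMREPLY (353) lines, keeping @/+ prefixes."""
    nicks = []
    for m in msgs:
        if m.command == "353" and m.trailing:
            nicks.extend(m.trailing.split())
    return nicks


def summarize(nicks):
    """Separate ops, drone-pattern nicks and [scan]-flagged drones."""
    ops = [n[1:] for n in nicks if n.startswith("@")]
    plain = [n.lstrip("@+") for n in nicks]
    drones = [n for n in plain if DRONE_NICK.match(n)]
    return {
        "total": len(plain),
        "drones": len(drones),
        "scanning": sum(1 for n in drones if n.endswith("[scan]")),
        "ops": ops,
        "others": [n for n in plain if not DRONE_NICK.match(n)],
    }


if __name__ == "__main__":
    seg = tcp_payload(parse_hexdump(PACKET_DUMP_1))
    print(f"{seg.src_ip}:{seg.sport} -> {seg.dst_ip}:{seg.dport}")
    for m in parse_irc(seg.payload):
        print(m.command, m.params, m.trailing)
    print(summarize(names_from_353(parse_irc(IRC_SAMPLE_2))))
```

Decoding the first frame shows the server side of the session is TCP port 2787, matching the connection noticed in the post, and that the channel is "#02" with modes +smtn (secret, moderated, no outside messages, topic locked by ops). In the NAMES reply the only entry that does not follow the drone pattern is "@L", an operator, which is where a practitioner would look for the controller rather than among the numbered nicks.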
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 20 2003 - 07:44:53 PST