In the process of scanning PIX logs for possible open proxies on campus (after one hacked WinGate discovery some weeks ago) I ran across several hosts that were sending mail to "several" different sites, apparently direct-to-MX, bypassing our site mail servers. They weren't sending "a lot" of mail (relatively speaking), but enough of it and directed at too many destinations to be using an outside account for regular mail. Summarizing by source, then destination, and sorting by source volume started turning up the same outside combinations for different source addresses. Especially strange was an almost "signature" destination address of 25.0.0.0:25. The common elements to almost every case were, for example (source:destination): > 10.4.8.145:194.133.125.101 9 items 0 bytes av2.ornis.com > 10.4.8.145:194.179.41.3 2 items 566 bytes recibir.arquired.es > 10.4.8.145:206.46.170.11 9 items 280091 bytes smtp.gte.net > 10.4.8.145:206.46.170.7 4 items 155455 bytes smtp.gte.net > 10.4.8.145:25.0.0.0 38 items 0 bytes A lucky Google search on the domains turned up a news article: http://groups.google.com/groups?q=ornis.com+arquired.es+25.0.0.0 The thread eventually wrote it off to Klez, but it wasn't really. It did however reveal a trojan executable WINKER.EXE. Searching around for this I found two hits at Symantec: Backdor.SilentSpy: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silentspy.html or Backdoor.Mirab: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.mirab.html These are apparent matches, but mention a backdoor port left open, and I could not find the ports open on the machines I scanned (have not yet had the opportunity for hands-on forensics). The scary part is that this is a keylogger, and can periodically e-mail the logs to various addresses. And using the '25.0.0.0:25' signature, I have found traces in my oldest online logs (Nov 2002). At any rate, I would be interested in any further information anyone might have on this particular beast. And some of you might want to add an alert to any SMTP traffic destined to 25.0.0.0 Jeff ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Apr 19 2003 - 21:51:44 PDT