Re: MSBlast and other known exploits..

From: John Ives (jivesat_private)
Date: Wed Aug 13 2003 - 08:27:37 PDT


    The khat2 download has a binary infector, source code and a file called 
    macto.txt.  The macro file has some information for downloading Hacker 
    Defender (hxdef), a user-level rootkit that, if installed as part of the 
    exploit, could run at startup and do a very good job of hiding itself.  The 
    best way to learn about hxdef is to download the zip file at 
    http://rootkit.host.sk.  What you're describing doesn't sound like hxdef, 
    unless something went wrong in the execution, but rather like a stability 
    problem that comes along when the RPC service crashes but the system hasn't 
    been restarted.  Unfortunately the best way to discover hxdef on a system 
    is with an off-line analysis.
    
    I've used FIRE to mount the disk of a rootkited Windows box and then 
    compared the files with what it said were there when it was on-line.  You 
    just have to be careful to keep in mind normal hidden files.  In my case 
    there were a group of files starting with MsMgr that didn't appear 
    elsewhere.  This is of course the very short version of what I went 
    through to find it.
    
    John
    
    
    At 07:44 AM 8/13/2003 -0500, you wrote:
    >I've got reports of msblast infection that I've checked, and they indeed do
    >have msblast. Also, these systems all have what appears to be a corrupted
    >control panel applet. The normal control panel shows up in a left-hand frame
    >and the contents of Add/Remove Programs is missing. Also, various popup
    >windows simply will not open.  I've read that there was a known rootkit
    >that utilized the same DCOM exploit called khat2 (spelling), but I'm not
    >having much luck in locating the symptoms of systems that have been rooted
    >in this manner. Any information would be appreciated. I will be recommending
    >that these systems be blown away and reinstalled from clean media; I'm just
    >looking for some info to verify what's eaten away at these things.
    >
    >Thank you.
    >
    >--
    >
    >Micheal Patterson
    >Network Administration
    >Cancer Care Network
    >405-733-2230
    >
    >
    >
    
    -------------------------------------------------
    John Ives, GCWN, GSEC
    Systems Administrator
    College of Chemistry
    (510) 643-1033
    
    "If you spend more on coffee than on IT security, then you will be hacked. 
    What's more, you deserve to be hacked."   - Richard Clarke
    
    Any opinions expressed are my own and not those of the Regents of the 
    University of California. 
    
    
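    The offline comparison John describes, as an added example that is not part of the original thread (and not FIRE or hxdef code): a script that diffs a file listing taken on the live, possibly rootkited system against one taken from the disk mounted offline, reporting what only the offline view shows. The NORMAL_HIDDEN allowlist, the two listings and the MsMgr file names are constructed placeholders.

```python
"""Cross-view file listing diff for an offline rootkit check.
Added example, not code from the original thread, FIRE or hxdef.
A user-level rootkit hooks the APIs that produce the live listing;
a listing taken from the disk mounted offline bypasses those hooks,
so anything only the offline view shows deserves a look."""
from collections import Counter
from fnmatch import fnmatch

# Files a plain listing of a healthy Windows system may omit; constructed
# allowlist so they are not mistaken for rootkit-hidden files.
NORMAL_HIDDEN = [
    r"c:\pagefile.sys",
    r"c:\hiberfil.sys",
    r"c:\boot.ini",
    r"c:\system volume information\*",
]

def normalize(path):
    # Windows paths are case-insensitive; compare in one case, one separator.
    return path.strip().lower().replace("/", "\\")

def is_normally_hidden(path):
    return any(fnmatch(path, pat) for pat in NORMAL_HIDDEN)

def hidden_from_live_view(offline_listing, online_listing):
    """Paths present on the mounted disk but absent from the live listing,
    minus files Windows normally hides, sorted for stable reporting."""
    offline = {normalize(p) for p in offline_listing}
    online = {normalize(p) for p in online_listing}
    return sorted(p for p in offline - online if not is_normally_hidden(p))

def suspicious_prefixes(paths, min_count=2, prefix_len=5):
    """Group hidden files by the start of their base name so that a family
    like MsMgr* stands out from one-off differences between the two views."""
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    counts = Counter(n[:prefix_len] for n in names)
    return {pre: n for pre, n in counts.items() if n >= min_count}

# Constructed stand-ins for "dir /s" output taken online and offline.
ONLINE = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\rpcss.dll",
]
OFFLINE = ONLINE + [
    r"C:\pagefile.sys",                 # normally hidden, not reported
    r"C:\WINDOWS\system32\MsMgr.exe",   # placeholder hidden files
    r"C:\WINDOWS\system32\MsMgr.ini",
    r"C:\WINDOWS\system32\MsMgrdrv.sys",
]
```

Run `hidden_from_live_view(OFFLINE, ONLINE)` and feed the result to `suspicious_prefixes` to get the list of files the live system could not see and the name families among them.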
    



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:31:42 PDT