IERK Survey
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/30/03
- Previous message: Chip Andrews: "Re: Slammer Worm and SQL Server Network Protocols"
- Next in thread: Matt Scarborough: "Re: IERK Survey"
- Reply: Matt Scarborough: "Re: IERK Survey"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Jan 2003 15:15:04 -0500 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Folks,
Here's an off-the-cuff premise that I'd like you to consider, and help
me prove or disprove.
There have been a few posts (10 or so) from people who say they've found
IERK on their SQL boxes after dealing with Slammer. What if IERK were
placed on SQL boxes first, then, in order to get the driver installed
they launched Slammer to force people to reboot their boxes. By not
including anything in Slammer which dropped to the box, people wouldn't
be doing much to check the contents of the box after rebooting. If they
successfully placed IERK beforehand, it's more likely they'd get it up
and running undetected.
Would you please check your boxes as per this information:
a) The IERK driver can be seen (without entering safe mode) by looking
at system information and then choosing Software environment and then
Drivers IERK will be listed. This situation only exists if the machine
has been rebooted.
and/or
b) Try to look at Services. If you have IPSEC Helper Services there
running, you have the Trojan.
and/or
c) Look for %systemroot%\system32\ipsechlp.dll
and/or
d) Run NETSTAT -AN and see if you are listening on port 449.
Please, do me a favor, be brief in your response. Just tell me the
following information:
1. What OS/SP
2. What Server application is on it (SQL/IIS/Exchange) if any (if none,
say whether it's a Workstation or Server)
3. How you discovered it (which of the above methods worked, a, b, c,
and/or d)
4. Whether you were listening on 449 *and* you found it using method a,
b, and/or c. This thing may not consistently listen on the same port.
Reply to this message with your information.
Cheers,
Russ - NTBugtraq Editor
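The four checks Russ lists (a-d), scripted as an added example that is not part of the original post or of NTBugtraq. The indicator values (driver "IERK", service "IPSEC Helper Services", %systemroot%\system32\ipsechlp.dll, port 449) are the ones the post gives; matching driver and service entries on the substrings "IERK" and "ipsechlp" is my assumption, and the summary fields mirror the four items Russ asks respondents to report.

```powershell
# Added example, not from the original post. Runs checks (a)-(d) on the local
# host and prints the OS/SP, machine role and which checks fired.
$findings = @()

# (a) System Information -> Software Environment -> Drivers is backed by the
#     Win32_SystemDriver class. Per the post, IERK shows here only after a reboot.
#     Matching on the "IERK"/"ipsechlp" substrings is an assumption.
$drv = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like '*IERK*' -or $_.PathName -like '*ipsechlp*' }
if ($drv) { $findings += 'a) driver: ' + ($drv.Name -join ', ') }

# (b) Services: look for the "IPSEC Helper Services" display name the post names,
#     or any service whose binary path references ipsechlp (assumption).
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*IPSEC Helper*' -or $_.PathName -like '*ipsechlp*' }
if ($svc) { $findings += 'b) service: ' + ($svc.Name -join ', ') }

# (c) The DLL path given in the post.
$dll = Join-Path $env:SystemRoot 'system32\ipsechlp.dll'
if (Test-Path $dll) { $findings += "c) file: $dll" }

# (d) Listener on port 449. Use Get-NetTCPConnection where it exists, otherwise
#     parse NETSTAT -AN as the post suggests. The post notes the port may vary,
#     so a clean result here does not rule the driver out.
$listen449 = $null
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listen449 = Get-NetTCPConnection -State Listen -LocalPort 449 -ErrorAction SilentlyContinue
} else {
    $listen449 = netstat -an | Select-String -Pattern ':449\s+\S+\s+LISTENING'
}
if ($listen449) { $findings += 'd) TCP 449 listening' }

# Report in the shape Russ asks for: OS/SP, workstation vs server, which checks hit.
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    OS       = "$($os.Caption) $($os.CSDVersion)".Trim()
    Role     = if ($os.ProductType -eq 1) { 'Workstation' } else { 'Server' }
    Findings = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

Item 4 in the post (found by a/b/c but not listening on 449) is answered by comparing the "d)" entry against the others in Findings.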
Delivery co-sponsored by TruSecure Corporation