Re: Help - a possible bot

From: Ryan Yagatich (ryany@pantek.com)
Date: 11/26/02

  • Next message: Aaron Lewis: "RE: wu-ftpd attack ???" 
    Date: Tue, 26 Nov 2002 09:52:36 -0500 (EST)
From: Ryan Yagatich <ryany@pantek.com>
To: Moshe Aelion <ma0934@hotmail.com>

    Hi,
            You are seeing standard internet traffic originating from your
    LAN/system. In fact, a couple years ago I remember seeing posts similar to
    this which talked about the same concept... I don't remember what list it
    was on, nor when it occured, but i do remember that it talked about WINS.

    Basically, the flow looks like this:

    1) network online
    2) user types in www.pantek.com in their browser.
    3) DNS responds with pantek.com as 64.208.104.215
    4) windows system reverse maps address via NetBIOS/WINS/DNS
            - here is where you are seeing the traffic
    5) windows system connects to 64.208.104.215
    6) browser displays the happy page

    you mentioned that its only on hosts that do not resolve. This is because
    there was no reverse mapping for the targetted address via DNS and thus,
    the workstation attempted to use alternate methods to resolve the host.

    >Is this behavior similar to any known bot infection?
    well, a couple more years ago (cant remember when/where/what list) i also
    remember seeing a post about a particular .vbs worm that was working
    around doing things like this, that worm however, was not very popular and
    didn't really get very far.

    Of course, i could be completely wrong, but I could be right. To verify
    any of this as being accurate or incorrect, download ethereal
    (www.ethereal.org) and install it on your system in full capture mode.
    Then do the following:

    1) disconnect from the internet
            - so we can get a 'clean slate'
    2) start the capture
            - you should only see leftover connection
              attempts from previous connection, and
              some netbios broadcasts.
    3) connect to the internet
    4) do nothing for a little while to see if any traffic occurs
            - you shouldn't really see anything here
              unless you have things that connect to
              get system updates (like windowsupdate
              etc.)
    5) browse the web
    6) disconnect from the internet
    7) wait a few minutes
            - this will make everything cease except
              for the occasional broadcast.
    8) stop the capture

    with the contents of the capture you should see that all port 137
    connection attempts come immediately after an init. sequence of either a
    web browser or other update software. If however, it is a bot or some
    trojan, you should see far more traffic than that of what you are
    generating, and in this case, clear your zone alarm settings and watch
    which application is trying to make the requests.

    Thanks,
    Ryan Yagatich <support@pantek.com>
            Pantek, Incorporated
     (877) LINUX-FIX - (440) 519-1802
      http://www.pantek.com/library/
    ===================================
    E4 8B F0 68 9E 4F 34 9D 23 7D 62 1C
    EA AD 45 E3 C3 13 A9 9D BB 8B A1 6F
    ===================================
     A formal parsing algorithm should
     not always be used. -- D. Gries

    On Fri, 22 Nov 2002, Moshe Aelion wrote:

    >HC
    >
    >Referring to parts of your message:
    >
    >>"However, the fact that your system is responding would be indicative of
    >something else, possibly w/ your ZA installation".
    >What do you mean by that, and how can I confirm/disprove it?
    >
    >>Also, since your logs don't show an ICMP port unreachable response (your
    >system sent out a UDP datagram), that would indicate that, in fact, >the
    >source IPs are NOT spoofed.
    >The source addresses are completely random, and they turn up absolutely
    >nothing in a reverse resolution and WHOIS queries. In fact, this is
    >happening only with the source IP addresses of the probes to which the PC is
    >trying to respond; the other probes, ignored by the PC, have a resolved host
    >name (you can see it in the ZA log attached). I think this is very
    >suspicious - in fact, it's a pretty unique and discernible behavior - is
    >anyone familiar with a bot/Trojan behaving this way?
    >
    >>Is there anything besides the traffic you posted that would lead you to
    >believe that you had something installed on your system?
    >Like I mentioned above: 1. The immediate response attempt to the probe; and
    >2. The fact that when the Internet is on-line, the explorer and svchost
    >processes are constantly active, with I/O of 25-30 kbps. This ceases when I
    >go off-line.
    >
    >Is this behavior similar to any known bot infection?
    >
    >Thanks in advance
    >
    >Moshe
    >
    >
    >---------------------------------- Original
    >Message ----- ----------------------------------------
    >From: H C
    >To: incidents@securityfocus.com
    >Sent: Saturday, November 16, 2002 3:10 PM
    >Subject: re: Help - a possible bot
    >
    >
    >> The problem is, I am detecting a suspicious
    >hit/respond
    >> activity, which, in my opinion, points to an active
    >> bot.
    >
    >No offense, dude, but you're freaking out over
    >nothing. Based on the information you provided, there
    >IS no bot (remember "The Matrix"? "There is no
    >spoon").
    >
    >> Here's the evidence: when inspecting ZA logs, you
    >can
    >> see a blocked scan (coming every couple of minutes,
    >> from arbitrary addresses
    >
    >The "scans" you're referring to look like NetBIOS name
    >scans...queries to UDP port 137. On normal MS
    >networks, these "scans" would originate from UDP port
    >137, as well. So...they MAY be scans of some kind.
    >However, the fact that your system is responding would
    >be indicative of something else, possibly w/ your ZA
    >installation.
    >
    >> - I bet they're spoofed
    >
    >Well, that's not "evidence", now, is it? Also, since
    >your logs don't show an ICMP port unreachable response
    >(your system sent out a UDP datagram), that would
    >indicate that, in fact, the source IPs are NOT
    >spoofed.
    >
    >Also, there's nothing in the netstat and fport outputs
    >that you sent that seem to indicate that you have any
    >sort of bot or trojan at all. Is there anything
    >besides the traffic you posted that would lead you to
    >believe that you had something installed on your
    >system?
    >
    >HTH
    >
    >
    >
    >
    >
    >
    >__________________________________________________
    >Do you Yahoo!?
    >Yahoo! Web Hosting - Let the expert host your site
    >http://webhosting.yahoo.com
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    >

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    • Quantcast