new ddos client?

From: Andy Shelley (andy@cbeyond.net)
Date: 03/07/03

  • Next message: Alex Lambert: "Re: new ddos client?"
    Date: Fri, 7 Mar 2003 17:51:30 -0500
    From: Andy Shelley <andy@cbeyond.net>
    To: incidents@securityfocus.com
    
    

    File listing at the end... you'll see that it includes files common to
    other mIRC based trojans. More unique to this one is the inclusion of
    a blowfish library and some ActiveX controls. Perhaps my Google skills
    are not so finely honed, but I couldn't find any previous mention of
    this particular zombie. If someone has pointers to some in-depth
    analysis already performed on this package, I'd be interested.

    Snort actually spotted the initial login of the trojan. The packet
    payload included:
      length = 118

    000 : 4E 49 43 4B 20 5B 70 41 5D 2D 38 33 34 31 38 0A NICK [pA]-83418.
    010 : 55 53 45 52 20 50 65 61 5E 52 68 61 6D 61 6E 5E USER Pea^Rhaman^
    020 : 20 22 6E 61 74 30 31 2E 64 68 63 70 2D 31 32 30 "nat01.dhcp-120
    030 : 2E 63 6F 72 65 2D 32 2E 6F 63 34 38 2E 5B 70 41 .core-2.oc48.[pA
    040 : 5D 2D 32 32 31 36 33 2E 67 6F 76 22 20 22 6D 79 ]-22163.gov" "my
    050 : 67 69 72 6C 67 6F 74 2E 6E 61 69 6C 65 64 2E 6F girlgot.nailed.o
    060 : 72 67 22 20 3A 50 61 6E 69 63 20 41 74 74 61 63 rg" :Panic Attac
    070 : 6B 20 32 2E 30 0A k 2.0.

    For email clients that won't format that nicely, the text is:
    NICK [pA]-83418.
    USER Pea^Rhaman^
    "nat01.dhcp-120.core-2.oc48.[pA]-22163.gov" "mygirlgot.nailed.org"
    :Panic Attack 2.0.

    While I've made some attempt to delve into the purpose of some of the
    components, I don't have the time to study it in detail. I present it
    here for the group.

    I've found the following files. All were found in the \winnt\fonts
    directory on a Win2k machine. Some of these files are common among
    other IRC kits.

    The OCX files are ActiveX files for various functions.
    DNS.oca
    DNS.ocx
    msccctl32.ocx
    MSWINSCK.OCX
    WhoIs.ocx
    WINSCK.OCX

    blowfish.dll - public domain blowfish encryption library
    bootdrv.dll - non-malicious mIRC library that returns machine
    information
    boywonder.dat - non-malicious text file
    d2colour.exe - utility to hide windows
    msfnt32i.exe - packet generator, used to generate the actual attack
    wget.exe - utility used to retrieve files via HTTP or FTP
    explorer.exe - modified version of the mIRC client.
    Libparse.exe - utility that shows running processes and allows killing
    of processes
    psexec.exe - utility that allows remote command execution
    STDE9.exe - remote installer
    svchost32.exe - another window hiding utility
    mcon.dll - configuration file
    moo.dll - library for mIRC that reports various machine statistics
    MSWINSCK.DEP - dependency file for setup wizard
    navdb.dbx - a list of names/words that the scripts use as IRC nicknames
    sysmal.ini - mostly empty config file, probably just needs to exist

    I have the above files in a tar.gz archive if previous examples are not
    available.

    --
    Andy Shelley
    Cbeyond Communications
    andy@cbeyond.net
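As an added example (this is not part of Andy's post nor code from the kit he describes): a small Python parser that rebuilds the payload bytes from a Snort-style hex dump, pulls the IRC NICK/USER registration out of it, and checks it against indicators taken from this one capture. The dump and payload below are transcribed from the post; the indicators (a nick of the form `[pA]-<digits>` and the realname `Panic Attack 2.0`) are assumptions drawn from a single sample, not a vetted signature.

```python
import re

# Transcribed from the Snort capture quoted in the post (118 bytes).
SNORT_DUMP = """\
000 : 4E 49 43 4B 20 5B 70 41 5D 2D 38 33 34 31 38 0A NICK [pA]-83418.
010 : 55 53 45 52 20 50 65 61 5E 52 68 61 6D 61 6E 5E USER Pea^Rhaman^
020 : 20 22 6E 61 74 30 31 2E 64 68 63 70 2D 31 32 30  "nat01.dhcp-120
030 : 2E 63 6F 72 65 2D 32 2E 6F 63 34 38 2E 5B 70 41 .core-2.oc48.[pA
040 : 5D 2D 32 32 31 36 33 2E 67 6F 76 22 20 22 6D 79 ]-22163.gov" "my
050 : 67 69 72 6C 67 6F 74 2E 6E 61 69 6C 65 64 2E 6F girlgot.nailed.o
060 : 72 67 22 20 3A 50 61 6E 69 63 20 41 74 74 61 63 rg" :Panic Attac
070 : 6B 20 32 2E 30 0A k 2.0.
"""

# The same payload written out as bytes, for comparison with the dump parser.
SAMPLE_PAYLOAD = (
    b"NICK [pA]-83418\n"
    b'USER Pea^Rhaman^ "nat01.dhcp-120.core-2.oc48.[pA]-22163.gov" '
    b'"mygirlgot.nailed.org" :Panic Attack 2.0\n'
)

# A constructed, ordinary client registration used as a negative control.
BENIGN_PAYLOAD = b"NICK alice\nUSER alice 0 * :Alice Example\n"

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def snort_dump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from an 'OFF : XX XX ... ascii' style dump.

    Each line carries at most 16 hex bytes followed by an ASCII column.
    We stop at the 16th byte or the first non-hex token. Caveat: on a
    short final line an ASCII column that happens to begin with a
    two-hex-digit word would be misread as a byte.
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _, rest = line.split(" : ", 1)
        count = 0
        for tok in rest.split():
            if count == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            count += 1
    return bytes(out)


def parse_irc_line(line: str):
    """Split one IRC protocol line into (command, params).

    An optional ':prefix' is dropped; a parameter introduced by ' :'
    (the 'trailing' parameter) runs to the end of the line.
    """
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        line = line.split(" ", 1)[1] if " " in line else ""
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    if not parts:
        return None, []
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return parts[0].upper(), params


def parse_irc_registration(payload: bytes) -> dict:
    """Extract the NICK and USER fields a client sends when it logs in."""
    reg = {}
    for raw in payload.split(b"\n"):
        cmd, params = parse_irc_line(raw.decode("latin-1"))
        if cmd == "NICK" and params:
            reg["nick"] = params[0]
        elif cmd == "USER" and len(params) >= 4:
            # RFC 1459: USER <username> <hostname> <servername> :<realname>
            # mIRC wraps hostname and servername in double quotes; strip them.
            reg["username"] = params[0]
            reg["hostname"] = params[1].strip('"')
            reg["servername"] = params[2].strip('"')
            reg["realname"] = params[3]
    return reg


# Assumed indicators, derived from the single capture above only.
NICK_PATTERN = re.compile(r"^\[pA\]-\d+$")
REALNAME_MARKER = "Panic Attack"


def match_indicators(reg: dict) -> list:
    """Return human-readable hits for the registration fields."""
    hits = []
    if NICK_PATTERN.match(reg.get("nick", "")):
        hits.append("nick matches [pA]-<digits>")
    if REALNAME_MARKER in reg.get("realname", ""):
        hits.append("realname contains 'Panic Attack'")
    return hits


if __name__ == "__main__":
    payload = snort_dump_to_bytes(SNORT_DUMP)
    reg = parse_irc_registration(payload)
    print(reg)
    print(match_indicators(reg))
```

Reassembling the dump and parsing the registration separately makes it easy to confirm the capture is what the text claims (the rebuilt bytes are exactly 118 long and equal the transcribed payload) before any indicator is written against it; both indicators here come from one sample and would need corroboration before use as a production rule.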