Nimda.E/unknown memory resident, internet-aware processes

From: Matt Hornsby (mr.hornsby@attbi.com)
Date: 03/20/03

  • Next message: Johannes Ullrich: "Re: Nimda.E/unknown memory resident, internet-aware processes"
    Date: 20 Mar 2003 06:10:54 -0000
    From: Matt Hornsby <mr.hornsby@attbi.com>
    To: incidents@securityfocus.com
    
    

    Hopefully someone else out there has run across something similar to
    this. After searching the internet for more than a week and finding
    nothing, I am posting to this list in the event that this has been
    discovered before.

    Recently, a client's NT 4.0 server was infected with what appeared to be
    Nimda.E. Their ISP completely shut off their broadband connection after
    detecting large amounts of Nimda related traffic scanning for vulnerable
    systems.

    The first thing I noticed when I arrived on the scene was what appeared to
    be a complete system compromise. Multiple backdoors and remote
    administration packages were installed. Dameware, psyBNC, several
    backdoor daemons, an FTP server and several other exploits were present.
    Upon running a Nimda.E cleanup utility and discovering the extent of the
    compromise (this system had more holes than swiss cheese), I looked at the
    network traffic and saw several suspect connections. One was to an ICQ
    server, one was to something on port 6667 (presumably an IRC server), and
    one other connection to port 2787.

    Finally, I noticed a box reading "MIRC Windows NT Security" popping up for
    a fraction of a second every minute or so. Unfortunately it was not long
    enough for me to catch what process was spawning it.

    Curious as to what was being communicated, I fired up a packet sniffer and
    discovered that the connection to port 2787 was actually to a private IRC
    server on a non-standard port. This machine was being used as a drone
    along with about 500 other compromised systems on just that one IRC server.

    Later on, I managed to find and log into the IRC server and caught the
    attention of a few people who claimed to be administrators of the IRC
    server and authors of the code responsible for this compromise.

    They claimed to be Russian coders who have been working on a program they
    called "sysnet.exe" for 1.5 to 2 years. According to them, the program is
    a swiss army knife of backdoors and exploits, all automatically installed
    through IIS vulnerabilities. I was not able to find sysnet.exe anywhere
    on the affected system or in its registry.

    Shortly after the conversation, the IRC server was shut down.
    Interestingly enough, when I turned the affected system back on, it was
    now connecting to another system, yandex.ru on the same port (2787). Also
    of note were connections to a remote system on ports 59230 and 19736.

    All other attempts to determine the source of these connections have
    failed. FPORT would not display ANY connections, even legitimate ones.
    What little I have found on the subject seems to suggest that any time
    that FPort doesn't return any information is cause for great concern.

    Unfortunately, since it was a production machine that belonged to a
    client, I was unable to study it further before doing a clean OS install.
    All attempts to discover the root of the infection came up dry. The best
    I can surmise is that it was infected with Nimda.E, and then this exploit
    was used to install the rootkit and further compromise the system. The
    system logs showed nothing except failed attempts at calls to cmd.exe.

    Anyhow, this is the first time I have posted here, so if I have posted to
    the wrong place or overlooked some other rule of etiquette I apologize in
    advance. I leave you with some snippets of network traffic that I was
    able to capture:

    Packet data:
    0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
    0010: 00 7E 9E 4F 40 00 31 06 71 2D 3F F1 B3 46 40 51 ...O@.1.q-?..F@Q
    0020: 06 75 0A E3 04 9B 0D 6A 82 1B 00 02 1B D7 50 18 .u.....j......P.
    0030: 0B 68 5F F5 00 00 3A 69 72 63 2E 43 68 61 6F 53 .h_...:irc.ChaoS
    0040: 2E 4E 65 74 20 33 32 34 20 77 5F 33 33 37 38 36 .Net 324 w_33786
    0050: 6C 5F 20 23 30 32 20 2B 73 6D 74 6E 20 0D 0A 3A l_ #02 +smtn ..:
    0060: 69 72 63 2E 43 68 61 6F 53 2E 4E 65 74 20 33 32 irc.ChaoS.Net 32
    0070: 39 20 77 5F 33 33 37 38 36 6C 5F 20 23 30 32 20 9 w_33786l_ #02
    0080: 31 30 34 39 38 38 38 32 39 31 0D 0A 1049888291..

    this one shows some of the many systems logged in:

    Packet data:
    0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
    0010: 05 91 9C FA 40 00 31 06 6D 6F 3F F1 B3 46 40 51 ....@.1.mo?..F@Q
    0020: 06 75 0A E3 04 9B 0D 6A 7C B2 00 02 1B CE 50 18 .u.....j|.....P.
    0030: 0B 68 67 30 00 00 3A 77 5F 33 33 37 38 36 6C 5F .hg0..:w_33786l_
    0040: 21 4D 30 32 34 37 35 31 58 40 41 38 35 38 42 42 !M024751X@A858BB
    0050: 36 35 43 35 45 34 42 41 31 35 38 30 42 31 31 44 65C5E4BA1580B11D
    0060: 46 43 42 42 44 36 33 44 78 20 4A 4F 49 4E 20 3A FCBBD63Dx JOIN :
    0070: 23 30 32 0D 0A 3A 69 72 63 2E 43 68 61 6F 53 2E #02..:irc.ChaoS.
    0080: 4E 65 74 20 33 35 33 20 77 5F 33 33 37 38 36 6C Net 353 w_33786l
    0090: 5F 20 40 20 23 30 32 20 3A 77 5F 33 33 37 38 36 _ @ #02 :w_33786
    00A0: 6C 5F 20 71 5F 36 38 31 33 31 7A 5F 20 6C 5F 35 l_ q_68131z_ l_5
    00B0: 39 32 35 35 64 5F 20 71 5F 35 35 32 32 33 78 5F 9255d_ q_55223x_
    00C0: 20 69 5F 37 37 32 34 35 7A 5F 20 61 5F 32 34 32 i_77245z_ a_242
    00D0: 31 39 6A 5F 20 79 5F 35 39 39 32 34 6B 5F 20 71 19j_ y_59924k_ q
    00E0: 5F 36 34 38 39 37 64 5F 20 78 5F 37 36 31 34 34 _64897d_ x_76144
    00F0: 79 5F 20 64 5F 32 39 30 37 31 6A 5F 5B 73 63 61 y_ d_29071j_[sca
    0100: 6E 5D 20 69 5F 38 34 34 33 36 65 5F 5B 73 63 61 n] i_84436e_[sca
    0110: 6E 5D 20 6A 5F 35 35 30 34 32 7A 5F 20 6D 5F 31 n] j_55042z_ m_1
    0120: 39 31 39 39 62 5F 20 6D 5F 38 33 35 35 36 63 5F 9199b_ m_83556c_
    0130: 20 61 5F 39 33 30 36 34 6D 5F 20 63 5F 38 35 32 a_93064m_ c_852
    0140: 33 31 78 5F 20 68 5F 35 34 34 35 38 66 5F 20 69 31x_ h_54458f_ i
    0150: 5F 34 35 30 37 39 78 5F 20 40 4C 20 6E 5F 38 32 _45079x_ @L n_82
    0160: 37 34 30 6B 5F 20 6D 5F 35 38 31 34 30 68 5F 20 740k_ m_58140h_
    0170: 63 5F 34 35 30 39 33 76 5F 20 67 5F 37 34 39 35 c_45093v_ g_7495
    0180: 34 6D 5F 20 62 5F 37 35 38 32 30 69 5F 20 72 5F 4m_ b_75820i_ r_
    0190: 32 30 35 31 35 66 5F 20 76 5F 37 31 39 36 39 6C 20515f_ v_71969l
    01A0: 5F 20 6E 5F 31 36 37 30 31 61 5F 20 67 5F 31 37 _ n_16701a_ g_17
    01B0: 37 39 37 74 5F 20 63 5F 35 34 33 31 36 6D 5F 20 797t_ c_54316m_
    01C0: 63 5F 34 35 37 36 37 65 5F 20 6C 5F 37 35 39 38 c_45767e_ l_7598
    01D0: 32 71 5F 20 74 5F 37 37 30 33 37 6F 5F 20 6A 5F 2q_ t_77037o_ j_
    01E0: 32 37 32 30 31 75 5F 20 69 5F 34 33 36 32 33 62 27201u_ i_43623b
    01F0: 5F 5B 73 63 61 6E 5D 20 73 5F 36 30 31 36 38 69 _[scan] s_60168i
    0200: 5F 20 76 5F 34 33 34 38 39 70 5F 20 68 5F 33 30 _ v_43489p_ h_30
    0210: 37 39 37 6B 5F 20 6E 5F 32 35 30 33 32 71 5F 20 797k_ n_25032q_
    0220: 6A 5F 35 34 35 38 32 63 5F 20 75 5F 32 32 36 34 j_54582c_ u_2264
    0230: 30 73 5F 20 77 5F 34 31 38 36 38 6E 5F 20 79 5F 0s_ w_41868n_ y_
    0240: 35 33 35 31 30 6C 5F 20 0D 0A 3A 69 72 63 2E 43 53510l_ ..:irc.C
    0250: 68 61 6F 53 2E 4E 65 74 20 33 35 33 20 77 5F 33 haoS.Net 353 w_3
    0260: 33 37 38 36 6C 5F 20 40 20 23 30 32 20 3A 6D 5F 3786l_ @ #02 :m_
    0270: 31 31 34 32 37 79 5F 20 70 5F 39 34 30 33 30 70 11427y_ p_94030p
    0280: 5F 20 68 5F 39 32 38 37 38 65 5F 20 75 5F 31 36 _ h_92878e_ u_16
    0290: 31 35 31 70 5F 20 78 5F 35 34 30 34 35 6F 5F 20 151p_ x_54045o_
    02A0: 72 5F 39 33 30 34 37 6E 5F 20 65 5F 32 37 39 39 r_93047n_ e_2799
    02B0: 33 79 5F 5B 73 63 61 6E 5D 20 67 5F 37 31 33 39 3y_[scan] g_7139
    02C0: 37 6A 5F 5B 73 63 61 6E 5D 20 6F 5F 37 38 34 39 7j_[scan] o_7849
    02D0: 31 6E 5F 20 73 5F 39 37 34 36 36 70 5F 20 6A 5F 1n_ s_97466p_ j_
    02E0: 32 30 31 34 36 79 5F 20 69 5F 39 39 37 34 36 6C 20146y_ i_99746l
    02F0: 5F 5B 73 63 61 6E 5D 20 64 5F 32 36 33 36 35 67 _[scan] d_26365g
    0300: 5F 5B 73 63 61 6E 5D 20 76 5F 32 39 37 30 36 6F _[scan] v_29706o
    0310: 5F 20 70 5F 31 34 30 35 31 69 5F 20 72 5F 33 35 _ p_14051i_ r_35
    0320: 32 37 39 6F 5F 20 6E 5F 34 30 31 35 39 72 5F 20 279o_ n_40159r_
    0330: 64 5F 33 38 32 34 31 68 5F 5B 73 63 61 6E 5D 20 d_38241h_[scan]
    0340: 66 5F 35 33 31 34 39 70 5F 20 73 5F 37 37 36 36 f_53149p_ s_7766
    0350: 38 6B 5F 20 79 5F 31 35 33 31 37 68 5F 20 6C 5F 8k_ y_15317h_ l_
    0360: 33 38 33 38 38 63 5F 20 76 5F 31 35 31 31 33 79 38388c_ v_15113y
    0370: 5F 20 64 5F 33 38 39 32 37 74 5F 5B 73 63 61 6E _ d_38927t_[scan
    0380: 5D 20 73 5F 35 31 34 37 38 74 5F 20 6E 5F 33 30 ] s_51478t_ n_30
    0390: 34 32 39 7A 5F 20 71 5F 35 39 39 36 33 76 5F 20 429z_ q_59963v_
    03A0: 66 5F 32 36 34 36 34 65 5F 5B 73 63 61 6E 5D 20 f_26464e_[scan]
    03B0: 64 5F 31 36 32 35 32 74 5F 5B 73 63 61 6E 5D 20 d_16252t_[scan]
    03C0: 66 5F 36 31 32 33 34 67 5F 5B 73 63 61 6E 5D 20 f_61234g_[scan]
    03D0: 72 5F 33 34 34 34 39 66 5F 20 63 5F 36 36 34 32 r_34449f_ c_6642
    03E0: 36 79 5F 5B 73 63 61 6E 5D 20 69 5F 31 37 32 37 6y_[scan] i_1727
    03F0: 33 6E 5F 5B 73 63 61 6E 5D 20 77 5F 36 39 30 39 3n_[scan] w_6909
    0400: 38 6D 5F 20 66 5F 33 34 37 33 32 72 5F 20 76 5F 8m_ f_34732r_ v_
    0410: 39 36 37 31 35 77 5F 20 0D 0A 3A 69 72 63 2E 43 96715w_ ..:irc.C
    0420: 68 61 6F 53 2E 4E 65 74 20 33 35 33 20 77 5F 33 haoS.Net 353 w_3
    0430: 33 37 38 36 6C 5F 20 40 20 23 30 32 20 3A 73 5F 3786l_ @ #02 :s_
    0440: 37 39 35 34 31 76 5F 20 73 5F 32 39 34 38 32 77 79541v_ s_29482w
    0450: 5F 20 61 5F 33 36 33 39 30 71 5F 20 74 5F 39 36 _ a_36390q_ t_96
    0460: 32 36 38 66 5F 20 7A 5F 34 37 34 34 37 79 5F 5B 268f_ z_47447y_[
    0470: 73 63 61 6E 5D 20 75 5F 31 39 35 39 33 79 5F 20 scan] u_19593y_
    0480: 61 5F 36 31 33 39 30 68 5F 5B 73 63 61 6E 5D 20 a_61390h_[scan]
    0490: 63 5F 31 37 36 37 34 72 5F 5B 73 63 61 6E 5D 20 c_17674r_[scan]
    04A0: 79 5F 33 31 31 35 37 62 5F 20 73 5F 38 30 33 39 y_31157b_ s_8039
    04B0: 38 6A 5F 20 65 5F 38 37 38 35 36 70 5F 5B 73 63 8j_ e_87856p_[sc
    04C0: 61 6E 5D 20 62 5F 31 34 34 32 35 77 5F 5B 73 63 an] b_14425w_[sc
    04D0: 61 6E 5D 20 68 5F 32 36 35 31 32 6A 5F 5B 73 63 an] h_26512j_[sc
    04E0: 61 6E 5D 20 65 5F 34 35 36 35 36 6F 5F 5B 73 63 an] e_45656o_[sc
    04F0: 61 6E 5D 20 76 5F 32 38 36 32 36 69 5F 20 64 5F an] v_28626i_ d_
    0500: 34 33 37 32 34 6E 5F 5B 73 63 61 6E 5D 20 6D 5F 43724n_[scan] m_
    0510: 37 38 33 37 35 69 5F 20 73 5F 35 38 36 36 30 6E 78375i_ s_58660n
    0520: 5F 5B 73 63 61 6E 5D 20 66 5F 35 39 38 32 30 68 _[scan] f_59820h
    0530: 5F 5B 73 63 61 6E 5D 20 73 5F 33 33 30 32 35 75 _[scan] s_33025u
    0540: 5F 20 74 5F 37 37 35 38 34 6F 5F 20 6F 5F 33 32 _ t_77584o_ o_32
    0550: 35 32 36 62 5F 20 64 5F 36 39 37 30 37 64 5F 5B 526b_ d_69707d_[
    0560: 73 63 61 6E 5D 20 0D 0A 3A 69 72 63 2E 43 68 61 scan] ..:irc.Cha
    0570: 6F 53 2E 4E 65 74 20 33 36 36 20 77 5F 33 33 37 oS.Net 366 w_337
    0580: 38 36 6C 5F 20 23 30 32 20 3A 45 6E 64 20 6F 66 86l_ #02 :End of
    0590: 20 2F 4E 41 4D 45 53 20 6C 69 73 74 2E 0D 0A /NAMES list...

    The ones with [scan] in them, according to the coder I spoke with, were
    those systems that were in the process of scanning the net for new
    vulnerable hosts.

    Anyone seen this before?

    Cheers!
    Matt Hornsby
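The following is an added example, not code from Matt's post or from any of the tools he mentions. It takes the first hex dump above, rebuilds the raw frame, walks the Ethernet II / IPv4 / TCP headers to recover the endpoints (63.241.179.70:2787 talking to the drone on port 1179, PSH/ACK), and parses the IRC protocol lines in the payload: numeric 324 (channel modes) and 329 (channel creation time, a Unix timestamp). It then triages a NAMES reply (353) the way an analyst would over the second capture, separating drones from scanning drones and from anything that does not fit the drone nick shape. PACKET1_DUMP is copied verbatim from the post; NAMES_SAMPLE is a constructed, abbreviated 353/366 pair using a handful of nicks copied from the second capture; the DRONE_NICK pattern (letter, underscore, five digits, letter, underscore, optional "[scan]" tag) is my inference from the nicks in the capture, not something the coders confirmed.

```python
import re
import struct
from datetime import datetime, timezone

# First capture from the post, copied verbatim.
PACKET1_DUMP = """\
0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
0010: 00 7E 9E 4F 40 00 31 06 71 2D 3F F1 B3 46 40 51 ...O@.1.q-?..F@Q
0020: 06 75 0A E3 04 9B 0D 6A 82 1B 00 02 1B D7 50 18 .u.....j......P.
0030: 0B 68 5F F5 00 00 3A 69 72 63 2E 43 68 61 6F 53 .h_...:irc.ChaoS
0040: 2E 4E 65 74 20 33 32 34 20 77 5F 33 33 37 38 36 .Net 324 w_33786
0050: 6C 5F 20 23 30 32 20 2B 73 6D 74 6E 20 0D 0A 3A l_ #02 +smtn ..:
0060: 69 72 63 2E 43 68 61 6F 53 2E 4E 65 74 20 33 32 irc.ChaoS.Net 32
0070: 39 20 77 5F 33 33 37 38 36 6C 5F 20 23 30 32 20 9 w_33786l_ #02
0080: 31 30 34 39 38 38 38 32 39 31 0D 0A 1049888291..
"""
# Constructed, abbreviated RPL_NAMREPLY using nicks copied from the post's second capture.
NAMES_SAMPLE = (
    b":irc.ChaoS.Net 353 w_33786l_ @ #02 :w_33786l_ q_68131z_ l_59255d_ "
    b"d_29071j_[scan] i_84436e_[scan] @L n_82740k_ \r\n"
    b":irc.ChaoS.Net 366 w_33786l_ #02 :End of /NAMES list.\r\n"
)
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
# Nick shape inferred from the capture (assumption): letter_5digits_letter_, optional [scan].
DRONE_NICK = re.compile(r"^[a-z]_\d{5}[a-z]_(\[scan\])?$")

def parse_hexdump(dump: str) -> bytes:
    """'OFFSET: XX XX ... ascii' lines -> bytes; stop at the first non-hex token."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, rest = line.partition(":")
        for tok in rest.split()[:16]:      # at most 16 data bytes per dump line
            if not HEX_PAIR.match(tok):
                break                      # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP; return addressing, TCP flags and the payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": "%d.%d.%d.%d" % tuple(ip[12:16]), "sport": sport,
        "dst": "%d.%d.%d.%d" % tuple(ip[16:20]), "dport": dport,
        "ttl": ip[8], "flags": off_flags & 0x01FF,
        "payload": tcp[(off_flags >> 12) * 4:],
    }

def parse_irc(payload: bytes) -> list:
    """Split an IRC stream into {prefix, command, params} (RFC 1459 framing)."""
    msgs = []
    for raw in payload.decode("latin-1").split("\r\n"):
        if not raw.strip():
            continue
        prefix = None
        if raw.startswith(":"):
            prefix, _, raw = raw[1:].partition(" ")
        head, sep, trailing = raw.partition(" :")
        params = head.split()
        if sep:
            params.append(trailing)
        msgs.append({"prefix": prefix, "command": params[0], "params": params[1:]})
    return msgs

def channel_info(msgs: list) -> dict:
    """Modes from 324 (RPL_CHANNELMODEIS); creation time from 329 (Unix timestamp)."""
    info = {}
    for m in msgs:
        if m["command"] == "324":
            info["channel"], info["modes"] = m["params"][1], m["params"][2]
        elif m["command"] == "329":
            ts = int(m["params"][2])
            info["created"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return info

def triage_names(msgs: list) -> dict:
    """Nicks in 353 (RPL_NAMREPLY): drones, drones tagged [scan], and the rest (e.g. '@L')."""
    drones, scanning, others = [], [], []
    for m in msgs:
        if m["command"] != "353":
            continue
        for nick in m["params"][-1].split():
            bare = nick.lstrip("@+")  # drop channel-status prefixes
            if DRONE_NICK.match(bare):
                drones.append(bare)
                if bare.endswith("[scan]"):
                    scanning.append(bare)
            else:
                others.append(bare)
    return {"drones": len(drones), "scanning": len(scanning), "others": others}

if __name__ == "__main__":
    f = decode_frame(parse_hexdump(PACKET1_DUMP))
    print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} flags=0x{f['flags']:x}")
    print(channel_info(parse_irc(f["payload"])), triage_names(parse_irc(NAMES_SAMPLE)))
```

Two things worth noticing when you run it. The channel is +smtn (secret, moderated, topic-locked, no outside messages), which is why the server did not show up in a channel list and why only the operators could talk. The 329 creation time decodes to 2003-04-09 UTC, which is later than the date of this message, so the server's clock was not trustworthy and timestamps from it should not be used to sequence events. Anything that falls into "others" (here the op "L") is a human or a control bot rather than a drone, which is exactly the set of nicks worth watching in a capture like this.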
