Re: strange windows behaviour.

From: John Sage (jsage_at_finchhaven.com)
Date: 10/07/03

  • Next message: Paul Farley: "FW: [INFRAGARD-ATLANTA] DoS on cisco.com"
    Date: Tue, 7 Oct 2003 10:03:30 -0700
    To: Peter Moody <peter@ucsc.edu>


    Peter:

    On Mon, Oct 06, 2003 at 01:05:13PM -0700, Peter Moody wrote:
    > Hello all,
    >
    > I've got a bit of a problem, and I was wondering if anyone on this list
    > has seen similar things. Recently, we've been having student windows
    > machines on our residential network begin spewing large, massive (on the
    > order of hundreds of thousands in a few hours) spam messages at our mail
    > servers. We promptly disconnect the machines and head down to do some
    > forensic work on the boxes when we get a chance (usually after they call
    > to complain that the internet has died).
    >
    > I've been trying to find information on this, but the most I've been
    > able to come up with is an advisory from symantec's threat management
    > system saying Mprox (some sort of MS proxy) is to blame. None of the
    > machines I've gone and examined have had this program running or on the
    > system anywhere for that matter.
    >
    > Has anyone else had similar problems of late? This all started for us
    > about a week ago and it's showing no signs of going away any time soon.

    You may be interested in this 09/06/03 post to the UNISOG maillist
    (unisog@sans.org):

    /* begin post fragment */

    From: Paul Russell <prussell@nd.edu>
    To: unisog@sans.org
    Subject: [unisog] Spam from student-owned computers
    Date: Mon, 06 Oct 2003 15:51:12 -0500

    In the past ten days, we have had five incidents in which
    student-owned computers in our residence hall network (ResNet) were
    used to send large quantities of spam. I have seen similar reports
    from other sites, so I thought some of you might be interested our
    experience. Appended below are the case notes from one of these
    incidents. The report has been edited to remove all personal
    identification information. The analysis of the student's workstation
    was performed by a member of our Information Security team.

    --
    Paul Russell
    Senior Systems Administrator
    University of Notre Dame

    *** NOTES 10/06/2003 08:05:21 AM ******** Action Type: Add'tl
    Info. Rec'd. Visited student's workstation last Friday afternoon. Upon
    running 'tcpview' dozens of processes, all running as svchost.exe,
    appeared to be listening to a variety of high-level ports.  After
    installing and updating McAfee Enterprise 7 VS, his machine was
    gracefully powered down, then turned back on while unplugged from the
    network.  A scan of all files on his workstation revealed no viruses.
    Also, the machine was fully patched (he had automatic updates turned
    on under XP).  All of the unusual svchost.exe processes disappeared
    (which was expected given the lack of a network connection). I then
    noticed a process named 'winsrvn.exe' listening on port 1033 UDP, as
    well as 'system:4' listening on 1030 TCP.
    Checking all of the programs that were automatically started at boot,
    it appeared as though the student had a lot of optional things running
    in the background, including winsrvn.exe.  He believed that this
    particular program was installed as part of Purity Scanner, which,
    apparently, scans one's hard drive for inappropriate materials.  It
    turns out that Purity is actually adware, and is often bundled with
    Grokster (P2P program).  Further, it looked as though the student was
    using Grokster.  From what I've been able to find with a web search,
    Grokster sometimes includes ancillary software that may contain back
    doors.  I had the student email me a zip of the winsrvn.exe for later
    examination.  The other mysterious process (system:4) seemed to
    disappear after I removed winsrvn.exe (perhaps the two were
    related?).

    /* end post fragment */

    HTH..

    - John
    -- 
    "You are in a twisty maze of weblogs, all alike."
    -
    John Sage: InfoSec Groupie
    -
    ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
    -
    ATTENTION: this entire message is privileged communication, intended
    for the sole use of its recipients only. If you read it even though
    you know you aren't supposed to, you're a poopy-head.
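The case notes above describe the host-side triage by hand: run tcpview, note every listening socket, map it to a process, and treat svchost.exe instances hosting nothing and unknown images on high ports (the winsrvn.exe on UDP 1033, system:4 on TCP 1030) as suspect. The script below is an added example and is not code from either post; it does the same pass over text captured with the XP-era commands `netstat -ano` and `tasklist /svc`, then adds one network-side signal the thread cares about, the number of established outbound SMTP sessions per PID. The `netstat`/`tasklist` output embedded in it is constructed sample data shaped like the case notes, the `EXPECTED` baseline of stock XP listeners is an assumption you would tune to your own image, and the parser assumes `tasklist /svc` lists each process's services on a single line.

```python
"""Triage of listening sockets from `netstat -ano` and `tasklist /svc` output.

Added example (not from the mailing-list thread). Sample inputs below are
CONSTRUCTED to resemble the quoted case notes; on a live box feed the real
command output to triage() and smtp_sessions().
"""
import re

# Assumed baseline: (proto, port, image) listeners a stock XP host should show.
EXPECTED = {
    ("TCP", 135, "svchost.exe"), ("TCP", 139, "System"), ("TCP", 445, "System"),
    ("UDP", 137, "System"), ("UDP", 138, "System"), ("UDP", 123, "svchost.exe"),
}
EPHEMERAL_MIN = 1024  # anything bound at or above this is not a stock service port

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1420
  TCP    10.0.0.5:3412          198.51.100.9:25        ESTABLISHED     1420
  UDP    0.0.0.0:1033           *:*                                    1188
  UDP    0.0.0.0:123            *:*                                    856
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    856 RpcSs, w32time
svchost.exe                   1420 N/A
winsrvn.exe                   1188 N/A
"""


def parse_netstat(text):
    """Return (proto, local_port, remote_port, state, pid) rows from netstat -ano."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank
        proto, local, foreign = f[0], f[1], f[2]
        if proto == "TCP":
            state, pid = f[3], int(f[4])
        else:
            state, pid = "", int(f[3])  # UDP rows have no State column
        lport = int(local.rsplit(":", 1)[1])
        rport = foreign.rsplit(":", 1)[1]
        rows.append((proto, lport, int(rport) if rport.isdigit() else 0, state, pid))
    return rows


def parse_tasklist(text):
    """Return {pid: (image, [services])} from tasklist /svc (one line per process)."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue  # header and ===== separator carry no PID
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs in ("", "N/A") else [s.strip() for s in svcs.split(",")]
        procs[pid] = (image, services)
    return procs


def triage(netstat_text, tasklist_text):
    """Flag bound sockets that are not on the expected-listener baseline."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, lport, _rport, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        image, services = procs.get(pid, ("<pid not in tasklist>", []))
        if (proto, lport, image) in EXPECTED:
            continue
        if image == "svchost.exe" and not services:
            why = "svchost.exe hosting no service"  # a real svchost always hosts one
        elif pid not in procs:
            why = "PID missing from tasklist"
        elif lport >= EPHEMERAL_MIN:
            why = "unexpected listener on high port"
        else:
            why = "unexpected listener"
        findings.append((proto, lport, pid, image, why))
    return sorted(findings)


def smtp_sessions(netstat_text):
    """Count established outbound connections to TCP/25 per PID (spam-run signal)."""
    counts = {}
    for proto, _lport, rport, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "ESTABLISHED" and rport == 25:
            counts[pid] = counts.get(pid, 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-3s %5d pid %-5d %-22s %s" % row)
    print("outbound SMTP sessions by PID:", smtp_sessions(NETSTAT_SAMPLE))
```

On the sample data this reports the two sockets the case notes singled out (System on TCP 1030, winsrvn.exe on UDP 1033) plus a svchost.exe that hosts no service yet listens on TCP 8000 and holds the outbound SMTP session. The svchost heuristic is the useful one: malware likes to run as, or name itself, svchost.exe, but `tasklist /svc` shows every genuine instance hosting at least one service. Pull the box off the network before collecting, as the notes do, and expect listeners that depend on connectivity to vanish once it is unplugged.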
