Re: strange windows behaviour.
From: Karl Levinson (levinson_k_at_despammed.com)
Date: 10/09/03
- Previous message: Pepijn Vissers: "RE: strange windows behaviour."
- Maybe in reply to: Peter Moody: "strange windows behaviour."
- Next in thread: Harlan Carvey: "Re: strange windows behaviour."
- Reply: Harlan Carvey: "Re: strange windows behaviour."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 9 Oct 2003 14:10:40 -0000
To: incidents@securityfocus.com
In-Reply-To: <20031007170330.GI1196@sparky.finchhaven.net>
You've gotten some good advice already. FWIW, I would not first suspect adware in either of the cases below.
Regarding the university report, the fact that winservn.exe does not show up in a Google.com search plus the fact that it is listening for inbound connections does not make me think adware.
In both incidents, I would want to save and submit the responsible file to the anti-virus vendor for inspection.
Regarding the original poster's incident, knowing the ports and remote IP addresses involved would be helpful. If you haven't already, running one of the previously mentioned port inspecting tools such as Fport from Foundstone.com/knowledge that actually tells you what executable is generating the traffic should be done. Inspecting firewall and IDS logs for traffic from the affected machines or ports and/or running a sniffer such as Ethereal, Windump or Snort could be useful. [Windows Netstat utility doesn't give you that information unless you're running XP.] Plus pretty much all the standard procedures one would do for incident response and inspection of mystery executables, as detailed in the Osborne book "Incident Response," at www.cert.org/tech_tips, http://csrc.nist.gov, etc.
>Date: Tue, 7 Oct 2003 10:03:30 -0700
>From: John Sage <jsage@finchhaven.com>
>> I've got a bit of a problem, and I was wondering if anyone on this list
>> has seen similar things. Recently, we've been having student windows
>> machines on our residential network begin spewing large, massive (on the
>> order of hundreds of thousands in a few hours) spam messages at our mail
>> servers. We promptly disconnect the machines and head down to do some
>> forensic work on the boxes when we get a chance (usually after they call
>> to complain that the internet has died).
>From: Paul Russell <prussell@nd.edu>
>To: unisog@sans.org
>Subject: [unisog] Spam from student-owned computers
>Date: Mon, 06 Oct 2003 15:51:12 -0500
>
>Checking all of the programs that were automatically started at boot,
>it appeared as though the student had a lot of optional things running
>in the background, including winsrvn.exe. He believed that this
>particular program was installed as part of Purity Scanner, which,
>apparently, scans one's hard drive for inappropriate materials. It
>turns out that Purity is actually adware, and is often bundled with
>Grokster (P2P program). Further, it looked as though the student was
>using Grokster. From what I've been able to find with a web search,
>Grokster sometimes includes ancillary software that may contain back
>doors. I had the student email me a zip of the winsrvn.exe for later
>examination. The other mysterious process (system:4) seemed to
>disappear after I removed winservn.exe (perhaps the two were
>related?).
>
>/* end post fragment */
>
>HTH..
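The advice above comes down to tying every open port to the executable that owns it (Fport, or netstat's PID column on XP) and then looking at where that executable's traffic goes. The script below is an added example, not code from the original post, from Fport or from any of the tools named above: it does that join offline over a constructed `netstat -ano` listing and a constructed `tasklist /FO CSV /NH` listing, reports listeners whose owning image is not in a baseline, and counts outbound connections to remote port 25 per image (the spam fan-out pattern described in the quoted report). The sample addresses, ports, PIDs, the image name winsrvn.exe and the KNOWN_GOOD set are assumptions made up for this example.

```python
"""Join netstat -ano and tasklist output to find who owns which socket.

Added example (not from the original thread). All sample data below is
constructed; on a live XP box you would capture `netstat -ano` and
`tasklist /FO CSV /NH` and feed them to these functions.
"""
import csv
import io
from collections import Counter, namedtuple

Socket = namedtuple("Socket", "proto laddr lport raddr rport state pid")

# Constructed sample of `netstat -ano` output. The -o column (PID) exists on
# XP and later; earlier Windows netstat cannot show it.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.20:1043      198.51.100.7:25        ESTABLISHED     1604
  TCP    192.168.1.20:1044      198.51.100.9:25        ESTABLISHED     1604
  UDP    0.0.0.0:500            *:*                                    688
"""

# Constructed sample of `tasklist /FO CSV /NH` output taken at the same time.
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"svchost.exe","860","Console","0","4,520 K"
"lsass.exe","688","Console","0","5,104 K"
"winsrvn.exe","1604","Console","0","3,988 K"
"""

# Assumed baseline: images expected to own sockets on this particular host.
KNOWN_GOOD = {"System", "svchost.exe", "lsass.exe"}


def _split_endpoint(endpoint):
    """'192.168.1.20:1043' -> ('192.168.1.20', 1043); '*:*' -> ('*', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` lines into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = _split_endpoint(parts[1])
        raddr, rport = _split_endpoint(parts[2])
        if parts[0] == "TCP" and len(parts) >= 5:
            state, pid = parts[3], int(parts[4])
        elif parts[0] == "UDP":  # UDP lines carry no State column
            state, pid = "", int(parts[3])
        else:
            continue
        sockets.append(Socket(parts[0], laddr, lport, raddr, rport, state, pid))
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(row[1]): row[0]
            for row in csv.reader(io.StringIO(text))
            if len(row) >= 2 and row[1].isdigit()}


def suspicious_listeners(netstat_text, tasklist_text, known_good=KNOWN_GOOD):
    """Listening sockets owned by images outside the baseline, as (port, image, pid)."""
    images = parse_tasklist(tasklist_text)
    return [(s.lport, images.get(s.pid, "<unknown>"), s.pid)
            for s in parse_netstat(netstat_text)
            if s.state == "LISTENING"
            and images.get(s.pid, "<unknown>") not in known_good]


def smtp_fanout(netstat_text, tasklist_text):
    """Count TCP connections to remote port 25 per owning image."""
    images = parse_tasklist(tasklist_text)
    counts = Counter(images.get(s.pid, "<unknown>")
                     for s in parse_netstat(netstat_text)
                     if s.proto == "TCP" and s.rport == 25)
    return dict(counts)


if __name__ == "__main__":
    for port, image, pid in suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"LISTENING {port:>5}  pid {pid:<5} {image}")
    for image, n in smtp_fanout(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"{image}: {n} connection(s) to remote port 25")
```

The two listings must be captured back to back, because PIDs are reused once a process exits; a PID seen in netstat but absent from tasklist shows up as `<unknown>` rather than being silently dropped. Once the image is identified, the binary itself (not just its name) is what goes to the anti-virus vendor, as the post recommends.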