Re: strange windows behaviour.
From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 10/10/03
- Previous message: Dan Hanson: "Administrivia: strange windows behaviour."
- In reply to: J Mike Rollins: "RE: strange windows behaviour."
- Next in thread: J Mike Rollins: "Re: strange windows behaviour."
- Reply: J Mike Rollins: "Re: strange windows behaviour."
- Reply: Tobias Rice: "Re: strange windows behaviour."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 09 Oct 2003 19:13:09 -0400
To: J Mike Rollins <rollins@wfu.edu>
J Mike Rollins wrote:
> I have just tested the ideas expressed here and have to report that
> streams can still be a threat.
>
> When I try to make a copy of the dll stored within the stream, the virus
> scanning software does find it.
>
> However, when I run the contents of the dll stream by using rundll32 the
> program is not caught by the virus scanning software. And the trojan
> continues to execute undetected.
All I see is spam starting to spew from an otherwise quiet machine (most
cases) although we have also had two cases of machines spoofing source
addresses and attacking (a) an IRC server and (b) somebody's identd.
This is happening here and I have one machine under quarantine in the
testbed. Symantec NAV with the latest DATs doesn't detect anything. Spybot
with the latest signatures doesn't detect anything. Ad-Aware doesn't find
anything. McAfee's freebie Stinger doesn't find anything. Yet if it is
connected to the network when it boots, some process comes up, makes a
few connection attempts to remote addresses, port 80; then it opens up
two random high-numbered TCP ports and listens. Telnetting to them and
entering much of anything causes it to close the connection and respawn.
In ActivePorts it lists the owning process name as the same as some
other existent process in the list (e.g., explorer.exe, svchost.exe) but
will have a unique PID in the task list. Using ActivePort's terminate
process feature on it causes the two sockets to disappear, only to be
immediately followed by the original behavior -- connects to an outside
address port 80 (not always the same address, mind you), followed by two
different high-numbered ports opened and listening.
There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce
which appears to be a random string, 'bzyrczu' or something similar, and
the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'. Of course
I can't find any file by that name by traditional means (before reading
this thread on NTFS streams).
Attempting to delete the registry keys for /Run and /RunOnce appears to
work, but when you go back to check, the keys have "reinstalled"
themselves. Even starting up in safe mode with network unplugged, you
can't delete the registry keys, even with System Restore disabled (this
is an XP Home Edition box).
I plan on getting a packet capture of the beast's activity tomorrow.
And assuming that the thing does exist as a stream, I'll try to capture
the binary.
Jeff
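The persistence mechanism Jeff describes is a Run/RunOnce value whose command is `rundll32 C:\Windows\System32:bzyrczu.dll`: the colon after the directory name is the NTFS alternate data stream (ADS) syntax, so the DLL is a named stream attached to the System32 directory rather than a file in it, which is why a normal directory listing never shows it. The script below is an added example written for this archive page, not code from the thread or its authors. It assumes Windows PowerShell 3.0 or later (the `-Stream` parameters did not exist on the XP box in the thread), that `Get-Item -Stream *` enumerates named streams on a directory as well as on a file, and that the regex `$adsPattern` is a reasonable way to recognise the `host:stream` form in an autorun command; the sample command string passed to `ConvertFrom-AdsCommand` at the end is constructed from the value quoted in the mail.

```powershell
# Added example (not from the original post): find Run/RunOnce values that
# launch code from an NTFS alternate data stream and list the streams on the
# host object they point at. Run in an elevated Windows PowerShell 3.0+ session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed pattern for '<drive>:\<path>:<stream>' with no further backslash after
# the second colon, e.g. C:\Windows\System32:bzyrczu.dll ->
#   host = C:\Windows\System32, stream = bzyrczu.dll
# Commas are excluded from the stream name so 'C:\x:y.dll,Entry' stops at y.dll.
$adsPattern = '(?<host>[A-Za-z]:\\[^:"\s]*?):(?<stream>[^:\\",\s]+)'

function ConvertFrom-AdsCommand {
    # Returns an object with Host/Stream when the command references an ADS,
    # otherwise $null.
    param([string]$Command)
    if ($Command -match $adsPattern) {
        [pscustomobject]@{ Host = $Matches['host']; Stream = $Matches['stream'] }
    }
}

function Find-AdsAutorun {
    # Walks the four autorun keys and emits every value whose command uses an ADS.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $ads = ConvertFrom-AdsCommand -Command ([string]$p.Value)
            if ($ads) {
                [pscustomobject]@{
                    Key = $key; Name = $p.Name; Command = [string]$p.Value
                    Host = $ads.Host; Stream = $ads.Stream
                }
            }
        }
    }
}

function Get-AdsOnHost {
    # Lists every named stream on a file or directory; the unnamed ':$DATA'
    # stream of an ordinary file is filtered out so only extras remain.
    param([string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Constructed check against the exact value quoted in the mail.
ConvertFrom-AdsCommand -Command 'rundll32 C:\Windows\System32:bzyrczu.dll'

$hits = @(Find-AdsAutorun)
foreach ($h in $hits) {
    "Autorun '{0}' in {1} runs stream '{2}' attached to {3}" -f $h.Name, $h.Key, $h.Stream, $h.Host
    Get-AdsOnHost -Path $h.Host | Format-Table -AutoSize
    # With the owning process stopped first (it re-creates the value otherwise),
    # the stream and the autorun value can be removed with:
    #   Remove-Item -LiteralPath $h.Host -Stream $h.Stream
    #   Remove-ItemProperty -Path $h.Key -Name $h.Name
}
if ($hits.Count -eq 0) { 'No Run/RunOnce value references an alternate data stream.' }
```

The stream can also be copied out for analysis with `Get-Content -LiteralPath C:\Windows\System32 -Stream bzyrczu.dll -Encoding Byte` (Windows PowerShell) or `Set-Content`/`Get-Content -AsByteStream` on PowerShell 7, and `cmd /c dir /r` shows streams on Vista and later without PowerShell. Note the order Jeff's observations dictate: the listening process must be stopped before the value is deleted, otherwise it rewrites the key, and the stream itself has to go or the next boot simply reloads it.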