RE: Proxy attackers/hijackers

From: Carey, Steve T GARRISON (steven-carey_at_us.army.mil)
Date: 10/17/03

    To: 'Joe Stewart ' <jstewart@lurhq.com>, 'General DShield Discussion List ' <list@dshield.org>
    Date: Fri, 17 Oct 2003 12:00:14 -0500
    
    

     The autoproxy Trojan you mentioned is detected by Norton Anti-virus as
    'backdoor.coreflood Trojan', per the write-up from the site you provided, but
    there is another autoproxy Trojan that is not identified as a Trojan. There is
    a new site (216.247.117.225 - shows up as chinesenaming.com and wvw.goling.com
    (wvw is not a misprint)) that is running malicious code when users connect to it
    (with ActiveX enabled). We do not have a copy of the E-Mail that initiated it;
    however, look for http traffic to that site that changes to port 53 (same IP, but
    the site name changes between the two above). There are files called stop.bat
    and ftp.txt (this file is brought in from 216.40.224.210 - ftp.goling.com) and a
    program called ap216.exe. This program is the autoproxy Trojan. When
    everything is run there are two other files created - one without an extension
    and one (same name, which is random) that is a dll. It also creates a registry key
    called
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework\Start",4,"REG_DWORD".
    The last thing run is the stop.bat file, which disables all Anti-virus and
    personal firewalls, then deletes itself (but they forgot, and there may be a copy
    in the temp folder).

      Still working on the forensics on this, so don't know everything yet. We do
    know that the date/time stamp of the randomly named file with no extension can
    change (but the size remains the same), apparently depending on what the user is
    doing on the web.

    The difference between this version and the one in the write-up appears to be
    that there are no porn site references in the browser (probably taken out) and
    there are early indications that this Trojan is collecting personal ID and credit
    card information. Also, if your ActiveX controls are disabled (or hopefully you
    are patched, but that has not been tested) and you go to the site, you do not see
    everything on the site (approximately 200 bytes of data returned with ActiveX
    disabled and over 500 if enabled).
    Also, it does not appear to work on Windows 9x: the stop.bat file is there, but
    none of the others. NT, W2K, and XP (XP varies) are affected.

    Steve Carey

    -----Original Message-----
    From: Joe Stewart
    To: General DShield Discussion List
    Cc: Jeff Kell; incidents@securityfocus.com
    Sent: 10/17/2003 9:15 AM
    Subject: Re: Proxy attackers/hijackers

    On Thursday 16 October 2003 11:31 pm, Jeff Kell wrote:
    > We had an attempted proxy rape today on a trojanned dorm machine. No
    > mail escaped thanks to firewalling but I did track down the culprits
    > and the compromised ports (which appear random, they changed when the
    > machine was rebooted). Do not have the machine (yet) for forensics
    > to see what infected it, but it was providing two proxy ports on
    > random ports that change when the machine is rebooted (apparently,
    > given the time difference between the pairs of proxy ports below).

    If the two proxy ports start at a random port but themselves are
    sequential, it could be the Autoproxy trojan. A rash of these was
    installed yesterday by a second mass-hack of a large webhosting
    provider. Autoproxy can be detected when it attempts to make outbound
    HTTP control connections (one is to a CGI script where it reports its
    port numbers and stats, the other is to an uninvolved third-party
    website for connectivity checking). In these connections it sets its
    User-Agent header to "Autoproxy/0.2". The snort signature below will
    catch these connections leaving your network and let you know if you
    have any infected hosts.

    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; flags:A+; content:"|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; sid:1000028; rev:1;)

    -Joe

    -- 
    Joe Stewart, GCIH 
    Senior Security Researcher
    LURHQ http://www.lurhq.com/
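    The following is an added example, not code from either post or from LURHQ: the
    same two detections run offline in Python over constructed sample flows. It decodes
    the byte match from Joe Stewart's Snort rule (CRLF + "User-Agent: Autoproxy/") and
    applies it to outbound port-80 requests, and it also flags the port-80-then-port-53
    pattern to 216.247.117.225 from Steve Carey's report. It goes slightly beyond the
    rule by showing why the leading CRLF matters: the same text in a POST body does not
    fire. The flow records, the 198.51.100.x addresses, the CGI path and the proxy port
    numbers in the sample are invented for illustration and are not from the thread.

```python
"""Offline detector for the Autoproxy indicators discussed in this thread.

Added example; not code from the original posts or from LURHQ. All sample
traffic below is constructed, and the 198.51.100.x addresses (documentation
space) stand in for the unnamed control/CGI hosts.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Content match from the Snort rule, decoded: CRLF + "User-Agent: Autoproxy/".
# The leading CRLF anchors the match to a request header line, so the same
# text inside a URL or a POST body does not match.
AUTOPROXY_UA = bytes.fromhex("0d0a557365722d4167656e743a204175746f70726f78792f")
assert AUTOPROXY_UA == b"\r\nUser-Agent: Autoproxy/"

# IP named in Steve Carey's report (chinesenaming.com / wvw.goling.com).
SUSPECT_HOSTS: Set[str] = {"216.247.117.225"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # first client->server bytes of the connection


def has_autoproxy_ua(payload: bytes) -> bool:
    """Same test as the Snort content match, applied to raw request bytes."""
    return AUTOPROXY_UA in payload


def autoproxy_version(payload: bytes) -> Optional[str]:
    """Return the version after 'Autoproxy/' (e.g. '0.2'), or None."""
    m = re.search(rb"\r\nUser-Agent: Autoproxy/([^\r\n]*)\r\n", payload)
    return m.group(1).decode("ascii", "replace") if m else None


def scan(flows: List[Flow], home_net: str = "10.0.0.0/8") -> List[Tuple[str, str, str]]:
    """Return (src, reason, dst) alerts for $HOME_NET -> $EXTERNAL_NET flows.

    1. TCP/80 request carrying the Autoproxy User-Agent header (the control
       and stats connections Joe Stewart describes).
    2. HTTP to a suspect host followed by TCP/53 to the same IP from the same
       client (the port 80 -> port 53 change in Steve Carey's report).
    """
    home = ipaddress.ip_network(home_net)
    alerts: List[Tuple[str, str, str]] = []
    http_to_suspect: Set[str] = set()  # clients that already spoke HTTP to a suspect IP
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src not in home or dst in home or f.proto != "tcp":
            continue
        if f.dport == 80 and has_autoproxy_ua(f.payload):
            alerts.append((f.src, "autoproxy-control-connection", f.dst))
        if f.dst in SUSPECT_HOSTS:
            if f.dport == 80:
                http_to_suspect.add(f.src)
            elif f.dport == 53 and f.src in http_to_suspect:
                alerts.append((f.src, "suspect-host-http-then-tcp53", f.dst))
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_FLOWS: List[Flow] = [
    # 1. infected host reporting its (invented) proxy ports to a CGI script
    Flow("10.0.0.5", "198.51.100.20", "tcp", 80,
         b"GET /cgi-bin/stat.cgi?p1=31337&p2=31338 HTTP/1.0\r\n"
         b"Host: 198.51.100.20\r\nUser-Agent: Autoproxy/0.2\r\n\r\n"),
    # 2. ordinary browsing
    Flow("10.0.0.6", "198.51.100.30", "tcp", 80,
         b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    # 3. the same text in a POST body: not a header line, so no match
    Flow("10.0.0.6", "198.51.100.30", "tcp", 80,
         b"POST /form HTTP/1.1\r\nHost: example.org\r\nContent-Length: 28\r\n\r\n"
         b"ua=User-Agent: Autoproxy/0.2"),
    # 4. HTTP to the suspect IP, then a TCP connection to port 53 on the same IP
    Flow("10.0.0.7", "216.247.117.225", "tcp", 80,
         b"GET / HTTP/1.1\r\nHost: chinesenaming.com\r\n\r\n"),
    Flow("10.0.0.7", "216.247.117.225", "tcp", 53,
         b"GET / HTTP/1.1\r\nHost: wvw.goling.com\r\n\r\n"),
    # 5. a lone UDP DNS query to that IP: not flagged by these two checks
    Flow("10.0.0.8", "216.247.117.225", "udp", 53, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for src, reason, dst in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

    Both checks see only the control-side traffic; the proxy ports themselves are
    random and, as Jeff Kell notes, change on reboot, so the User-Agent match and the
    host-based indicators (stop.bat, ap216.exe, the McAfeeFramework Start value) are
    what to pivot on, not port numbers.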
    ------------------------------------------------------------------------
    ---
    FREE Whitepaper: Better Management for Network Security
    Looking for a better way to manage your IP security?
    Learn how Solsoft can help you:
    - Ensure robust IP security through policy-based management
    - Make firewall, VPN, and NAT rules interoperable across heterogeneous
    networks
    - Quickly respond to network events from a central console
    Download our FREE whitepaper at:
    http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
    ------------------------------------------------------------------------
    ----
    
