New SDBot variant

From: Christopher Harrington (charrington_at_nitrodata.com)
Date: 08/10/04

  • Next message: Christopher Harrington: "Possible new Korgo variant. WAS: New SDBot variant"
    To: <incidents@securityfocus.com>
    Date: Tue, 10 Aug 2004 14:59:58 -0400

    All,

    We are seeing what may be a new variant of SDBot. This variant spreads by
    exploiting the LSASS vulnerability. Once infected, the machine joins an IRC
    botnet via TCP 6667. Some of the infected machines then download an
    executable via TFTP. This transfer is initiated over IRC. I have attached
    the BinText output and an MD5 for the file. The executable is named
    NTAPI32.exe and is downloaded to the system32 directory. The exe is 143.03
    KB. I tried Symantec, Trend, F-Secure and Sophos...none could identify it.

    In the IRC logs there are these entries:

    PRIVMSG #irc :[lsass]: Exploiting IP: 10.x.x.x.
    PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.x.x.x (C:\WINDOWS\System32\ntapi32.exe)

    A quick (and untested :)) signature below:

    # sid 1000001 is a placeholder in the local-rule range; pick one that does not
    # collide with your own rule set.
    alert tcp any any -> any any (msg:"LSASS exploit via IRC, possible SDBot variant"; \
        content:":[lsass]: Exploiting IP:"; classtype:misc-activity; \
        sid:1000001; rev:1;)
     
    I will post more when I have it.

    Regards,

    --Chris

    --
    Christopher Harrington, CISSP
    Director of Security Engineering
    NitroData Systems, Inc.
    603-766-8160, ext. 25
    http://www.nitroguard.com
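The IRC status messages quoted above are the most reliable host-level indicator in the post, so the following is a small parser that pulls them out of a captured IRC log and correlates, per victim IP, the LSASS exploit attempt with the TFTP drop of the payload. This is an added example, not code from the original message or from NitroData; the log lines it runs on are constructed (RFC 1918 addresses, an IRC prefix of `nick!user@host`), and the regexes assume the bot emits exactly the two message formats quoted in the post, with the period after the exploited IP and the drop path in parentheses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A PRIVMSG with an optional ":nick!user@host " prefix. The post shows the
# lines without the prefix, so it is optional here.
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "[lsass]: Exploiting IP: 10.x.x.x."  (trailing period is optional)
LSASS_RE = re.compile(rf"^\[lsass\]:\s+Exploiting IP:\s+(?P<ip>{IPV4})\.?\s*$")
# "[TFTP]: File transfer started to IP: 10.x.x.x (C:\...\ntapi32.exe)"
TFTP_RE = re.compile(
    rf"^\[TFTP\]:\s+File transfer started to IP:\s+(?P<ip>{IPV4})\s*\((?P<path>[^)]+)\)\s*$"
)

# Constructed sample capture; none of these hosts or nicks are from the post.
SAMPLE_LOG = """\
:bot1!bot@10.0.0.5 PRIVMSG #irc :[lsass]: Exploiting IP: 10.0.0.23.
:bot1!bot@10.0.0.5 PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.0.0.23 (C:\\WINDOWS\\System32\\ntapi32.exe)
:bot2!bot@10.0.0.9 PRIVMSG #irc :[lsass]: Exploiting IP: 10.0.0.77.
:someone!u@h PRIVMSG #irc :hey, anyone here?
PING :irc.example.net
"""


@dataclass
class BotEvent:
    kind: str                      # "lsass_exploit" or "tftp_transfer"
    channel: str                   # IRC channel the status line was sent to
    victim_ip: str                 # host being exploited / receiving the file
    path: Optional[str] = None     # drop path reported by the bot (TFTP only)
    sender: Optional[str] = None   # nick of the reporting bot, if the log kept the prefix


def parse_irc_line(line: str) -> Optional[BotEvent]:
    """Return a BotEvent for one of the two bot status messages, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    sender = prefix.split("!", 1)[0] if prefix else None
    text = m.group("text")
    e = LSASS_RE.match(text)
    if e:
        return BotEvent("lsass_exploit", m.group("target"), e.group("ip"), sender=sender)
    t = TFTP_RE.match(text)
    if t:
        return BotEvent("tftp_transfer", m.group("target"), t.group("ip"),
                        path=t.group("path"), sender=sender)
    return None


def scan_log(log_text: str) -> List[BotEvent]:
    """Run the parser over a whole capture, dropping non-matching lines."""
    return [ev for ev in (parse_irc_line(l) for l in log_text.splitlines()) if ev]


def correlate(events: List[BotEvent]) -> Dict[str, dict]:
    """Group events by victim IP so a responder can see which hosts were only
    probed and which also received the TFTP payload (the ones to image first)."""
    victims: Dict[str, dict] = {}
    for ev in events:
        v = victims.setdefault(ev.victim_ip, {"exploited_by": set(), "dropped": []})
        if ev.kind == "lsass_exploit":
            v["exploited_by"].add(ev.sender)
        else:
            v["dropped"].append(ev.path)
    return victims


if __name__ == "__main__":
    for ip, info in correlate(scan_log(SAMPLE_LOG)).items():
        status = "payload dropped" if info["dropped"] else "exploit attempt only"
        print(f"{ip}: {status}; bots={sorted(b for b in info['exploited_by'] if b)}; files={info['dropped']}")
```

The same content match drives the Snort rule above, so this parser and the rule fire on the same traffic; both only work while the channel traffic is plaintext on the wire, and the rule as posted matches on any port, so it will also catch the channel if the controller moves it off 6667.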