Re: New/old Trojan?
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 11/27/04
- Previous message: Jose Nazario: "RE: Odd addresses on my wireless network"
- In reply to: nixsec: "New/old Trojan?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Nov 2004 19:32:24 -0800 (PST)
To: incidents@securityfocus.com
Paulo,
> ...sygate firewall detected this weird application trying to connect
> to remote site atm-bank.ru, tried looking on google for Mmnkijia.exe
> and could not find anything on it,
This isn't surprising, really. Files can be named
anything on Windows systems, and many bits of malware
install themselves with random names.
> this application hides itself in the folder when using windows
> explorer to view the folder C:\WINNT\system32\ the file would not
> show up,
Is the same true for 'dir'? How about if you map the
C:\ drive remotely and then look for the file?
Sounds like this malware may have rootkit-like
qualities. Given your later description involving a
DLL, I'd think it would be a user-mode rootkit, using
DLL injection.
> using tcpview from sysinternals i found several ports open:
>
> <Non-existant Process>:976 TCP xfiles:247 xfiles:0 LISTENING
> (searched on google and said this was a service called subntbcst_tftp)
This can often be misleading. Many times, people just
don't seem to understand that these things can be
bound to any port, so using a list of "well-known"
ports can be useless.
> (Tcpview.exe would crash when i attempted to kill the process, when i
> reopened it those ports would still be open i think i managed to kill
> the process one time or crashed it somehow and few minutes later got
> back up and running)
Well, if TCPView is unable to get the process name or
PID, there may be trouble when trying to kill the
process, so this isn't unexpected.
Did you try using any other tools, such as fport or
openports?
> I loaded up windows in safe mode with command prompt and from there
> the file would be visible, i found also a DLL file which the exe uses
> called Mngepfne.dll (maybe loaded to hide processes and files?), i
> backed these up for further examination and removed them from the
> system32 folder, this seemed to fix the problem for now and all the
> ports are closed, but i got no idea where it came from!
Again, it sounds like it may be a user-mode rootkit of
some kind. Given that it didn't seem to be effective
when you booted to Safe Mode, I'd suggest checking the
ubiquitous "Run" key in the Registry (now that you've
removed the files, this shouldn't be a problem).
This may have found its way onto your system via the
browser or some other package. Since you said you use
it for gaming, if you've got it online, the issue may
be someone guessing your password following username
enumeration.
Without more information about your system, it's hard
to tell.
One thing to try is this...if you haven't added
anything new to the system (haven't installed
software), you may be able to get an idea of when this
was installed by getting the LastWrite time from the
"Run" key (or whichever key the malware wrote its
presence to...)
> Later i checked the page atm-bank.ru and the index page says page not
> found, so my only guess is it accesses that web site and the owners of
> it can check the web server log files to find infected IPs i did a
> whois on that server name and it's a few months old only created:
> 2004.06.26. If anyone has info or would like a copy of the binary
> files to examine them let me know.
It seems from your logs that all you captured was the
SYN packet, the initial packet for TCP communications.
To see which page the malware was requesting, you'd
have to let the process connect and complete the TCP
handshake, then request the page it wants.
> I'm thinking of maybe installing snort on the windows system and
> reactivate the trojan to see what happens, would like to learn more on
> windows forensics, any tips or other software good to be used to
> gather/examine data?
Uh...get my book?? ;-)
If you have copies of the files, I'd appreciate
copies.
Harlan
=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."
"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
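The three checks Harlan suggests above (compare the Explorer view of system32 against a raw or Safe Mode listing, judge a listener by its owning process rather than by a well-known-ports table, and read the LastWrite time of the "Run" key) can be scripted. The block below is an added example written for this archive page, not code from the original thread or from either poster. The directory listings and the TCPView-style lines are constructed sample data that mirror the symptoms quoted in the thread; the TCPView text layout is assumed from the single line Paulo pasted, and the registry function uses Python's standard `winreg` module, so it only returns data on Windows.

```python
"""Cross-view checks for the user-mode rootkit indicators discussed in the
thread (added example, not from the original post). All sample data is
constructed."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the same directory as seen through Explorer (API view)
# and as seen from Safe Mode with a command prompt (raw view).
EXPLORER_VIEW = """
C:\\WINNT\\system32\\kernel32.dll
C:\\WINNT\\system32\\ntdll.dll
C:\\WINNT\\system32\\tcpview.exe
"""
SAFEMODE_VIEW = """
C:\\WINNT\\system32\\kernel32.dll
C:\\WINNT\\system32\\ntdll.dll
C:\\WINNT\\system32\\tcpview.exe
C:\\WINNT\\system32\\Mmnkijia.exe
C:\\WINNT\\system32\\Mngepfne.dll
"""

# Constructed sample in the TCPView text layout assumed from the thread:
# process:pid proto local remote state
TCPVIEW_LINES = """
<Non-existant Process>:976 TCP xfiles:247 xfiles:0 LISTENING
svchost.exe:812 TCP xfiles:135 xfiles:0 LISTENING
System:8 TCP xfiles:445 xfiles:0 LISTENING
"""


def _index(listing: str) -> dict[str, str]:
    """Map a case-folded path to its original spelling (NTFS is case-insensitive)."""
    return {ln.strip().casefold(): ln.strip() for ln in listing.splitlines() if ln.strip()}


def hidden_entries(api_view: str, raw_view: str) -> list[str]:
    """Files present in the raw view but missing from the API view.
    A non-empty result is the classic cross-view signature of a user-mode
    rootkit hooking the directory-listing APIs that Explorer calls."""
    api, raw = _index(api_view), _index(raw_view)
    return sorted(raw[k] for k in raw.keys() - api.keys())


_TCPVIEW_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\d+)\s+(?P<rhost>\S+):(?P<rport>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_tcpview(text: str) -> list[dict]:
    """Parse TCPView-style lines into dicts; lines that do not match are skipped."""
    rows = []
    for ln in text.splitlines():
        m = _TCPVIEW_RE.match(ln.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage_listeners(text: str) -> list[dict]:
    """Flag listening sockets by who owns them, not by what the port number is
    'supposed' to be: a listener whose owning process cannot be resolved is
    suspect whatever a well-known-ports table says about that port."""
    flagged = []
    for row in parse_tcpview(text):
        if row["state"] != "LISTENING":
            continue
        # TCPView prints a bracketed placeholder when the owner is unknown.
        if row["proc"].startswith("<"):
            row["reason"] = "listener with no owning process"
            flagged.append(row)
    return flagged


RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def filetime_to_datetime(ft: int) -> datetime:
    """Registry LastWrite is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def run_key_lastwrite():
    """On Windows, return (LastWrite time, [(name, data), ...]) for HKLM's Run
    key, the timestamp Harlan suggests using to bound the install time.
    Returns None on other platforms, where winreg does not exist."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        _subkeys, nvalues, last_write = winreg.QueryInfoKey(key)
        values = [winreg.EnumValue(key, i)[:2] for i in range(nvalues)]
    return filetime_to_datetime(last_write), values


if __name__ == "__main__":
    print("hidden from Explorer:", hidden_entries(EXPLORER_VIEW, SAFEMODE_VIEW))
    print("suspect listeners:", triage_listeners(TCPVIEW_LINES))
    print("Run key:", run_key_lastwrite())
```

On the constructed data the cross-view diff reports exactly the two files Paulo only saw from Safe Mode, and the listener triage flags the port-247 socket because its owner is unresolvable, without consulting any service-name table. The LastWrite timestamp is only meaningful if nothing else has touched the key since the infection, which is the caveat Harlan attaches to it.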