Malware/trojan attacks



Over the last several months we have on more than one occasion uncovered a number of Trojans that appear to be seeking corporate information, sending that over a chat session to/through several European sites and downloading additional programs to the infected computer. Here's a short synopsis of the type of conversations one of our people uncovered on a laptop on the network:


Contacts 203.121.73.136 on port TCP/17555.  IRC commands were sent to the workstation to run a command "staticftp" 70.84.109.84 to download a program x.exe. 
Instructed to launch 5 scans (netapi on port 137, wkssvc port 445, asn on port 445, dcom on port 135 and lsass on port 445). 
Connects to 66.36.243.116 on TCP/80 and starts a PHP-based conversation, giving the workstation credentials to the host and receiving the following information:
CARGO:smtp_purple;
MOD:smtp;
PATH:http://niuqennaois.com/s2.5.exe;
SERVER:209.160.64.216;
REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;
Connects to 195.49.141.23 on TCP/3144, retrieving unreadable data
Connects to 66.36.243.116 on TCP/80, exchanging credentials via PHP:
To host:
uuid <wsname>_547611528
wv mag5_min0_build2195_Service_Pack_4
cargo
check purple
To workstation:
REFRESH:3600;
KEY: 864a1bae77fc8053055d02550ed7b49c;
HTTP connections are made to 66.45.232.66, 66.36.243.116 to perform similar PHP and download conversations.
Three-way TCP handshakes are attempted to 74.52.53.66, 68.142.212.41 and 68.142.212.93 on TCP/80, but no further conversation was made.


My questions are:

1. Are other folks in the community seeing this kind of activity?
2. Aside from deleting what you can find, what other actions are recommended/required?
3. Who, if anyone, in the community or law enforcement should be notified?

If this post should be somewhere else, please let me know.

Thanks,

Richard Goetz
IT Security Officer
Kronos, Incorporated
Phone: 978-947-2819
Fax: 978-256-3919
RGoetz@xxxxxxxxxx

Experts at Improving the Performance of People and Business
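
The post lists concrete network indicators (controller IPs and ports, the download domain in the PATH field, and the REFRESH/KEY and CARGO/MOD/PATH check-in blocks). The script below is an added example, not part of the original message, showing how a defender could sweep firewall or proxy logs for those indicators. The key=value log format and the sample lines are constructed for the example; only the indicator values themselves come from the post.

```python
"""Sweep key=value connection/proxy logs for the indicators from the post.

Added example (not from the original message). Indicator values are copied
from the post; the log format and SAMPLE_LOG lines are constructed.
"""
import re

# Endpoints the post names together with a port.
C2_ENDPOINTS = {
    ("203.121.73.136", 17555),  # IRC-style control channel
    ("66.36.243.116", 80),      # PHP check-in and download conversations
    ("66.45.232.66", 80),
    ("195.49.141.23", 3144),    # "unreadable data" channel
    ("74.52.53.66", 80),        # handshake attempted, no further traffic
    ("68.142.212.41", 80),
    ("68.142.212.93", 80),
}
# Hosts the post names without a port (staticftp source, SERVER value).
C2_HOSTS = {"70.84.109.84", "209.160.64.216"}
C2_DOMAINS = {"niuqennaois.com"}          # from the PATH field
KNOWN_KEY = "864a1bae77fc8053055d02550ed7b49c"  # KEY value returned to the workstation

# Shape of the controller responses quoted in the post.
CHECKIN_RE = re.compile(r"REFRESH:\s*\d+;\s*KEY:\s*[0-9a-f]{32};", re.I)
TASKING_RE = re.compile(r"CARGO:\S+;.*MOD:\S+;.*PATH:\S+;", re.I | re.S)

# Constructed log format: space-separated key=value pairs, values optionally quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(line):
    """Return the list of indicator matches for one line (empty if clean)."""
    f = parse_line(line)
    reasons = []
    dst = f.get("dst")
    try:
        dport = int(f.get("dport", -1))
    except ValueError:
        dport = -1
    if (dst, dport) in C2_ENDPOINTS or dst in C2_HOSTS:
        reasons.append(f"known C2 endpoint {dst}:{dport}")
    # Domain may show up in a proxy URL field or inside a check-in body.
    text = " ".join(f.get(k, "") for k in ("host", "url", "body"))
    if any(d in text for d in C2_DOMAINS):
        reasons.append("download domain from PATH field")
    body = f.get("body", "")
    if CHECKIN_RE.search(body):
        reasons.append("REFRESH/KEY check-in response")
    if KNOWN_KEY in body.lower():
        reasons.append("known controller KEY value")
    if TASKING_RE.search(body):
        reasons.append("CARGO/MOD/PATH tasking block")
    return reasons


def scan(lines):
    """Return [(line_number, reasons)] for every line that matched something."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log: internal 10.x hosts, one of them showing the post's pattern.
SAMPLE_LOG = [
    'ts=2006-06-12T10:03:11 src=10.1.2.3 dst=203.121.73.136 dport=17555 proto=tcp',
    'ts=2006-06-12T10:03:40 src=10.1.2.3 dst=66.36.243.116 dport=80 proto=tcp '
    'body="REFRESH:3600;KEY: 864a1bae77fc8053055d02550ed7b49c;"',
    'ts=2006-06-12T10:04:02 src=10.1.2.3 dst=10.1.2.250 dport=445 proto=tcp',
    'ts=2006-06-12T10:04:15 src=10.1.2.3 dst=10.0.0.9 dport=80 url="http://niuqennaois.com/s2.5.exe"',
    'ts=2006-06-12T10:05:00 src=10.1.2.7 dst=198.51.100.20 dport=80 body="<html>ok</html>"',
    'ts=2006-06-12T10:05:30 src=10.1.2.3 dst=66.36.243.116 dport=80 '
    'body="CARGO:smtp_purple;MOD:smtp;PATH:http://niuqennaois.com/s2.5.exe;SERVER:209.160.64.216;"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Running it prints hits for lines 1, 2, 4 and 6 of the sample log; the internal SMB connection and the unrelated web fetch stay silent. The generic REFRESH/KEY and CARGO/MOD/PATH patterns are there so the sweep still fires if the controller IPs change but the check-in protocol does not.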