Re: Possible New ARP DoS - dosprmwin.exe

From: H Carvey (keydet89_at_yahoo.com)
Date: 06/17/04

    Date: 17 Jun 2004 11:59:46 -0000
    To: security-basics@securityfocus.com
    
    
    In-Reply-To: <20040616150756.5056.qmail@www.securityfocus.com>

    David,

    I read through your post, and I've got some questions regarding what you've presented...

    > We noticed on Monday a large amount of random arp traffic throughout our
    > network. After a number of false starts, we linked this traffic to an
    > executable named dosprmwin.exe.

    What did you do to be able to accomplish this? I think it would be educational to the list if you could elaborate just a little on how you went about doing this.

    > We have not been able to find information about this program anywhere.

    All in all, that's not unusual. It could very well be something new, or something not-so-new, but renamed.

    > The registry key where dosprmwin.exe was found had "Micro Process" in
    > the name field.

    Ok...what's the significance of this?

    > This only seemed to be exploiting Windows XP machines without the MS04-
    > 015 (kb840374) update. Also, all infected computers are up to date with
    > Norton Anti-Virus Corporate Edition. We are not sure how the program was
    > propagating, but it was sending out arp traffic to random hosts.

    I'm still not entirely clear on your line of reasoning here...what am I missing? I get the first two sentences, but if you were able to tie the activity to a particular KB article as you did, wouldn't that then tell you how the program was propagating?

    > We were able to solve the problem by running Windows Updates and then
    > stopping the dosprmwin.exe process and removing the file from
    > \windows\system32. The file was marked as hidden, read-only, and system.

    Do you have a copy of this file available for someone to look at?

    > Running fport or netstat -a while the process was still running would
    > show a large number of listening TCP ports. After the process was
    > killed, these listening ports disappeared.

    Does this mean that the output of fport explicitly tied the open ports to this executable file?

    Thanks,

    Harlan
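
Harlan's last question is the crux: plain `netstat -a` lists listening ports but never names the process behind them, so it cannot by itself tie the ports to dosprmwin.exe; fport does, and on Windows XP `netstat -ano` adds the owning PID, which can be joined against `tasklist` to get the image name. The script below is an added example (not part of this thread and not anything the original poster ran) that performs that join and flags any image holding an unusually large number of listening TCP ports. The `netstat -ano` and `tasklist /FO CSV` outputs embedded in it are constructed sample data, with dosprmwin.exe and its PID chosen purely for illustration; the threshold of three ports is an arbitrary assumption.

```python
import csv
import io
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample `netstat -ano` output (illustrative, not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1041      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample `tasklist /FO CSV` output (illustrative, not a real capture).
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","952","Console","0","4,732 K"
"dosprmwin.exe","1844","Console","0","2,104 K"
"""

# proto, local address, local port, foreign address, optional state (UDP has none), PID
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return (proto, local_addr, local_port, foreign_addr, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append((proto, laddr, int(lport), faddr, state or "", int(pid)))
    return rows


def listening_tcp_by_pid(rows):
    """Map PID -> sorted list of TCP ports that are in LISTENING state."""
    ports = defaultdict(set)
    for proto, _laddr, lport, _faddr, state, pid in rows:
        if proto == "TCP" and state == "LISTENING":
            ports[pid].add(lport)
    return {pid: sorted(p) for pid, p in ports.items()}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def map_ports_to_images(netstat_text, tasklist_text):
    """Join listening ports to image names; processes with the most ports first."""
    listening = listening_tcp_by_pid(parse_netstat(netstat_text))
    images = parse_tasklist(tasklist_text)
    report = [(pid, images.get(pid, "<unknown>"), ports)
              for pid, ports in listening.items()]
    report.sort(key=lambda r: (-len(r[2]), r[0]))
    return report


def suspicious_images(report, min_ports):
    """Image names holding at least min_ports listening TCP ports (threshold is an assumption)."""
    return [image for _pid, image, ports in report if len(ports) >= min_ports]


def live_report():
    """Run the two commands on a Windows host and join their output."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout
    return map_ports_to_images(ns, tl)


if __name__ == "__main__":
    if sys.platform == "win32":
        report = live_report()
    else:
        report = map_ports_to_images(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid, image, ports in report:
        print(f"{pid:>6}  {image:<24} {len(ports):>3} listening: {ports}")
    print("worth a look:", suspicious_images(report, min_ports=3))
```

Note that this join yields only the image name, not the path on disk; to confirm the binary is the one in \windows\system32 (and to see its hidden/system attributes) you still need fport, or a `dir /a` of that directory, which is why the question about fport's output matters.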


