Re: Possilbe New Arp DoS - dosprmwin.exe
From: H Carvey (keydet89_at_yahoo.com)
Date: 06/17/04
- Previous message: Shawn Jackson: "RE: 192.168.x.x oddities"
- Maybe in reply to: dsalasche_at_brinkshofer.com: "Possilbe New Arp DoS - dosprmwin.exe"
- Next in thread: Salasche, David: "RE: Possilbe New Arp DoS - dosprmwin.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 17 Jun 2004 11:59:46 -0000 To: security-basics@securityfocus.com In-Reply-To: <20040616150756.5056.qmail@www.securityfocus.com>
David,
I read through your post, and I've got some questions regarding what you've presented...
> We noticed on Monday a large amount of random arp traffic throughout our
> network. After a number of false starts, we linked this traffic to an
> executable named dosprmwin.exe.
What did you do to be able to accomplish this? I think it would be educational to the list if you could elaborate just a little on how you went about doing this.
> We have not been able to find information about this program anywhere.
All in all, that's not unusual. It could very well be something new, or something not-so-new, but renamed.
> The registry key where dosprmwin.exe was found had "Micro Process" in
> the name field.
Ok...what's the significance of this?
> This only seemed to be exploiting Windows XP machines without the MS04-
> 015 (kb840374) update. Also, all infected computers are up to date with
> Norton Anti-Virus Corporate Edition. We are not sure how the program was
> propagating, but it was sending out arp traffic to random hosts.
I'm still not entirely clear on your line of reasoning here...what am I missing? I get the first two sentences, but if you were able to tie the activity to a particular KB article as you did, wouldn't that then tell you how the program was propagating?
> We were able to solve the problem by running Windows Updates and then
> stopping the dosprmwin.exe process and removing the file from
> \windows\system32. The file was marked as hidden, read-only, and system.
Do you have a copy of this file available for someone to look at?
> Running fport or netstat -a while the process was still running would
> show a large number of listening TCP ports. After the process was
> killed, these listening ports disappeared.
Does this mean that the output of fport explicitly tied the open ports to this executable file?
Thanks,
Harlan
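On the fport versus netstat point raised above: `netstat -a` lists listening ports with no owner, whereas `netstat -ano` (PID column) joined against `tasklist /fo csv` gives the per-process view that fport prints directly. The following is an added example, not code from this thread; the netstat and tasklist output is constructed and the PIDs are placeholders.

```python
"""Join `netstat -ano` listeners to `tasklist` images and flag images holding
many listening ports. Samples are constructed; the PIDs are placeholders."""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows XP column layout).
NETSTAT_SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.10:1031      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","4,512 K"
"dosprmwin.exe","1764","Console","0","1,204 K"
"""

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def listening_ports_by_pid(text):
    """Map PID -> sorted list of TCP ports in LISTENING state (UDP and non-listening rows skipped)."""
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])  # local address is host:port
            ports[int(fields[4])].add(port)
    return {pid: sorted(p) for pid, p in ports.items()}

def suspicious_listeners(netstat_text, tasklist_text, threshold=3):
    """Return {image: ports} for images with at least `threshold` listening ports (threshold is illustrative)."""
    names = parse_tasklist(tasklist_text)
    result = {}
    for pid, ports in listening_ports_by_pid(netstat_text).items():
        if len(ports) >= threshold:
            result[names.get(pid, f"<unknown pid {pid}>")] = ports
    return result
```

Re-running the join after the process is killed should show the flagged image gone from the result, which is the check the quoted post describes.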