follow-up on Microsoft Knowledge Base Article - Q328691

From: aladin (aladin168@hotmail.com)
Date: 09/08/02


This is a follow-up to my original posting:
http://groups.google.com/groups?q=solution+irc+virus&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com&rnum=4

More Analysis on IRC Virus/Trojan Part 2:
By
++++++++++++++++++++
Kyle Lai, CISSP, CISA
Kyle Lai Consulting
Aladin168@hotmail.com
++++++++++++++++++++
++++++++++++++++++++++++++
Disclaimer:
First of all, I want to say that I have nothing against Microsoft. I
am just presenting my analysis.
This analysis is based on my examination of the IRC Trojan/virus as
referenced in Microsoft Knowledge Base Article - Q328691; however, I
am not to be held responsible for the information provided. Also, I
have not researched any of the previous IRC/flood Trojan/viruses;
therefore, I am not knowledgeable in all aspects of that topic. If
you think the information, in this posting, is not accurate, please
send me an email.
+++++++++++++++++++++++++++

This IRC Trojan/virus is vaguely similar to the earlier IRC/flood
Trojan/virus. However, this time it takes advantage of weak computer
systems security and performs a denial of service (DoS) attack. The
vulnerability is typically caused by the lack of corporate security
awareness.

Just some comments to Microsoft's response:

1. It uses port 445, which is SMB over TCP, for the attack. It doesn't
use port 139, so NT4 is not vulnerable to this particular Trojan.
However, port 139 is another typical hackers' target. Make sure your
firewall is locked down. If you don't have a firewall, get one!

2. OCXDLL.EXE is a self-extracting executable containing 17 files. To
totally remove the Trojan, you can read my original analysis, where I
listed all the files that are "directly" involved
(http://groups.google.com/groups?q=solution+irc+virus&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com&rnum=4).
Again, I can't tell if any files were added/deleted by the hackers
for all of you out there. Reason: once the hacker(s) compromised
your machine(s), they own your entire system(s).

3. ncp.exe was included in ocxdll.exe. ncp.exe is actually the NetCat
program, which is one of hackers' favorite tools. Microsoft did not
identify this tool.

4. mt.exe was another program that requires cygwin.dll. If you use a
Linux emulator via Cygwin, then this file would exist on your system.
In discussion with Symantec, one analyst said "mt.exe is just a rather
old Unix bot named knight.c that has been recompiled to use cygwin and
run on Windows. This is basically a DDoS bot." However, I cannot
confirm this because I have never dealt with it before. In the
scripts, I did not see any evidence of mt.exe being called; however, I
wouldn't rule out the hacker having executed this program remotely.

5. Microsoft said in the article Q328691 "NOTE: Paths to the files are
not listed because they may vary." This statement is correct;
however, probably 99% (just a guess) of the people set up with the
default Windows 2000 configuration, which will leave you at
"\WINNT\SYSTEM32". I suspect that ocxdll.exe was copied to the
folder where "services.exe" is located, because when I tried to run
psexec.exe similar to the ones in the script, it started the process
"services.exe" on the remote system, followed by "psexesvc.exe", then
followed by "services.exe". Guys, I didn't have time to try it out,
and if you can, keep me updated with your test results. I can't find
psexesvc.exe on my system though… PSEXEC.EXE can be downloaded from
Sysinternals. (http://www.sysinternals.com/ntw2k/freeware/psexec.shtml)

Test procedure:
a. Download psexec.exe and save it at c:\test\.
b. Create a file called c:\test\test.bat with the following 2 lines
Echo done testing > test-1.txt

c. Type ( Net Use \\[computer_ip]\IPC$ "[password]"
/user:[administrator id]) to connect to the remote computer as a
system admin.
d. Type in "psexec \\[remote-system] -f -c -d test.bat -o" (to examine
where the files are copied to.)
e. Go to the remote system, "cd %systemroot%\system32", search for test*.*
and you should find:
i. Test.bat
ii. Test-1.txt
f. Open test-1.txt, and you will see the following line in the file,
which proves that "test.bat" has been executed:
"done testing"

g. This showed basically how psexec.exe works, and how dangerous it
could be in a hacker's hands… psexec.exe copied the test.bat file
over to the remote system, and then executed it right after it was
copied.

6. It tried to create a filelist of each filetype with the following
format .MPG, .AVI, .ASF, .RAR, .ZIP, .CUE. These instructions are in
httpsearch.ini. Since the machines I examined have this file
extracted from ocxdll.exe in 8.3 format ( "httpsear.ini"), I don't
believe this script was executed. Therefore, I did not see files such
as:
a. listmpg.txt
b. listavi.txt
c. listasf.txt
d. listrar.txt
e. listzip.txt
f. listcue.txt
g. warezlist.txt
h. medialist.txt

You probably want to check these files anyway though…

7. In my previous analysis, there is the content of TFTP8675, which
was the actual security template that was applied to the security
settings. This template actually changed user permissions/rights
policies. There are 3 major discoveries:
a. If you compare it with the basic Microsoft default templates that
ship with Windows 2000, this hacker used the exact basic Microsoft
template, but added the [Permission Rights] section of the security
template.

b. It tries to assign Guest the right to "logon locally". The entry
was (seinteractivelogonright =
*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501).
*S-1-5-21-1960408961-1637723038-1801674531-501 is the Guest user SID
it tried to add to the system ("501" at the last section of the SID
indicates the Guest account). On the systems I examined, the SID
value did not change when it was spreading, which meant guest accounts
were not added successfully.

c. The part where it replaced the "Access this computer from the
network" policy is (senetworklogonright = Microsoft). I noticed that
the designer of this Trojan/virus/malware used SIDs to assign user
rights except for this one… I think he/she is trying to make a point (?)

I don't think there can be a conclusion on what's lost if the systems
were compromised. However, in my humble opinion, the purpose of this
Trojan/virus/malware might be to show Microsoft that port 445 is open
on many Windows 2000 and XP systems out there, which are not
protected, and to show that a lot of people out there are not security
conscious on their Windows 2000 and XP systems, which require a little
bit more technical skills to lock down the systems.

I highly recommend that system administrators follow the Microsoft
security guidelines on hardening their Windows-based environment.

I would also suggest that everyone infected by a Trojan/virus run
some anti-Trojan programs in addition to the anti-virus software.
Use anti-Trojan programs like Anti-Trojan (http://www.anti-Trojan.net),
Pest Patrol (http://www.pestpatrol.com), and others to ensure there
are NO Trojan/hacker tools on your systems, which are sometimes missed
by anti-virus programs.

Besides anti-Trojan software, you probably should run something
like Ad-Aware (http://www.lavasoftusa.com/) to remove the adware that
was downloaded unintentionally while you were surfing the web…

I hope "Internet Security" is not an oxymoron.

Kyle Lai, CISSP, CISA
Kyle Lai Consulting
Aladin168@hotmail.com
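As an added example (not part of the original post or of the template the author recovered), the following script audits the rights section of a secedit-style security template the way point 7 does by hand: it flags a Guest RID (-501) being granted a logon right and a rights entry that is a bare name rather than a SID. The template text is a constructed sample modelled on the entries quoted above, and the section is accepted under both the author's "[Permission Rights]" label and secedit's own "[Privilege Rights]" name.

```python
"""Audit the user-rights section of a Windows security template (.inf)."""
import configparser
import re

# Constructed sample modelled on the seinteractivelogonright /
# senetworklogonright entries quoted in the post; not the real TFTP8675 file.
SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[Privilege Rights]
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
senetworklogonright = Microsoft
sedenyinteractivelogonright = *S-1-5-32-546
"""

RIGHTS_SECTIONS = {"privilege rights", "permission rights"}
# Logon rights an analyst scrutinises when granted to a well-known account.
LOGON_RIGHTS = {"seinteractivelogonright", "senetworklogonright",
                "seremoteinteractivelogonright"}
# Well-known RIDs: the last sub-authority of an account SID.
RISKY_RIDS = {"500": "built-in Administrator", "501": "built-in Guest"}
SID_RE = re.compile(r"^\*S-1-5(?:-\d+)+$")


def parse_privilege_rights(template_text):
    """Return {right_name: [principal, ...]} from the rights section."""
    cp = configparser.ConfigParser(interpolation=None)  # keys are lowercased
    cp.read_string(template_text)
    rights = {}
    for section in cp.sections():
        if section.lower() in RIGHTS_SECTIONS:
            for right, value in cp[section].items():
                rights[right] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def audit_rights(rights):
    """Return (right, principal, reason) tuples for suspicious assignments."""
    findings = []
    for right, principals in rights.items():
        for principal in principals:
            if not SID_RE.match(principal):
                # secedit expects *SID entries; a bare name is resolved at apply time
                findings.append((right, principal, "principal is a name, not a SID"))
                continue
            rid = principal.rsplit("-", 1)[1]
            if right in LOGON_RIGHTS and rid in RISKY_RIDS:
                findings.append((right, principal,
                                 f"{RISKY_RIDS[rid]} (RID {rid}) granted a logon right"))
    return findings


if __name__ == "__main__":
    for finding in audit_rights(parse_privilege_rights(SAMPLE_TEMPLATE)):
        print(finding)
```

The same two functions run unchanged against a real template exported with secedit, so the check can be repeated on any host where an unexpected template was applied.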


