Re: IRAQ_OIL.EXE and Port 445 traffic
From: aladin (aladin168@hotmail.com)
Date: 12/20/02
- Next message: Jason Gallas: "Re: Account Lockouts"
- Previous message: COCO: "ctrl-alt-del"
- In reply to: Karl Levinson [x y] mvp: "Re: IRAQ_OIL.EXE and Port 445 traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: aladin168@hotmail.com (aladin) Date: 19 Dec 2002 15:12:59 -0800
www.klcconsulting.net
www.kylelai.com
Now the anti-virus community has started seeing the impact of port 445
viruses, but port 445 viruses/Trojans had attacked several times prior
to this incident, and many times the Trojans generated DDoS attack
zombies... If you got attacked this time, you probably want to check
if you were infected by other viruses / Trojans that use the same attack
methods and guessed the administrator accounts and passwords.
It's sad that it has to take another virus to generate the
awareness... The Lioten worm / virus is just another proof that port 445
viruses and Trojans can be very wild, dangerous and effective in
compromising systems. They are hard to control because many corporate
and home users do not set strong passwords on their systems.
I am not sure what activities were on the log, but port 445 probing
and attacks are not new at all. You can see my Trojan Analysis on
ocxdll.exe / taskmngr.exe (another port 445 mIRC Trojan that had swept
the world several times) at
http://www.klcconsulting.net/mIRC_Virus_Analysis.htm
The SMB over TCP (port 445) Trojans I am familiar with are ocxdll.exe
and its variants. The first ocxdll.exe Trojan came out around late
August 2002; the second wave was around middle to late October 2002.
Each one of them infected a lot of systems around the world, and
possibly tried to build a DDoS zombie network for attacks. Some of
them were known to steal user accounts and passwords, and credit card
info saved on the computers. Port 445 only affects Windows 2000
and XP, but what people don't really know is that when a client is
connecting to Windows 2000 or XP shares (also Null Session), if port
445 is blocked on Windows 2000 or XP, Windows tries port 139 as an
alternate route. If port 139 is blocked, then the SMB traffic can't
get out. This means ports 445 and 139 should both be blocked to
effectively stop port 445 types of Trojans. For more details on port
445, SMB over TCP, check http://ntsecurity.nu/papers/port445/
Regarding ocxdll.exe (taskmngr.exe), Microsoft posted a knowledge
base article (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691)
but failed to discuss the port 445 impacts. I did express my
concern to one of the Microsoft PSS Security Analysts, the department
that released the KB article, but Microsoft and other anti-virus
companies didn't seem to worry about the impact of that Trojan and
port 445 activities... The ocxdll.exe Trojan from late August 2002
only guessed 4 administrator accounts and passwords because it only
had 4 entries in the "password dictionary" file that was part of the
Trojan, and yet it got into a large number of corporate and home
systems. There have been several variants out since, and the
variants, as well as the Lioten worm, have a lot more entries in the
"password dictionary", which means more systems with
weak passwords will be compromised. I believe that this is not the
end of the port 445 types of viruses...; it may be just the beginning,
because these types of viruses were effective and there are still a lot
of weak systems out there.
I have tracked several ocxdll.exe / taskmngr.exe variants from people
that got infected (http://www.newbie.org/help/messages/2553.html), and
I know this Trojan is still in the wild and infecting a lot of
systems.
Many analysts mentioned removing Null session connections on Windows
2000 and XP systems to solve this type of attack, but they probably
should put a bigger warning about testing the removal of Null sessions
before moving into the production environment. Many corporations are
not ready to unplug the Null sessions due to the mix of Windows OS
platforms.
As we can see here, port 445 viruses / Trojans / worms are wild,
dangerous, and very effective in system compromises. Not all port 445
viruses are Lioten (Iraq oil), as you see; there are ocxdll.exe
(taskmngr.exe) and others out there. I hope the Windows 2000 and XP
users can get the computer security message about hardening their
passwords, or at least get some message that someone could steal their
credit card and personal info that's left on the computer if they
don't set hard-to-guess passwords on all their computer and web
accounts.
I hope "Internet Security" is not an Oxymoron.
/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai@klcconsulting.net
www.klcconsulting.net
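Two defender-side checks that follow from the points in the post above, written as an added example that is not part of the original message or of KLC Consulting's material. The first models the client fallback Kyle describes (a Windows 2000/XP client tries TCP 445 first and falls back to TCP 139), so it shows why a filter that blocks only one of the two ports still leaves SMB reachable. The second reads firewall log lines and flags any source that attempts TCP 445/139 connections against several distinct internal hosts, which is the footprint a password-guessing worm of the kind described leaves at the perimeter. The log line format, the field layout and every IP address below are constructed for this example and do not come from the post.

```python
"""Added example (not from the original post): SMB port-fallback check
and a firewall-log scan for hosts probing TCP 445/139 across the network.
The log format and addresses are constructed for illustration."""
import re
from collections import defaultdict

# Order matters: a Windows 2000/XP client tries 445 first, then 139.
SMB_PORTS = (445, 139)


def smb_reachable(blocked_ports):
    """Return the TCP port an SMB session would end up using given a set of
    blocked ports, or None when both 445 and 139 are blocked (the only case
    in which the SMB traffic really cannot get through)."""
    for port in SMB_PORTS:
        if port not in blocked_ports:
            return port
    return None


# Constructed log format: "<date> <time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+ \S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Constructed sample: one external source sweeps five internal hosts on
# SMB ports, some of which the filter let through; the rest is noise.
SAMPLE_LOG = """\
2002-12-19 15:01:02 DENY TCP 203.0.113.7:3412 -> 192.0.2.10:445
2002-12-19 15:01:02 DENY TCP 203.0.113.7:3413 -> 192.0.2.11:445
2002-12-19 15:01:03 ALLOW TCP 203.0.113.7:3414 -> 192.0.2.12:139
2002-12-19 15:01:03 DENY TCP 203.0.113.7:3415 -> 192.0.2.13:445
2002-12-19 15:01:04 ALLOW TCP 203.0.113.7:3416 -> 192.0.2.14:445
2002-12-19 15:02:10 ALLOW TCP 198.51.100.5:1025 -> 192.0.2.10:80
2002-12-19 15:02:11 ALLOW TCP 192.0.2.50:1026 -> 192.0.2.10:445
2002-12-19 15:02:12 DENY TCP 203.0.113.9:2000 -> 192.0.2.10:139
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        events.append({"ts": ts, "action": action, "src": src,
                       "dst": dst, "dport": int(dport)})
    return events


def find_smb_probers(events, min_targets=3):
    """Sources that touched TCP 445 or 139 on at least min_targets distinct
    hosts. For each, report how many hosts were probed and how many of the
    attempts the filter allowed (the ones worth following up first)."""
    targets = defaultdict(set)
    allowed = defaultdict(int)
    for e in events:
        if e["dport"] in SMB_PORTS:
            targets[e["src"]].add(e["dst"])
            if e["action"] == "ALLOW":
                allowed[e["src"]] += 1
    return {src: {"hosts": len(hosts), "allowed": allowed[src]}
            for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    print("block 445 only ->", smb_reachable({445}))        # 139
    print("block 445+139  ->", smb_reachable({445, 139}))   # None
    for src, info in find_smb_probers(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['hosts']} hosts probed, {info['allowed']} allowed")
```

The threshold `min_targets` separates a single stray SMB connection from a sweep; lower it on a small network. On a real perimeter the same logic applies to whatever log format the filter writes, with only `LOG_RE` needing to change.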