How did my system get infected with a Trojan?

Hello all,

I run a Windows XP SP2 system at our site that I use as a honeypot of sorts
to help me better determine how to protect our site from intrusions. I
should note that I'm not any sort of security expert ... at all. I follow
the security best practices as suggested by Microsoft as best I can. The
system has an identical configuration to our protected systems except that
it doesn't sit behind any firewall since I'm interested in how quickly a
system would get infected without a firewall to protect it. The system is
running the Symantec Client Security suite (Antivirus v.10.0.2.2000 and
Firewall v.8.6.2.133) and is always fully patched.

Although it is not unusual for this host to be compromised when a new
exploit is discovered, yesterday the system got hit with what the AV engine
flagged as the W32.Spybot.Worm worm (although TrendMicro flags it as
WORM_RBOT.BJJ, which seems like a more accurate description). What strikes
me as odd about this Trojan is that it is over a year old (according to
Symantec) and although the AV scanner flagged the compromised file
(c:\windows\system\w32svc.exe), it couldn't remove the file. Additionally,
the exploits that the Trojan makes use of, namely the RPCSS (MS03-039) and
LSASS (MS04-011) vulnerabilities, should have been patched on this system.
Even though a non-privileged user was logged in at the time and doing
essentially nothing, the worm was able to install itself as a service
running as LocalSystem. The system wasn't running anything out of the
ordinary such as P2P software. Also, there was neither an e-mail nor an IM
application running at the time of the intrusion. The system security logs
show a failed account logon attempt to the NtLmSsp by the local system
account immediately prior to the worm starting its IRC Bot, but only one
failed attempt was logged.

Does anybody have any ideas as to how the attack was perpetrated? Like I
mentioned, what concerns me here is that according to the exploit
description, the system should have been protected. Any hints, tips or
suggestions would be appreciated.

Thanks.
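Two of the checks the post describes doing by hand (is the box really patched for the two bulletins the worm targets, and which LocalSystem services point at binaries in odd places such as c:\windows\system\w32svc.exe) can be scripted. The script below is an added example written for this page, not code from the original poster, Symantec or Microsoft. It assumes the hotfix identifiers KB824146 for MS03-039 and KB835732 for MS04-011 (check them against the bulletins before relying on them), and it works on constructed sample data standing in for `wmic qfe` output and for service image paths, so it runs offline; on a live host you would feed it the real command output instead.

```python
import re
from typing import Dict, List, Tuple

# Hotfix IDs assumed to close the two holes the post names (assumption:
# taken from the bulletin numbering, verify against the bulletins).
REQUIRED_HOTFIXES: Dict[str, str] = {
    "MS03-039 (RPCSS)": "KB824146",
    "MS04-011 (LSASS)": "KB835732",
}

# Constructed sample in the shape of `wmic qfe get HotFixID` output.
SAMPLE_QFE_OUTPUT = """\
HotFixID
KB824146
KB835732
KB893066
"""

# Constructed sample of service definitions (name, ImagePath, ObjectName),
# the same fields `sc qc <service>` or the Services registry key would give.
# The w32svc entry mirrors the path the post reports; the others are made up.
SAMPLE_SERVICES = [
    {"name": "Eventlog", "image": r"%SystemRoot%\system32\services.exe",
     "account": "LocalSystem"},
    {"name": "w32svc", "image": r"c:\windows\system\w32svc.exe",
     "account": "LocalSystem"},
    {"name": "ExampleAV", "image": r'"C:\Program Files\Example AV\avsvc.exe" /service',
     "account": "LocalSystem"},
    {"name": "Alerter", "image": r"C:\WINDOWS\system32\svchost.exe -k LocalService",
     "account": r"NT AUTHORITY\LocalService"},
]

# Directories a LocalSystem service binary is normally expected to live in.
# Heuristic only: legitimate third-party services can live elsewhere.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def installed_hotfixes(qfe_text: str) -> set:
    """Collect every KBnnnnnn token from hotfix listing output."""
    return {m.group(0).upper() for m in re.finditer(r"(?i)\bKB\d{6,7}\b", qfe_text)}


def missing_patches(qfe_text: str,
                    required: Dict[str, str] = REQUIRED_HOTFIXES) -> List[str]:
    """Return the bulletins whose hotfix is absent from the listing."""
    have = installed_hotfixes(qfe_text)
    return [bulletin for bulletin, kb in required.items() if kb.upper() not in have]


def image_path(image: str) -> str:
    """Extract the executable path from an ImagePath value (quotes, args removed)."""
    m = re.match(r'\s*"?(.+?\.exe)', image, re.IGNORECASE)
    path = (m.group(1) if m else image).strip().lower()
    # Assumption: %SystemRoot% expands to c:\windows on this host.
    return path.replace("%systemroot%", "c:\\windows")


def suspicious_services(services) -> List[Tuple[str, str, str]]:
    """Flag LocalSystem services whose binary sits outside the trusted directories."""
    findings = []
    for svc in services:
        if svc["account"].lower() != "localsystem":
            continue  # lower-privilege accounts are not the concern here
        path = image_path(svc["image"])
        if not path.startswith(TRUSTED_DIRS):
            findings.append((svc["name"], svc["image"], "binary outside trusted dirs"))
    return findings


if __name__ == "__main__":
    for bulletin in missing_patches(SAMPLE_QFE_OUTPUT):
        print("MISSING PATCH:", bulletin)
    for name, image, why in suspicious_services(SAMPLE_SERVICES):
        print(f"SUSPICIOUS SERVICE {name}: {image} ({why})")
```

On a live XP host the hotfix listing comes from `wmic qfe get HotFixID` and the service data from `sc query` plus `sc qc <name>` (or the `HKLM\SYSTEM\CurrentControlSet\Services` keys); the directory whitelist is a heuristic, so treat a hit as something to look at rather than proof of compromise.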
