Security Incidents mailing list archives

Nimda.E/unknown memory resident, internet-aware processes


From: Matt Hornsby <mr.hornsby () attbi com>
Date: 20 Mar 2003 06:10:54 -0000



Hopefully someone else out there has run across something similar to 
this.  After searching the internet for more than a week and finding 
nothing, I am posting to this list in the event that this has been 
discovered before.

Recently, a client's NT 4.0 server was infected with what appeared to be 
Nimda.E.  Their ISP completely shut off their broadband connection after 
detecting large amounts of Nimda related traffic scanning for vulnerable 
systems.

The first thing I noticed when I arrived on the scene was what appeared to 
be a complete system compromise.  Multiple backdoors and remote 
administration packages were installed.  Dameware, psyBNC, several 
backdoor daemons, an FTP server and several other exploits were present.  
Upon running a Nimda.E cleanup utility and discovering the extent of the 
compromise (this system had more holes than swiss cheese), I looked at the 
network traffic and saw several suspect connections.  One was to an ICQ 
server, one was to something on port 6667 (presumably an IRC server), and 
one other connection to port 2787.  

Finally, I noticed a box reading "MIRC Windows NT Security" popping up for 
a fraction of a second every minute or so.  Unfortunately it was not long 
enough for me to catch what process was spawning it.

Curious as to what was being communicated, I fired up a packet sniffer and 
discovered that the connection to port 2787 was actually to a private IRC 
server on a non-standard port.  This machine was being used as a drone 
along with about 500 other compromised systems on just that one IRC server.

Later on, I managed to find and log into the IRC server and caught the 
attention of a few people who claimed to be administrators of the IRC 
server and authors of the code responsible for this compromise.

They claimed to be Russian coders who have been working on a program they 
called "sysnet.exe" for 1.5 to 2 years.  According to them, the program is 
a swiss army knife of backdoors and exploits, all automatically installed 
through IIS vulnerabilities.  I was not able to find sysnet.exe anywhere 
on the affected system or in its registry.

Shortly after the conversation, the IRC server was shut down.  
Interestingly enough, when I turned the affected system back on, it was 
now connecting to another system, yandex.ru on the same port (2787).  Also 
of note were connections to a remote system on ports 59230 and 19736.

All other attempts to determine the source of these connections have 
failed.  FPORT would not display ANY connections, even legitimate ones.  
What little I have found on the subject seems to suggest that any time 
that FPort doesn't return any information is cause for great concern.

Unfortunately, since it was a production machine that belonged to a 
client, I was unable to study it further before doing a clean OS install.  
All attempts to discover the root of the infection came up dry.  The best 
I can surmise is that it was infected with Nimda.E, and then this exploit 
was used to install the rootkit and further compromise the system.  The 
system logs showed nothing except failed attempts at calls to cmd.exe.

Anyhow, this is the first time I have posted here, so if I have posted to 
the wrong place or overlooked some other rule of etiquette I apologize in 
advance.  I leave you with some snippets of network traffic that I was 
able to capture:

Packet data:
0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
0010: 00 7E 9E 4F 40 00 31 06 71 2D 3F F1 B3 46 40 51 ...O@.1.q-?..F@Q
0020: 06 75 0A E3 04 9B 0D 6A 82 1B 00 02 1B D7 50 18 .u.....j......P.
0030: 0B 68 5F F5 00 00 3A 69 72 63 2E 43 68 61 6F 53 .h_...:irc.ChaoS
0040: 2E 4E 65 74 20 33 32 34 20 77 5F 33 33 37 38 36 .Net 324 w_33786
0050: 6C 5F 20 23 30 32 20 2B 73 6D 74 6E 20 0D 0A 3A l_ #02 +smtn ..:
0060: 69 72 63 2E 43 68 61 6F 53 2E 4E 65 74 20 33 32 irc.ChaoS.Net 32
0070: 39 20 77 5F 33 33 37 38 36 6C 5F 20 23 30 32 20 9 w_33786l_ #02 
0080: 31 30 34 39 38 38 38 32 39 31 0D 0A             1049888291..

this one shows some of the many systems logged in:

Packet data:
0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
0010: 05 91 9C FA 40 00 31 06 6D 6F 3F F1 B3 46 40 51 ....@.1.mo?..F@Q
0020: 06 75 0A E3 04 9B 0D 6A 7C B2 00 02 1B CE 50 18 .u.....j|.....P.
0030: 0B 68 67 30 00 00 3A 77 5F 33 33 37 38 36 6C 5F .hg0..:w_33786l_
0040: 21 4D 30 32 34 37 35 31 58 40 41 38 35 38 42 42 !M024751X@A858BB
0050: 36 35 43 35 45 34 42 41 31 35 38 30 42 31 31 44 65C5E4BA1580B11D
0060: 46 43 42 42 44 36 33 44 78 20 4A 4F 49 4E 20 3A FCBBD63Dx JOIN :
0070: 23 30 32 0D 0A 3A 69 72 63 2E 43 68 61 6F 53 2E #02..:irc.ChaoS.
0080: 4E 65 74 20 33 35 33 20 77 5F 33 33 37 38 36 6C Net 353 w_33786l
0090: 5F 20 40 20 23 30 32 20 3A 77 5F 33 33 37 38 36 _ @ #02 :w_33786
00A0: 6C 5F 20 71 5F 36 38 31 33 31 7A 5F 20 6C 5F 35 l_ q_68131z_ l_5
00B0: 39 32 35 35 64 5F 20 71 5F 35 35 32 32 33 78 5F 9255d_ q_55223x_
00C0: 20 69 5F 37 37 32 34 35 7A 5F 20 61 5F 32 34 32  i_77245z_ a_242
00D0: 31 39 6A 5F 20 79 5F 35 39 39 32 34 6B 5F 20 71 19j_ y_59924k_ q
00E0: 5F 36 34 38 39 37 64 5F 20 78 5F 37 36 31 34 34 _64897d_ x_76144
00F0: 79 5F 20 64 5F 32 39 30 37 31 6A 5F 5B 73 63 61 y_ d_29071j_[sca
0100: 6E 5D 20 69 5F 38 34 34 33 36 65 5F 5B 73 63 61 n] i_84436e_[sca
0110: 6E 5D 20 6A 5F 35 35 30 34 32 7A 5F 20 6D 5F 31 n] j_55042z_ m_1
0120: 39 31 39 39 62 5F 20 6D 5F 38 33 35 35 36 63 5F 9199b_ m_83556c_
0130: 20 61 5F 39 33 30 36 34 6D 5F 20 63 5F 38 35 32  a_93064m_ c_852
0140: 33 31 78 5F 20 68 5F 35 34 34 35 38 66 5F 20 69 31x_ h_54458f_ i
0150: 5F 34 35 30 37 39 78 5F 20 40 4C 20 6E 5F 38 32 _45079x_ @L n_82
0160: 37 34 30 6B 5F 20 6D 5F 35 38 31 34 30 68 5F 20 740k_ m_58140h_ 
0170: 63 5F 34 35 30 39 33 76 5F 20 67 5F 37 34 39 35 c_45093v_ g_7495
0180: 34 6D 5F 20 62 5F 37 35 38 32 30 69 5F 20 72 5F 4m_ b_75820i_ r_
0190: 32 30 35 31 35 66 5F 20 76 5F 37 31 39 36 39 6C 20515f_ v_71969l
01A0: 5F 20 6E 5F 31 36 37 30 31 61 5F 20 67 5F 31 37 _ n_16701a_ g_17
01B0: 37 39 37 74 5F 20 63 5F 35 34 33 31 36 6D 5F 20 797t_ c_54316m_ 
01C0: 63 5F 34 35 37 36 37 65 5F 20 6C 5F 37 35 39 38 c_45767e_ l_7598
01D0: 32 71 5F 20 74 5F 37 37 30 33 37 6F 5F 20 6A 5F 2q_ t_77037o_ j_
01E0: 32 37 32 30 31 75 5F 20 69 5F 34 33 36 32 33 62 27201u_ i_43623b
01F0: 5F 5B 73 63 61 6E 5D 20 73 5F 36 30 31 36 38 69 _[scan] s_60168i
0200: 5F 20 76 5F 34 33 34 38 39 70 5F 20 68 5F 33 30 _ v_43489p_ h_30
0210: 37 39 37 6B 5F 20 6E 5F 32 35 30 33 32 71 5F 20 797k_ n_25032q_ 
0220: 6A 5F 35 34 35 38 32 63 5F 20 75 5F 32 32 36 34 j_54582c_ u_2264
0230: 30 73 5F 20 77 5F 34 31 38 36 38 6E 5F 20 79 5F 0s_ w_41868n_ y_
0240: 35 33 35 31 30 6C 5F 20 0D 0A 3A 69 72 63 2E 43 53510l_ ..:irc.C
0250: 68 61 6F 53 2E 4E 65 74 20 33 35 33 20 77 5F 33 haoS.Net 353 w_3
0260: 33 37 38 36 6C 5F 20 40 20 23 30 32 20 3A 6D 5F 3786l_ @ #02 :m_
0270: 31 31 34 32 37 79 5F 20 70 5F 39 34 30 33 30 70 11427y_ p_94030p
0280: 5F 20 68 5F 39 32 38 37 38 65 5F 20 75 5F 31 36 _ h_92878e_ u_16
0290: 31 35 31 70 5F 20 78 5F 35 34 30 34 35 6F 5F 20 151p_ x_54045o_ 
02A0: 72 5F 39 33 30 34 37 6E 5F 20 65 5F 32 37 39 39 r_93047n_ e_2799
02B0: 33 79 5F 5B 73 63 61 6E 5D 20 67 5F 37 31 33 39 3y_[scan] g_7139
02C0: 37 6A 5F 5B 73 63 61 6E 5D 20 6F 5F 37 38 34 39 7j_[scan] o_7849
02D0: 31 6E 5F 20 73 5F 39 37 34 36 36 70 5F 20 6A 5F 1n_ s_97466p_ j_
02E0: 32 30 31 34 36 79 5F 20 69 5F 39 39 37 34 36 6C 20146y_ i_99746l
02F0: 5F 5B 73 63 61 6E 5D 20 64 5F 32 36 33 36 35 67 _[scan] d_26365g
0300: 5F 5B 73 63 61 6E 5D 20 76 5F 32 39 37 30 36 6F _[scan] v_29706o
0310: 5F 20 70 5F 31 34 30 35 31 69 5F 20 72 5F 33 35 _ p_14051i_ r_35
0320: 32 37 39 6F 5F 20 6E 5F 34 30 31 35 39 72 5F 20 279o_ n_40159r_ 
0330: 64 5F 33 38 32 34 31 68 5F 5B 73 63 61 6E 5D 20 d_38241h_[scan] 
0340: 66 5F 35 33 31 34 39 70 5F 20 73 5F 37 37 36 36 f_53149p_ s_7766
0350: 38 6B 5F 20 79 5F 31 35 33 31 37 68 5F 20 6C 5F 8k_ y_15317h_ l_
0360: 33 38 33 38 38 63 5F 20 76 5F 31 35 31 31 33 79 38388c_ v_15113y
0370: 5F 20 64 5F 33 38 39 32 37 74 5F 5B 73 63 61 6E _ d_38927t_[scan
0380: 5D 20 73 5F 35 31 34 37 38 74 5F 20 6E 5F 33 30 ] s_51478t_ n_30
0390: 34 32 39 7A 5F 20 71 5F 35 39 39 36 33 76 5F 20 429z_ q_59963v_ 
03A0: 66 5F 32 36 34 36 34 65 5F 5B 73 63 61 6E 5D 20 f_26464e_[scan] 
03B0: 64 5F 31 36 32 35 32 74 5F 5B 73 63 61 6E 5D 20 d_16252t_[scan] 
03C0: 66 5F 36 31 32 33 34 67 5F 5B 73 63 61 6E 5D 20 f_61234g_[scan] 
03D0: 72 5F 33 34 34 34 39 66 5F 20 63 5F 36 36 34 32 r_34449f_ c_6642
03E0: 36 79 5F 5B 73 63 61 6E 5D 20 69 5F 31 37 32 37 6y_[scan] i_1727
03F0: 33 6E 5F 5B 73 63 61 6E 5D 20 77 5F 36 39 30 39 3n_[scan] w_6909
0400: 38 6D 5F 20 66 5F 33 34 37 33 32 72 5F 20 76 5F 8m_ f_34732r_ v_
0410: 39 36 37 31 35 77 5F 20 0D 0A 3A 69 72 63 2E 43 96715w_ ..:irc.C
0420: 68 61 6F 53 2E 4E 65 74 20 33 35 33 20 77 5F 33 haoS.Net 353 w_3
0430: 33 37 38 36 6C 5F 20 40 20 23 30 32 20 3A 73 5F 3786l_ @ #02 :s_
0440: 37 39 35 34 31 76 5F 20 73 5F 32 39 34 38 32 77 79541v_ s_29482w
0450: 5F 20 61 5F 33 36 33 39 30 71 5F 20 74 5F 39 36 _ a_36390q_ t_96
0460: 32 36 38 66 5F 20 7A 5F 34 37 34 34 37 79 5F 5B 268f_ z_47447y_[
0470: 73 63 61 6E 5D 20 75 5F 31 39 35 39 33 79 5F 20 scan] u_19593y_ 
0480: 61 5F 36 31 33 39 30 68 5F 5B 73 63 61 6E 5D 20 a_61390h_[scan] 
0490: 63 5F 31 37 36 37 34 72 5F 5B 73 63 61 6E 5D 20 c_17674r_[scan] 
04A0: 79 5F 33 31 31 35 37 62 5F 20 73 5F 38 30 33 39 y_31157b_ s_8039
04B0: 38 6A 5F 20 65 5F 38 37 38 35 36 70 5F 5B 73 63 8j_ e_87856p_[sc
04C0: 61 6E 5D 20 62 5F 31 34 34 32 35 77 5F 5B 73 63 an] b_14425w_[sc
04D0: 61 6E 5D 20 68 5F 32 36 35 31 32 6A 5F 5B 73 63 an] h_26512j_[sc
04E0: 61 6E 5D 20 65 5F 34 35 36 35 36 6F 5F 5B 73 63 an] e_45656o_[sc
04F0: 61 6E 5D 20 76 5F 32 38 36 32 36 69 5F 20 64 5F an] v_28626i_ d_
0500: 34 33 37 32 34 6E 5F 5B 73 63 61 6E 5D 20 6D 5F 43724n_[scan] m_
0510: 37 38 33 37 35 69 5F 20 73 5F 35 38 36 36 30 6E 78375i_ s_58660n
0520: 5F 5B 73 63 61 6E 5D 20 66 5F 35 39 38 32 30 68 _[scan] f_59820h
0530: 5F 5B 73 63 61 6E 5D 20 73 5F 33 33 30 32 35 75 _[scan] s_33025u
0540: 5F 20 74 5F 37 37 35 38 34 6F 5F 20 6F 5F 33 32 _ t_77584o_ o_32
0550: 35 32 36 62 5F 20 64 5F 36 39 37 30 37 64 5F 5B 526b_ d_69707d_[
0560: 73 63 61 6E 5D 20 0D 0A 3A 69 72 63 2E 43 68 61 scan] ..:irc.Cha
0570: 6F 53 2E 4E 65 74 20 33 36 36 20 77 5F 33 33 37 oS.Net 366 w_337
0580: 38 36 6C 5F 20 23 30 32 20 3A 45 6E 64 20 6F 66 86l_ #02 :End of
0590: 20 2F 4E 41 4D 45 53 20 6C 69 73 74 2E 0D 0A     /NAMES list...

The ones with [scan] in them, according to the coder I spoke with, were 
those systems that were in the process of scanning the net for new 
vulnerable hosts.

Anyone seen this before?

Cheers!
Matt Hornsby
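An added example, not code from the post: a small Python decoder that rebuilds the frame from the post's first "Packet data" dump, strips the Ethernet II, IPv4 and TCP headers, parses the IRC numerics (324 channel mode, 329, 353 NAMES reply, 366 end of NAMES) and lists the drone nicks, flagging those tagged [scan]. The NAMES payload below is a constructed, abbreviated version of the second capture, and the drone-nick regex is an assumption derived from the nick shapes visible in the dumps.

```python
import re

# First capture from the post, verbatim: one Ethernet/IPv4/TCP frame from the IRC server on port 2787.
PACKET1 = """\
0000: 00 90 27 A4 9A D5 00 20 6F 14 CB 44 08 00 45 00 ..'.... o..D..E.
0010: 00 7E 9E 4F 40 00 31 06 71 2D 3F F1 B3 46 40 51 ...O@.1.q-?..F@Q
0020: 06 75 0A E3 04 9B 0D 6A 82 1B 00 02 1B D7 50 18 .u.....j......P.
0030: 0B 68 5F F5 00 00 3A 69 72 63 2E 43 68 61 6F 53 .h_...:irc.ChaoS
0040: 2E 4E 65 74 20 33 32 34 20 77 5F 33 33 37 38 36 .Net 324 w_33786
0050: 6C 5F 20 23 30 32 20 2B 73 6D 74 6E 20 0D 0A 3A l_ #02 +smtn ..:
0060: 69 72 63 2E 43 68 61 6F 53 2E 4E 65 74 20 33 32 irc.ChaoS.Net 32
0070: 39 20 77 5F 33 33 37 38 36 6C 5F 20 23 30 32 20 9 w_33786l_ #02 
0080: 31 30 34 39 38 38 38 32 39 31 0D 0A             1049888291..
"""

DUMP_LINE = re.compile(r"^[0-9A-F]{4}: ((?:[0-9A-F]{2} ){1,16})")   # offset + up to 16 hex pairs
DRONE_NICK = re.compile(r"^[a-z]_\d{5}[a-z]_(\[scan\])?$")           # assumed from nicks in the dumps

# Constructed RPL_NAMREPLY (353) + RPL_ENDOFNAMES (366), abbreviated from the post's second capture.
NAMES_PAYLOAD = (b":irc.ChaoS.Net 353 w_33786l_ @ #02 :w_33786l_ q_68131z_ d_29071j_[scan] @L i_84436e_[scan]\r\n"
                 b":irc.ChaoS.Net 366 w_33786l_ #02 :End of /NAMES list.\r\n")

def decode_dump(text):
    """Rebuild raw frame bytes from an 'OFFS: xx xx ... ascii' dump, ignoring the ASCII column."""
    return b"".join(bytes.fromhex(m.group(1)) for m in map(DUMP_LINE.match, text.splitlines()) if m)

def tcp_payload(frame):
    """Strip Ethernet II, IPv4 and TCP headers; return (src_port, dst_port, payload)."""
    ip = frame[14:]                                                  # Ethernet II header is 14 bytes
    ihl, total_len = (ip[0] & 0x0F) * 4, int.from_bytes(ip[2:4], "big")
    tcp = ip[ihl:total_len]                                          # bound by IP total length
    doff = (tcp[12] >> 4) * 4                                        # TCP data offset in bytes
    return int.from_bytes(tcp[:2], "big"), int.from_bytes(tcp[2:4], "big"), tcp[doff:]

def parse_irc(payload):
    """Split a TCP payload into IRC messages as (prefix, command, params, trailing)."""
    msgs = []
    for line in (raw.decode("latin-1") for raw in payload.split(b"\r\n") if raw):
        prefix, line = line[1:].split(" ", 1) if line.startswith(":") else ("", line)
        head, _, trailing = line.partition(" :")                     # trailing param after ' :'
        parts = head.split()
        msgs.append((prefix, parts[0], parts[1:], trailing))
    return msgs

def drone_roster(msgs):
    """Nicks from RPL_NAMREPLY (353) that fit the drone pattern, plus the subset tagged [scan]."""
    nicks = [n.lstrip("@+") for _p, cmd, _a, trailing in msgs if cmd == "353" for n in trailing.split()]
    drones = [n for n in nicks if DRONE_NICK.match(n)]
    return drones, [n for n in drones if n.endswith("[scan]")]
```

Running `drone_roster(parse_irc(tcp_payload(decode_dump(dump))[2]))` over a full capture of the 353 replies gives the drone count and the scanning subset the post describes by hand.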



