Security Incidents mailing list archives
Re: strange windows behaviour.
From: Brian Eckman <eckman () umn edu>
Date: Tue, 07 Oct 2003 12:52:25 -0500
On September 25, 2003, I posted an article "Analysis of a Spam Trojan" to the full-disclosure and focus-virus listservs. It details one particular spam trojan we found at the University of Minnesota. The full-disclosure archive can be viewed at:

http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html

We have a bunch of machines currently infected with something else called Autoproxy or a close variant, but I've never seen one used for spam quite yet. I hope to go visit one later today to do analysis on it. For details on that beast, check out:

http://www.lurhq.com/autoproxy.html

Brian

John Sage wrote:
Peter:

On Mon, Oct 06, 2003 at 01:05:13PM -0700, Peter Moody wrote:

Hello all, I've got a bit of a problem, and I was wondering if anyone on this list has seen similar things. Recently, we've been having student Windows machines on our residential network begin spewing large, massive numbers of spam messages (on the order of hundreds of thousands in a few hours) at our mail servers. We promptly disconnect the machines and head down to do some forensic work on the boxes when we get a chance (usually after they call to complain that the internet has died). I've been trying to find information on this, but the most I've been able to come up with is an advisory from Symantec's threat management system saying Mprox (some sort of MS proxy) is to blame. None of the machines I've gone and examined have had this program running, or on the system anywhere for that matter. Has anyone else had similar problems of late? This all started for us about a week ago and it's showing no signs of going away any time soon.

You may be interested in this 09/06/03 post to the UNISOG maillist (unisog () sans org):

/* begin post fragment */

From: Paul Russell <prussell () nd edu>
To: unisog () sans org
Subject: [unisog] Spam from student-owned computers
Date: Mon, 06 Oct 2003 15:51:12 -0500

In the past ten days, we have had five incidents in which student-owned computers in our residence hall network (ResNet) were used to send large quantities of spam. I have seen similar reports from other sites, so I thought some of you might be interested in our experience. Appended below are the case notes from one of these incidents. The report has been edited to remove all personal identification information. The analysis of the student's workstation was performed by a member of our Information Security team.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame

*** NOTES 10/06/2003 08:05:21 AM ******** Action Type: Add'tl Info. Rec'd.

Visited student's workstation last Friday afternoon. Upon running 'tcpview', dozens of processes, all running as svchost.exe, appeared to be listening on a variety of high-level ports. After installing and updating McAfee Enterprise 7 VS, his machine was gracefully powered down, then turned back on while unplugged from the network. A scan of all files on his workstation revealed no viruses. Also, the machine was fully patched (he had automatic updates turned on under XP). All of the unusual svchost.exe processes disappeared (which was expected given the lack of a network connection). I then noticed a process named 'winsrvn.exe' listening on port 1033 UDP, as well as 'system:4' listening on 1030 TCP. Checking all of the programs that were automatically started at boot, it appeared as though the student had a lot of optional things running in the background, including winsrvn.exe. He believed that this particular program was installed as part of Purity Scanner, which, apparently, scans one's hard drive for inappropriate materials. It turns out that Purity is actually adware, and is often bundled with Grokster (a P2P program). Further, it looked as though the student was using Grokster. From what I've been able to find with a web search, Grokster sometimes includes ancillary software that may contain back doors. I had the student email me a zip of the winsrvn.exe for later examination. The other mysterious process (system:4) seemed to disappear after I removed winsrvn.exe (perhaps the two were related?).

/* end post fragment */

HTH..

- John
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
"There are 10 types of people in this world. Those who understand binary and those who don't."
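The triage in the Notre Dame notes quoted above (list the listening sockets, then ask which process owns each one and whether that process has any business listening) can be done offline from a `netstat -ano` and a `tasklist /svc` capture taken on the suspect host. The Python below is an added example, not code from anyone in this thread. Both sample outputs are constructed to resemble the host described (several svchost.exe instances on high ports, winsrvn.exe on UDP 1033, PID 4 on TCP 1030); the baseline sets `EXPECTED_LISTENERS` and `EXPECTED_SYSTEM_PORTS` are assumptions to tune per environment.

```python
"""Offline triage of Windows listeners against process ownership.

Feed it the text of `netstat -ano` and `tasklist /svc` captured on the
suspect machine. Everything below is constructed for this example; it is
not output from the host discussed in the thread.
"""
import re
from dataclasses import dataclass

# Constructed `netstat -ano` capture (not from the original post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2512           0.0.0.0:0              LISTENING       1772
  TCP    0.0.0.0:2513           0.0.0.0:0              LISTENING       1780
  TCP    192.168.1.20:2514      64.12.168.40:25        ESTABLISHED     1780
  UDP    0.0.0.0:1033           *:*                                    1456
  UDP    127.0.0.1:123          *:*                                    1020
"""

# Constructed `tasklist /svc` capture: image name, PID, hosted services.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcSs
svchost.exe                   1020 W32Time
svchost.exe                   1772 N/A
svchost.exe                   1780 N/A
winsrvn.exe                   1456 N/A
"""

# Baseline assumptions (hypothetical; tune per environment): images expected
# to own listeners at all, and ports the kernel (PID 4) is expected to own.
EXPECTED_LISTENERS = {"svchost.exe", "lsass.exe", "System"}
EXPECTED_SYSTEM_PORTS = {139, 445}
EPHEMERAL_START = 1024


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    pid: int
    image: str
    reason: str


def parse_netstat(text):
    """Yield (proto, port, pid) for each listening TCP and each bound UDP socket."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        if proto == "TCP":
            if len(fields) < 5 or fields[3] != "LISTENING":
                continue            # ignore established/closing connections
            pid = int(fields[4])
        else:
            if len(fields) < 4:
                continue
            pid = int(fields[3])    # UDP rows have no State column
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [v6]:port
        yield proto, port, pid


def parse_tasklist(text):
    """Map PID -> (image name, list of hosted services) from `tasklist /svc`."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(\S.*)$", line)
        if not m or m.group(1).startswith("="):
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
        hosted = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[pid] = (image, hosted)
    return procs


def triage(netstat_text, tasklist_text):
    """Flag listeners whose owning process does not fit the baseline."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, pid in parse_netstat(netstat_text):
        image, hosted = procs.get(pid, ("<unknown>", []))
        reason = None
        if image == "svchost.exe" and not hosted:
            # A real service host always hosts at least one service; an
            # svchost.exe with none is either a look-alike binary or a
            # hijacked host. Confirm the image path next.
            reason = "svchost.exe hosting no service"
        elif pid == 4 and port not in EXPECTED_SYSTEM_PORTS:
            reason = "System (PID 4) owns an unexpected port"
        elif image not in EXPECTED_LISTENERS and port >= EPHEMERAL_START:
            reason = "non-baseline image listening on a high port"
        if reason:
            findings.append(Finding(proto, port, pid, image, reason))
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{f.proto:3} {f.port:5} pid={f.pid:<5} {f.image:12} {f.reason}")
```

On the constructed sample this flags the two service-less svchost.exe listeners, PID 4 on TCP 1030, and winsrvn.exe on UDP 1033, and stays quiet about RpcSs on 135, W32Time on UDP 123 and SMB on 445. `tasklist` does not show the image path, so the follow-up for each flagged svchost.exe is to check (in tcpview or Process Explorer, as the notes did) that the binary really lives in %SystemRoot%\System32; the service-less test is a heuristic and a legitimate host whose service just stopped can trip it.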
Current thread:
- strange windows behaviour. Peter Moody (Oct 07)
- Re: strange windows behaviour. John Sage (Oct 07)
- Re: strange windows behaviour. Jeff Kell (Oct 08)
- Re: strange windows behaviour. Magosányi Árpád (Oct 09)
- Re: strange windows behaviour. Brian Eckman (Oct 08)
- Re: strange windows behaviour. Fabio Panigatti (Oct 10)
- Re: strange windows behaviour. J Mike Rollins (Oct 10)
- Re: strange windows behaviour. Tomasz Papszun (Oct 10)
- Re: strange windows behaviour. Jeff Kell (Oct 08)
- Re: strange windows behaviour. John Sage (Oct 07)
- <Possible follow-ups>
- Re: strange windows behaviour. H Carvey (Oct 08)
- Re: strange windows behaviour. Peter Moody (Oct 08)
- Re: strange windows behaviour. Harlan Carvey (Oct 08)
- Re: strange windows behaviour. Peter Moody (Oct 08)
- Re: strange windows behaviour. Derek (Oct 08)
- RE: strange windows behaviour. Schmehl, Paul L (Oct 09)
- RE: strange windows behaviour. J Mike Rollins (Oct 09)