Security Incidents mailing list archives
Re: strange windows behaviour.
From: Tobias Rice <rice () up edu>
Date: Fri, 10 Oct 2003 09:05:21 -0700
Could this be the "owned" systems in this article:
http://www.wired.com/news/business/0,1367,60747,00.html

Tobias

Jeff Kell wrote:
| J Mike Rollins wrote:
|
|> I have just tested the ideas expressed here and have to report that
|> streams can still be a threat.
|>
|> When I try to make a copy of the dll stored within the stream, the virus
|> scanning software does find it.
|>
|> However, when I run the contents of the dll stream by using rundll32 the
|> program is not caught by the virus scanning software. And the trojan
|> continues to execute undetected.
|
| All I see is spam starting to spew from an otherwise quiet machine (most
| cases) although we have also had two cases of machines spoofing source
| addresses and attacking (a) an IRC server and (b) somebody's identd.
|
| This is happening here and I have one machine under quarantine in the
| testbed. Symantec NAV latest DATs don't detect anything. Spybot
| latest signatures don't detect anything. Ad-Aware doesn't find
| anything. McAfee's freebie Stinger doesn't find anything. Yet if it is
| connected to the network when it boots, some process comes up, makes a
| few connection attempts to remote addresses, port 80; then it opens up
| two random high-numbered TCP ports and listens. Telnetting to them and
| entering much of anything causes it to close the connection and respawn.
|
| In ActivePorts it lists the owning process name as the same as some
| other existent process in the list (e.g., explorer.exe, svchost.exe) but
| will have a unique PID in the task list. Using ActivePort's terminate
| process feature on it causes the two sockets to disappear, only to be
| immediately followed by the original behavior -- connects to an outside
| address port 80 (not always the same address, mind you), followed by two
| different high-numbered ports opened and listening.
|
| There is a strange registry key in /HKEY/LOCAL.../Run and .../RunOnce
| which appears to be a random string, 'bzyrczu' or something similar, and
| the key value is 'rundll32 C:\Windows\System32:bzyrczu.dll'. Of course
| I can't find any file by that name by traditional means (before reading
| this thread on NTFS streams).
|
| Attempting to delete the registry keys for /Run and /RunOnce appears to
| work, but when you go back to check, the keys have "reinstalled"
| themselves. Even starting up in safe mode with network unplugged, you
| can't delete the registry keys, even with System Restore disabled (this
| is an XP Home Edition box).
|
| I plan on getting a packet capture of the beast's activity tomorrow. And
| assuming that the thing does exist as a stream, I'll try to capture the
| binary.
|
| Jeff
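Added example, not code from anyone in this thread: a small Python check for the autorun symptom Jeff describes above, a Run/RunOnce value whose target is an NTFS alternate data stream (file:stream) launched through rundll32. The Run values below are constructed samples; reading the live registry is assumed to happen elsewhere (for example with winreg) and is left out.

```python
import re
from typing import List, Tuple

# Constructed sample of autorun values, shaped like the entries one would read
# from HKLM\Software\Microsoft\Windows\CurrentVersion\Run.  Not real registry data.
SAMPLE_RUN_VALUES = {
    "bzyrczu": r"rundll32 C:\Windows\System32:bzyrczu.dll",
    "ccApp": r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    "Tweak": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    "Helper": r'rundll32.exe "C:\Program Files\App\host.exe:payload.dll",Start',
}

# "file:stream" on an absolute drive path: the first colon after the drive
# letter separates the host file from the alternate data stream name.
ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^\\:,]+)")

def command_tokens(command: str) -> List[str]:
    """Split a Run value the way the shell does: quoted args keep spaces."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command)]

def ads_references(command: str) -> List[Tuple[str, str]]:
    """Return (host_file, stream_name) pairs referenced anywhere in the value."""
    refs = []
    for tok in command_tokens(command):
        m = ADS_RE.match(tok)
        if m:
            refs.append((m.group(1), m.group(2)))
    return refs

def uses_rundll32(command: str) -> bool:
    """True when the program being launched is rundll32, with or without a path."""
    toks = command_tokens(command)
    if not toks:
        return False
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    return exe in ("rundll32", "rundll32.exe")

def suspicious_run_values(values: dict) -> List[dict]:
    """Flag autorun entries whose target lives inside an NTFS alternate data stream."""
    findings = []
    for name, cmd in values.items():
        refs = ads_references(cmd)
        if refs:
            findings.append({"value": name, "command": cmd,
                             "streams": refs, "rundll32": uses_rundll32(cmd)})
    return findings

if __name__ == "__main__":
    for f in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"{f['value']}: {f['streams']} rundll32={f['rundll32']}")
```

A plain file lookup misses the stream, which is why the host file path (here C:\Windows\System32, a directory) is reported alongside the stream name: the stream is what a responder must enumerate and capture.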