
SANS ISC: TCP/UDP Port Activity - SANS Internet Storm Center



Port Information
Protocol Service Name
tcp Kuang2TheVirus [trojan] Kuang2 The Virus
User Comments
Submitted By Date
Comment
Gary Warner 2009-10-04 18:45:22
Birmingham Infragard's "Packet Ninjas" club met last night (until after 2AM this morning) and built a Kuang2 Lab. Here is the quickie version of what we think is going on. We have an enormous amount of data to analyze from last night, and that might change my assessment, but these are first thoughts. (Hopefully we will be releasing specific snort signatures that will differentiate between a "probe" and an "active exploitation".) This is a *THEORY* based on the assumption that this traffic may actually be the original Kuang2. The next phase of our project is to compare OUR capture streams from the lab with what is going on in the wild. If you have tcpdumps or other captures of active "wild" 17300 traffic, please let me know so we can use your data to help shape our findings.

=== Theory ===

Kuang2 was a no big deal virus in 1999. Basically, if you execute a Kuang2 infected executable, it will infect every .exe on your box that is capable of a "PE Insertion" infection. The code is very tight with regards to knowing what it can safely infect and what it can't, so the infected files, although larger by nearly 12k, still function in every way the same as the original. The problem with Kuang2, as compared to the email mass-mailers of today, was that it had very limited propagation. There was no way to spread it from machine to machine built in to the system.

Enter Kazaa and other Peer-to-Peer file sharing systems. Now a mal-ist can place a Kuang2 infected program in his Kazaa shares directory, and it can actually be a Very Hot Warez title. Perhaps it really is a copy of Command and Conquer Generals, or some other "hot game". Kazaa folks tend to reshare their warez, so whoever acquires the program, when they run it (if they are not anti-virused), will infect every possible .EXE on their box (including all of the .EXE files in their Kazaa shares directory). Every person who retrieves those files and runs them will have a listener on 17300.

We tested the "old" Kuang2 on Windows 98, NT 4, and 2000 last night in our lab. An infected .EXE created on any of those platforms and shared to any of the other platforms WILL INFECT. It is not Windows version dependent. (Windows 2000 did alert us on reboot that critical system files had been changed. I'm sure XP would do the same.)

The Kuang2 Virus/Trojan has three components: an "Infector", a "Virus Block", and a "Client". Using the Infector, the mal-ist chooses a popular .exe file and infects it by inserting the block of virus code into the .exe. The .exe must then be executed by a target. Once that is done, the Client is launched by the mal-ist. The Client is a GUI that lists all files on the hard drive of the target in "explorer style" tree format. One can navigate the files, "Upload", "Download", or execute "Remote Command" from the GUI. There is also an "Antivirus" button in the GUI, which will remove all traces of the infection from the infected machine.

So, our theory is that what we are seeing is a version of Kuang2 that actually has a means of spreading, but unlike the original Kuang2, where one emailed an intended victim and then checked to see if his machine was infected, the new spread method allows much wider propagation, causing the mal-ist to have to do wide-spread searches for infected machines that he can remote control with the Kuang2 Client.

Where a single 17300 query bounces off a non-listening port, there is no problem. What concerns me is where there is an extended session. Both the listening and the sending port of a Kuang2 session are 17300. If there is two-way traffic, someone is actively using a trojan interface to this box. Looking at the Incidents.Org information, it is apparent that exploitation is actually occurring. When numbers of "Targets" and "Records" are similar in number, we can assume that a probe knocked on an IP address's door, and was turned away because no one was listening.

(Examples:
Feb 3 -- 82 targets returned 121 records
Feb 4 -- 214 targets returned 314 records)

When the number of "Records" greatly exceeds the number of "Targets", then the assumption is that a connection has been established and files have been transferred.

(Examples:
Feb 10 -- 1491 targets returned 18,557 records
Feb 12 -- 3988 targets returned 71,997 records)

============

*IF* the theory is correct, then we would do well to be Very Very Alarmed. Because, in this theory, the number of "Sources" indicates the sum of "Client Machines" and "Infected AND EXPLOITED Machines". Since both the client and the server are using port 17300, the fact that there are 995 sources listed on Feb 19 (SO FAR TODAY!!!!) can indicate either that a small number of mal-ists have successfully connected to a large number of targets (5 mal-ists could have established sessions to 990 infected machines), OR that we have a large and growing number of mal-ists. (The number COULD mean that 200 mal-ists hit a total of 795 infected machines.)

A couple more scary facts: On Feb 15 there were 232,153 records from incidents.org's database related to this. On Feb 17 there were 1425 sources!

The Birmingham InfraGard Packet Ninjas will provide updates as our analysis continues. In the meantime, if you would like to participate, please join the mailing list: http://birmingham-infragard.org/mailman/listinfo/packet-ninjas OR just contact myself (Gary Warner - gar@askgar.com) or Daniel Clemens, our Resident Packet Ninja (daniel_clemens@birmingham-infragard.org). We really need to see some "in the wild" packet captures to add to our information.

_-_ gary warner birmingham infragard
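The comment above gives two defender-side heuristics: a day whose "records" barely exceed its "targets" looks like probes bouncing off closed ports, while records far exceeding targets suggests established sessions; and a real Kuang2 session has 17300 as both source and destination port with traffic in both directions. The following script is an added example, not code from the ISC page or the Packet Ninjas' analysis. It applies both checks to the daily counts quoted in the comment and to a handful of constructed flow records; the ratio threshold, the `Flow` record layout and the sample addresses are assumptions made here for illustration.

```python
"""Two checks drawn from the Kuang2 comment above (added example):
1. records-vs-targets ratio per day -> 'probe' or 'session'
2. bidirectional 17300<->17300 flows -> suspected active session
The threshold and sample flows are constructed assumptions, not page data.
"""
from dataclasses import dataclass

KUANG2_PORT = 17300

# Daily (targets, records) pairs quoted in the comment above.
DAILY_COUNTS = {
    "Feb 3": (82, 121),
    "Feb 4": (214, 314),
    "Feb 10": (1491, 18557),
    "Feb 12": (3988, 71997),
}

# Assumed cut-off: more than this many records per target is treated as
# "sessions established" rather than "probes turned away".
SESSION_RATIO_THRESHOLD = 5.0


def classify_day(targets: int, records: int,
                 threshold: float = SESSION_RATIO_THRESHOLD) -> str:
    """Return 'probe' or 'session' for one day's summary counts."""
    if targets <= 0:
        raise ValueError("targets must be positive")
    return "session" if records / targets > threshold else "probe"


def classify_all(counts=DAILY_COUNTS) -> dict:
    """Classify every day in the summary table."""
    return {day: classify_day(t, r) for day, (t, r) in counts.items()}


@dataclass(frozen=True)
class Flow:
    """Minimal bidirectional flow record (assumed layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_to_dst: int   # payload bytes sent src -> dst
    bytes_to_src: int   # payload bytes sent dst -> src


# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # Probe from an ephemeral port to 17300; nothing comes back.
    Flow("192.0.2.10", 4123, "198.51.100.5", KUANG2_PORT, 0, 0),
    # Probe 17300 -> 17300 that was turned away (no reply bytes).
    Flow("192.0.2.11", KUANG2_PORT, "198.51.100.6", KUANG2_PORT, 0, 0),
    # Two-way 17300 <-> 17300 traffic: the session pattern in the comment.
    Flow("192.0.2.12", KUANG2_PORT, "198.51.100.7", KUANG2_PORT, 640, 52000),
    # Unrelated bidirectional web traffic; must not match.
    Flow("192.0.2.13", 51000, "198.51.100.8", 80, 300, 4000),
]


def is_kuang2_session(flow: Flow) -> bool:
    """True when both endpoints use 17300 and data flowed both ways."""
    both_17300 = flow.src_port == KUANG2_PORT and flow.dst_port == KUANG2_PORT
    bidirectional = flow.bytes_to_dst > 0 and flow.bytes_to_src > 0
    return both_17300 and bidirectional


def find_sessions(flows=SAMPLE_FLOWS) -> list:
    """Return (src_ip, dst_ip) pairs that look like active Kuang2 sessions."""
    return [(f.src_ip, f.dst_ip) for f in flows if is_kuang2_session(f)]


if __name__ == "__main__":
    for day, verdict in classify_all().items():
        targets, records = DAILY_COUNTS[day]
        print(f"{day}: {records}/{targets} records per target -> {verdict}")
    print("suspected sessions:", find_sessions())
```

With the numbers from the comment, Feb 3 and Feb 4 come out at roughly 1.5 records per target (probe), while Feb 10 and Feb 12 come out at roughly 12 and 18 (session). The flow check deliberately ignores a lone unanswered 17300-to-17300 packet, which is the "no problem" case the comment describes, and only flags flows with bytes in both directions.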
Rick Ballard 2009-10-04 18:45:22
The increased port 17300 scans may be due to the Milkit "parasitic meta-trojan". See http://www.lurhq.com/sig-milkit.html. It searches for systems already infected by the Kuang2 or SubSeven trojans, and injects itself through the already existing trojan.
2009-10-04 18:45:22
The name "Kuang2" comes from William Gibson's _Neuromancer_, where Kuang is a virus-like program used by a character to break into systems.
rhale 2004-01-27 18:16:26
On Wednesday 15 October 2003 04:11 pm, you wrote:
>> Ref: http://www.lurhq.com/sig-milkit.html
>>
>> Are the Source IP addresses from machines infected or
>> are they fictitious ?

If you see traffic from a host on port 17300, it is likely that it was infected previously with Kuang2_the_Virus and is now hosting the spybot trojan which is doing the scanning.

-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
======================================================

rhale note: I can now try to go after the sources. I'm still puzzled by the fact that the source IP never repeats, although this could be accomplished by a simple counter or list that tracks failures.
john elmo 2004-01-15 22:41:48
kuang2 is a Chinese 'pin yin' word having the possible meanings /conceited/mad/deceive/lie/. We have noted increasing activity on this port in recent times and would suggest a more thorough analysis of this 'trojan'/'virus'.
Marc Reibstein 2003-12-17 17:41:12
Much of the scanning on 17300 seems to be coming from machines running Kazaa.
2003-08-25 06:14:40
Every time this virus attempts to contact my computer (on 17300), it always tries again exactly 10 minutes later (from the same source machine).
Conrad Longmore 2003-05-22 15:41:57
Port 17300 is being used by the Milkit trojan, which exploits PCs with Kuang2_the_Virus or SubSeven backdoors already active. This trojan is detailed at http://www.lurhq.com/sig-milkit.html and was first spotted in April 2003. However, there seems to be a marked increase in activity from about the 20th May onwards, indicating either an accelerated spread or perhaps a new variant.