lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <200409021049.55314.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Microsoft Update Loader msrtwd.exe

On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote:
>Does anyone know how it infects?

Primarily via the LSASS exploit over port 445, but variants have been 
seen with the following additional exploits/password brute-force 
spreading modules:

WebDav
Lsass135
Lsass1025
NetBios
NTPass
Dcom135
Dcom445
Dcom1025
MSSQL
Beagle1
Beagle2
MyDoom
Optix
UPNP
NetDevil
DameWare
Kuang2
Sub7

After the exploit, the bot is copied to the victim using the Windows 
tftp client.

> http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

Yes, some AV companies identify Rbot as SDbot, even though the two look 
almost nothing alike. It could be that Rbot was derived from SDbot, but 
it has grown substantially, and is almost on par with Agobot in terms 
of functionality.

Because there are so many variants, each with a different exe name, it's 
sometimes hard to keep track of them. Just so it can be indexed for 
future reference, here is a list of Rbot exe names we've seen during 
exploit captures, and dates we've seen them spreading over the last 3 
months:

Dates Seen               Exe Name
---------------------------------
2004/06/06 - 2004/06/27  lsrv.exe
2004/06/06 - 2004/08/28  wuapdate16.exe
2004/06/07 - 2004/06/15  sndcfg16.exe
2004/06/07 - 2004/08/30  wuamgrd.exe
2004/06/08 - 2004/06/27  lsac.exe
2004/06/10 - 2004/06/10  winupdos.exe
2004/06/10 - 2004/06/26  dosprmwin.exe
2004/06/11 - 2004/06/11  systemse.exe
2004/06/11 - 2004/08/18  scrgrd.exe
2004/06/13 - 2004/06/13  dude.exe
2004/06/14 - 2004/06/14  esplorer.exe
2004/06/14 - 2004/06/14  landriver32.exe
2004/06/14 - 2004/06/14  mpd.exe
2004/06/14 - 2004/06/14  updatez.exe
2004/06/14 - 2004/06/25  svssshost.exe
2004/06/14 - 2004/08/26  jacfg2.exe
2004/06/17 - 2004/06/26  wuammgr32.exe
2004/06/18 - 2004/06/18  svhost.exe
2004/06/18 - 2004/06/18  wuamgrd32.exe
2004/06/18 - 2004/06/23  wuamagrd.exe
2004/06/20 - 2004/06/20  wloader.exe
2004/06/21 - 2004/08/29  pidserv.exe
2004/06/22 - 2004/09/01  navscan32.exe
2004/06/23 - 2004/06/23  hpsysmon.exe
2004/06/24 - 2004/06/24  winipcfgs.exe
2004/06/24 - 2004/06/24  wwwstream.exe
2004/06/25 - 2004/06/25  lcsrv64.exe
2004/06/25 - 2004/06/25  srvhost.exe
2004/06/25 - 2004/06/25  systemnt.exe
2004/06/25 - 2004/06/25  win64.exe
2004/06/27 - 2004/06/27  win32apisrvr.exe
2004/08/16 - 2004/08/24  soundblaster.exe
2004/08/16 - 2004/08/25  msnmsg.exe
2004/08/16 - 2004/08/27  windowsup.exe
2004/08/16 - 2004/08/29  muamgrd.exe
2004/08/16 - 2004/08/30  winupdater.exe
2004/08/16 - 2004/08/31  win16update.exe
2004/08/16 - 2004/09/01  dllmngr32.exe
2004/08/17 - 2004/08/17  msdev.exe
2004/08/17 - 2004/08/17  svchostc.exe
2004/08/17 - 2004/08/31  javatm.exe
2004/08/17 - 2004/08/31  usbsvc.exe
2004/08/17 - 2004/09/01  msnmsgr.exe
2004/08/18 - 2004/08/18  mnzks.exe
2004/08/18 - 2004/08/18  notepad.exe
2004/08/18 - 2004/08/18  tcpip.exe
2004/08/19 - 2004/08/19  mss3rvices200x.exe
2004/08/19 - 2004/08/19  msservices200x.exe
2004/08/19 - 2004/09/01  iexplore.exe
2004/08/23 - 2004/08/23  msrtwd.exe
2004/08/24 - 2004/08/24  csass.exe
2004/08/24 - 2004/08/24  winxp32.exe
2004/08/24 - 2004/08/26  nmon.exe
2004/08/24 - 2004/08/27  winupdate.exe
2004/08/24 - 2004/09/01  msnplus.exe
2004/08/25 - 2004/08/25  lsas.exe
2004/08/25 - 2004/08/27  dwervdl32.exe
2004/08/26 - 2004/08/26  jutsu.exe
2004/08/26 - 2004/08/26  usb.exe
2004/08/26 - 2004/08/26  win43.exe
2004/08/27 - 2004/08/27  java.exe
2004/08/27 - 2004/08/27  svchost32.exe
2004/08/27 - 2004/08/29  iexplorer.exe
2004/08/27 - 2004/08/30  ati2vid.exe
2004/08/27 - 2004/08/30  svchosts.exe
2004/08/29 - 2004/08/29  server.exe
2004/08/29 - 2004/08/30  nortoanavap.exe
2004/08/29 - 2004/09/02  syswin32.exe
2004/08/30 - 2004/09/02  rsvc32.exe
2004/08/30 - 2004/09/02  vsmons.exe
2004/08/31 - 2004/08/31  winsrv.exe
2004/09/02 - 2004/09/02  sslwina.exe
2004/09/02 - 2004/09/02  winxpini.exe

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ