reply to Link Logger
Re: Port 137 Scans or 'Intro to Basic Forensics'
Link Logger, I apologize my question is a little late in the thread, but the majority of information on opaserv, for example, from various antivirus sites, tends to describe what it does and not how it does it. In other words, it is a worm that spreads via network shares, creates certain files in the windows folder, makes certain registry entries and then scans a range of IP addresses for the local area network searching for computers with an open C: share and NETBIOS enabled over TCP/IP, etc. Given what you describe above in your ping -a example, exactly how does opaserv perform its scan as described? Is it something as simple as an nbtstat -A request? I'm not particularly computer literate, and describing what it does leaves me very curious as to the how, which in turn would help my understanding of your example. Regards
The ping -A example given above was an example of how Windows uses the 'root/system' netbios process to send out a hostname request via source port 137.
Basically, how Opaserv works is it uses an nbtstat -A-like command sent from a dynamically allocated UDP port to see if any shares are available. It then attempts to connect to those shares in order to copy its payload onto the victim's system and update their registry such that the payload will be run on the next boot-up. There are some other enhancements that it uses to connect; for example, it can get around fileshare passwords on unpatched Windows 98 systems due to a vulnerability in its fileshare security.
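To make the reply concrete from the forensics side, here is an added example (not code from the thread or its posters): a small Python parser for NetBIOS name-service queries that recognises the node status request that nbtstat -A sends (wildcard name '*', question type NBSTAT), plus a rule that flags a source sending such requests to many distinct hosts on UDP/137, which is the scan pattern described above. The payloads, addresses and threshold are constructed for the demonstration.

```python
import struct
from collections import defaultdict

NBSTAT = 0x0021  # question type of a NetBIOS node status request (what nbtstat -A sends)

def decode_nb_name(encoded: bytes) -> str:
    # First-level encoding: each name byte becomes two letters, nibble + 'A' (RFC 1002)
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00")  # drop padding and suffix byte

def parse_nbns_query(payload: bytes):
    """Return (name, qtype) for a NetBIOS name-service query, else None."""
    if len(payload) < 50:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # a response, or not exactly one question
        return None
    if payload[12] != 0x20 or payload[45] != 0x00:  # 32-char label, then root label
        return None
    return decode_nb_name(payload[13:45]), struct.unpack("!H", payload[46:48])[0]

def is_node_status_query(payload: bytes) -> bool:
    return parse_nbns_query(payload) == ("*", NBSTAT)

def find_scanners(events, min_targets=3):
    """events: (src_ip, dst_ip, dst_port, udp_payload). Flag sources that sent
    node-status queries to at least min_targets distinct hosts on UDP/137."""
    targets = defaultdict(set)
    for src, dst, dport, payload in events:
        if dport == 137 and is_node_status_query(payload):
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)

# Constructed sample payloads (not captured traffic): a node status request for the
# wildcard name '*' (encoded as CK + 30 x A), and an ordinary broadcast name query.
NODE_STATUS_REQ = bytes.fromhex("000100000001000000000000" + "20" + "434b" + "41" * 30
                                + "00" + "0021" + "0001")
BROWSER_NAME_QUERY = bytes.fromhex("000201100001000000000000" + "20"
                                   + b"FHEPFCELEHFCEPFFFACACACACACACABN".hex() + "00"
                                   + "0020" + "0001")
SAMPLE_EVENTS = [  # constructed: (src, dst, dst_port, payload)
    ("10.0.0.5", "10.0.0.1", 137, NODE_STATUS_REQ),
    ("10.0.0.5", "10.0.0.2", 137, NODE_STATUS_REQ),
    ("10.0.0.5", "10.0.0.3", 137, NODE_STATUS_REQ),
    ("10.0.0.5", "10.0.0.4", 137, NODE_STATUS_REQ),
    ("10.0.0.9", "10.0.0.255", 137, BROWSER_NAME_QUERY),  # normal broadcast name query
    ("10.0.0.7", "10.0.0.1", 137, NODE_STATUS_REQ),      # a single admin nbtstat -A
]
```

A single nbtstat -A from an administrator produces the same packet as one probe from the worm, so the distinguishing signal is the fan-out across many destinations from one source, not the packet itself.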