New Worms scanning on 1025 and others

Link Logger (Calgary, AB):
Possible new worm as of this morning. The capture on TCP 3127 was submitted to Kaspersky online scanner and came back clean; however, the infected systems scanned us on a number of ports, and the scan on TCP 1025 appeared to be an RPC exploit, which in itself is somewhat new. Malware sample has been sent out to the AV vendors for analysis.
Someone had mentioned inbound scans to TCP port 1025, so I set up PortPeeker to capture this traffic, which appears to be an RPC exploit. The capture on 3127 showed that it was a new capture on that port, and an interesting scan to 2745 in that it wasn't a worm but a brief string of characters, which perhaps has some meaning on DoomJuice.B infected systems.
Link Logger Firewall Log:
Mar 08, 2004 07:50:01.901 - (TCP) 68.198.81.31 : 3872 >>> 68.144.193.246 : 6129
Mar 08, 2004 07:49:56.703 - (TCP) 68.198.81.31 : 3872 >>> 68.144.193.246 : 6129
Mar 08, 2004 07:49:56.533 - (TCP) 68.198.81.31 : 3872 >>> 68.144.193.246 : 6129
Mar 08, 2004 07:49:56.463 - (TCP) 68.198.81.31 : 3871 >>> 192.168.1.33 : 3127
Mar 08, 2004 07:49:52.948 - (TCP) 68.198.81.31 : 3861 >>> 192.168.1.38 : 1025
Mar 08, 2004 07:49:52.918 - (TCP) 68.198.81.31 : 3857 >>> 192.168.1.33 : 2745
NOTE: 192.168.1.33 and 192.168.1.38 are PortPeeker systems used to capture this traffic.
Thanks, Blake McNeill
Changed title to reflect both worms.
kpatz (Manchester, NH):
Re: New Worm scanning on 1025, 2745, 3127 and 6129
I just checked my logs for IPs that scanned me on both 1025 and 3127, and found two samples; both were 245,760 bytes long and are detected as Win32.Agobot by eTrust AV.
KAV online missed it. F-prot and NOD32 detect heuristically as "unknown virus". I'll submit my sample to the Submit Suspected Malware link.
In any case, looks like another NEW Agobot/Gaobot variant!
Link Logger (Calgary, AB):
The 3127 capture was 249,861 bytes (minus 5 if you knock off the myDoom string at the start).
Blake
kpatz (Manchester, NH):
Your sample might be different from mine then. I submitted mine to the Submit Suspected Malware addresses as well as the malware archive. You may want to do the same with yours. If it's a Gaobot/Agobot variant, NAV and eTrust seem to have generic detection for it. F-prot and NOD32 give me a heuristic detection (possibly unknown Win32 virus).
Link Logger (Calgary, AB), reply to kpatz:
I have two different samples with a length of 245,760 (I assume you don't include the myDoom string); both are detected as Agobot.es by Kaspersky.
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
kpatz (Manchester, NH):
I've seen the Agobot.es samples before. I just scanned (with KAV) the two 245,760-byte samples I received from IPs that scanned me on 1025, 6129 and 3127; one was detected as Agobot.fj and the other was NOT detected. I submitted the sample that was not detected.
EDIT: So far I have not been scanned on 2745 and 3127 by the same IP, so your samples are probably different from mine. My Agobot samples are coming from IPs hitting me on 3127 and 1025 (and 6129).
Link Logger (Calgary, AB), reply to Link Logger:
Response from Kaspersky is that this new worm is now called Backdoor.Agobot.3.fk.
Blake
Link Logger (Calgary, AB), reply to Link Logger:
The TCP Port 1025 capture is posted here: »www.linklogger.com/Port1025_RPC_Exploit.htm
Anyone want the RPC exploit capture for analysis?
Blake
kpatz (Manchester, NH):
When I looked at your port 1025 capture, I saw strings in there that exist in a piece of malware I just dismantled and posted an analysis of in this thread: »nvchip4.exe maybe new virus~~
I wonder if those strings "MARB" and "MEOW" are related to an RPC exploit, or if they are part of that trojan for another reason.
Link Logger (Calgary, AB), reply to kpatz:
You might want to take a look at »MD5 File Grouper for PortPeeker and others, as MD5 Grouper is a handy way to group captures by MD5 hash value. So after running MD5 Grouper in your capture directory you would have a bunch of subdirectories (one for each MD5 hash value) containing files which are exactly alike. I run it every time I have a new capture(s) so it places the files into the proper hash directory, or if it's a new hash (i.e. new worm) then the directory name (the hash value) is displayed in bold in MD5 Grouper.
Blake
Link Logger (Calgary, AB), reply to kpatz:
Both of those strings also existed in MSBlast (see »www.linklogger.com/msblast.htm ). My 1025 capture is an RPC exploit but is different than MSBlast.
Perhaps 1025 was his infection entry vector.
Blake
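The two workflows discussed in the last few posts, grouping PortPeeker captures by hash so a new hash stands out, and checking a capture for the "MEOW"/"MARB" strings, are small enough to script. The following is an added example written for this thread; it is not MD5 Grouper, PortPeeker or any Link Logger code, and the captures it creates in demo() are constructed byte blobs (a fake 5-byte header in front of a fake PE-like body), not malware. The skip_prefix option is an assumption of this example: it lets you hash a capture without a fixed-length upload header, such as the "myDoom string" mentioned above, so that the bare executable behind it groups with the same sample captured elsewhere.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path, algo="md5", skip_prefix=0):
    """Hash a file, optionally ignoring its first skip_prefix bytes.

    skip_prefix is an assumption for this example: a capture that still carries a
    short fixed-length upload header can be hashed on the body alone.
    """
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        f.seek(skip_prefix)
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_markers(path, markers=(b"MEOW", b"MARB")):
    """Return {marker: [offsets]} for each byte string present in the file.

    MEOW and MARB are the strings the thread noticed in both the port 1025
    capture and MSBlast; their presence points at DCOM/RPC content in the
    capture, not at a particular malware family.
    """
    with open(path, "rb") as f:
        data = f.read()
    hits = {}
    for m in markers:
        offs = []
        i = data.find(m)
        while i != -1:
            offs.append(i)
            i = data.find(m, i + 1)
        if offs:
            hits[m.decode()] = offs
    return hits


def group_captures(capture_dir, known_hashes=frozenset(), algo="md5", skip_prefix=0):
    """Move every plain file in capture_dir into a subdirectory named after its
    digest, the way the thread describes MD5 Grouper working.

    Returns (groups, new_hashes): groups maps digest -> file names now under that
    directory; new_hashes are digests not in known_hashes, i.e. samples not seen
    before and worth submitting to the AV vendors. Existing hash directories are
    skipped, so re-running after each new capture is safe.
    """
    groups = {}
    for name in sorted(os.listdir(capture_dir)):
        path = os.path.join(capture_dir, name)
        if not os.path.isfile(path):
            continue
        digest = file_digest(path, algo, skip_prefix)
        dest_dir = os.path.join(capture_dir, digest)
        os.makedirs(dest_dir, exist_ok=True)
        shutil.move(path, os.path.join(dest_dir, name))
        groups.setdefault(digest, []).append(name)
    return groups, set(groups) - set(known_hashes)


def demo():
    """Constructed captures (not real samples): the same body captured twice on
    different ports, plus one different body; all carry a fake 5-byte header."""
    body_a = b"MZ" + b"\x00" * 64 + b"MEOW" + b"\x00" * 32 + b"MARB" + b"\x00" * 16
    body_b = b"MZ" + b"\x00" * 128 + b"MEOW" + b"\x00" * 8
    header = b"HDR01"  # stand-in for a 5-byte upload header, not the real MyDoom bytes
    files = {
        "p3127_host1.bin": header + body_a,
        "p1025_host2.bin": header + body_a,
        "p3127_host3.bin": header + body_b,
    }
    work = tempfile.mkdtemp(prefix="captures_")
    for name, data in files.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(data)
    # Pretend host3's sample was already in the archive, so only body_a is "new".
    seen_before = {file_digest(os.path.join(work, "p3127_host3.bin"))}
    groups, new_hashes = group_captures(work, known_hashes=seen_before)
    markers = {h: find_markers(os.path.join(work, h, names[0]))
               for h, names in groups.items()}
    shutil.rmtree(work)
    return groups, new_hashes, markers


if __name__ == "__main__":
    groups, new_hashes, markers = demo()
    for h, names in groups.items():
        flag = "NEW" if h in new_hashes else "   "
        print(flag, h, names, markers[h])
```

MD5 is fine as a dedupe key for your own capture directory, but when you share indicators, pass algo="sha256" as well; MD5 collisions are practical today, so two different files can be made to share an MD5 directory.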
kpatz (Manchester, NH):
I guess those strings are part of the RPC exploit vector then. Well, time to post another new piece of info in the other thread!
Link Logger (Calgary, AB), reply to Link Logger:
The TCP 1025 scan was new and is now called the Nachi.F worm.
Blake
Link Logger (Calgary, AB):
Just caught another capture on 1024 with a different MD5 hash than before, and the scan pattern was different:
Mar 08, 2004 12:04:26.150 - (TCP) 211.238.194.79 : 2206 >>> 68.144.193.246 : 6129
Mar 08, 2004 12:04:26.130 - (TCP) 211.238.194.79 : 2205 >>> 68.144.193.246 : 445
Mar 08, 2004 12:04:20.121 - (TCP) 211.238.194.79 : 2206 >>> 68.144.193.246 : 6129
Mar 08, 2004 12:04:20.101 - (TCP) 211.238.194.79 : 2205 >>> 68.144.193.246 : 445
Mar 08, 2004 12:04:17.407 - (UDP) 192.168.1.33 : 137 >>> 211.238.194.79 : 137
Mar 08, 2004 12:04:17.287 - (TCP) 211.238.194.79 : 2206 >>> 68.144.193.246 : 6129
Mar 08, 2004 12:04:17.247 - (TCP) 211.238.194.79 : 2205 >>> 68.144.193.246 : 445
Mar 08, 2004 12:04:16.956 - (TCP) 211.238.194.79 : 2194 >>> 192.168.1.38 : 1025
Blake
jmn1207 (Ashburn, VA):
1024? I don't see it anywhere. Would be odd to see something similar on any port below 1025.
Link Logger (Calgary, AB), reply to Link Logger:
Both scans captured and posted at »www.LinkLogger.com/Port1025_RPC_Exploit.htm
Blake
Link Logger (Calgary, AB), reply to Link Logger:
Note from Microsoft concerning the second scan...
------------
Our Security team says:

The Dept of Homeland Security has issued an alert on a new bot that may be related:

To NCC Telecom-ISAC members (Routine lists), Info NSIE, Info N2

Below are details, received from a trusted source, regarding a new bot discovered this morning. We are listing first the important highlights from the analysis write-up, followed with a more detailed technical analysis. We would appreciate any further information or feedback on this information.

Important highlights
* Kaspersky does NOT yet recognize this file as a trojan; it is unclear if other AV software detects Phatbot. All attempts to kill the process will respawn a new one. All attempts to remove the malware have failed in our tests.
* Thus far, we've witnessed the following spreading mechanisms:
  TCP 135 (Win9x Netbios)
  TCP 139 (Win9x Netbios)
  TCP 445 (Win2k Shares)
  TCP 3127 (Mydoom)
  TCP 6129 (Dameware)
* Based on strings output this bot appears to include the following:
  - multiple DDOS capabilities
  - multiple spying capabilities
  - disables at least some Anti-Virus, Anti-trojan, and Personal Firewall software
* The bot appears to offer relay capability by listening on:
  TCP 63808 (Socks)
  TCP 63809 (HTTP)
  TCP 65506 (SSL)
  Infected hosts should have these ports open, along with TCP 4387.
* How to spot Phatbot:
  - Watch for ingress or egress active opens (SYN packets) to TCP 4387.
  - Watch for ingress or egress active opens (SYN packets) to TCP 4387, TCP 63808, TCP 63809, and TCP 65506. This *may* indicate the presence of the bot.

Detailed Analysis
Unfortunately, it appears as if peer-to-peer communication is making its way further into bots. The latest bit of malware we received, code named "phatbot," has some interesting characteristics we'd like to pass along to you. Unfortunately we've not been able to get to the bottom of everything yet, but thought a little bit of information would be better than nothing! This bot appears to be a derivative of the infamous Agobot. There is a fair bit of shared code, at the very least.

This malware affects Windows machines and installs as %SystemRoot%\system32\srvhost.exe, e.g. c:\windows\system32\srvhost.exe. The malware runs as "%SystemRoot%\system32\srvhost.exe -service". The malware is PE encrypted with PE-Crypt.Wonk. Kaspersky does NOT yet recognize this file as a trojan; it is unclear if other AV software detects Phatbot. All attempts to kill the process will respawn a new one. All attempts to remove the malware have failed in our tests. It is unclear how many hosts are infected or how large the P2P botnet has become.

Thus far, we've witnessed the following spreading mechanisms:
TCP 135 (Win9x Netbios)
TCP 139 (Win9x Netbios)
TCP 445 (Win2k Shares)
TCP 3127 (Mydoom)
TCP 6129 (Dameware)

The scanning is not launched at startup. The scans appear to be sequential, e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each scanned IP. This may be a means by which to detect the scan and sploit activities of Phatbot.

Based on strings output this bot appears to include the following:
- multiple DDOS capabilities
- multiple spying capabilities
- disables at least some Anti-Virus, Anti-trojan, and Personal Firewall software
-----------

Bolt it down kids, looks like some more fun is coming our way.
Blake
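The quoted note suggests the multi-port sweep itself as the detection signal: one source hitting 135, 139, 445, 3127 and 6129 (or, in the logs posted in this thread, 1025, 2745, 3127 and 6129) within seconds. The script below is an added example written for this thread, not part of Link Logger or of the DHS note; it parses firewall log lines in the exact format posted above, groups inbound TCP hits on the thread's worm ports by external source, and flags any source that touched three or more distinct watched ports inside a sliding time window. It also lists connection attempts to the Phatbot listener ports the note says to watch. The embedded SAMPLE_LOG is the two excerpts Blake posted plus one constructed line (the 192.168.1.50 to 203.0.113.7 entry) that is not from the thread; the 2745 = Bagle backdoor label is background knowledge, not something the thread states.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One Link Logger line, as posted in this thread:
#   Mar 08, 2004 07:49:56.463 - (TCP) 68.198.81.31 : 3871 >>> 192.168.1.33 : 3127
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"\((?P<proto>TCP|UDP)\) (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)$"
)

# Ports this thread and the quoted Phatbot note associate with bot scanning.
WATCH_PORTS = {
    135: "RPC/DCOM endpoint mapper",
    139: "NetBIOS session",
    445: "SMB",
    1025: "RPC (the exploit captured in this thread)",
    2745: "Bagle backdoor",
    3127: "MyDoom backdoor",
    6129: "DameWare",
}
# Listeners the Phatbot note says an infected host opens (relay and P2P).
PHATBOT_LISTENERS = {4387, 63808, 63809, 65506}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S.%f"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def max_distinct_ports_in_window(events, window_seconds):
    """Most distinct destination ports seen in any window_seconds span
    (events already sorted by time); two-pointer sliding window."""
    counts = defaultdict(int)
    best = left = 0
    for ev in events:
        counts[ev["dport"]] += 1
        while (ev["ts"] - events[left]["ts"]).total_seconds() > window_seconds:
            old = events[left]["dport"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def flag_scanners(log_text, window_seconds=60, min_ports=3):
    """Return external sources that hit at least min_ports distinct watched
    ports within window_seconds, oldest first. Private-address sources are
    skipped so the PortPeeker hosts' own outbound NetBIOS lookups do not count."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] not in WATCH_PORTS:
            continue
        if ipaddress.ip_address(ev["src"]).is_private:
            continue
        by_src[ev["src"]].append(ev)
    hits = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        if max_distinct_ports_in_window(events, window_seconds) >= min_ports:
            ports = sorted({e["dport"] for e in events})
            hits.append({"src": src, "first_seen": events[0]["ts"], "ports": ports,
                         "labels": [WATCH_PORTS[p] for p in ports]})
    return sorted(hits, key=lambda h: h["first_seen"])


def phatbot_listener_hits(log_text):
    """Lines whose destination port is a Phatbot listener, in either direction.
    Assumption: a Link Logger TCP entry records the connection attempt (the SYN),
    which is what the note says to watch for."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev and ev["proto"] == "TCP" and ev["dport"] in PHATBOT_LISTENERS]


# The two log excerpts posted in this thread (newest first, as Link Logger prints
# them) plus one constructed line, not from the thread, of an internal host
# reaching out to a Phatbot relay port.
SAMPLE_LOG = """\
Mar 08, 2004 07:50:01.901 - (TCP) 68.198.81.31 : 3872 >>> 68.144.193.246 : 6129
Mar 08, 2004 07:49:56.703 - (TCP) 68.198.81.31 : 3872 >>> 68.144.193.246 : 6129
Mar 08, 2004 07:49:56.533 - (TCP) 68.198.81.31 : 3872 >>> 68.144.193.246 : 6129
Mar 08, 2004 07:49:56.463 - (TCP) 68.198.81.31 : 3871 >>> 192.168.1.33 : 3127
Mar 08, 2004 07:49:52.948 - (TCP) 68.198.81.31 : 3861 >>> 192.168.1.38 : 1025
Mar 08, 2004 07:49:52.918 - (TCP) 68.198.81.31 : 3857 >>> 192.168.1.33 : 2745
Mar 08, 2004 12:04:26.150 - (TCP) 211.238.194.79 : 2206 >>> 68.144.193.246 : 6129
Mar 08, 2004 12:04:26.130 - (TCP) 211.238.194.79 : 2205 >>> 68.144.193.246 : 445
Mar 08, 2004 12:04:20.121 - (TCP) 211.238.194.79 : 2206 >>> 68.144.193.246 : 6129
Mar 08, 2004 12:04:20.101 - (TCP) 211.238.194.79 : 2205 >>> 68.144.193.246 : 445
Mar 08, 2004 12:04:17.407 - (UDP) 192.168.1.33 : 137 >>> 211.238.194.79 : 137
Mar 08, 2004 12:04:17.287 - (TCP) 211.238.194.79 : 2206 >>> 68.144.193.246 : 6129
Mar 08, 2004 12:04:17.247 - (TCP) 211.238.194.79 : 2205 >>> 68.144.193.246 : 445
Mar 08, 2004 12:04:16.956 - (TCP) 211.238.194.79 : 2194 >>> 192.168.1.38 : 1025
Mar 08, 2004 12:10:00.000 - (TCP) 192.168.1.50 : 1044 >>> 203.0.113.7 : 63808
"""

if __name__ == "__main__":
    for h in flag_scanners(SAMPLE_LOG):
        print(h["src"], h["ports"])
    for ev in phatbot_listener_hits(SAMPLE_LOG):
        print("listener hit:", ev["src"], "->", ev["dst"], ev["dport"])
```

With the defaults both posted sources are flagged (68.198.81.31 on 1025/2745/3127/6129, 211.238.194.79 on 445/1025/6129); tightening the window to one second keeps only the second source, whose three ports arrive within a third of a second, which is the kind of burst the note describes. The min_ports threshold is the knob to tune against your own background noise: single-port hits on 445 or 135 are constant on any broadband line and should not alarm.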
pkeech (Clawson, MI), reply to Link Logger:
Re: New Worms scanning on 1025 and others
Hey Blake, just started seeing those scans at 5:05 p.m. EST. One interesting scan scanned 8 ports at one time, in order: ports 2745, 135, 1025, 445, 3127, 6129, 139, 80. Most are scanning 4-6 ports; must be propagating real fast. All the hits I'm getting are coming from WideOpenWest customers (my IP).
kpatz (Manchester, NH):
quote:
  The scanning is not launched at startup. The scans appear to be sequential, e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each scanned IP. This may be a means by which to detect the scan and sploit activities of Phatbot.
Like other IRC-based backdoor trojans, this one probably awaits a command via IRC to start scanning/spreading.
My port 3127 'pot picked up another copy of this bot/worm/trojan, but this one was also infected with Win32.Xorala (KAV)/W32.Harmony (F-Prot). Nothing like a double whammy: a bot/trojan/worm infected with a virus. I'd hate to have to clean up THAT PC!
Link Logger (Calgary, AB):
I think we have hit the next phase where every vulnerable computer on the planet is infected, and so now we are heading into the "infect it X times" or, as we have seen, "clean off the other infections and infect it" stage. If someone comes out with a new exploit it should be interesting to see what happens then.
The other thing is, once again the crew in BBR's security forum is leading the charge into detection of new nasties. Good work everyone.
Blake