Link Logger (Premium, MVM), Calgary, AB, joined 2001-03-29
Re: New Worm scanning on 1025, 2745, 3127 and 6129 Note from Microsoft concerning the second scan...
------------
Our Security team says:
The Dept of Homeland Security has issued an alert on a new bot that may be related:
To NCC Telecom-ISAC members (Routine lists), Info NSIE, Info N2

Below are details, received from a trusted source, regarding a new bot discovered this morning. We are listing first the important highlights from the analysis write-up, followed with a more detailed technical analysis. We would appreciate any further information or feedback on this information.

Important highlights

* Kaspersky does NOT yet recognize this file as a trojan; it is unclear if other AV software detects Phatbot. All attempts to kill the process will respawn a new one. All attempts to remove the malware have failed in our tests.
* Thus far, we've witnessed the following spreading mechanisms:
  - TCP 135 (Win9x Netbios)
  - TCP 139 (Win9x Netbios)
  - TCP 445 (Win2k Shares)
  - TCP 3127 (Mydoom)
  - TCP 6129 (Dameware)
* Based on strings output this bot appears to include the following:
  - multiple DDOS capabilities
  - multiple spying capabilities
  - disables at least some Anti-Virus, Anti-trojan, and Personal Firewall software
* The bot appears to offer relay capability by listening on:
  - TCP 63808 (Socks)
  - TCP 63809 (HTTP)
  - TCP 65506 (SSL)
  Infected hosts should have these ports open, along with TCP 4387.
* How to spot Phatbot:
  - Watch for ingress or egress active opens (SYN packets) to TCP 4387.
  - Watch for ingress or egress active opens (SYN packets) to TCP 4387, TCP 63808, TCP 63809, and TCP 65506. This *may* indicate the presence of the bot.

Detailed Analysis

Unfortunately, it appears as if peer-to-peer communication is making its way further into bots. The latest bit of malware we received, code named "phatbot," has some interesting characteristics we'd like to pass along to you. Unfortunately we've not been able to get to the bottom of everything yet, but thought a little bit of information would be better than nothing! This bot appears to be a derivative of the infamous Agobot. There is a fair bit of shared code, at the very least.

This malware affects Windows machines and installs as %SystemRoot%\system32\srvhost.exe, e.g. c:\windows\system32\srvhost.exe. The malware runs as "%SystemRoot%\system32\srvhost.exe -service". The malware is PE encrypted with PE-Crypt.Wonk. Kaspersky does NOT yet recognize this file as a trojan; it is unclear if other AV software detects Phatbot. All attempts to kill the process will respawn a new one. All attempts to remove the malware have failed in our tests. It is unclear how many hosts are infected or how large the P2P botnet has become.

Thus far, we've witnessed the following spreading mechanisms:
- TCP 135 (Win9x Netbios)
- TCP 139 (Win9x Netbios)
- TCP 445 (Win2k Shares)
- TCP 3127 (Mydoom)
- TCP 6129 (Dameware)

The scanning is not launched at startup. The scans appear to be sequential, e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each scanned IP. This may be a means by which to detect the scan and sploit activities of Phatbot.

Based on strings output this bot appears to include the following:
- multiple DDOS capabilities
- multiple spying capabilities
- disables at least some Anti-Virus, Anti-trojan, and Personal Firewall software

-- -----------
Bolt it down kids, looks like some more fun is coming our way.
Blake
--
Vendor: Firewall Logging Software
www.SonicLogger.com - SonicWall and 3Com
www.LinkLogger.com - Linksys, Netgear and Zyxel
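A small detector for the two indicators the quoted alert gives (active opens to the bot's listener ports, and one source probing all five spreading ports on a single host), as an added example that is not part of the alert or of Link Logger's post. The log line format it parses is constructed for the example and is not any vendor's real format; the port numbers are the ones the alert lists.

```python
import re
from collections import defaultdict

# Ports taken from the alert quoted above.
BOT_PORTS = {4387, 63808, 63809, 65506}   # relay/P2P listeners on an infected host
SCAN_PORTS = {135, 139, 445, 3127, 6129}  # spreading targets, probed in sequence

# Constructed log format (an assumption, not a real vendor format):
# "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport> <tcp_flags>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)

def is_active_open(rec):
    # Only a TCP SYN without ACK is the "active open" the alert tells us to watch.
    flags = set(rec["flags"].split(","))
    return rec["proto"] == "TCP" and "SYN" in flags and "ACK" not in flags

def analyze(lines):
    """Return (listener_alerts, scan_alerts): (src, dst, dport) tuples for active
    opens to a bot listener port, and (src, dst) pairs where one source probed
    every port in SCAN_PORTS on one destination (the alert's sequential scan)."""
    listener_alerts, probed = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip lines that do not fit the format
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        if not is_active_open(rec):
            continue                        # SYN,ACK replies and non-TCP are not opens
        if rec["dport"] in BOT_PORTS:
            listener_alerts.append((rec["src"], rec["dst"], rec["dport"]))
        if rec["dport"] in SCAN_PORTS:
            probed[(rec["src"], rec["dst"])].add(rec["dport"])
    scan_alerts = [pair for pair, ports in probed.items() if ports == SCAN_PORTS]
    return listener_alerts, scan_alerts

# Constructed sample: one SYN to a bot listener, one SYN,ACK reply (ignored),
# one complete sequential scan, and a lone 445 probe that must not raise a scan alert.
SAMPLE_LOG = [
    "2004-03-15T10:00:02 DENY TCP 192.0.2.10:1035 -> 198.51.100.7:4387 SYN",
    "2004-03-15T10:00:03 ALLOW TCP 198.51.100.7:63808 -> 192.0.2.10:1036 SYN,ACK",
    "2004-03-15T10:00:04 DENY TCP 203.0.113.5:2001 -> 192.0.2.20:135 SYN",
    "2004-03-15T10:00:04 DENY TCP 203.0.113.5:2002 -> 192.0.2.20:139 SYN",
    "2004-03-15T10:00:05 DENY TCP 203.0.113.5:2003 -> 192.0.2.20:445 SYN",
    "2004-03-15T10:00:05 DENY TCP 203.0.113.5:2004 -> 192.0.2.20:3127 SYN",
    "2004-03-15T10:00:06 DENY TCP 203.0.113.5:2005 -> 192.0.2.20:6129 SYN",
    "2004-03-15T10:00:07 DENY TCP 203.0.113.9:3000 -> 192.0.2.21:445 SYN",
]
```

Running `analyze(SAMPLE_LOG)` flags the single SYN to 4387 and the one source that hit all five spreading ports on 192.0.2.20, while the SYN,ACK reply from port 63808 and the lone 445 probe stay quiet, which is the difference between the alert's "may indicate" and a firm hit.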