elias
Premium,VIP
join:2000-07-24
Miami, FL

[Hacked] DarkMailer?

My girlfriend leaves her PC on during the day, so that she can connect from work via Remote Desktop during the day.

Today, she connected, and there was a program on the middle of her screen that had lists of AOL e-mail addresses scrolling-by, and the program said "DarkMailer" on it. Behind the program was a folder, that seemed to contain either the installer, or the program itself.

I connected to her computer, but kept getting kicked-out of Remote Desktop and VNC. I don't know if I was getting kicked by the program, or what.

I was able to connect long enough to stop the program (forgot to take a screenshot) and shut down her computer.

She's running XP SP2 with all the latest patches, D-Link router, etc. She hasn't opened any attachments, etc.

Could it be someone was able to compromise her via RDC or VNC? I leave my computer on 24x7 and have never had something similar happen. The only difference I can think of is that I run my RDC on alternate ports, since I have multiple computers behind my router.

I'll asses her situation better tonight when I get there, and take screenshots if possible. I know from a quick Google search that DarkMailer is a bulk sender for spammers, namely for sending to AOL.

Any help or insight would be appreciated.

-- Elias
--
My Webmaster Gig | Crunching the Midnight Oil


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

Sounds like she either opened a rogue attachment, downloaded something she shouldn't have, or had an easy-to-guess password.



uid1307457
Premium
join:2005-12-30
Tempe, AZ

reply to elias
VNC

not so great for protecting the connection.



major marco
Res Firma Mitescere Nescit
Premium
join:2003-02-13
Stepford, CA

1 edit

reply to elias
Check the Event Viewer, then run an online scanner such as Trend Micro on the box to see if that yields anything. If you don't find anything suspicious then I would change everything on the system from router admin/PC logins and everything in between until you determine exactly what happened. Does the box even have AOHell installed? I would think that would be a dead giveaway right there as to what happened and a lesson not to use it anymore. Lastly, does she have all the latest Windoze security patches, including the latest VNC updates? If not, then you might want to strongly consider it.
--
Choose Net Neutrality or Lose It
21st C TechnoBarons.
Why Care About Media?



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·Clearwire Wireless
·RoadRunner Cable

reply to elias
You'll find more than just DarkMailer when you get to it.
At a minimum there will be a file containing the email addys the mail was getting sent to. I've seen them as large as 26 MB. I'd be surprised if there weren't a phpshell somewhere there too. You might want to keep an eye on it until you get to it. Restarting it won't be an issue for whoever uploaded the files to it. The content matter of the outgoing emails would also help you locate other uploaded material, so if it's still there, take a look at it.



elias
Premium,VIP
join:2000-07-24
Miami, FL

1 edit

reply to novaflare

said by novaflare:

Sounds like she either opened a rogue attachment, downloaded something she shouldn't have, or had an easy-to-guess password.
She says she hasn't opened any attachments, and she never does anything she's not supposed to. Her Windows password is not a "strong" password, but it's still nothing that would be found in a dictionary.

VNC had a "strongish" password, it's not very long, but it uses many different types of characters.

I'm figuring that they had to have "cracked" the Windows password because if they were to VNC into the machine, then they would see the Welcome screen and have to get past that. Plus, they didn't log her off from her session, meaning they did somehow get past her Win. password.

I suppose it's possible they cracked both Win. and VNC, but still.
--
My Webmaster Gig | Crunching the Midnight Oil


elias
Premium,VIP
join:2000-07-24
Miami, FL

1 edit

reply to major marco

said by major marco:

Check the Event Viewer, then run an online scanner such as Trend Micro on the box to see if that yields anything. If you don't find anything suspicious then I would change everything on the system from router admin/PC logins and everything in between until you determine exactly what happened. Does the box even have AOHell installed? I would think that would be a dead giveaway right there as to what happened and a lesson not to use it anymore. Lastly, does she have all the latest Windoze security patches, including the latest VNC updates? If not, then you might want to strongly consider it.
Yeah, I plan to disconnect it from the LAN and check Event Viewer and a few other places.

She does not have AOL or anything AOL-related. The only thing she uses is Yahoo! Messenger, but she never leaves it on. She only connects it when needed, and exits the program when done.

She has automatic updates enabled, etc. and I usually check up on things for her. She also has Symantec AntiVirus Corp 10, with LiveUpdate set to check every day (or every hour). I doubt it could be a virus, but I'll do a full offline scan plus an online scan after.

Her RealVNC does not have the latest patch, as I wasn't aware that there was an updated version. Hers is from a few months ago. I'll be sure to update that.

I'm thinking of a few remedies:
Change the VNC Port
Put a more secure/strong VNC password
Change the RDC Port
Put a more secure/strong Win. password

Any other suggestions?
--
My Webmaster Gig | Crunching the Midnight Oil


elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to Snowy

said by Snowy:

You'll find more than just DarkMailer when you get to it.
At a minimum there will be a file containing the email addys the mail was getting sent to. I've seen them as large as 26 MB. I'd be surprised if there weren't a phpshell somewhere there too. You might want to keep an eye on it until you get to it. Restarting it won't be an issue for whoever uploaded the files to it. The content matter of the outgoing emails would also help you locate other uploaded material, so if it's still there, take a look at it.
Do you think there will be enough evidence to try and locate the spammer? It would be nice to attempt to go after them, as I've seen others do in these forums in the past.
--
My Webmaster Gig | Crunching the Midnight Oil


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5

Maybe, maybe not. A look at the email content & the configuration file for DarkMailer could shed some light on it.



major marco
Res Firma Mitescere Nescit
Premium
join:2003-02-13
Stepford, CA

reply to elias

said by elias:

Any other suggestions?
All that's a good start but I would probably post to a more qualified usenet group to determine more info. Nobody seems to have much of an opinion around here.

garys_2k

join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·Future Nine Corp..

1 edit

reply to elias
Can't find it right now, but an earlier (but not very old, maybe a couple of revs back) version of VNC would allow logins with NO password, no matter how the server was configured. This was just recently fixed. That's my bet on how the box got owned.

Edit: Might as well run it through the steps in here, too: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to elias

said by elias:

said by Snowy:

You'll find more than just DarkMailer when you get to it.
At a minimum there will be a file containing the email addys the mail was getting sent to. I've seen them as large as 26 MB. I'd be surprised if there weren't a phpshell somewhere there too. You might want to keep an eye on it until you get to it. Restarting it won't be an issue for whoever uploaded the files to it. The content matter of the outgoing emails would also help you locate other uploaded material, so if it's still there, take a look at it.
Do you think there will be enough evidence to try and locate the spammer? It would be nice to attempt to go after them, as I've seen others do in these forums in the past.
I found a spammer's real email addy once. It was pretty funny; he had installed a mass mailer, the name of which has long since been forgotten. Anyhow, this guy also installed a keylogger. It would email him its log. This email addy was an ISP email for Road Runner. So I decided to have some fun with the few hundred emails an hour going out of the system. I simply put his email in the file over and over, one address per line, and let it rip.

I bet he was quite surprised to see himself spammed hundreds of times per hour; his poor email inbox had to be jam-packed with his own crap. You just got to love spammers who are dumb enough to include their email addy on an infected system. I also reported him to Road Runner; it generally took them about a week to handle situations like this, so for the entire week his primary email account would have been packed tight. I know it was the primary account because it was first letter of first name and last name@xx.rr.com.

So before you just report him, if you get his main addy somehow you might want to consider having some fun as well.
--
DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel
open source dns server for *nix and windows »powerdns.com


SpannerITWks
Premium
join:2005-04-22

reply to elias
Sorry to hear about your GF's misfortune! Most good AV/AT should be able to detect/remove this though. Hope she gets it sorted soon.

---------------------

DarkMailer is a super fast bulk email software that sends out at speeds greater than 500,000 emails per hour* on a dedicated mailing server. Dark Mailer has the capability to use Proxies and Relays and also to send directly.



»refwm.com/darkmailer/

»www.specialham.com/specialham/m_···1/tm.htm

Analysis of the DarkMailer etc SpamBot - »www.f-secure.com/weblog/archives···005.html

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·Clearwire Wireless
·RoadRunner Cable

said by SpannerITWks:

Sorry to hear about your GF's misfortune! Most good AV/AT should be able to detect/remove this though. Hope she gets it sorted soon.

---------------------

DarkMailer is a super fast bulk email software that sends out at speeds greater than 500,000 emails per hour* on a dedicated mailing server. Dark Mailer has the capability to use Proxies and Relays and also to send directly.



»refwm.com/darkmailer/

»www.specialham.com/specialham/m_···1/tm.htm

Analysis of the DarkMailer etc SpamBot - »www.f-secure.com/weblog/archives···005.html

Spanner
"Most good AV/AT should be able to detect/remove this though."
Next time you decide to post I wish you would do the community a favor & check your facts first. The OP is dealing with a compromise & needs facts, not Spannerisms.
Here are the facts regarding Jotti's detection of DarkMailer.


File: dm.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 be06575cccb6062ab5d45f47f3958c98
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


SpannerITWks
Premium
join:2005-04-22

SnowyOne

Next time you decide to post I wish you would do the community a favor & check your facts first, like I DID. Here are the facts about DarkMailer that I was talking about -

F-Secure seem to know all about DarkMailer for one, as I already mentioned + linked to. Here's a couple of others that do too, + have it in their defs!

»www.nod32usa.com/nod32-updates/u···980.html

»www.atshield.com/?r=features&pr=list

DarkMailer I've also seen listed as TrojanDropper.Win32

Re Jotti's "NON" detection of DarkMailer. Who did that Jotti's scan? If it was you, based on already having a sample, then why hadn't you sent it on to the AV/AT etc vendors by now, so it would have been detected? If it wasn't you, then who has the file + why are you posting on behalf of someone else?

You can send it to me via a - »rapidshare.de/ - link, and I'll put it through my stuff and see what gets detected or not + post back with the info, which should be interesting!

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks


ghost16825
Use security metrics
Premium
join:2003-08-26

reply to garys_2k
Yes, it's quite likely this was the source of the compromise:
»VNC Flaw
--
The previous signature has been removed due to recent and continuing website "ownership" issues.



elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to garys_2k

said by garys_2k:

Can't find it right now, but an earlier (but not very old, maybe a couple of rev's back) version of VNC would allow logins with NO passwords, no matter how the server was configured. This was just recently fixed. That's my bet on how the box got owned.

Edit: Might as well run it through the steps in here, too: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
Yes, I now do believe that VNC was the culprit, especially after checking the logs. It seems to show an IP address that kept connecting to VNC.

I asked my GF, and she hadn't connected to her computer remotely (yet) which means her computer wasn't "locked" at the time.

I downloaded the latest version of VNC, but am no longer running it as a service. This time I just made a shortcut to the server on the desktop, so that if she needs help, she can just launch it as needed, and then close it when finished.

I also closed the VNC port on the router. I will open it as needed, and not on the default port number.
--
My Webmaster Gig | Crunching the Midnight Oil
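As an added example (not code from the thread or from any VNC product), this is the kind of check elias describes above: tally connections in the VNC server log per remote address and flag the ones that should not have got in. The log line format, the sample lines and the 192.168.1.0/24 LAN are all constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log in an assumed "<timestamp> <event> <address>" format;
# it is not a real RealVNC log. 203.0.113.x is a documentation range.
SAMPLE_LOG = """\
2006-06-20 02:11:04 connection accepted from 203.0.113.45:3355
2006-06-20 02:11:05 authentication failed for 203.0.113.45
2006-06-20 02:11:09 connection accepted from 203.0.113.45:3356
2006-06-20 02:11:10 authentication succeeded for 203.0.113.45
2006-06-20 02:11:15 connection accepted from 203.0.113.45:3357
2006-06-20 02:11:15 authentication succeeded for 203.0.113.45
2006-06-20 08:40:12 connection accepted from 192.168.1.20:1091
2006-06-20 08:40:13 authentication succeeded for 192.168.1.20
"""

# Assumed home LAN: the only place a legitimate VNC client should come from here.
LAN = ipaddress.ip_network("192.168.1.0/24")

EVENTS = {
    "connection accepted from": "connections",
    "authentication failed for": "auth_fail",
    "authentication succeeded for": "auth_ok",
}
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>" + "|".join(EVENTS) + r") (?P<ip>[0-9.]+)(?::\d+)?$"
)

def tally_by_ip(log_text):
    """Count connections and authentication outcomes per remote address."""
    stats = defaultdict(lambda: {"connections": 0, "auth_ok": 0, "auth_fail": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we do not understand rather than guess
        s = stats[m["ip"]]
        s[EVENTS[m["event"]]] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats)

def suspicious_ips(stats, lan=LAN, max_connections=2):
    """Flag addresses outside the LAN that got in, or that connected repeatedly."""
    flagged = []
    for ip, s in stats.items():
        outside = ipaddress.ip_address(ip) not in lan
        if (outside and s["auth_ok"]) or s["connections"] > max_connections:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    stats = tally_by_ip(SAMPLE_LOG)
    for ip in suspicious_ips(stats):
        print(ip, stats[ip])
```

A successful authentication from outside the LAN with no failures before it is exactly what a server that accepts empty passwords would leave behind, so the first and last timestamps per address give the window to check against the Event Viewer.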


elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to SpannerITWks

said by SpannerITWks:

Sorry to hear about your GF's misfortune ! Most good AV/AT should be able to detect/remove this though. Hope she gets it sorted soon.
Actually, in checking the Event Viewer, Symantec had updated itself with the latest definitions that very morning around 6am when she turned on her computer. It also seems that when the spammer tried installing it, Symantec identified dm.exe as a trojan and tried to quarantine it. I'm guessing the guy dismissed the pop-up messages and had it ignored or something.

The version they installed on her machine was older, like 1.36 or some such. It has several files with e-mail addresses along with a text file containing the outgoing message. The e-mail addresses were all @aol.com and were all in the L's. The message itself was a Suntrust phishing e-mail, trying to trick the user into providing their info at some site.
--
My Webmaster Gig | Crunching the Midnight Oil


SpannerITWks
Premium
join:2005-04-22

reply to elias
Found these also -

Trojan.Win32.DarkMailer

Aliases

Trojan.Win32.DarkMailer (Kaspersky Lab) is also known as: Generic (McAfee), PWSteal.Trojan (Symantec), Trojan:Win32/DarkMailer (RAV), TROJ_DARKMAIL.A (Trend Micro) Behavior Trojan

»www.viruslist.com/en/viruses/enc···id=36737

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:5
Reviews:
·Clearwire Wireless
·RoadRunner Cable

reply to elias
Elias, I had no doubt you would successfully sort through it all. The Symantec detection of dm.exe is interesting since it seems to be the only AV to do so.
STATUS: FINISHED
Complete scanning result of "dm.exe", received in VirusTotal at 06.22.2006, 18:12:29 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.15 06.22.2006 no virus found
Authentium 4.93.8 06.22.2006 no virus found
Avast 4.7.844.0 06.22.2006 no virus found
AVG 386 06.22.2006 no virus found
BitDefender 7.2 06.22.2006 no virus found
CAT-QuickHeal 8.00 06.22.2006 no virus found
ClamAV devel-20060426 06.22.2006 no virus found
DrWeb 4.33 06.22.2006 no virus found
eTrust-InoculateIT 23.72.46 06.22.2006 no virus found
eTrust-Vet 12.6.2270 06.22.2006 no virus found
Ewido 3.5 06.22.2006 no virus found
Fortinet 2.77.0.0 06.22.2006 suspicious
F-Prot 3.16f 06.21.2006 no virus found
Ikarus 0.2.65.0 06.22.2006 no virus found
Kaspersky 4.0.2.24 06.22.2006 no virus found
McAfee 4791 06.22.2006 no virus found
Microsoft 1.1481 06.22.2006 no virus found
NOD32v2 1.1615 06.22.2006 no virus found
Norman 5.90.21 06.22.2006 no virus found
Panda 9.0.0.4 06.22.2006 no virus found
Sophos 4.06.0 06.22.2006 no virus found
Symantec 8.0 06.22.2006 Infostealer
TheHacker 5.9.8.164 06.22.2006 no virus found
UNA 1.83 06.21.2006 no virus found
VBA32 3.11.0 06.21.2006 no virus found
VirusBuster 4.3.7:9 06.22.2006 no virus found

Aditional Information
File size: 709632 bytes
MD5: be06575cccb6062ab5d45f47f3958c98
SHA1: ee2d8c2b3da71682eac65a2821cb30af3dbf43cb
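As an added example (not part of the thread), a small parser for the two scanner listings quoted above, Jotti's "<engine> Found <result>" lines and VirusTotal's "engine version date result" lines, that separates named detections from heuristic "suspicious" flags and clean verdicts. The excerpts are copied from the listings in the thread; the classification rules are my assumption.

```python
import re

# Excerpt of the VirusTotal listing quoted in the thread: engine, version, update date, result.
VT_EXCERPT = """\
AntiVir 6.35.0.15 06.22.2006 no virus found
ClamAV devel-20060426 06.22.2006 no virus found
Fortinet 2.77.0.0 06.22.2006 suspicious
Kaspersky 4.0.2.24 06.22.2006 no virus found
Symantec 8.0 06.22.2006 Infostealer
VirusBuster 4.3.7:9 06.22.2006 no virus found
"""

# Excerpt of the Jotti listing quoted earlier in the thread: "<engine> Found <result>".
JOTTI_EXCERPT = """\
AntiVir Found nothing
Kaspersky Anti-Virus Found nothing
Norman Virus Control Found nothing
"""

# Engine names in the VirusTotal format never contain spaces; Jotti's may, so it is tried second.
VT_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$")
JOTTI_RE = re.compile(r"^(?P<engine>.+?) Found (?P<result>.+)$")
CLEAN_VERDICTS = {"no virus found", "nothing"}

def parse_results(text):
    """Return {engine: result} from either listing format; lines that fit neither are skipped."""
    results = {}
    for line in text.splitlines():
        m = VT_RE.match(line) or JOTTI_RE.match(line)
        if m:
            results[m["engine"]] = m["result"].strip()
    return results

def classify(results):
    """Split engines into named detections, heuristic flags and clean verdicts."""
    named, heuristic, clean = {}, [], []
    for engine, result in results.items():
        verdict = result.lower()
        if verdict in CLEAN_VERDICTS:
            clean.append(engine)
        elif verdict == "suspicious":  # packer/heuristic flag, not a signature hit
            heuristic.append(engine)
        else:
            named[engine] = result
    return {"named": named, "heuristic": sorted(heuristic), "clean": sorted(clean),
            "detection_ratio": f"{len(named)}/{len(results)}"}

if __name__ == "__main__":
    for label, text in (("VirusTotal", VT_EXCERPT), ("Jotti", JOTTI_EXCERPT)):
        print(label, classify(parse_results(text)))
```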

