From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Mon Aug 04 2003 - 07:58:17 PDT
On Friday, August 1 at 13:13, Forrest Smalley wrote:
>We seem to have a dozen or so computers that have probably been
>infected with a backdoor trojan. It seems to have written a directx.exe
>file to c:\windows\system32 ... I'm guessing someone used the RPC
>hole to infect the machines.
>
>The machines exhibit the symptoms of not being able to log off or shut down.
>Killing the directx process allows this and kills the IRC channel 6667 that
>it has opened up.
Forrest's report of a directx.exe executable and of code that
listens for commands on an Internet Relay Chat channel is confirmed
by the following article, which describes how "several programs ...
have been cobbled together to create" what appears to be the first --
or at least one of the first -- tools to exploit the widely reported
Windows DCOM RPC vulnerability.
The article emphasizes that this tool is not a worm. At least at
this moment, no exploit tool using worm or virus mechanisms and thus
capable of spreading rapidly like Slammer, Klez, Code Red, et al. has
yet emerged, but the article also notes that "security researchers
[have] widely expected a worm to be written to exploit [this
vulnerability] ..."
Also, the article mentions the names of files identified by
Symantec researchers as associated with this early exploit tool,
which include "rpc.exe, rpctest.exe, tftpd.exe, worm.exe [although
the version of this file as examined by Symantec apparently didn't --
yet -- contain worm code - Aron], lolx.exe and dcomx.exe."
Aron Roberts
Workstation Software Support Group
--
Robert Lemos
"Attack bot strikes Windows flaw"
CNET News.com, August 4, 2003, 4:50 AM PT
http://zdnet.com.com/2100-1105_2-5059263.html?tag=fdfeed

>LAS VEGAS--Online vandals are using a program to compromise Windows
>servers and remotely control them through Internet relay chat (IRC)
>networks, system administrators said Saturday.
>
>Several programs, including one that exploits a recent vulnerability
>in computers running Windows, have been cobbled together to create a
>remote attack tool. The tool takes commands from an attacker through
>the IRC networks and can scan for and compromise computers
>vulnerable to the recently discovered flaw in Windows.
>
>Files left behind on a compromised server by the worm were posted to
>a security mailing list. Computer security company Symantec analyzed
>the files and determined that what was first thought to be a worm
>was actually an attack program.
>
>"Based on our analysis, the threat does not appear to be a worm,"
>said Oliver Friedrichs, senior manager for Symantec's security
>response team. "It doesn't go and try to spread." Friedrichs was in
>Las Vegas attending the Black Hat Briefings and DefCon hacking
>conferences.
>
>The ability to spread automatically is the hallmark of a computer
>worm. The collection of programs that Symantec analyzed is a tool
>that compromises computers and is referred to as an autorooter. It
>also acts like an IRC bot, listening to specific channels on the
>chat network and taking commands from attackers via IRC.
>
>The initial post describing what security researchers thought might
>be a worm appeared at 10 a.m. PDT Saturday on the Full-Disclosure
>security list.
>
>The tool consists of six files that work together to find vulnerable
>systems and attack them. Ever since the Windows flaw was announced,
>security researchers widely expected a worm to be written to exploit
>it. The IRC bot is one step removed from a worm and less disruptive.
>...
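A small host triage script for the indicators Forrest describes (an added example, not code from this thread): it parses `netstat -ano` style output plus a PID-to-image map and flags any established connection to remote port 6667 or any directx.exe running from system32. The sample lines are constructed; the PID map is assumed to have been collected separately on the host (for example from `wmic process get ProcessId,ExecutablePath`).

```python
import re
from dataclasses import dataclass

IRC_PORT = 6667                      # channel port named in the report
SUSPECT_IMAGE = "directx.exe"        # file name named in the report
SYSTEM32 = r"c:\windows\system32"    # drop location named in the report

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  TCP    10.0.0.5:1045     192.0.2.10:6667    ESTABLISHED     1432
  TCP    10.0.0.5:1046     198.51.100.7:80    ESTABLISHED     2210
  TCP    0.0.0.0:135       0.0.0.0:0          LISTENING       812
"""

# Constructed PID -> executable path map (assumed collected via wmic).
PID_TO_IMAGE = {
    1432: r"C:\WINDOWS\system32\directx.exe",
    2210: r"C:\Program Files\Internet Explorer\iexplore.exe",
    812: r"C:\WINDOWS\system32\svchost.exe",
}

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+([^\s:]+):(\d+)\s+([^\s:]+):(\d+)\s+(\w+)\s+(\d+)\s*$",
    re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def parse_netstat(text):
    """Yield (pid, remote_ip, remote_port, state) for each TCP line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield int(m.group(6)), m.group(3), int(m.group(4)), m.group(5).upper()


def triage(netstat_text, pid_to_image):
    """Return findings matching the IRC-port and dropped-file indicators."""
    findings = []
    for pid, rip, rport, state in parse_netstat(netstat_text):
        if rport == IRC_PORT and state == "ESTABLISHED":
            image = pid_to_image.get(pid, "<unknown>")
            findings.append(Finding(pid, image, f"IRC connection to {rip}:{rport}"))
    for pid, image in pid_to_image.items():
        name = image.rsplit("\\", 1)[-1].lower()
        if name == SUSPECT_IMAGE and image.lower().startswith(SYSTEM32):
            findings.append(Finding(pid, image, "directx.exe running from system32"))
    return findings
```

A hit on either indicator is a cue to pull the process for analysis and check the host for the RPC patch, not proof on its own; the IRC check in particular only catches the default port the report mentions.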
This archive was generated by hypermail 2.1.5 : Mon Aug 04 2003 - 08:05:56 PDT