Friday, July 15, 2005

Freekin' %&(#$ bots!.....

I didn't find much of an opportunity to review tech news tidbits and post to the blog this afternoon because I was busy helping to identify, disable, and disinfect a few servers of an Agobot infection in a client network.

What a pain in the ass...

Having said that, I'd really like to hear from anyone who might have $.02 to pitch in on how they might have handled this type of issue before, what they used to detect it/them, etc.

The servers that were infected were probably compromised because of outdated security patches (Microsoft) and did not show any overt indications of suspicious activity (LSASS scanning of hosts, RPC buffer overflows, etc.) other than usual day-to-day network errors. And on top of that, the latest installed antivirus signatures (McAfee provided a new .dat signature update earlier this afternoon which did identify the culprit executable) didn't catch the infected executable running on the servers.

The infected executable was "wnpsm.exe" and www.virustotal.com provided this summary report:

Virus Total
_______________________________________________

Scan results
File: wnpsm.bak
Date: 07/15/2005 19:15:37 (CET)
----
AntiVir 6.31.0.9/20050715 found [Worm/Agobot.PD]
AVG 718/20050715 found nothing
Avira 6.31.0.9/20050715 found [Worm/Agobot.PD]
BitDefender 7.0/20050715 found [Backdoor.SDBot.7E9551EC]
CAT-QuickHeal 7.03/20050715 found [(Suspicious) - DNAScan]
ClamAV devel-20050501/20050714 found nothing
DrWeb 4.32b/20050715 found [Win32.HLLW.Agobot]
eTrust-Iris 7.1.194.0/20050714 found nothing
eTrust-Vet 11.9.1.0/20050715 found nothing
Fortinet 2.36.0.0/20050715 found [W32/AgoBot.ATZ-bdr]
F-Prot 3.16c/20050715 found nothing
Ikarus 2.32/20050715 found [Backdoor.Win32.Agobot.HM]
Kaspersky 4.0.2.24/20050715 found [Backdoor.Win32.Agobot.gen]
McAfee 4535/20050714 found nothing
NOD32v2 1.1170/20050715 found [probably unknown WIN32 virus]
Norman 5.70.10/20050714 found nothing
Panda 8.02.00/20050715 found [W32/Gaobot.gen.worm]
Sybari 7.5.1314/20050715 found [Backdoor.Win32.Agobot.gen]
Symantec 8.0/20050714 found nothing
TheHacker 5.8.2.071/20050715 found nothing
VBA32 3.10.4/20050715 found nothing

I have the ASCII strings of the output of this binary, which I would generally not think anything of posting here--but it's, like, 50 pages in length. ;-)

Here's a couple of troubling lines, though:

[snip]

00404260 ASCII "CCmdExecutor"
0040495B ASCII "CDownloadHelper"
00405B9E ASCII "%d"
00405BF3 ASCII "***ATTENTION*** NortonBot is protected under
international copyright laws. Any attempt to dissassemble or alter this file is
a violation of international copyright law. NortonBot is NOT intended to be a
virus or trojan."
00405C06 ASCII "Bot - File Transfer Port"
00405C17 ASCII "bot_ftrans_port"
00405C35 ASCII "Bot - File Transfer Port for FTP"
00405C46 ASCII "bot_ftrans_port_ftp"
[snip]

Look forward to hearing any war stories.

- ferg

3 Comments:

At Fri Jul 15, 09:16:00 PM PDT, Anonymous said...

snort is a good way of picking these things up - either via commands sent over an IRC channel or via scanning activity - mostly seen on 445/tcp, but some bots come with a lot of other exploits.

cheers,
Jamie

At Fri Jul 15, 09:33:00 PM PDT, Anonymous said...

I've not encountered agobot. I have encountered some others (randex, gaobot). Even on fully patched systems, they were able to infect via weak passwords (some bots will attempt a laundry list of passwords) & file shares.

Some bots can enumerate valid domain accounts to use when connecting to file shares. Monitor DC (or GC) security event log for either lockouts or failed login attempts. Depends on your lockout threshold. Too low & accounts will lock (help desk will hear about it first). Too high & lockout events disappear. However, you will notice a pattern of failed logins. Many (100s, 1000s) failed logins for multiple accounts from individual machines. Track the machine down, shoot it.

----
Recently seen a blended threat. Virus w/rootkit, installs other virus, installs spyware. Not sure what comes first (virus or spyware). Infected machines appear to be mostly patched, w/ up-to-date definitions and anti-spyware. Infection attempts to spread (known-patchable vulns, file shares) but fails because others are patched, good passwords, no accessible shares.

Cleanup was frustrated by the rootkit, didn't know the file/virus was there. Also one virus was able to load into all other processes, effectively, every process helped keep the virus alive.

Is it possible that all the users (low, not wide-spread) visited a site(s) that "convinced" them to install something, or that loaded a signed activex or other "trusted" object? Can anyone share experience with setting killbit on guids for known-bad activex (spyware...)? Is this an effective mitigation? How do you keep up with new guids?
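One way to turn the failed-login pattern the commenter above describes into a check, as an added example that is not part of the post or the comments: it groups logon failures by the workstation they came from and flags hosts whose failures spread across many accounts, which is what a password-list bot looks like and a single user with a forgotten password does not. The log format is a constructed, simplified export (not real Security event log output), and the thresholds are assumptions to tune against your own lockout policy.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified export format (not real Security log output):
# <date> <time> <LOGON_FAILURE|ACCOUNT_LOCKOUT> account=<name> workstation=<host>
SAMPLE_LOG = [
    # ordinary typos from two users: a handful of failures, one account each
    "2005-07-15 14:02:11 LOGON_FAILURE account=jsmith workstation=WS-ACCT-07",
    "2005-07-15 14:03:45 LOGON_FAILURE account=jsmith workstation=WS-ACCT-07",
    "2005-07-15 14:10:02 LOGON_FAILURE account=mlee workstation=WS-HR-03",
]
# one compromised host working through a password list against 40 enumerated accounts
SAMPLE_LOG += [
    f"2005-07-15 15:{i // 60:02d}:{i % 60:02d} LOGON_FAILURE "
    f"account=user{i % 40:02d} workstation=SRV-FILE02"
    for i in range(300)
]
SAMPLE_LOG.append("2005-07-15 15:04:59 ACCOUNT_LOCKOUT account=user03 workstation=SRV-FILE02")

LINE_RE = re.compile(
    r"^(\S+ \S+) (LOGON_FAILURE|ACCOUNT_LOCKOUT) account=(\S+) workstation=(\S+)$"
)


def summarize_by_source(lines):
    """Per source workstation: failure count, distinct accounts tried, lockouts caused."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "lockouts": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _, event, account, host = m.groups()
        if event == "LOGON_FAILURE":
            stats[host]["failures"] += 1
            stats[host]["accounts"].add(account)
        else:
            stats[host]["lockouts"] += 1
    return stats


def suspected_brute_force(lines, min_failures=50, min_accounts=5):
    """Hosts whose failures are both numerous and spread over many accounts (assumed thresholds)."""
    stats = summarize_by_source(lines)
    return sorted(
        host for host, s in stats.items()
        if s["failures"] >= min_failures and len(s["accounts"]) >= min_accounts
    )


if __name__ == "__main__":
    for host in suspected_brute_force(SAMPLE_LOG):
        s = summarize_by_source(SAMPLE_LOG)[host]
        print(f"{host}: {s['failures']} failures, {len(s['accounts'])} accounts, {s['lockouts']} lockouts")
```

With a low lockout threshold the same host shows up as a burst of ACCOUNT_LOCKOUT events instead, so the lockout count is kept alongside the failure count rather than relying on either alone.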

At Fri Jul 15, 11:20:00 PM PDT, Anonymous said...

The best way to combat these pieces of malware that disguise their presence and spawn multiple processes which monitor each other is to disinfect the disk offline. My two personal favorites for doing this are the INSERT live-cd and the BartPE Windows-based live-cd. Generally, the infected files that ClamAV can't find, AdAware will detect. If you encounter a new piece of malware, offline registry editing usually takes care of the rest. I haven't seen malware that is clever enough to avoid the virus/malware scanners and piggy-back on standard Windows components so that it cannot be seen loading itself from the registry/INIs. That doesn't mean they don't exist though, just that one hasn't been noisy enough to be noticed yet.
