Posted
Several anti-virus companies are warning about the spread of a new mass-mailer Internet worm named Fizzer (also known as W32/Fizzer@MM, W32/Fizzer.A, W32/Fizzer-A and I-Worm.Fizzer). The worm has been given a medium risk rating, but warnings are nevertheless being issued about its high distribution and damage potential. Fizzer spreads via e-mail, P2P networks and IRC and can update itself via a Geocities website. The worm was first discovered in Asia, but it appears to have been designed by someone from southern Germany (or someone with a good knowledge of German), because of the dialect used in the subject line. Virus scanners that have been updated should recognize the worm, although Fizzer can disable certain virus scanners.
-------------------- People are like pieces of a puzzle. We all fit together, but not all of us connect. Posts: 6985 | Location: Zeist | Registered: Jul 2002
A new mass mailing virus, currently labeled "Win32.Fizzer.A" is spreading for the last few days. The payload of this virus contains a few interesting features:
- In addition to e-mail, the virus uses the P2P system Kazaa to spread.
- It will try to terminate anti-virus scanners.
- The virus includes a keystroke logger.
- It permits remote control via AOL Instant Messenger or IRC.
The IRC component is in particular interesting. It includes a long list of IRC servers. The infected system will join a password protected channel on one of these systems to wait for commands.
"Fizzer" attempts to hide its bot nature in this IRC channel by using regular-looking names. Occasionally, the bots will "chat" by sending a random string to the channel.
A summary from an IRC operator's perspective can be found in this mailing list post:
Current Anti Virus filters will detect 'Fizzer'. Stripping executable attachments will work as well.
Detection:
The virus will create the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the Anti Virus vendor links below for a more complete list.
Removal:
According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute and then delete the file progOp.exe from the Windows folder.
Posted
On Monday 12 May 2003 12:55, Johannes B. Ullrich wrote:
I run two irc networks.
Last week we had a ton of rogue clients connecting and joining one channel on one of my networks. We caught on to this very quickly. One of my admins started glining immediately without my knowledge. That was quickly halted but not before we got packeted pretty hard.
We learned that the way the virus was getting distributed was via a game bot for an RPG game. The name of the bot was skore and it was installing a virus called Optix 3.0 using a sub 7 knockoff. Google Optix...you will find it.
Ok, so...I said I run two networks. Who would have thunk that a similar situation would arise less than a week after the last, and they are not related nor on the same network. This seems to be a pretty popular uprising -- using irc for rogue bot networks.
We are err, well, I am (the other admins of the network aren't into this kind of forensics thing sooo) watching a phenomenon where we get strange clients connecting to seemingly randomly named channels and keying those channels. The clients are named using mixes of valid names or just random names:
To show just a few. This is the most clever irc bot I've ever seen. Anyway, the majority of these connections seem to be coming from Germany or someplace in Europe...no, I don't mean the connections, I mean whoever is controlling the connections. The connections are actually coming from all over the world. I am currently watching packets from a few of the clients and in fact am developing a Perl script to do this automagically, since the only way for me to do this is to 1. have root on the box to put the nic into promisc mode for tcpdump/ngrep/etc., 2. cuz despite that messages are seen from clients on all servers (i.e. all traffic for all clients goes through all servers except for ctcp) I can't see any ctcp or non-irc related traffic (not direct network connection) to those bots. Alrighty, so, I am in the middle of writing a script as I type...kinda...er well, anyway, you know what I mean. Oh, before I go on, I decided to nmap a couple of the IPs from which these bots hailed only to find that both of them (not a huge control group but oh well) were very well firewalled and had no ports open with the exception of 137 and 113 respectively to each IP. I will do some more tracing on that later. Therefore, I can deduce that these machines are most likely fw'ed.
Ok. Now these clients disappear after so long (random amount of time) which is to be expected if these are sploited machines and depend on the owner of the machine to keep the machine on...or something else built in to the client (?? perhaps). Each client connects to a channel that is keyed, where the keys of the channels are not the same; thus, well, maybe this will help by showing what I see:
Notice the number of clients in each channel? All those clients with the exception of one (me...I'm clever, I'm disguised as one of the rogues just watching what is going on) are all in +slk channels. This means that each channel is secret (hidden from normal users on /list), client-number limited (no number so this is really superfluous), and keyed, meaning that it requires a password to get in. Each channel has a different key. I have been able to grab some of the keys while watching tcpdump. Therefore, I know they are not the same keys.
Notice how the channels are named? It is clear to me that the channels are named by taking names of people or something and morphing them into something less understandable. What's more is there is often a number tacked on the end...again, makes it more 'random'-like. Not really necessary but ok. The words are also mixed-case which again is superfluous as irc is case-insensitive.
Now, the ircd we use is unrealircd beta 15 or 16. This is a really good daemon as it has many functions for irc opers to allow us to do neato things without the use of a services bot. One of those things is the ability to change modes on channels without being channel operators. So, naturally, we want to see what's going on in the channels. Therefore we have changed the keys of some of these channels and then entered the channel. Now, when we change the key nothing adverse happens. In fact, new clients still join and clients still in the channel just chill and jabber away randomly. Thus, clients in the channel must be sending the key to the new clients joining or the new clients wouldn't be able to join the channel, right?
This can be MOUNDS of info that could just make or break the whole "case". For instance, in the last "attack" on my other network, once we got in the channel the bots set the topic to something like "trojan bot channel" or some other ridiculously obvious thing that allowed us to know what was going on. Each bot connected with the OS of its host, the machine name it was on, the name of the user it was logged in as, the trojan password, the IP of the machine, etc, etc, etc, and then the name of the virus software. This current little situation is NOT AT ALL like that one in that it is very stealthy. This guy doesn't set a channel topic nor does it set the channels to +nt. Ok, +nt are channel modes that disallow anyone to come in and change the channel topic (+t) and disallow anyone to send a message to the channel without being in the channel (+n). As I have already stated, the messages the client leaves are nonsensical. The most odd behavior of these bots is that they send messages to other channels (using the lack of the channel mode +n) AND these messages are unintelligible as well. The messages are either in German or are in English but are random non-incriminating statements as if they are having a babble conversation...and it is very sporadic:
<dANieL67> diabolical knowlege
<SamaNt56> Indirectly intriguing peace embraces beauty?
<cLaIVE44> happiness embraces, reinterprets love
<MADLLI760> Really great charity
<MArfa7> Horribly passive suffering
<STeVFN42> brb...
<kaIWLy1> The terribly bad leisure follows fear!
<sarkh3> bad happiness kills love.
<rmCHeL787> god repeals passively good hate!
<NICHol144> brb...
<kAItly1> huhu Camper
<MIe17> 8()
<lUkE6> moin uk-world
<Robest4> faith is a horror
<cAmERo8> Gut geschlafen?
<gabRLe935> Life is a suffering
<sHeLbY62> oh man, ich habe ja jetzt schon kopfweh
<MADGSO268> Ich verstehe nicht.
<aaIoN433> Inverted work encapsulates power.
<stkvEn0> The greatly bad suffering
<BmBER33> Hallo, wie geht es dir.
<eoAN999> hihi
<BrkAnN708> the terribly superior religion
<alEJan381> heidelbeerkuchen
<ISAbBl5> hehe
Oh, and all of that is from clients who are in other channels. I know, because I am the only one in the channel. It's amusing that I can watch what is going on and nobody else is in the channel with me. This is significant too, however, because none of their clients are in this channel anymore thus the channel should have been destroyed when the last one left. It wasn't, however, so this means to me that either the trojan (which I think it is safe to say that that is what this is) has a list of channels that it is sending messages to, or the trojan caches the channels it has been in and sends messages to all the channels in its cache.
Now, I might have found the owner of the trojans. He wasn't on the network earlier; however, tonight as I scanned for new channels I found a couple that were really out of place (this is a Mormon (OK!! NO SCOFFING! ) network so there are certain channels that are disallowed). Funnily enough, I glined (permanently banned) this guy last week for being in the same channels. He was a little stealthy then too, because my other admins couldn't seem to gline him. They, my admins, weren't masking correctly (meaning they weren't using the proper class subnet hostmask for the network address from which he was coming). No problem.
So, I joined his channel...forgetting that I was made up to look like one of the trojans. I was immediately opped in the channel. Oh, he changes his nick every so often too. Now, another nifty thing that the ircd allowed netadmins to do is to change the way you look. Let me explain...
In irc when a person makes a connection the daemon associates the connection to you with some information (Note the post a couple of weeks ago about IRC DNS whois bug). Here is an example (obfu'ed):
--- [ByondF1] (~webmaster at NetAdmin.LDSirc.Net) : His Name
--- ByondF1 :is connecting from *@real.address.here.net
--- ByondF1 :is a registered nick
--- [ByondF1] *#Services *#School *#Help *#FullTimeMoms *#Announcements ^#Kolob *#opers
--- [ByondF1] modesto.ca.us.ldsirc.net :LDSircNet's Modesto, California Server
--- [ByondF1] is a Network Administrator
--- ByondF1 :is available for help.
--- ByondF1 :is a Services Root Administrator
--- [ByondF1] idle 05:57:53, signon: Mon May 12 20:22:38
--- [byondf1] End of WHOIS list.
This is a /whois done on one of the other net admins...my colleague. See the 'webmaster at netadmin.ldsirc.net'? Ok, well, now that is the part that can be changed so that normal clients, when they do a /whois on you, get your info. This ircd can mask that info but that is beyond the scope of this little paper of mine. That is the info I changed about myself...making me look like I am just a normal schmoe trojan connection.
So, I immediately get opped when I join the channel. I am still waiting to see what happens in there.
Anyway, this was, well, long-winded...but might be helpful. As I learn more about what this is I will divulge the info.
As the main admin of this network it is my express rule NOT to immediately start glining such trojans. Why? Generally, these kinds of trojans have a nasty ability to dDoS and well, we don't like dDoS'es. These trojans have done nothing wrong to us at this point as well...so, I am sitting back and watching. Tomorrow, we will contact our ISPs and let them know what is going on. There is really no good way to shut these suckers down while guaranteeing that they will not retaliate, short of turning the servers off. Now, just because these nasty buggers haven't done anything to us doesn't mean they are good. They can launch dDoS'es from our network as well, which is why we are contacting our ISPs tomorrow.
My suggestion is that if you find yourself in a situation like this, be cautious or don't screw around at all. As network admins only three of us have been watching and we've been doing it as sneakily as possible. Just be cautious. Take Johannes's advice.
Johannes, feel free to contact me on this if you are interested in more. Also, if you want to post this but you would prefer to change some of the pastes, feel free to do so. I figured since the channels are locked, regular clients can't get in. If you want to get in and watch, however, I can 'stealth' you up and you can be sneaky as well.
- Jim
| This is all too common :-(. Whenever I find one of them,
| shutting them down is a high priority.
|
| However, a quick note of caution: I almost did not approve
| this post, as I do not want everyone on this list to
| join the channel to 'lurk'. This can get you very quickly
| at the bad end of a DDOS attack if the 'owner' of the
| channel finds out.
|
| Please, if you find an IRC server that is used to control
| bots, send me a brief e-mail outlining things like IP
| address, channel name and key if you have it. If you captured
| some trojans that connect to this channel, attach them as an
| encrypted zip file (encrypted because a virus scanner may
| strip it en route if it is not encrypted). Use 'infected'
| as a password, or mention the password in the body of your
| email.
|
| Thanks.
|
| On Mon, 2003-05-12 at 14:51, Abdullah Hamad wrote:
| > Folks,
| >
| > There are script kiddies who hacked some boxes and installed IRC servers
| > on them, hosting DDoS bots.
| >
| > I failed to reach the admins of these servers.
| >
| > /server 213.29.98.8 6667
| > /join #crazy
| > /server 195.128.196.68 6667
| > /join #crazy
| >
| > The whois in RIPE didn't help and I need your kind help please to sort
| > the issue.
| >
| > Thanks,
| >
| > -A
| >
| > _______________________________________________
| > list mailing list
| > list at dshield.org
| > To change your subscription options (or unsubscribe), see:
| > http://www.dshield.org/mailman/listinfo/list
--
- Jim
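The two posts above describe the same three observable traits of the Fizzer bots on IRC: nicks built from a mangled first name plus a trailing number, JOINs to keyed (+k) channels with a different key per channel, and PRIVMSGs to channels the bot is not even in (possible because the channels lack +n). Below is an added example that turns those observations into a small triage script. It is not code from the posts, from Jim's Perl script or from any anti-virus vendor; it is written in Python rather than Perl. It assumes an input format of one record per line, `<nick><TAB><raw IRC line as the client sent it>`, which is what you would produce from an ngrep or tcpdump capture of the client-to-server side; the nick regex is my own approximation of the naming scheme, and the sample capture is constructed for the example.

```python
"""Heuristic spotter for Fizzer-style IRC bots in captured client traffic.

Added example for this thread; not code from the posts, from Jim's Perl
script or from any anti-virus vendor.  Input format is an assumption:
one record per line, "<nick><TAB><raw IRC line as the client sent it>".
"""
import re
from collections import defaultdict

# Assumed approximation of the bot naming scheme: 3-8 letters with at least
# one capital after the first letter, then 1-3 digits.  Ordinary nicks such
# as "john", "Daniel67" or "sarah_k" do not match.
BOT_NICK_RE = re.compile(r"^[A-Za-z](?=[A-Za-z]*[A-Z])[A-Za-z]{2,7}\d{1,3}$")

# Constructed sample: two keyed bot channels plus two ordinary users.
SAMPLE_CAPTURE = """\
dANieL67\tJOIN #PhoebAa51 zx9k2
dANieL67\tPRIVMSG #PhoebAa51 :diabolical knowlege
SamaNt56\tJOIN #PhoebAa51 zx9k2
cLaIVE44\tJOIN #LaWrAnce7 tq44p
cLaIVE44\tPRIVMSG #Services :happiness embraces, reinterprets love
MADLLI760\tJOIN #LaWrAnce7 tq44p
MADLLI760\tPRIVMSG #Help :Really great charity
john\tJOIN #Help
john\tPRIVMSG #Help :anyone around?
sarah_k\tJOIN #School
sarah_k\tPRIVMSG #Help :ping
"""


def parse_client_line(raw):
    """Split a raw client line into (COMMAND, [params], trailing-or-None)."""
    raw = raw.rstrip("\r\n")
    trailing = None
    if " :" in raw:                       # first " :" starts the trailing param
        raw, trailing = raw.split(" :", 1)
    parts = raw.split()
    if not parts:
        return None, [], trailing
    return parts[0].upper(), parts[1:], trailing


def analyze(capture):
    """Return {nick: {"flags", "channels", "keys", "outside"}} for a capture."""
    report = defaultdict(lambda: {"flags": set(), "channels": set(),
                                  "keys": {}, "outside": []})
    for line in capture.splitlines():
        if "\t" not in line:
            continue                      # not a "<nick>\t<raw>" record
        nick, raw = line.split("\t", 1)
        entry = report[nick]
        if BOT_NICK_RE.match(nick):
            entry["flags"].add("nick_pattern")
        cmd, params, trailing = parse_client_line(raw)
        if cmd == "JOIN" and params:
            # JOIN #a,#b key1,key2 -- channel names are case-insensitive,
            # so the mixed case the bots use is normalised away here.
            chans = [c.lower() for c in params[0].split(",")]
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                entry["channels"].add(chan)
                if i < len(keys) and keys[i]:
                    entry["keys"][chan] = keys[i]
                    entry["flags"].add("keyed_join")
        elif cmd == "PART" and params:
            for chan in params[0].split(","):
                entry["channels"].discard(chan.lower())
        elif cmd == "PRIVMSG" and params:
            target = params[0].lower()
            if target.startswith("#") and target not in entry["channels"]:
                entry["outside"].append((target, trailing or ""))
                entry["flags"].add("msg_outside_channel")
    return dict(report)


def bot_candidates(report, min_flags=2):
    """Nicks showing at least min_flags traits, most suspicious first.

    One trait alone is noise: a human can also message a channel that
    lacks +n, so a single flag never makes the list by default.
    """
    hits = [(len(e["flags"]), n) for n, e in report.items()
            if len(e["flags"]) >= min_flags]
    return [n for _, n in sorted(hits, key=lambda t: (-t[0], t[1].lower()))]


def channel_keys(report):
    """Channel -> key, the same thing Jim pulled out of tcpdump by hand."""
    keys = {}
    for entry in report.values():
        keys.update(entry["keys"])
    return keys


if __name__ == "__main__":
    rep = analyze(SAMPLE_CAPTURE)
    for nick in bot_candidates(rep):
        print(nick, sorted(rep[nick]["flags"]), rep[nick]["outside"])
    print("keys:", channel_keys(rep))
```

On the sample, the four bot nicks are reported and the two ordinary users are not, even though sarah_k also messaged a channel she had not joined; the keys recovered from the JOIN lines are what an operator would need to enter the channel quietly, which, as Johannes warns, should be done with care or not at all.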