Security Incidents mailing list archives

Re: Possible new trojan?


From: "Mike Blomgren" <mike.blomgren () ccnox com>
Date: Thu, 13 Sep 2001 20:39:54 +0200 (CEST)

Thanks for all on/off-line replies - I was a bit hasty in my previous 
post, and missed a few important technical details: see below.

1. Did you perform a packet capture on the network?

Not yet - but we're in the process of doing this, post mortem, so to 
say.

2. Did you dump the process list from the machine during this activity?

No. We had to unplug the machine from the network, and it was 
inadvertently powered down.

3. What is the OS of the target system (this would help me and others recommend tools)?

I forgot to mention that the client is a Win2k SP2. The two targets are 
seemingly 'Microsoft-IIS/5.0' and 'Apache/1.3.11 Ben-SSL/1.38 (Unix) 
PHP/3.0.15'.

4. Did you check the contents of the Run, RunServices, RunOnce Registry keys (if the target system is a MS platform)?

No - but I'd like a tool that can decipher the 'ntuser.dat' file, so we 
don't have to log on as the specific user that caused the problems. 
Does anyone know of a way of 'reading'/enumerating a user's own 
registry file (HKCU)? There is supposedly a driver for Linux, to mount 
the registry file - and browse everything like a directory. But that 
seems to be like crossing the river for water...

How about startup directories for the currently logged on user?

Checked - nothing found.

http://www.securityfocus.com/focus/microsoft/2k/forensictools.html

I'll check these tomorrow. When daylight hits again...

An interesting thing is that the source port in each request would 
start at 1025, increase by one to 5000, and then start over with source 
port 1025.

That should be fairly normal activity, actually. I'm not sure about 
rolling over specifically at 5000, but starting at a high port (i.e., 
above 1024) is normal.

When investigating further, it turns out that all the customer's 
Microsoft client machines (NT4 & Win2k) roll over at 5000, and start at 
1025 again. Is this normal behaviour? And out of curiosity - if so, 
why? What about the other 60000 ports?

The client machine does have an irc client
installed, and this is somewhat alarming.

How so?  It might have served as the infection vector,
but I don't necessarily see how the presence of just
an irc client is "alarming".

Alarming due to company policy for this client machine, and alarming 
due to the fact that IRC is a method of spreading 'evil'.


Rgds,

~Mike
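Reading the Run-family keys straight out of a copied NTUSER.DAT, as an added example that is not part of this thread or any tool mentioned in it: a small stdlib-only Python parser for the regf hive format (4 KiB header, hbin cells, nk/vk records, lf/lh/li/ri subkey lists) that walks to Software\Microsoft\Windows\CurrentVersion\Run and decodes its values without logging on as the user. It assumes a copy of the hive file is passed on the command line; the function names and the script name hive_autostart.py are my own.

```python
import struct

BASE = 0x1000  # the first hbin follows the 4 KiB regf header; every cell offset is relative to it

def cell(h, off):  # payload of one cell; the leading size field is negative while the cell is in use
    size = struct.unpack_from("<i", h, BASE + off)[0]
    return h[BASE + off + 4:BASE + off + abs(size)]

def subkeys(h, off):  # nk offsets from an lf/lh/li subkey list, or from an ri list of such lists
    lst = cell(h, off)
    n = struct.unpack_from("<H", lst, 2)[0]
    step = 8 if lst[:2] in (b"lf", b"lh") else 4  # lf/lh keep a name hash beside each offset
    offs = [struct.unpack_from("<I", lst, 4 + step * i)[0] for i in range(n)]
    return [o for s in offs for o in subkeys(h, s)] if lst[:2] == b"ri" else offs

def name_of(nk):  # key name length sits at 0x48 of the nk record, the name itself at 0x4C
    return nk[0x4C:0x4C + struct.unpack_from("<H", nk, 0x48)[0]].decode("latin-1")

def open_key(h, path):  # walk a backslash-separated path from the root key; nk offset or None
    off = struct.unpack_from("<I", h, 0x24)[0]  # root key offset is stored in the regf header
    for part in path.split("\\"):
        nsub, _, lst = struct.unpack_from("<III", cell(h, off), 0x14)
        kids = subkeys(h, lst) if nsub else []
        off = next((k for k in kids if name_of(cell(h, k)).lower() == part.lower()), None)
        if off is None:
            return None
    return off

def values(h, key_off):  # {name: data}; REG_SZ/REG_EXPAND_SZ decoded, other types left as raw bytes
    n, lst_off = struct.unpack_from("<II", cell(h, key_off), 0x24)
    out = {}
    for i in range(n):
        vk = cell(h, struct.unpack_from("<I", cell(h, lst_off), 4 * i)[0])
        nlen, dlen, doff, dtype = struct.unpack_from("<HIII", vk, 2)
        if dlen & 0x80000000:  # data of 4 bytes or less is stored inline in the offset field
            data = struct.pack("<I", doff)[:dlen & 0x7FFFFFFF]
        else:
            data = cell(h, doff)[:dlen]
        name = vk[0x14:0x14 + nlen].decode("latin-1") or "(Default)"
        out[name] = data.decode("utf-16-le", "replace").rstrip("\0") if dtype in (1, 2) else data
    return out

def run_entries(h, subkey="Run"):  # Run, RunOnce or RunServices below the user's CurrentVersion key
    off = open_key(h, "Software\\Microsoft\\Windows\\CurrentVersion\\" + subkey)
    return values(h, off) if off is not None else None

if __name__ == "__main__":  # usage: python hive_autostart.py NTUSER.DAT  (hypothetical script name)
    import sys
    hive = open(sys.argv[1], "rb").read()
    print({k: run_entries(hive, k) for k in ("Run", "RunOnce", "RunServices")})
```

Take the hive from the imaged disk rather than the live profile, since Windows keeps NTUSER.DAT locked while that user is logged on, and bear in mind that a hive left dirty by a power-down may still have changes pending in its .LOG file, which this parser does not replay.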




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
