Security Incidents mailing list archives
Re: strange windows behaviour.
From: J Mike Rollins <rollins () wfu edu>
Date: Wed, 8 Oct 2003 13:45:38 -0400 (EDT)
One trick that hackers are exploiting is to store executable files as NTFS
Streams. You should check your registry for programs set to run at startup
with the following format:
rundll32.exe C:\Some\Directory:trojan.dll
The : in front of the trojan signifies that the file is really an NTFS
Stream. Trojans stored in this format may not be detected by many virus
scanners.
NTFS Streams cannot be listed by the dir command. What you can do to
verify the existence of one of the Streams is to do:
notepad.exe C:\Some\Directory:trojan.dll
If you see content, then the stream is really there.
On Mon, 6 Oct 2003, Peter Moody wrote:
> Hello all, I've got a bit of a problem, and I was wondering if anyone on
> this list has seen similar things. Recently, we've been having student
> Windows machines on our residential network begin spewing large, massive
> (on the order of hundreds of thousands in a few hours) spam messages at our
> mail servers. We promptly disconnect the machines and head down to do some
> forensic work on the boxes when we get a chance (usually after they call to
> complain that the internet has died).
>
> I've been trying to find information on this, but the most I've been able
> to come up with is an advisory from Symantec's threat management system
> saying Mprox (some sort of MS proxy) is to blame. None of the machines I've
> gone and examined have had this program running or on the system anywhere
> for that matter.
>
> Has anyone else had similar problems of late? This all started for us about
> a week ago and it's showing no signs of going away any time soon.
>
> Thanks.
> -Peter
> --
> Peter Moody <peter () ucsc edu>
> Information Security Administrator 831/459.5409
> Communications and Technology Services. http://mustard.ucsc.edu/pubkey
> UC, Santa Cruz.
> :wq
Mike
Network Operations and Security, Wake Forest University
======================================================================
J. Mike Rollins rollins () wfu edu
Wake Forest University http://www.wfu.edu/~rollins
Winston-Salem, NC work: (336) 758-1938
======================================================================
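The check Mike describes, as an added example (not code from the post or from either university): walk the Run-key values looking for a path whose name carries a ':' after the drive letter, the `C:\Some\Directory:trojan.dll` form, and then confirm the stream the same way the post does with notepad, by opening it and seeing whether it holds any content. The token rules (ignore URLs and `/switch:value` arguments, strip a rundll32 `,EntryPoint` suffix), the inclusion of RunOnce alongside Run, and the sample values are my assumptions; the `winreg` reader only works on Windows, and everything else runs offline on the constructed sample.

```python
"""Flag autostart entries whose command line points at an NTFS alternate data stream.

Added example, not code from the original post. It implements the check the
post describes: look through the values under the Run keys for a path of the
form C:\\Some\\Directory:stream (a ':' after the drive letter), then confirm
the stream by opening it, as the post does with notepad.
"""
import re

# Assumption: Run and RunOnce under both HKLM and HKCU are the keys worth checking.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
TOKEN = re.compile(r'"[^"]*"|\S+')      # one quoted argument or one bare word
DRIVE = re.compile(r"^[A-Za-z]:")       # C:  D:  ...


def find_ads_references(cmdline):
    """Return (host_path, stream_name) pairs for every path in cmdline that
    names an alternate data stream. A ':' only counts as a stream separator
    when it follows the drive letter in a path-like token, so URLs and
    switches such as /d:value are ignored."""
    hits = []
    for tok in TOKEN.findall(cmdline):
        tok = tok.strip('"')
        if "://" in tok:
            continue                                  # URL, not a file path
        path_like = DRIVE.match(tok) or tok.startswith("\\\\") or tok.startswith("%")
        if not path_like:
            continue                                  # e.g. /silent, rundll32.exe, ,Start
        start = 2 if DRIVE.match(tok) else 0          # step over the drive-letter colon
        idx = tok.find(":", start)
        if idx == -1:
            continue                                  # ordinary file path
        stream = tok[idx + 1:].split(",")[0]          # drop a rundll32 ",EntryPoint" suffix
        hits.append((tok[:idx], stream))
    return hits


def scan_run_values(values):
    """values: {value_name: command_line}. Returns one finding per ADS reference."""
    findings = []
    for name, cmdline in values.items():
        for host, stream in find_ads_references(cmdline):
            findings.append({"value": name, "cmdline": cmdline,
                             "host": host, "stream": stream})
    return findings


def read_run_values():
    """Collect Run/RunOnce values from HKLM and HKCU (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for subkey in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue                              # key absent in this hive
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break                         # no more values
                    values[f"{hive_name}\\{subkey}\\{name}"] = str(data)
                    i += 1
    return values


def stream_has_content(host, stream):
    """The post's notepad check: open host:stream and see whether it holds any
    bytes. Only meaningful on an NTFS volume on Windows."""
    try:
        with open(f"{host}:{stream}", "rb") as fh:
            return len(fh.read(1)) == 1
    except OSError:
        return False


# Constructed sample values standing in for real Run-key contents.
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe" /silent',
    "Loader": r"rundll32.exe C:\Some\Directory:trojan.dll",
    "Helper": r'rundll32.exe "C:\Documents and Settings\user:payload.dll",Start',
}

if __name__ == "__main__":
    live = read_run_values()
    for f in scan_run_values(live or SAMPLE_RUN_VALUES):
        present = stream_has_content(f["host"], f["stream"]) if live else "n/a (sample)"
        print(f'{f["value"]}: stream "{f["stream"]}" on {f["host"]} (content: {present})')
```

Run on a Windows box it reads the live Run keys and reports whether each referenced stream actually holds data; anywhere else it falls back to the sample and shows the two entries that should be flagged. A hit only tells you an autostart entry points into a stream, which is exactly the point of the post: the stream itself is what the scanner and `dir` miss, so it still has to be pulled out and examined.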
