Security Incidents mailing list archives

Proxy attackers/hijackers

From: "Thomas Willner" <thomaswillner () elitetraderz com>
Date: Fri, 17 Oct 2003 23:38:25 -0300

Could you provide us with a location for downloading all the files
involved in this including the HTML source code of the site for
analyzing (We want to find out how and why this exploit still works with
patched IE - see details on this below)? I suspect they are using the IE
Exploit described in Cumulative Patch for Internet Explorer (822925).

It has been reported that the official Microsoft patch for this
vulnerability is not 100% effective in blocking exploitation. At this
time, there is no fully working solution except disabling ActiveX
controls and also disabling Active Scripting in IE. 

Some links that may be of use in determining your exposure to this
vulnerability: 

Technical Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp 
CERT Advisory: http://www.cert.org/advisories/CA-2003-22.html 
End-User Bulletin:
http://www.microsoft.com/security/security_bulletins/ms03-032.asp 

This is a serious threat and this exploit could be used for ANY sort of
virus/malware/trojan attack including on patched IE.

It would be great to be able to analyze all the files and
HTML/JavaScript involved in order for finding a solution.

Thomas Willner
(Security Researcher)

Elitetraderz, Inc.
Phone: (56)-2-4530381
Mobile: (56)-9-3193229
http://www.elitetraderz.com

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey () us army mil] 
Sent: Friday, October 17, 2003 2:00 PM
To: 'Joe Stewart '; 'General DShield Discussion List '
Cc: 'Jeff Kell '; 'incidents () securityfocus com ';
'intrusions () incidents org'
Subject: RE: Proxy attackers/hijackers

 The autoproxy Trojan you mentioned is detected by Norton Anti-virus as

'backdoor.coreflood Trojan', per the write-up from the site you
provided, but

there is another autoproxy Trojan that is not identified as a Trojan.
There is

a new site (216.247.117.225 - shows up as chinesenaming.com and
wvw.goling.com

(wvw is not a misprint))that is running malicious code when users
connect to it

(with ActiveX enabled).  We do not have a copy of the E-Mail that
initiated it,

however, look for http traffic to that site that changes to port 53
(same IP but

the site name changes between the two above).  There are files called
stop.bat

and ftp.txt (this file is brought in from 216.40.224.210 -
ftp.goling.com)and a

program called ap216.exe.  This program is the autoproxy Trojan.  When

everything is run there are two other files created - one without an
extension

and one (same name, which is random) that is a dll.  Also creates a
registry key

called

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework\St
art",4,"

REG_DWORD". 

The last thing ran is the stop.bat file which disables all Anti-virus
and

personal firewalls, then deletes itself (but they forgot and the may be
a copy

in the temp folder.



  Still working at the Forensics on this, so don't know everything yet.
We do

know that the random named file, with no extension, date/time stamp can
change

(but the size remains the same), apparently depending on what the user
is doing

on the web.  



The difference between this version and the one in the write-up appears
to be

there is no porn site references in the browser (probably taken out) and
there

are early indications that this Trojan is collecting personal ID and
credit card

information.  Also, if your ActiveX controls are disabled (or hopefully
you are

patched but have not tested that) and you go to the site, you do not see

everything on the site (approximately 200 bytes of data returned with
ActiveX

disabled and over 500 if enabled.

Also, does not appear to work on Windows9x, the stop.bat file is there,
but none

of the others.  NT, W2K, and XP (XP varies) are affected.



Steve Carey



-----Original Message-----

From: Joe Stewart

To: General DShield Discussion List

Cc: Jeff Kell; incidents () securityfocus com

Sent: 10/17/2003 9:15 AM

Subject: Re: Proxy attackers/hijackers



On Thursday 16 October 2003 11:31 pm, Jeff Kell wrote:

We had an attempted proxy rape today on a trojanned dorm machine.  No

mail escaped thanks to firewalling but I did track down the culprits

and the compromised ports (which appear random, they changed when the

machine was rebooted).  Do not have the machine (yet) for forensics

to see what infected it, but it was providing two proxy ports on

random ports that change when the machine is rebooted (apparently,

given the time difference between the pairs of proxy ports below).




If the two proxy ports start at a random port but themselves are 

sequential, it could be the Autoproxy trojan. A rash of these was 

installed yesterday by a second mass-hack of a large webhosting 

provider. Autoproxy can be detected when it attempts to make outbound 

HTTP control connections (one is to a CGI script where it reports its 

port numbers and stats, the other is to an uninvolved third-party 

website for connectivity checking). In these connections it sets its 

User-Agent header to "Autoproxy/0.2". The snort signature below will 

catch these connections leaving your network and let you know if you 

have any infected hosts. 



alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan 

control connection"; flags:A+; content: "|0d 0a 55 73 65 72 2d 41 67 65 

6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; 

reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; 

sid:1000028;  rev:1;)



-Joe



-- 

Joe Stewart, GCIH 

Senior Security Researcher

LURHQ http://www.lurhq.com/





------------------------------------------------------------------------

---

FREE Whitepaper: Better Management for Network Security



Looking for a better way to manage your IP security?

Learn how Solsoft can help you:

- Ensure robust IP security through policy-based management

- Make firewall, VPN, and NAT rules interoperable across heterogeneous

networks

- Quickly respond to network events from a central console



Download our FREE whitepaper at:

http://www.securityfocus.com/sponsor/Solsoft_incidents_031015

------------------------------------------------------------------------

----



------------------------------------------------------------------------
---

FREE Whitepaper: Better Management for Network Security



Looking for a better way to manage your IP security?

Learn how Solsoft can help you:

- Ensure robust IP security through policy-based management

- Make firewall, VPN, and NAT rules interoperable across heterogeneous

networks

- Quickly respond to network events from a central console



Download our FREE whitepaper at:

http://www.securityfocus.com/sponsor/Solsoft_incidents_031015

------------------------------------------------------------------------
----



---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
----------------------------------------------------------------------------

Current thread:

Proxy attackers/hijackers Jeff Kell (Oct 17)
- Re: Proxy attackers/hijackers Joe Stewart (Oct 17)
- <Possible follow-ups>
- RE: Proxy attackers/hijackers Carey, Steve T GARRISON (Oct 17)
- Proxy attackers/hijackers Thomas Willner (Oct 20)
  - Re: [Dshield] Proxy attackers/hijackers Thor Larholm (Oct 19)
- RE: Proxy attackers/hijackers James C. Slora, Jr. (Oct 20)