James,

> In this case I think you have mislabeled a trojan with
> a rootkit.

Just out of curiosity, what are you seeing that leads you to say this? I'm not sure that I see anything in Richard's original email that suggests a rootkit at this point.

> You should determine (if possible) what rootkit has
> infected the machine.
> It sounds like a new variant or perhaps a new tool
> altogether.

Again, what leads you to think this, if you don't mind me asking?

> I would suggest wiping the box and rebuilding it if
> you cannot determine
> exactly what is the culprit or any way to clean it.

Hhhmmm...if it is a rootkit, then perhaps wiping/reinstalling may be the way to go, but I'd suggest further investigation and a root cause analysis first. Even if Richard were to find out what the malware is (looks like an IRCbot at this point), without a root cause analysis (and subsequent actions as a result), the system will likely be reinfected all over again.

> To answer your questions:
>
> 1. No, I have not seen this in our nets.
>
> 2. I answered this above.
>
> 3. Probably not. There is nothing law enforcement can do unless there is a
> substantial loss. You are ultimately responsible for what gets installed on
> your machines regardless of the method of installation. Now, if you find
> someone using data that you can prove could only have been acquired by this
> method, then you should discuss with your legal department about your
> options and what you will need to do to provide proof of this infringement.
>
> Cheers,
>
> James Friesen, CIO
> Lucretia Enterprises
> Our World Is Here
> info at lucretia dot ca
> http://lucretia.ca
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Goetz, Richard
> > Sent: Tuesday, October 24, 2006 8:54 AM
> > To: [email protected]
> > Subject: Malware/trojan attacks
> >
> > Over the last several months we have on more than one
> > occasion uncovered a number of Trojans that appear to be
> > seeking corporate information, sending that over a chat
> > session to/through several European sites and downloading
> > additional programs to the infected computer. Here's a short
> > synopsis of the type of conversations one of our people
> > uncovered on a laptop on the network:
> >
> > Contacts 203.121.73.136 on port TCP/17555. IRC commands were
> > sent to the workstation to run a command "staticftp"
> > 70.84.109.84 to download a program x.exe. Instructed to
> > launch 5 scans (netapi on port 137, wkssvc port 445, asn on
> > port 445, dcom on port 135 and lsass on port 445). Connects
> > to 66.36.243.116 on TCP/80 and starts a PHP-based
> > conversation, giving the workstation credentials to the host
> > and receiving the following information:
> > CARGO:smtp_purple;
> > MOD:smtp;
> > PATH:http://niuqennaois.com/s2.5.exe;
> > SERVER:209.160.64.216;
> > REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;
> > Connects to 195.49.141.23 on TCP/3144, retrieving unreadable
> > data. Connects to 66.36.243.116 on TCP/80, exchanging
> > credentials via PHP:
> > To host:
> > uuid <wsname>_547611528
> > wv mag5_min0_build2195_Service_Pack_4
> > cargo
> > check purple
> > To workstation:
> > REFRESH:3600;
> > KEY: 864a1bae77fc8053055d02550ed7b49c;
> > HTTP connections are made to 66.45.232.66, 66.36.243.116 to
> > perform similar PHP and download conversations.
> > Three-way TCP handshakes are attempted to 74.52.53.66,
> > 68.142.212.41 and 68.142.212.93 on TCP/80, but no further
> > conversation was made.
> >
> > My questions are:
> >
> > 1. Are other folks in the community seeing this kind of activity?
> > 2. What, aside from deleting what you can find, what other
> > actions are recommended/required?
> > 3. Who, if anyone, in the community or law enforcement should be
> > notified?
> >
> > If this post should be somewhere else, please let me know.
> >
> > Thanks,
> >
> > Richard Goetz
> > IT Security Officer
> > Kronos, Incorporated
> > Phone: 978-947-2819
> > Fax: 978-256-3919
> > [EMAIL PROTECTED]
> >
> > Experts at Improving the Performance of People and Business
> >
> > ------------------------------------------------------------------------------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
> > World renowned security experts reveal tomorrow's threats today. Free of
> > vendor pitches, the Briefings are designed to be pragmatic regardless of your
> > security environment. Featuring 36 hands-on training courses and 10 conference
> > tracks, networking opportunities with over 2,500 delegates from 40+ nations.
> >
> > http://www.blackhat.com
> > ------------------------------------------------------------------------------

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
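Harlan's point is that deleting what you find on one laptop is not the same as scoping the infection and finding the root cause. As an added example (not code from anyone in this thread), the Python below parses the HTTP check-in response Richard quoted, turns it and the other hosts he listed into indicators, sweeps a firewall log for any host talking to them, and flags the internal port-135/137/445 scanning the bot was instructed to run. The log lines, the 10.20.30.x addresses and the log format `src=... dst=... dport=...` are constructed for the example; the external hosts, ports and the check-in fields are taken from Richard's post.

```python
"""Indicator extraction and log sweep for the IRC bot described in the thread.
Added example; the firewall log below is constructed, not real traffic."""
import re
from collections import defaultdict

# The PHP check-in response exactly as quoted in Richard's post, joined onto
# one line.  Hosts and the key come from the post, nothing here is invented.
CHECKIN_RESPONSE = (
    "CARGO:smtp_purple;MOD:smtp;PATH:http://niuqennaois.com/s2.5.exe;"
    "SERVER:209.160.64.216;REFRESH:2700;KEY:864a1bae77fc8053055d02550ed7b49c;"
)

# Other endpoints named in the post.
KNOWN_BAD_HOSTS = {
    "203.121.73.136",   # IRC C2 on TCP/17555
    "70.84.109.84",     # source of x.exe ("staticftp"); port not given in the post
    "66.36.243.116",    # PHP check-in on TCP/80
    "66.45.232.66",     # further PHP/download conversations on TCP/80
    "195.49.141.23",    # TCP/3144, unreadable data
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_checkin(body):
    """Split 'KEY:value;KEY:value;' into a dict.

    Only the first ':' separates key from value so the URL in PATH survives;
    an empty trailing field and spaces after the colon ('KEY: 864a...') are
    tolerated because both appear in the post.
    """
    fields = {}
    for item in body.split(";"):
        key, sep, value = item.partition(":")
        if sep and key.strip():
            fields[key.strip().upper()] = value.strip()
    return fields


def indicators_from_checkin(fields):
    """Hosts the bot is told to talk to next: the SERVER field and the host
    part of the PATH download URL (the hostname is what proxy/DNS logs show)."""
    iocs = set()
    if fields.get("SERVER"):
        iocs.add(fields["SERVER"])
    m = re.match(r"[a-z]+://([^/:]+)", fields.get("PATH", ""))
    if m:
        iocs.add(m.group(1))
    return iocs


def parse_log(text):
    """Yield (src, dst, dport) from lines carrying src=/dst=/dport= fields."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def sweep_for_iocs(log_text, iocs):
    """Every flow to a known indicator.  The set of distinct sources is the
    list of hosts that need root-cause work, not just the laptop found first."""
    return [(s, d, p) for s, d, p in parse_log(log_text) if d in iocs]


def find_scanners(log_text, ports=(135, 137, 445), threshold=5):
    """(src, dport, distinct_dsts) for any internal host that touched at least
    `threshold` distinct destinations on one of the exploit ports; that is the
    footprint of the netapi/wkssvc/asn/dcom/lsass scans the bot was told to run."""
    seen = defaultdict(set)
    for src, dst, dport in parse_log(log_text):
        if dport in ports:
            seen[(src, dport)].add(dst)
    return sorted((src, dport, len(dsts)) for (src, dport), dsts in seen.items()
                  if len(dsts) >= threshold)


# Constructed log: one laptop reaching C2, fetching x.exe (port chosen
# arbitrarily), scanning six neighbours on 445, checking in over HTTP; a
# second host reaching the SERVER address from the check-in response.
SAMPLE_LOG = """\
2006-10-24T08:50:01 src=10.20.30.40 dst=203.121.73.136 dport=17555 proto=tcp
2006-10-24T08:50:05 src=10.20.30.40 dst=70.84.109.84 dport=8080 proto=tcp
2006-10-24T08:50:09 src=10.20.30.40 dst=10.20.30.1 dport=445 proto=tcp
2006-10-24T08:50:09 src=10.20.30.40 dst=10.20.30.2 dport=445 proto=tcp
2006-10-24T08:50:09 src=10.20.30.40 dst=10.20.30.3 dport=445 proto=tcp
2006-10-24T08:50:09 src=10.20.30.40 dst=10.20.30.4 dport=445 proto=tcp
2006-10-24T08:50:10 src=10.20.30.40 dst=10.20.30.5 dport=445 proto=tcp
2006-10-24T08:50:10 src=10.20.30.40 dst=10.20.30.6 dport=445 proto=tcp
2006-10-24T08:50:10 src=10.20.30.40 dst=10.20.30.7 dport=135 proto=tcp
2006-10-24T08:50:15 src=10.20.30.40 dst=66.36.243.116 dport=80 proto=tcp
2006-10-24T08:51:00 src=10.20.30.41 dst=10.20.30.1 dport=445 proto=tcp
2006-10-24T08:51:30 src=10.20.30.41 dst=209.160.64.216 dport=25 proto=tcp
2006-10-24T08:52:00 src=10.20.30.42 dst=198.51.100.7 dport=80 proto=tcp
"""

if __name__ == "__main__":
    iocs = KNOWN_BAD_HOSTS | indicators_from_checkin(parse_checkin(CHECKIN_RESPONSE))
    for src, dst, dport in sweep_for_iocs(SAMPLE_LOG, iocs):
        print(f"IOC hit: {src} -> {dst}:{dport}")
    for src, dport, n in find_scanners(SAMPLE_LOG):
        print(f"scanner: {src} touched {n} hosts on tcp/{dport}")
```

Run against the constructed log this reports four indicator hits from two different internal hosts (the second one only shows up because the SERVER field from the check-in was added to the indicator set) and one host scanning six neighbours on TCP/445. That second host is exactly why a sweep across the whole network belongs before a rebuild of the first box: the C2 and download hosts will change with the next REFRESH, so the firewall and proxy logs should be swept again after each new check-in response is captured.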
