
Thread: RPC/DCOM/mblast.exe thread discussions/notices

  1. #1 tonybradley (AO Security for Non-Geeks; joined Aug 2002; 830 posts)

    Stealther Worm Exploits RPC Flaw

    A new worm / trojan has been discovered that exploits the RPC flaw from MS Security Bulletin MS03-026:

    This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerability has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files), and the patch for the DCOM RPC vulnerability. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.
    The Stealther trojan is designed to hide running processes, files, and registry keys. When run, any file name matching CSRS*.EXE will be hidden from the user. Booting an infected system into Safe Mode, or connecting to it via network share, are 2 ways to view the stealthed files.

    Details of the recent attack are as follows. Compromised systems contain the following files:

    %WinDir%\system32\csrsv.exe Stealther trojan
    %WinDir%\system32\csrsu.exe ExeStealth packed BackDoor-TC trojan
    c:\update.exe MS03-026 patch


    The following registry keys are present:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSPX
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSWIN1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSWIN1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSPX
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSWIN1
    The CSRSPX key is responsible for loading the Stealther trojan, to conceal the presence of any file named CSRS*.EXE (in this case the backdoor trojan, as well as the Stealther trojan). Reports have varied on which TCP port the backdoor trojan is listening on, which is likely configured by the hacker(s) responsible for these attacks.
    This one is kind of sneaky so beware and keep your eyes open.

    McAfee AVERT

    Trend Micro

  2. #2

    Anyone recognize this virus? msblast.exe?

    Found a file called msblast.exe. A friend and client both called me saying they were having the same problems. Their box would constantly reboot with a shutdown message of 1 minute right after rpc crashed on them.

    Was able to get into the machines and get a command shell remotely, and tftp'ed over some files like fport, pslist, pskill.exe, strings.exe etc. Did a dir in windows\system32 by date and found a strange file.

    The file is msblast.exe. It is packed with UPX, and after unpacking, strings.exe shows that it contains the following strings in the executable:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    MARB
    MEOW
    MEOW(
    MEOW
    ~'?bB
    41Qk
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    htons
    ioctlsocket
    inet_addr
    inet_ntoa
    recvfrom
    select
    send
    sendto
    setsockopt
    socket
    gethostbyname
    bind
    gethostname
    closesocket
    WSAStartup
    WSACleanup
    connect
    getpeername
    getsockname
    WSASocketA
    InternetGetConnectedState
    ExitProcess
    ExitThread
    GetCommandLineA
    GetDateFormatA
    GetLastError
    GetModuleFileNameA
    GetModuleHandleA
    CloseHandle
    GetTickCount
    RtlUnwind
    CreateMutexA
    Sleep
    TerminateThread
    CreateThread
    RegCloseKey
    RegCreateKeyExA
    RegSetValueExA
    __GetMainArgs
    atoi
    exit
    fclose
    fopen
    fread
    memcpy
    memset
    raise
    rand
    signal
    sprintf
    srand
    strchr
    strtok
    WS2_32.DLL
    WININET.DLL
    KERNEL32.DLL
    ADVAPI32.DLL
    CRTDLL.DLL

    It installs itself into SOFTWARE\Microsoft\Windows\CurrentVersion\Run as Windows Auto Update.

    As you can see from the strings it tftp's something down to the infected computer. I did find a tftp file in the windows\system32 directory but it was 0 bytes.

    That's all I have been able to figure out so far. Going to install it on a test box and see what it does.

    I have searched and couldn't find any references to this virus online. Not sure if it is a revised older virus or a new one. I think it may spread by the rpc/dcom exploit, as both servers that were compromised with this were also able to be compromised by the rpc/dcom exploit.

    Anyone have any further info?

    Grinler

  3. #3 DjM (I'd rather be fishing; joined Aug 2001; The Great White North; 1,867 posts)
    See nebulus200's post in the thread:

    http://www.antionline.com/showthread...995#post651995

    It talks about a newly discovered worm which has a lot of the characteristics you mentioned here.

    Cheers:
    DjM

  4. #4
    Hey thanks. Couldn't find it anywhere online. It does just what is posted at Sans. Uses the rpc dcom exploit, finds a vulnerable box by sequentially scanning ip addresses, opens a shell on their port 4444, connects to them, tftps the file down and adds the reg key.

    Just loaded it up on my test box and it did all of that to my lab.

    This is going to be very ugly.

  5. #5 Senior Member (joined Mar 2003; central il; 1,779 posts)
    If you have the code still I am sure the guys over at f-secure or Sophos would love a copy
    Who is more trustworthy than all of the gurus or Buddha’s?

  6. #6
    Don't know if it'll help much but here is a link to McAfee's Virus library regarding msblast.exe: http://vil.nai.com/vil/content/v_100547.htm

    Be sure to check out that link that DjM gave you - there is some really good information available there..
    - Maverick

  7. #7 DjM (I'd rather be fishing; joined Aug 2001; The Great White North; 1,867 posts)
    Symantec just posted it as a cat. 3 threat. More info HERE


    Cheers:
    DjM

  8. #8
    I followed the removal instructions and it's not working. I scan and it doesn't find the file; I even scan directly on the file and it doesn't get anything!!!

  9. #9 DjM (I'd rather be fishing; joined Aug 2001; The Great White North; 1,867 posts)
    Originally posted here by a_person
    I followed the removal instructions
    Which 'removal instructions'? Why did you follow the removal instructions, did you perform a scan that detected the virus prior to trying to remove it?

    Cheers:
    DjM

  10. #10
    I just sent a sample off to F-secure and Sophos, though I would be surprised if they don't have it already.

    I have seen 4x the amount of RPC port connection attempts in my firewall logs since yesterday. The scary thing is that a script kiddy can set up a firewall, black ice, etc....and just wait for all the requests to come in for port 135. When their firewall records the request, the script kid knows there is a good chance the box is vulnerable to the exploit. Now they have a box that is most likely exploitable and didn't have to portscan or do other activities that may have raised alarms.

    Oh well...we all knew this was gonna be bad.

    Grinler
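    Post #4 describes the worm's sequence (sequential scanning of port 135, a shell on port 4444, then a tftp download) and post #10 notes the surge of port 135 attempts in firewall logs. The following is an added detection example, not code from the thread or from any vendor: it parses constructed sample firewall lines in a hypothetical layout and flags a source that probes TCP/135 on consecutive addresses, then lists any 4444 and tftp (UDP/69) traffic tied to that source.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample firewall log (not from the thread); the line layout is hypothetical.
SAMPLE_LOG = """\
DROP TCP 10.0.0.5:1032 -> 192.168.1.1:135
DROP TCP 10.0.0.5:1033 -> 192.168.1.2:135
DROP TCP 10.0.0.5:1034 -> 192.168.1.3:135
ACCEPT TCP 10.0.0.5:1035 -> 192.168.1.4:135
ACCEPT TCP 10.0.0.5:1036 -> 192.168.1.4:4444
ACCEPT UDP 192.168.1.4:1040 -> 10.0.0.5:69
ACCEPT TCP 10.0.0.9:2001 -> 192.168.1.7:135
"""
LINE_RE = re.compile(r"^(\w+) (TCP|UDP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def parse(log_text):
    """Return (proto, src, dst, dport) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m[2], m[3], m[4], int(m[5])))
    return events

def find_sequential_scanners(events, min_run=3):
    """Sources that probed TCP/135 on >= min_run consecutive destination IPs."""
    targets = defaultdict(set)
    for proto, src, dst, dport in events:
        if proto == "TCP" and dport == 135:
            targets[src].add(int(ip_address(dst)))
    scanners = {}
    for src, ips in targets.items():
        ordered, run, best = sorted(ips), 1, 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            scanners[src] = best  # longest run of consecutive targets
    return scanners

def find_follow_on_traffic(events, scanners):
    """Per scanner: TCP/4444 shells it opened and UDP/69 tftp fetches sent back to it."""
    hits = defaultdict(list)
    for proto, src, dst, dport in events:
        if proto == "TCP" and dport == 4444 and src in scanners:
            hits[src].append(("shell_4444", dst))
        elif proto == "UDP" and dport == 69 and dst in scanners:
            hits[dst].append(("tftp_69", src))
    return dict(hits)
```

    A single 135 hit from 10.0.0.9 is ignored, while 10.0.0.5 walking .1 through .4 and then opening 4444 on the last host matches the behaviour Grinler saw in the lab.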
