New IRC bot
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: New IRC bot

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    New IRC bot

    Today we had a few machines dumping 4,000 events a minute at our domain controllers. Upon analysis, we found that an executable named CTFMON.EXE (replaced the real one) in the c:\winnt\system32 folder and a reg key setup in the HKLM/Software/Microsoft/Windows/CurrentVersion/Run.

    Though preliminary, we have seen it attempt to disable AD accounts and report information back to an IRC channel. More testing is gonna be done but in the mean time, a sample has been sent to Symantec. It appears that they don't know what this is yet.

    Stay tuned...


    **EDIT**

    Here is the IRC server it connects up to:

    Trying 217.70.149.22 at ARIN
    Trying 217.70.149 at ARIN

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: Singel 258
    Address: 1016 AB
    City: Amsterdam
    StateProv:
    PostalCode:
    Country: NL

    This is the KingMaster.org clowns. GRRRRRR.

    **EDIT 2*

    This thing is pretty slick. It fires up (infected CTFMON.EXE is 54kb) and then copies the real one (8kb) back and remains resident in memory. Another HEX edit of the infected CTFMON.DLL shows all the IRC commands and associated commands. If anyone wants a sample, please let me know via PM.


    **EDIT 3**
    CERT contacted me about this so here is the link where I have a sample published for them and a few other folks. The DLL has most of the meat so fire up a hex editor and you'll see the guts of this thing.

    http://www.citlink.net/~sdiscini/download/ircbot.zip

    **EDIT 4**
    No surprise here, it tries to propigate via netbios shares.


    -TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130

    Re: New IRC bot

    TH:
    WinTasks Process Library
    2004 © Uniblue Systems Ltd. This information is protected by copyright laws.



    ctfmon - ctfmon.exe - Process Information
    Process File: ctfmon or ctfmon.exe
    Process Name: Alternative User Input Services

    Description:
    ctfmon.exe is a part of the Microsoft Office suite. It activiates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

    Author: Microsoft Corp.
    Part Of: Microsoft Office Suite

    System Process: Yes
    Virus: No
    Spyware: No
    Background Process: Yes
    Uses Network: No
    Hardware Related: No

    Security Risk (0-5): 0
    Common Errors: N/A
    are you sure that isnt that software above? looks like a regular MS software...
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    No, a hexedit shows this one (haxored CTFMON.EXE) has been tagged with the author's handle.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    i found this reference from a malware that use ctfmon.exe to hide itself. take a look:
    http://www.sophos.com/virusinfo/analyses/w32hobota.html
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yeah, I just saw this reference on Sophos but it lacks details.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok... I'll ask the obvious question....

    Since you are pretty tightly locked down do you have any clue how it got there yet?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yes. Vendor laptop. He is currently locked up in my rusty cage awaiting torture.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Vendor Laptop.....

    Might I suggest the the vendor gets rapidly put onto the "never a vendor again" list....

    I think I'll write a book..... "The number 1 thing a vendor can do to lose a contract".

    [Begin Book]

    Attach your infected computers to the clients network.

    [End Book]

    I feel better now....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Symantec answered back with this although I disagree with their analysis:


    : [CLOSING]: Symantec Security Response Automation: Tracking #4843119

    We have analyzed your submission. The following is a report of our
    findings for each file you have submitted:

    filename: A:\cftmon.exe
    machine:
    result: This file is infected with W32.Spybot.Worm
    http://securityresponse.symantec.com...ybot.worm.html

    Developer notes:
    A:\cftmon.exe is non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if neccessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.

    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

    MY Personal Wrap-up Rant:

    More or less, they are telling me that a year old worm has infected a bunch of workstations that have the latest SAV signatures. Hmmmmmmm, so then I checked their site for information on this worm but again, the description does not match this variant so perhaps the mechanics are similar but the sample I submitted, without question, is a variant not the actual worm they are coming back at me with. If it was, there wouldn't be a need for a rapid response definition they provided to me.

    Anyway, case closed.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I've become increasingly dissatisifed with Symantec's classification of worms etc...

    In the future TH, submit things to virustotal.com you'll get a broader spectrum response. spybot..what a generic useless classification.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •