-
September 10th, 2004, 07:56 PM
#1
New IRC bot
Today we had a few machines dumping 4,000 events a minute at our domain controllers. Upon analysis, we found an executable named CTFMON.EXE (which replaced the real one) in the c:\winnt\system32 folder and a reg key set up in HKLM/Software/Microsoft/Windows/CurrentVersion/Run.
Though preliminary, we have seen it attempt to disable AD accounts and report information back to an IRC channel. More testing is gonna be done but in the meantime, a sample has been sent to Symantec. It appears that they don't know what this is yet.
Stay tuned...
**EDIT**
Here is the IRC server it connects up to:
Trying 217.70.149.22 at ARIN
Trying 217.70.149 at ARIN
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
This is the KingMaster.org clowns. GRRRRRR.
**EDIT 2**
This thing is pretty slick. It fires up (infected CTFMON.EXE is 54kb) and then copies the real one (8kb) back and remains resident in memory. Another HEX edit of the infected CTFMON.DLL shows all the IRC commands and associated commands. If anyone wants a sample, please let me know via PM.
**EDIT 3**
CERT contacted me about this so here is the link where I have a sample published for them and a few other folks. The DLL has most of the meat so fire up a hex editor and you'll see the guts of this thing.
http://www.citlink.net/~sdiscini/download/ircbot.zip
**EDIT 4**
No surprise here, it tries to propagate via netbios shares.
-TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
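As an added illustration (not code from the thread or from any vendor), here are defender-side triage checks built from the indicators the first post gives: an oversized ctfmon.exe in system32 (the post says the genuine file was 8 KB and the trojanised one 54 KB), an HKLM Run entry launching it, a burst of account-disable events hitting the domain controllers, and workstations speaking IRC to the server the post names (217.70.149.22). All inputs are constructed inline; FILE_INVENTORY, RUN_ENTRIES, LOG_LINES, CONNECTIONS, the log line layout and the hostnames are assumptions made for the example, and the size threshold is only a tripwire to be confirmed with a hash against a known-good copy.

```python
"""Triage checks for the ctfmon.exe IRC bot described in the thread (added example).

Constructed sample data stands in for a file inventory, an HKLM Run key
export, domain-controller security log lines and outbound connection
records; nothing here is read from a live system.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Heuristic from the thread: genuine ctfmon.exe ~8 KB, trojanised copy 54 KB.
# Size is a tripwire only; confirm with a hash of a known-good copy.
GENUINE_CTFMON_MAX_BYTES = 16 * 1024

# Constructed file inventory: (path, size in bytes)
FILE_INVENTORY = [
    (r"C:\WINNT\system32\ctfmon.exe", 54 * 1024),
    (r"C:\WINNT\system32\ctfmon.dll", 40 * 1024),   # companion DLL mentioned in the thread
    (r"C:\WINNT\system32\notepad.exe", 66 * 1024),
]

# Constructed HKLM\Software\Microsoft\Windows\CurrentVersion\Run export: (value name, command)
RUN_ENTRIES = [
    ("ctfmon", r"C:\WINNT\system32\ctfmon.exe"),
    ("Synchronization Manager", "mobsync.exe /logon"),
]


def suspicious_ctfmon(inventory, run_entries):
    """Flag oversized ctfmon.exe copies and HKLM Run values that launch ctfmon.

    Office normally registers the genuine ctfmon.exe per user (HKCU Run), so a
    machine-wide HKLM Run entry pointing at it is itself worth a look.
    """
    findings = []
    for path, size in inventory:
        if path.lower().endswith("\\ctfmon.exe") and size > GENUINE_CTFMON_MAX_BYTES:
            findings.append(f"oversized ctfmon.exe ({size} bytes): {path}")
    for name, command in run_entries:
        if "ctfmon" in command.lower():
            findings.append(f"HKLM Run value '{name}' launches {command}")
    return findings


# Constructed DC security-log lines in an assumed flat layout.
# Event 629 is "User Account Disabled" on Windows 2000/2003 domain controllers.
LOG_LINES = [
    "2004-09-10 14:01:05 DC1 EventID=629 Caller=WS042$ Target=jsmith",
    "2004-09-10 14:01:06 DC1 EventID=629 Caller=WS042$ Target=mjones",
    "2004-09-10 14:01:06 DC1 EventID=629 Caller=WS042$ Target=bkim",
    "2004-09-10 14:01:07 DC1 EventID=629 Caller=WS042$ Target=alee",
    "2004-09-10 14:01:09 DC1 EventID=628 Caller=ADMIN-PC$ Target=svc_backup",
    "2004-09-10 14:02:11 DC1 EventID=629 Caller=ADMIN-PC$ Target=temp01",
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) EventID=(\d+) Caller=(\S+) Target=(\S+)$")


def disable_bursts(lines, threshold):
    """Return {caller: peak per-minute count} for callers disabling >= threshold accounts in one minute."""
    per_minute = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "629":
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        per_minute[(m.group(4), stamp.replace(second=0))] += 1
    peaks = {}
    for (caller, _minute), n in per_minute.items():
        if n >= threshold and n > peaks.get(caller, 0):
            peaks[caller] = n
    return peaks


# Constructed outbound connection records: (source host, destination, port, first client line).
# 217.70.149.22 is the IRC server named in the thread; the rest is made up.
CONNECTIONS = [
    ("WS042", "217.70.149.22", 6667, "NICK [XP]-4921"),
    ("WS042", "217.70.149.22", 6667, "JOIN #constructed-channel"),
    ("WS017", "10.0.0.5", 445, ""),
    ("WS017", "192.0.2.10", 80, "GET / HTTP/1.0"),
]

IRC_CLIENT_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b")


def irc_clients(connections):
    """Return {host: {dest:port}} for hosts whose first outbound line is an IRC client command."""
    hits = defaultdict(set)
    for host, dst, port, first_line in connections:
        if IRC_CLIENT_RE.match(first_line):
            hits[host].add(f"{dst}:{port}")
    return dict(hits)


if __name__ == "__main__":
    for finding in suspicious_ctfmon(FILE_INVENTORY, RUN_ENTRIES):
        print("persistence:", finding)
    print("account-disable bursts:", disable_bursts(LOG_LINES, threshold=3))
    print("hosts speaking IRC:", irc_clients(CONNECTIONS))
```

The three checks line up with the thread's three observations (replaced binary plus Run key, account-disable flood at the DCs, IRC call-home), which is the order a responder would work through them: confirm the host artefact, scope the blast radius from the DC logs, then find every other host talking to the same server.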
-
September 10th, 2004, 08:02 PM
#2
Re: New IRC bot
TH:
WinTasks Process Library
2004 © Uniblue Systems Ltd. This information is protected by copyright laws.
ctfmon - ctfmon.exe - Process Information
Process File: ctfmon or ctfmon.exe
Process Name: Alternative User Input Services
Description:
ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
Author: Microsoft Corp.
Part Of: Microsoft Office Suite
System Process: Yes
Virus: No
Spyware: No
Background Process: Yes
Uses Network: No
Hardware Related: No
Security Risk (0-5): 0
Common Errors: N/A
Are you sure that isn't that software above? Looks like regular MS software...
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
September 10th, 2004, 08:11 PM
#3
No, a hexedit shows this one (haxored CTFMON.EXE) has been tagged with the author's handle.
-
September 10th, 2004, 08:57 PM
#4
I found this reference to a malware that uses ctfmon.exe to hide itself. Take a look:
http://www.sophos.com/virusinfo/analyses/w32hobota.html
-
September 10th, 2004, 09:18 PM
#5
Yeah, I just saw this reference on Sophos but it lacks details.
-
September 10th, 2004, 09:35 PM
#6
Ok... I'll ask the obvious question....
Since you are pretty tightly locked down do you have any clue how it got there yet?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
September 10th, 2004, 09:43 PM
#7
Yes. Vendor laptop. He is currently locked up in my rusty cage awaiting torture.
-
September 10th, 2004, 09:49 PM
#8
Vendor Laptop.....
Might I suggest the vendor gets rapidly put onto the "never a vendor again" list....
I think I'll write a book..... "The number 1 thing a vendor can do to lose a contract".
[Begin Book]
Attach your infected computers to the clients network.
[End Book]
I feel better now....
-
September 11th, 2004, 11:59 AM
#9
Symantec answered back with this although I disagree with their analysis:
: [CLOSING]: Symantec Security Response Automation: Tracking #4843119
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: A:\cftmon.exe
machine:
result: This file is infected with W32.Spybot.Worm
http://securityresponse.symantec.com...ybot.worm.html
Developer notes:
A:\cftmon.exe is a non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.
Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.
MY Personal Wrap-up Rant:
More or less, they are telling me that a year old worm has infected a bunch of workstations that have the latest SAV signatures. Hmmmmmmm, so then I checked their site for information on this worm but again, the description does not match this variant so perhaps the mechanics are similar but the sample I submitted, without question, is a variant not the actual worm they are coming back at me with. If it was, there wouldn't be a need for a rapid response definition they provided to me.
Anyway, case closed.
-
September 16th, 2004, 04:27 AM
#10
I've become increasingly dissatisfied with Symantec's classification of worms etc...
In the future, TH, submit things to virustotal.com; you'll get a broader-spectrum response. Spybot... what a generic, useless classification.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust