
Thread: New IRC bot

  1. #1 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885

    New IRC bot

    Today we had a few machines dumping 4,000 events a minute at our domain controllers. Upon analysis, we found an executable named CTFMON.EXE (which replaced the real one) in the c:\winnt\system32 folder and a reg key set up in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

    Though preliminary, we have seen it attempt to disable AD accounts and report information back to an IRC channel. More testing is gonna be done, but in the meantime a sample has been sent to Symantec. It appears that they don't know what this is yet.

    Stay tuned...


    **EDIT**

    Here is the IRC server it connects up to:

    Trying 217.70.149.22 at ARIN
    Trying 217.70.149 at ARIN

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: Singel 258
    Address: 1016 AB
    City: Amsterdam
    StateProv:
    PostalCode:
    Country: NL

    This is the KingMaster.org clowns. GRRRRRR.

    **EDIT 2**

    This thing is pretty slick. It fires up (infected CTFMON.EXE is 54kb) and then copies the real one (8kb) back and remains resident in memory. Another HEX edit of the infected CTFMON.DLL shows all the IRC commands and associated commands. If anyone wants a sample, please let me know via PM.


    **EDIT 3**
    CERT contacted me about this so here is the link where I have a sample published for them and a few other folks. The DLL has most of the meat so fire up a hex editor and you'll see the guts of this thing.

    http://www.citlink.net/~sdiscini/download/ircbot.zip

    **EDIT 4**
    No surprise here, it tries to propagate via netbios shares.


    -TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
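As an added example (not code from the thread or from anyone in it), here is a small triage script for the first symptom described above: a few workstations flooding the domain controllers with thousands of events a minute. It parses constructed security-log lines (the log format, host names and event IDs are assumptions for the example) and reports, per source host, the busiest minute and which hosts cross a rate threshold.

```python
"""Flag source hosts that flood a domain controller's security log.

Added example, not from the original thread. Log line format, host names
and event IDs below are constructed for illustration.
"""
from collections import Counter, defaultdict
import re

# Constructed line format: "<YYYY-MM-DD HH:MM:SS> <dc> EventID=<id> Source=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} "
    r"(?P<dc>\S+) EventID=(?P<eid>\d+) Source=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield (minute, dc, event_id, source) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["dc"], int(m["eid"]), m["src"]


def peak_rate_per_source(lines):
    """Return {source: (events_in_busiest_minute, that_minute)}."""
    per_src = defaultdict(Counter)
    for minute, _dc, _eid, src in parse_events(lines):
        per_src[src][minute] += 1
    return {src: max((n, m) for m, n in c.items()) for src, c in per_src.items()}


def flooding_sources(lines, threshold=1000):
    """Sources whose busiest minute reaches the threshold (the post saw ~4,000/min)."""
    return sorted(s for s, (n, _m) in peak_rate_per_source(lines).items() if n >= threshold)


# Constructed sample: WS042 bursts 1,500 events in one minute; WS007 is quiet.
SAMPLE = (
    ["2004-06-15 09:14:%02d DC01 EventID=529 Source=WS042" % (i % 60) for i in range(1500)]
    + ["2004-06-15 09:14:05 DC01 EventID=528 Source=WS007",
       "2004-06-15 09:15:11 DC01 EventID=528 Source=WS007",
       "garbage line that should be ignored"]
)

if __name__ == "__main__":
    for src, (n, minute) in sorted(peak_rate_per_source(SAMPLE).items()):
        print(f"{src}: peak {n} events at {minute}")
    print("flooding:", flooding_sources(SAMPLE))
```

Feed it exported DC security-log lines (after adapting LINE_RE to the real export format) and the flagged sources are the first machines to pull off the network and inspect for the replaced CTFMON.EXE and Run key.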

  2. #2 Senior Member | Join Date: Apr 2004 | Posts: 1,130

    Re: New IRC bot

    TH:
    WinTasks Process Library
    2004 © Uniblue Systems Ltd. This information is protected by copyright laws.

    ctfmon - ctfmon.exe - Process Information
    Process File: ctfmon or ctfmon.exe
    Process Name: Alternative User Input Services

    Description:
    ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

    Author: Microsoft Corp.
    Part Of: Microsoft Office Suite

    System Process: Yes
    Virus: No
    Spyware: No
    Background Process: Yes
    Uses Network: No
    Hardware Related: No

    Security Risk (0-5): 0
    Common Errors: N/A

    Are you sure that isn't the software above? Looks like regular MS software...
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    No, a hexedit shows this one (haxored CTFMON.EXE) has been tagged with the author's handle.

  4. #4 Senior Member | Join Date: Apr 2004 | Posts: 1,130
    I found this reference to a malware that uses ctfmon.exe to hide itself. Take a look:
    http://www.sophos.com/virusinfo/analyses/w32hobota.html

  5. #5 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Yeah, I just saw this reference on Sophos but it lacks details.

  6. #6 AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Ok... I'll ask the obvious question....

    Since you are pretty tightly locked down do you have any clue how it got there yet?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Yes. Vendor laptop. He is currently locked up in my rusty cage awaiting torture.

  8. #8 AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Vendor Laptop.....

    Might I suggest the vendor gets rapidly put onto the "never a vendor again" list....

    I think I'll write a book..... "The number 1 thing a vendor can do to lose a contract".

    [Begin Book]

    Attach your infected computers to the clients network.

    [End Book]

    I feel better now....

  9. #9 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Symantec answered back with this although I disagree with their analysis:

    [CLOSING]: Symantec Security Response Automation: Tracking #4843119

    We have analyzed your submission. The following is a report of our
    findings for each file you have submitted:

    filename: A:\cftmon.exe
    machine:
    result: This file is infected with W32.Spybot.Worm
    http://securityresponse.symantec.com...ybot.worm.html

    Developer notes:
    A:\cftmon.exe is a non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.

    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

    MY Personal Wrap-up Rant:

    More or less, they are telling me that a year old worm has infected a bunch of workstations that have the latest SAV signatures. Hmmmmmmm, so then I checked their site for information on this worm but again, the description does not match this variant so perhaps the mechanics are similar but the sample I submitted, without question, is a variant not the actual worm they are coming back at me with. If it was, there wouldn't be a need for a rapid response definition they provided to me.

    Anyway, case closed.

  10. #10 Computer Forensics | Join Date: Jul 2001 | Posts: 672
    I've become increasingly dissatisfied with Symantec's classification of worms etc...

    In the future, TH, submit things to virustotal.com; you'll get a broader-spectrum response. Spybot... what a generic, useless classification.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
