Network Security Focus-Virus

Re: New Virus/Worm

Subject: Re: New Virus/Worm
Date: Mon, 22 Aug 2005 14:06:00 -0400

On Sun, 21 Aug 2005, Jack Vizelter wrote:

-> Since about 5pm last night, we've been hit hard, so far about 60 computers,
-> mostly running Windows 2000 got infected.
-> 
-> All infected computers show a backdoor on a random TCP port such as:
-> 
-> xxx.xx.xxx.xxx   5794/tcp  dhcp-xxx-xxx.xxxxxxxxx.xxx
->    220 Reptile welcomes you....
-> 
-> Has anyone seen or experienced similar?


220 looks like a standard FTP reply. I'm guessing this is one of the 
popular IRC bots modified slightly. Since the source code is out there, 
this isn't hard to do for anyone with basic C/C++ knowledge and a copy of 
MSVC++. The main ones are Agobot/Phatbot, and rBot/rxBot/urxBot. Since you 
say the targets are largely Windows 2K, I'm guessing this version makes 
heavy use of the latest PnP bug.

This server you're seeing is more than likely the means to send the actual 
bot binary back onto the victim machine. Sometimes a tftp server is used. 
If I'm not mistaken, the original line was "220 Bot Server", which you 
see changed a lot to the group/nick name of the person that made it. Works 
like this:


attacker1: -> exploit -> victim -> (victim not vuln.) -> host is safe
                           |
                        (victim is vuln)
                           |
                        exploit spawns shell, shell is given ftp/tftp
                        download from attacker commands
                           |
attacker1  <- ftp req. <- victim
   |
attacker1 -> bot binary -> victim is instructed to run downloaded file
                          via same shell as above. 
                           |
                        infected host (new attacker, #2)

attacker1 -> more scan/exploit

attacker2 -> more scan/exploit


And so it goes on. Filenames and/or listening port numbers are usually not 
much help as both these and others can be changed within the source code 
and recompiled, sometimes with different compiler switches, to produce a 
seemingly different piece of malware when in fact it's the same old one 
with a few minor changes. AV companies that make up their own names for 
malware that already has well-known identities serve to further confuse 
things, as many times what is made out in the media and other places to be 
the "latest new threat" is really just another instance of these here. As 
of the MS PnP vulnerability, I've seen so many misleading names for what 
is actually the same piece of malware that I can't help but wonder if it 
is intentionally done by certain AV makers as a way to make their products 
seem to catch more kinds of viruses/worms/trojans than they actually do: 
MyDoom.(insert random letters), Bobax.(insert random letters), 
Surila.(insert random letters), "Zotob", "MyTob", Gaobot.(insert random 
letters), etc.

This malware depends on masses of people to run non-firewalled unpatched 
Windows computers, and that they do, which are then easily added to the 
ever-growing numbers of botnets (collections of many of these infected 
computers that all connect back to a specific IRC server and join a 
pre-set channel, ready for use and manipulation by their creators). These 
are then used for all sorts of things, usually not good, such as spam 
distribution means, DDoS attacks, or sale. Needing a human controller to 
issue scan/attack commands, they are neither virus nor worm, but fit best 
in their own category of IRC bots since they can perform typical client 
IRC commands like /join, /part, /op. People sometimes call them virus/worm 
because of their ability to exploit another system and then use the shell 
to send a copy of the attacking binary. Sometimes you'll see them called 
"backdoor/s", since they let the attacker run some commands on the host 
machine, but this name ignores about 80% of the other functionality these 
have built-in. 
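The propagation chain sketched in the reply (exploit hits the victim, the spawned shell makes the victim fetch the bot binary back from the attacker over ftp/tftp) leaves a recognisable pattern in flow logs: a host receives a connection on the exploited service and, seconds later, opens a new connection back to that same peer. The following is an added detection example, not code from the post or from any of the bots named; it assumes the exploit arrives on TCP 445 (the PnP flaw is reached over SMB) and runs over constructed sample flows:

```python
"""Flag the exploit -> shell -> fetch-binary callback chain in flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows, not from the original post: ts src dst dport proto
SAMPLE_FLOWS = """\
2005-08-21T17:02:10 10.1.1.50 10.1.1.77 445 tcp
2005-08-21T17:02:12 10.1.1.77 10.1.1.50 5794 tcp
2005-08-21T17:05:00 10.1.1.9 10.1.1.77 445 tcp
2005-08-21T17:30:00 10.1.1.77 10.1.1.9 5794 tcp
2005-08-21T17:02:11 10.1.1.60 10.1.1.80 445 tcp
2005-08-21T17:02:13 10.1.1.80 10.1.1.60 69 udp
"""

EXPLOIT_PORTS = {445}            # assumption: PnP exploit delivered over SMB
WINDOW = timedelta(seconds=120)  # how soon after the exploit the fetch follows


def parse_flows(text):
    """Parse 'ts src dst dport proto' lines into tuples sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(flows)


def find_callback_chains(flows, window=WINDOW):
    """Return (victim, attacker, dport) for every victim that, within
    `window` of receiving a connection on an exploit port from a peer,
    connects back to that same peer on tftp (69/udp) or a high port,
    i.e. the 'download the bot binary from the attacker' step."""
    inbound = defaultdict(list)  # (victim, attacker) -> exploit timestamps
    hits = []
    for ts, src, dst, dport, proto in flows:
        if dport in EXPLOIT_PORTS:
            inbound[(dst, src)].append(ts)
            continue
        fetch_like = (dport == 69 and proto == "udp") or dport >= 1024
        for t0 in inbound.get((src, dst), []):
            if fetch_like and timedelta(0) <= ts - t0 <= window:
                hits.append((src, dst, dport))
                break
    return hits


if __name__ == "__main__":
    for victim, attacker, port in find_callback_chains(parse_flows(SAMPLE_FLOWS)):
        print(f"{victim} fetched from {attacker}:{port} right after an exploit hit")
```

The third pair in the sample (10.1.1.9 -> 10.1.1.77, callback 25 minutes later) is deliberately outside the window and is not flagged; tune `WINDOW` and `EXPLOIT_PORTS` to the exploit actually in use on your network.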
