Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

New/old Trojan?

from [nixsec] Network Security [Permanent Link]
Subject: New/old Trojan?
Date: Sun, 21 Nov 2004 14:11:28 -0600 
-------- Original Message --------
Subject:        New/old Trojan?
Date:   Sun, 21 Nov 2004 14:03:36 -0600
From:   nixsec <nixsec@area66.org>
To:     bugtraq@securityfocus.com
CC:     forensics@securityfocus.com, focus-ms@securityfocus.com,
honeypots@securityfocus.com



I usually use linux as operating system but for games i go with windows,
i used this installation of windows 2000 SP4 around 6 times(Did not do
windows update cause didn't really care about the system since it was
gaming only), and sygate firewall detected this weird application trying
to connect to remote site atm-bank.ru, tried looking on google for
Mmnkijia.exe and could not find anything on it, this application hides
itself in the folder when using windows explorer to view the folder
C:\WINNT\system32\ the file would not show up, using tcpview from
sysinternals i found several ports open:
<Non-existant Process>:976      TCP     xfiles:247      xfiles:0
LISTENING  (searched on google and said this was a service called
subntbcst_tftp)
<Non-existant Process>:976      TCP     xfiles:18855    xfiles:0
LISTENING
<Non-existant Process>:976      TCP     xfiles:21134    xfiles:0
LISTENING
<Non-existant Process>:976      TCP     xfiles:38493    xfiles:0
LISTENING

(Tcpview.exe would crash when i attempted to kill the process, when i
reopened it those ports would still be open i think i managed to kill
the process one time or crashed it somehow and few minutes later got
back up and running)

I loaded up windows in safe mode with command prompt and from there the
file would be visible, i found also a DLL file which the exe uses called
Mngepfne.dll (maybe loaded to hide processes and files?) , i backed
these up for further examination  and removed them from the system32
folder, this seemed to fix the problem for now and all the ports are
closed, but i got no idea where it came from! Later i checked the page
atm-bank.ru and the index page says page not found, so my only guess is
it accesses that web site and the owners of it can check the web server
log files to find infected IPs i did a whois on that server name and its
a few months old only created:  2004.06.26. If anyone has info  or would
like a copy of the binary files to examine them let me know.

Sygate firewall log:
C:\WINNT\system32\Mmnkijia.exe
Parent Version :
Parent Description :
Parent Process ID :     0x394 (Heximal) 916 (Decimal)


File Version :          5.0.2920.0
File Description :      Internet Explorer (IEXPLORE.EXE)
File Path :             C:\Program Files\Internet Explorer\IEXPLORE.EXE
Process ID :            0x3D4 (Heximal) 980 (Decimal)

Connection origin :     local initiated
Protocol :              TCP
Local Address :         192.168.1.102
Local Port :            1046
Remote Name :           atm-bank.ru
Remote Address :        66.132.236.44
Remote Port :           80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
      Destination:    00-06-25-63-64-64
      Source:         00-00-21-ff-8a-0d
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
              .1.. = Don't fragment: Set
              ..0. = More fragments: Not set
      Fragment offset:0
      Time to live: 128
      Protocol: 0x6 (TCP - Transmission Control Protocol)
      Header checksum: 0x9209 (Correct)
      Source: 192.168.1.102
      Destination: 66.132.236.44
Transmission Control Protocol (TCP)        Acknowledgment number: 0
      Header length: 28
      Flags:
              0... .... = Congestion Window Reduce (CWR): Not set
              .0.. .... = ECN-Echo: Not set
              ..0. .... = Urgent: Not set
              ...0 .... = Acknowledgment: Not set
              .... 0... = Push: Not set
              .... .0.. = Reset: Not set
              .... ..1. = Syn: Set
              .... ...0 = Fin: Not set
      Checksum: 0x7128 (Correct)
      Data (0 Bytes)

Binary dump of the packet:
0000:  00 06 25 63 64 64 00 00 : 21 FF 8A 0D 08 00 45 00 | ..%cdd..!.....E.
0010:  00 30 00 77 40 00 80 06 : 09 92 C0 A8 01 66 42 84 | .0.w@........fB.
0020:  EC 2C 04 16 00 50 A7 95 : 7D F3 00 00 00 00 70 02 | .,...P..}.....p.
0030:  40 00 28 71 00 00 02 04 : 05 B4 01 01 04 02 6B 02 | @.(q..........k.
0040:  72 75 00 00 01 00 01 39 : 2E 32 35 35             | ru.....9.255

      Source port: 1046
      Destination port: 80
      Sequence number: 2811592179

Im thinking of maybe installing snort on the windows system and
reactivate the trojan to see what happens, would like to learn more on
computer forensics, any tips or other software good to be used to
gather/examine data?

Paulo Ferreira.




--
Editor's Note: The 43rd Most Powerful Person in Networking says...

Register today to take the TruSecure ICSA exam by 12/31/04  at
<http://www.2test.com> ,  use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
for international delivery.

Visit <https://ticsa.trusecure.com>  for complete details regarding the
TICSA credential and to take the free sample exam.

--

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • New/old Trojan?, nixsec <=
Previous by Date:  Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched], Brett Moore
Next by Date:  A little nervous about service packs, Derek
Previous by Thread:  Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched], Brett Moore
Next by Thread:  A little nervous about service packs, Derek
Indexes:  [Date] [Thread] [Top] [All Lists]