More info about found Win2K "rootkit"

From: Bojan Zdrnja <Bojan.Zdrnja(at)FER.hr>
Date: Wed Nov 20 2002 - 10:30:06 EST


Hi.

As I posted yesterday (a repeat; I sent the original post on Friday), I found a rootkit on one compromised machine.
Here are the details I managed to analyze so far:

1) It didn't install in the same dir on all machines; however, part of the rootkit was in the c:\winnt\system32\drivers\etc\tools directory on all compromised machines. The tools directory only contains the ServU ftp daemon, which appears on random ports (it was 56321 and 22222 on compromised machines). Upon connecting to the ftp daemon port you get the following banner (same as we saw previously on this mailing list):
220-Serv-U FTP Server v4.0 for WinSock ready...
220-===================================================
220-               -== HEH ==-
220-===================================================
220-You are Connecting From XXXXXXXXXX
220-3 users have visited in the last 24 hours.
220-This server has been running for
220-0 Days, 23 Hours, 36 Mins, 58 Secs
220-===================================================
220-Amout of Logins Since Server Started:   1 total
220-Logged in Users:     1
220-Total Kb downloaded:     2 Kb
220-Total Kb uploaded:       0 Kb
220-Amout of Files downloaded:  0
220-Amout of Files uploaded:    0
220-Average Speed: 0.000 Kb/sec
220-Current Speed: 0.000 Kb/sec
220-Free Disk Space:   254.74 MB
220 ===================================================

2) The directory named "Win" contains the actual rootkit, which the hacker used to change the local security policy and some other things. This directory was in different places on compromised machines. The two main scripts in this directory are called secure.bat and secure1.bat, and they are exactly the same as Mike Cain posted on this mailing list, but my secure1.bat script had an uncommented field for deleting the IPC$ share.
Basically, the scripts are pretty simple: the first one puts all local security parameters in a temp file and applies that file with the secedit.exe command. It practically sets default password aging times, turns off some of the auditing, modifies some lanman settings, does a lot of work with privilege rights and various SIDs (most of which seem pretty default to me) and adds one user to the machine. The username and password of the account it adds are the same in Mike's scripts and mine.

3) The last thing to mention that I found is an irc offer bot, sitting in the Win directory. It's started under the name win.exe and it is a cygwin compiled binary. Upon starting it will join some of the predefined EFNet servers (it has the whole list in it) and the channel #additcz. I joined that channel and confirmed that it has hundreds of other bots in it (all compromised machines), most of them serving some warez.

I'll post more information when (and if :) I get it.

Best regards,

Bojan Zdrnja
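A defender reading this report will want to spot the same Serv-U greeting on odd high ports during a sweep. The following is an added example, not code from the post or from its author: it parses an RFC 959 multi-line FTP reply and flags the two indicators quoted above (the "-== HEH ==-" tag and a Serv-U 4.0 banner on a non-standard port). The function names and the abridged sample banner are constructed for this illustration.

```python
import re

# Indicator strings taken from the banner quoted in the post above.
SERVU_VERSION = "Serv-U FTP Server v4.0"
HEH_TAG = "-== HEH ==-"

def parse_ftp_greeting(raw):
    """Split an RFC 959 multi-line reply into (code, list of text lines).
    Continuation lines are '220-text'; the final line is '220 text'."""
    code, lines = None, []
    for line in raw.decode("latin-1").splitlines():
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:            # tolerate lines without a reply code
            lines.append(line)
            continue
        if code is None:
            code = int(m.group(1))
        lines.append(m.group(3))
        if m.group(2) == " " and int(m.group(1)) == code:
            break            # terminating line reached
    if code is None:
        raise ValueError("no FTP reply code found")
    return code, lines

def classify_banner(raw, port):
    """Return indicator flags for a greeting received on the given port."""
    code, lines = parse_ftp_greeting(raw)
    text = "\n".join(lines)
    f = {
        "ftp_code": code,
        "servu_v4": SERVU_VERSION in text,
        "heh_tag": HEH_TAG in text,
        "nonstandard_port": port not in (21, 990),
    }
    # The HEH tag alone is decisive; Serv-U 4.0 on a random high port is a weaker hint.
    f["suspicious"] = f["heh_tag"] or (f["servu_v4"] and f["nonstandard_port"])
    return f

# Constructed sample, abridged from the greeting quoted in the post.
SAMPLE_BANNER = (
    b"220-Serv-U FTP Server v4.0 for WinSock ready...\r\n"
    b"220-===================================================\r\n"
    b"220-               -== HEH ==-\r\n"
    b"220-You are Connecting From XXXXXXXXXX\r\n"
    b"220 ===================================================\r\n"
)

if __name__ == "__main__":
    print(classify_banner(SAMPLE_BANNER, 56321))
```

Feed it the greeting read from a socket connected to each listening port found by a port scan of a suspect host; the port check is what separates a legitimate Serv-U install on 21 from the hidden one the post describes.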



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Nov 22 02:27:50 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT
