We see a lot of requests of the following format in our proxy logs:
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
The ports these clients are trying to connect to seem to be
in the range between 25000 and 26000 all the time. All requests have the
timestamp in the URL (/2005/1/17/11/23/43 for example). We are currently
investigating together with NAI what that is.
We have a bunch of internal hosts producing these requests and the numbers
are rising. The load is starting to render our proxies unusable.
Any hints are very welcome.
Nils
Nils Ketelsen wrote:
> We see a lot of requests of the following format in our proxy logs:
> 1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
> 1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
> 1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
A very important question would be: do you see these URLs on ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?
Gadi.
Good idea to look at this. According to my logs, exactly 1000
IP addresses are being accessed. After that I looked
at one example host, which by then had accessed 466 addresses. Waited a few
seconds, checked the one host again: 469 addresses.
Nevertheless the total number of accessed addresses was still
1000 (over all hosts). So I think we might have in fact 1000 Addresses
that are contacted/attacked. The complete list of contacted addresses can
be found here:
http://steering-group.net/~nils/ips.txt
Network owners might want to check if their IP-Addresses are
on the list. And if so look for increased traffic on these Addresses, in
case all infected PCs (and not only the ones I happen to be seeing) really
connect to the same addresses.
I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed: The PCs
making these connections are windows machines.
Nils
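An added example (not part of this thread) that automates the check Nils describes above against Squid native access.log lines: it flags requests matching the pattern in the thread (raw IP, port 25000-26000, date/time path) and counts distinct destinations per client and overall. The sample lines are the three from the thread plus two constructed ones (a second client 10.3.12.87 and a benign request) to show the overall count staying below the per-client sum.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client result bytes method URL rfc931 hier type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# URL path carrying a timestamp, e.g. /2005/1/17/11/23/43/
TS_PATH_RE = re.compile(r"^/\d{4}(?:/\d{1,2}){5}/?$")
PORT_RANGE = range(25000, 26001)

# Constructed sample: lines 1-3 are from the thread, 4-5 are made up for the demo.
SAMPLE_LOG = """\
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
1105979320.100 240010 10.3.12.87 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/47/ - NONE/- text/html
1105979321.500 120 10.3.12.87 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
"""

def is_beacon(url):
    """True when the URL looks like the thread's pattern: a literal IPv4 host,
    a port in 25000-26000 and a /YYYY/M/D/H/M/S/ path."""
    u = urlsplit(url)
    if u.scheme != "http" or u.port not in PORT_RANGE:
        return False
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", u.hostname or ""):
        return False
    return bool(TS_PATH_RE.match(u.path))

def analyse(lines):
    """Return ({client: distinct destinations}, distinct destinations overall)
    so you can tell per-host permutation apart from a fixed shared target list."""
    per_client = defaultdict(set)
    all_dests = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_beacon(m["url"]):
            continue
        u = urlsplit(m["url"])
        dest = (u.hostname, u.port)
        per_client[m["client"]].add(dest)
        all_dests.add(dest)
    return {c: len(d) for c, d in per_client.items()}, len(all_dests)

if __name__ == "__main__":
    per_client, total = analyse(SAMPLE_LOG.splitlines())
    print(per_client, total)
```

Run it over the real access.log (`analyse(open("access.log"))`) and compare the overall count with each client's count; a total that stops growing at a fixed number while individual hosts keep climbing is the shared-target-list case from the thread.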
> I still have no clue what is causing this, but I am pretty clueless when
> it comes to Windows PCs anyway, and as you might have guessed: The PCs
> making these connections are windows machines.
Continuing our off-list discussion for this on-list comment...
Without a reboot, try to connect the outgoing connections to a process.
I believe sysinternals have some tools that may help with this.
Gadi.
> Nevertheless the total number of accessed addresses was still
> 1000 (over all hosts). So I think we might have in fact 1000 Addresses
> that are contacted/attacked. The complete list of contacted addresses can
> be found here:
> http://steering-group.net/~nils/ips.txt
More to the point - how about the IPs who try to connect inbound? I suppose sharing this on-list may not be the best of ideas.
Gadi.
Nils Ketelsen wrote:
> I still have no clue what is causing this, but I am pretty clueless when
> it comes to Windows PCs anyway, and as you might have guessed: The PCs
> making these connections are windows machines.
http://www.lurhq.com/baba.html
Thanks go to Joe Stewart from lurhq.
> http://www.lurhq.com/baba.html
> Thanks go to Joe Stewart from lurhq.
Further, please note this is the older variant. According to Joe the B variant was released Jan/12.
Gadi.
No, not it. Close but not exactly. I seem to be encountering a different
mutation of this virus. First, the ports it is trying to connect
to are 25000-26000; second, the timestamp in the URL seems to be missing in
the above description.
It is true that the infected file seems to be C:\csrss.exe. According to
McAfee Virus Scan (with the newest pattern file) this file was infected
with buchon.c. But the description does not fully match either. Anyway:
killing the process and removing c:\csrss.exe helped.
McAfee has known about this virus since last week, but decided
it was not worth an update of their regular patterns. Thank you for this
policy of slow updates; I will see that I get a vendor that acts
in time, I guess.
Nils
> McAfee has known about this virus since last week, but decided
> it was not worth an update of their regular patterns. Thank you for this
> policy of slow updates; I will see that I get a vendor that acts
> in time, I guess.
Might I suggest ClamAV? http://www.clamav.com
ClamAV, while being open source, seems to have an incredibly fast
response time to new virii. I've seen new virii caught by Clam 8-10
hours before the "big" vendors catch them.
I understand the need to have a vendor supported product, but having
clamav in the mix helps tremendously...
And there's a Windows version as well (albeit by another developer):
http://www.clamwin.net