From a forward to me on the DDoS stuff... this might shed some light on the DDoS problem; if not, sorry for the bandwidth.

--------begin forward
[Note: I just noticed last night, after giving a talk on this incident, that several threads on the SANS Unisog list going back as far as February 18, 2002 have discussed this same botnet in generality and in some detail, so I can't claim to be the first to analyze this botnet. That credit goes to Christopher E. Cramer of Duke University. (That's what I get for letting myself get so far behind on email, and for not studying all sources of information I had available to me when we first started seeing problems. Hopefully someone on the unisog list will cross-post to incidents@securityfocus.com when a widespread incident like this pops up next time. ;)
The Unisog threads can be found here:
http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt
Since all this work was already done, I'll still post what I have assembled with the assistance of Mike Hornung and Alexander Howard at the UW, in hopes I'm adding something new in the way of tools and techniques (see my CanSecWest talk slides referenced at bottom) that will help speed up response the next time one of these massive botnets is assembled using compromised computers.]
Summary
=======
Over the months of March through late April of 2002, the University of Washington has seen multiple incidents of distributed "warez" (pirated software) and denial of service (DDoS) attacks, coming from Windows 2000 and NT systems. These systems all have several things in common:
o They appeared to be found with no password on the Administrator account, and control taken over.
o They had various IRC bots installed on them, including knight.exe, GTbot, and X-DCC (a distributed "warez" serving bot.)
o They had the ServUFTP daemon running on them for incoming file transfer (to load the "warez".)
o They had Firedaemon (a program that registers programs for execution to serve incoming connections, similar to the Unix "inetd" daemon.)
Details
=======
Forensic analysis of hard drive contents and IRC traffic has revealed the methods and signatures of the malware installed on the compromised systems. To date we are not 100% sure of exactly how the initial backdoor installation occurs, but it appears to involve remote shell access (via telnetd). Whatever it is, the next step is to transfer a script onto the system and run it to bootstrap the rest of the installation of backdoors, bots, FTP server, and other support programs, the modification of directory/file permissions and attributes to hide files, and changes to registry settings to make programs run at each boot. On some systems, FTP is also used to later transfer files onto the compromised system.
The script does the following:
o Creates a directory under the C:\RECYCLER directory, and marks it hidden and system directory.
o Kills any previously running instances of itself.
o Installs Firedaemon, and changes it (and other support programs) to be system/hidden.
o Uses tftp to download IRC bot configuration files from a temporary cache (on another compromised system).
o Does a "net user administrator changem" and deletes the ipc$ file share.
o Starts the Firedaemon and registers services named "Ms32dll", "SVHOST" and "MSVC5"
o Creates a file to set the following Registry settings, then runs "regedit" on this file:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\]
"restrictanonymous"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\]
"NTLM"="2"
o Cleans up some files, and stops and deletes the following services: "tlntsvr" and "PSEXESVC"
o (Re)Starts the following services: "lmhosts" and "NtLmSsp"
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
user_nick [XDCC]XXXX-649
slotsmax 20
loginname XXXXX
filedir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
uploaddir C:\RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
xdccfile c:\winnt\system32\vmn32\asp\mybot.xdcc
pidfile c:\winnt\system32\vmn32\asp\mybot.pid
server irc.XXXXXX.net 6667
server irc.XXXXXX.net 7000
server XXXX.XXXXX.net 6667
server XXXX.XXXXX.net 7000
server XXX.XXX.XX.XXX 6667
logrotate weekly
messagefile c:\winnt\system32\vmn32\asp\mybot.msg
ignorefile c:\winnt\system32\vmn32\asp\mybot.ignl
channel #XDCC -plist 15
user_realname XDCC
user_modes +i
virthost no
vhost_ip virtip.domain.com
firewall no
dccrangestart 4000
queuesize 20
slotsmaxpack 0
slotsmaxslots 5
slotsmaxqueue 10
maxtransfersperperson 1
maxqueueditemsperperson 1
restrictlist yes
restrictsend yes
overallminspeed 5.0
transfermaxspeed 0
overallmaxspeed 2000
overallmaxspeeddayspeed 0
overallmaxspeeddaytime 9 17
overallmaxspeeddaydays MTWRF
debug no
autosend no
autoword bleh
automsg bleh
autopack 1
xdccautosavetime 15
creditline ^2Brought to you by #XDCC^2
adminpass Xv8h8aXknm8J5z
adminhost *!*@*.XXXXXX.net
adminhost *!*@*.cia.gov
uploadallowed no
uploadmaxsize 900
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
A search of Google for the terms "+X-DCC +XDCC +bot" comes up with several hits, including the following list of the top IRC networks. The X-DCC/XDCC related channels (including channels found on many of the compromised systems at the UW) were the majority of the top channels on this site:
http://62.27.120.133/networks/chanlist.shtml
The signature of these particular bots can be identified by the string ":Total Offered:" (the amount of disc space used for "warez" on the system, to be served by the bot):
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
T 2002/04/18 08:30:18.768002 10.1.1.1:6667 -> 192.168.2.2:3852 [AP]
:[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXXX :.**. .Brought to you by #XXXXXXXXXXXXX. .**...:[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :.**. .Brought to you by #XXXXXXXXXXXXX. .**...

T 2002/04/18 08:30:20.452092 217.199.39.139:7000 -> 128.208.113.130:1031 [AP]
:[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXXX :Total Offered: 1223.5 MB Total Transferred: 419.19 MB..:[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1223.5 MB Total Transferred: 419.19 MB..:[f0]-XDCC230!~accute@foo-0000000.bar.asu.edu PRIVMSG #XXXXXXXXX :Total Offered: 1223.5 MB Total Transferred: 419.19 MB..
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Using this information, a capture of all IRC traffic across the border of the network was performed and a script written ("findoffer") to parse and summarize the totals. Sampling IRC traffic to/from a set of 9 compromised systems (tcpdump filter "tcp port 6667 and tcp port 7000"), and using "findoffer", we found as many as 419 bots in 22 IRC channels, serving a total of 556.18 GB (yes, over half a Terabyte!!! and that is just from bots in some of the X-DCC channels, not all of them.)
[Note that IRC can be run over any port besides just 6667/tcp and 7000/tcp, so I expect that these bots will likely move off of public servers to rogue servers on compromised systems, and to use ports other than the standard 6666/tcp - 7000/tcp.]
In addition to file sharing, many (all?) of these systems were at least capable, if not actually used for, distributed denial of service (DDoS) attacks. Dozens of attacks have been attributed to the same group who installed these warez bots. Here is one such use:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
T 2002/03/27 02:28:31.434846 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
:ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send to channel..:badd_kittycatN0yb!~moonglow@dc00.foonet.gatech.edu PRIVMSG #doschan :[login accepted]..

T 2002/03/27 02:28:31.986647 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
:ns.example.net 404 KNIGHT77tdtR #doschan :Cannot send to channel..:badd_kittycatN0yb!~moonglow@d000.foonet.gatech.edu PRIVMSG #doschan :[packeting 192.168.32.94 at 64000kb/s 10000000 times]..:vodkidWT!~zoolander@grd0000.foo.uiuc.edu PRIVMSG #doschan :[packeting 192.168.32.94 at 64000kb/s 10000000 times]..

. . .

T 2002/03/27 05:25:31.491814 192.168.0.220:6667 -> 10.0.0.1:3164 [AP]
:foobar!foo@staff.botnet.net PRIVMSG #doschan :.run c:\winnt\system32\temp.exe..:XXXXXXXXXXZ2vco!~XXXXXX@A000000.N0.Vanderbilt.Edu PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..

T 2002/03/27 05:25:31.493483 10.0.0.1:3164 -> 192.168.0.220:6667 [AP]
PRIVMSG #doschan :[running c:\winnt\system32\temp.exe]..
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Two DDoS bots have been seen in use in conjunction with this activity: "knight.exe" and "GTbot". ("knight.exe" is the Unix "knight.c" program, compiled with the Cygwin development libraries.) These programs are described here:
http://www.cert.org/archive/pdf/DoS_trends.pdf
http://bots.lockdowncorp.com/gtbot.html
The UDP traffic (seen by "tcpdump") during a GTbot attack shows some unusual packets:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1017207252.687968 192.168.32.126.1646 > 10.203.32.94.37046: rad-#43 837 [id 32 ] Attr[ Acct_out_octets{length 30 != 4} ARAP_zone_acces{length 46 != 4} NAS_id{ +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH} Acct_out_packets{length 41 != 4} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} ARAP_challenge_resp{302B202B202B4154}|radius} [|radius]
. . .
1017207256.282173 192.168.32.126.1645 > 10.203.32.94.24413: rad-#64 440 [id 64 ] Attr[ Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} Tunnel_type{length 62 != 4} [|radius]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Seen by "ngrep", there is a strange kind of UDP flood:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
U 2002/03/26 21:34:16.284428 192.168.32.126:2892 -> 10.203.32.94:19192
+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + + ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH 0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0 + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + + ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
U 2002/03/26 21:34:16.284790 192.168.32.126:3099 -> 10.203.32.94:61749
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@
U 2002/03/26 21:34:16.285599 192.168.32.126:2767 -> 10.203.32.94:44393
!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)
U 2002/03/26 21:34:16.286329 192.168.32.126:4403 -> 10.203.32.94:56289
!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&! ^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!% !@#%!^@)
U 2002/03/26 21:34:16.287070 192.168.32.126:4008 -> 10.203.32.94:39934
+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + + ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH 0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +A TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0 + + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +AT H0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + + ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Apparent IRC traffic confirms there is a DDoS bot on this system:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
T 2002/03/26 21:36:43.468911 192.168.32.126:1135 -> 10.76.175.220:7666 [AP]
PRIVMSG #doschan :.S.ending [.64,000.kb] of Data to (10.203.32.94).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Seen by "tcpdump", one of the attack methods of this tool uses IP protocol 255 (listed as "Reserved" by IANA). These attacks use both large packets (requiring fragmentation) and small packets. [Note: Network monitoring tools that only log TCP, UDP, and ICMP protocols will not see this attack traffic at all.]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Fri Mar 22 20:54:59 2002
1016859299.879744 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37686:1480@0+)
1016859299.879745 192.168.0.1 > 10.209.12.152: (frag 37686:20@1480)
1016859299.881140 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37687:1480@0+)
1016859299.881141 192.168.0.1 > 10.209.12.152: (frag 37687:20@1480)
1016859299.882465 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37688:1480@0+)
1016859299.882465 192.168.0.1 > 10.209.12.152: (frag 37688:20@1480)
1016859299.883866 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37689:1480@0+)

Sat Mar 23 13:13:25 2002
1016918005.627814 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.627905 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.627986 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.628120 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.628180 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.628282 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.628342 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.628448 192.168.0.1 > 10.99.102.100: ip-proto-255 52
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Foundstone's "FPort" program showed the following open ports on one of the systems:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
2     System         ->  80    TCP
187   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
2     System         ->  113   TCP
191   temp           ->  113   TCP   C:\WINNT\System32\temp.exe
94    RpcSs          ->  135   TCP   C:\WINNT\system32\RpcSs.exe
2     System         ->  135   TCP
2     System         ->  139   TCP
2     System         ->  443   TCP
187   inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
191   temp           ->  1035  TCP   C:\WINNT\System32\temp.exe
187   inetinfo       ->  1036  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
187   inetinfo       ->  1037  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
187   inetinfo       ->  2962  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
191   temp           ->  9000  TCP   C:\WINNT\System32\temp.exe
2     System         ->  135   UDP
2     System         ->  137   UDP
2     System         ->  138   UDP
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
More information on this botnet, and references to the tools used to analyze it, were presented at CanSecWest Core02 in Vancouver, BC on May 2. The slides and references to the tools that were used can be found at the following location:
http://staff.washington.edu/dittrich/talks/core02/
An example report produced by "findoffer" can be found at:
http://staff.washington.edu/dittrich/misc/ddos/xdcc-report.txt
This report has been anonymized, since some of the hosts are voluntarily serving files (these networks are NOT exclusively compromised hosts running bots.) Use this script ONLY to identify hosts on your network, and make sure you follow all applicable privacy laws and policies of your organization regarding logging of IRC traffic.
--
Dave Dittrich                          Computing & Communications
dittrich@cac.washington.edu            University Computing Services
http://staff.washington.edu/dittrich   University of Washington
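The "findoffer" approach described in the forward (total the ":Total Offered:" banners seen in captured IRC traffic, per channel and overall), written out as an added Python example. This is not Dave Dittrich's findoffer script; the ngrep-style capture lines, hosts, nicks and channels below are constructed, and the unit handling (KB/MB/GB) is an assumption about what the bots may print.

```python
"""Minimal 'findoffer'-style summarizer: find the X-DCC ":Total Offered:"
banner in IRC PRIVMSGs captured by ngrep and total the disk space offered
per channel. Added example, not the findoffer script from the original post."""
import re
from collections import defaultdict

# Constructed sample capture in ngrep "-t" style (header line, then payload).
# Hosts, nicks and channels are made up. The first bot announces twice,
# as these bots do periodically, which the summary must not double count.
SAMPLE_CAPTURE = """\
T 2002/04/18 08:30:20.452092 10.0.0.5:7000 -> 192.0.2.10:1031 [AP]
:[f0]-XDCC230!~accute@host-a.example.edu PRIVMSG #chanA :Total Offered: 1223.5 MB Total Transferred: 419.19 MB
T 2002/04/18 08:31:02.118001 10.0.0.5:7000 -> 192.0.2.11:1040 [AP]
:[f0]-XDCC231!~kitty@host-b.example.net PRIVMSG #chanA :Total Offered: 2.3 GB Total Transferred: 1.01 GB
T 2002/04/18 08:33:20.010001 10.0.0.5:6667 -> 192.0.2.12:1051 [AP]
:[f0]-XDCC230!~accute@host-a.example.edu PRIVMSG #chanA :Total Offered: 1223.5 MB Total Transferred: 420.00 MB
T 2002/04/18 08:34:44.987654 10.0.0.6:6667 -> 192.0.2.13:1062 [AP]
:[f1]-XDCC07!~bot@host-c.example.org PRIVMSG #chanB :Total Offered: 512 MB Total Transferred: 0 MB
T 2002/04/18 08:35:00.000000 10.0.0.6:6667 -> 192.0.2.13:1062 [AP]
:someuser!~u@host-d.example.org PRIVMSG #chanB :hello, anyone here?
"""

# One IRC message: ":nick!user@host PRIVMSG #channel :Total Offered: <n> <unit>".
# finditer() over the whole capture also handles several messages run
# together in one TCP segment, as in the ngrep output in the post.
OFFER_RE = re.compile(
    r":(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<chan>#\S+) "
    r":Total Offered: (?P<size>[\d.]+) (?P<unit>[KMG]B)"
)
UNIT_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}  # assumed unit set


def parse_offers(capture):
    """Return {(channel, nick, host): offered_mb}. Re-assigning the key keeps
    only the latest banner per bot, so repeated announcements count once."""
    offers = {}
    for m in OFFER_RE.finditer(capture):
        mb = float(m.group("size")) * UNIT_MB[m.group("unit")]
        offers[(m.group("chan"), m.group("nick"), m.group("host"))] = mb
    return offers


def summarize(offers):
    """Per-channel bot count and offered MB, plus the grand total in GB."""
    per_chan = defaultdict(lambda: {"bots": 0, "offered_mb": 0.0})
    for (chan, _nick, _host), mb in offers.items():
        per_chan[chan]["bots"] += 1
        per_chan[chan]["offered_mb"] += mb
    total_mb = sum(c["offered_mb"] for c in per_chan.values())
    return dict(per_chan), total_mb / 1024


def report(capture=SAMPLE_CAPTURE):
    """Human-readable summary, one line per channel plus a total line."""
    per_chan, total_gb = summarize(parse_offers(capture))
    lines = [f"{chan:12s} bots={v['bots']:4d} offered={v['offered_mb']:10.1f} MB"
             for chan, v in sorted(per_chan.items())]
    bots = sum(v["bots"] for v in per_chan.values())
    lines.append(f"TOTAL {bots} bots, {total_gb:.2f} GB offered")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Feed it the payload side of an ngrep capture (e.g. `ngrep -t -q 'Total Offered' 'tcp port 6667 or tcp port 7000'`) rather than pcap; the regex keys on message content, so bots on a non-standard IRC port are found as long as the capture includes them, which is the caveat the post raises about ports.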
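The post notes that the IP protocol 255 attack traffic is invisible to monitoring that only logs TCP, UDP and ICMP. The following added Python example (not a tool from the original post) parses tcpdump output of the kind shown above, attributes continuation fragments to their first fragment by IP ID, and reports the flows that a "tcp or udp or icmp" filter would have dropped. The sample tcpdump lines are constructed, modelled on the excerpt in the post.

```python
"""Flag raw-IP-protocol traffic (e.g. ip-proto-255) in tcpdump output.
Added example, not a tool from the original post."""
import re
from collections import defaultdict

# Constructed sample in tcpdump "-tt -n" style, modelled on the post's
# ip-proto-255 excerpt. Addresses are private / documentation ranges.
SAMPLE_TCPDUMP = """\
1016859299.879744 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37686:1480@0+)
1016859299.879745 192.168.0.1 > 10.209.12.152: (frag 37686:20@1480)
1016859299.881140 192.168.0.1 > 10.209.12.152: ip-proto-255 1480 (frag 37687:1480@0+)
1016859299.881141 192.168.0.1 > 10.209.12.152: (frag 37687:20@1480)
1016918005.627814 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.627905 192.168.0.1 > 10.99.102.100: ip-proto-255 52
1016918005.700000 192.168.0.1.2892 > 10.99.102.100.19192: udp 1400
1016918005.800000 192.168.0.1.1135 > 10.76.175.220.7666: P 1:20(19) ack 1 win 8760
"""

# First (or only) fragment: tcpdump prints the protocol number and length.
HEAD_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ip-proto-(?P<proto>\d+) (?P<len>\d+)"
    r"(?: \(frag (?P<fid>\d+):\d+@\d+\+?\))?$"
)
# Continuation fragment: no protocol number, only the IP ID, length and offset.
CONT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"\(frag (?P<fid>\d+):(?P<flen>\d+)@\d+\+?\)$"
)

TRACKED_BY_L4_FILTERS = {1, 6, 17}  # icmp, tcp, udp


def raw_protocol_flows(capture):
    """Return {(src, dst, proto_number): stats} for packets tcpdump printed
    as ip-proto-N. Continuation fragments are attributed to the flow of the
    first fragment that carried the same (src, dst, IP ID)."""
    flows = defaultdict(lambda: {"packets": 0, "fragments": 0, "bytes": 0,
                                 "first": None, "last": None})
    frag_owner = {}  # (src, dst, ipid) -> flow key
    for line in capture.splitlines():
        m = HEAD_RE.match(line)
        if m:
            key = (m["src"], m["dst"], int(m["proto"]))
            st = flows[key]
            st["packets"] += 1
            st["bytes"] += int(m["len"])
            ts = float(m["ts"])
            st["first"] = ts if st["first"] is None else st["first"]
            st["last"] = ts
            if m["fid"]:
                frag_owner[(m["src"], m["dst"], m["fid"])] = key
            continue
        c = CONT_RE.match(line)
        if c:
            key = frag_owner.get((c["src"], c["dst"], c["fid"]))
            if key is not None:
                flows[key]["fragments"] += 1
                flows[key]["bytes"] += int(c["flen"])
                flows[key]["last"] = float(c["ts"])
        # Any other line is a normal tcp/udp/icmp decode and is not collected.
    return dict(flows)


def invisible_to_l4_only_monitoring(flows):
    """Subset of flows a 'tcp or udp or icmp' capture filter would drop."""
    return {k: v for k, v in flows.items() if k[2] not in TRACKED_BY_L4_FILTERS}


if __name__ == "__main__":
    hidden = invisible_to_l4_only_monitoring(raw_protocol_flows(SAMPLE_TCPDUMP))
    for (src, dst, proto), st in sorted(hidden.items()):
        print(f"{src} -> {dst} ip-proto-{proto}: {st['packets']} datagrams, "
              f"{st['fragments']} continuation fragments, {st['bytes']} payload bytes")
```

The practical takeaway is the capture filter: `not (tcp or udp or icmp)` on a border sensor isolates exactly this class of traffic, and the fragment accounting above shows why the per-datagram byte count (1500 here) differs from what a first-fragment-only count would report.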