Pubstro warez worm

Discussion in 'malware problems & news' started by NetWatchman, Aug 26, 2002.

Thread Status:
Not open for further replies.
  1. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    ..this one is pretty nasty..I sent the following email out to about 20 different organizations that were involved in this incident:

    FYI,

    We recently completed an intrusion investigation regarding the following host:

    http://www.mynetwatchman.com/LID.asp?IID=7129937

    On the above host we found sfind.exe, an automated scanner which searches for Microsoft IIS hosts which are vulnerable to the well-publicized Unicode exploits...it then records the IP addresses of vulnerable systems to the file sfind.txt. In this case, sfind was set up to scan most of the 128.x.x.x address space...it got up to about 128.150.x.x before the customer received our alert and shut down the box.

    You are receiving this email because one of YOUR IP addresses was found by sfind as being vulnerable (see entries in the attach list that are associated with your domain).
    As sfind does not provide a timestamp, I can only say that this information was identified sometime between 2002-08-23 and 2002-08-26 at 20:00 UTC.

    Be advised that this activity seems to be associated with a semi-automated worm which you may now also be infected with. The system we analyzed appeared to be infected with a "Pubstro" script which aims to compromise hosts, install rogue FTP servers (serv-u-ftp), and use the infected host to host Warez..hence "Pubstro" = "Public Storage".

    For more info on pubstro see:
    link deleted by FanJ


    The system we researched was highly modified...and thus manual removal may not be possible or advisable.
    The hostile files we identified were in the C:/inetpub/aux/home directory and included:

    sfind.exe - IIS Unicode file scanner
    sfind.txt - IP addresses found by scanner
    ncx99.exe - a version of netcat that opens a command shell backdoor on port 99
    kill.exe - a process killer
    reboot.exe - a rebooter
    tlist.exe - a task lister
    cmd1.exe - a modified command shell?
    jasfv.dll - an SFV checker
    winlogon.exe - a modified winlogon?

    copies of serv-u-ftp were also installed in the root of C:

    Interestingly, virus scanners (e.g. Norton) did not detect the existence of these files...I assume this is because although these are utilities often associated with hostile activity, they are not technically worms or viruses. Also, by storing the code in a directory with an invalid name "aux" many Windows commands and utilities can't access it.

    We don't know for sure if your servers were loaded with the above code...but it looks pretty sure that these servers are vulnerable to Unicode exploits and need to be patched.

    A quick way to detect a suspected infection is to run the 'netstat' command and look for a high rate of *outbound* port 80 connections. For example, netstat on the above host produced:

    C:/> netstat -an
    [snip]

    TCP 198.243.46.10:22450 128.156.200.114:80 SYN_SENT
    TCP 198.243.46.10:22451 128.156.200.115:80 SYN_SENT
    TCP 198.243.46.10:22452 128.156.200.116:80 SYN_SENT
    TCP 198.243.46.10:22453 128.156.200.117:80 SYN_SENT
    TCP 198.243.46.10:22454 128.156.200.118:80 SYN_SENT
    TCP 198.243.46.10:22455 128.156.200.119:80 SYN_SENT
    TCP 198.243.46.10:22456 128.156.200.120:80 SYN_SENT
    TCP 198.243.46.10:22457 128.156.200.121:80 SYN_SENT
    TCP 198.243.46.10:22458 128.156.200.122:80 SYN_SENT
    TCP 198.243.46.10:22459 128.156.200.123:80 SYN_SENT
    TCP 198.243.46.10:22460 128.156.200.124:80 SYN_SENT
    TCP 198.243.46.10:22461 128.156.200.125:80 SYN_SENT
    TCP 198.243.46.10:22462 128.156.200.126:80 SYN_SENT
    TCP 198.243.46.10:22463 128.156.200.127:80 SYN_SENT
    TCP 198.243.46.10:22464 128.156.200.128:80 SYN_SENT
    TCP 198.243.46.10:22465 128.156.200.129:80 SYN_SENT
    TCP 198.243.46.10:22466 128.156.200.130:80 SYN_SENT
    TCP 198.243.46.10:22467 128.156.200.131:80 SYN_SENT
    TCP 198.243.46.10:22468 128.156.200.132:80 SYN_SENT
    TCP 198.243.46.10:22469 128.156.200.133:80 SYN_SENT
    TCP 198.243.46.10:22470 128.156.200.134:80 SYN_SENT
    TCP 198.243.46.10:22471 128.156.200.135:80 SYN_SENT
    TCP 198.243.46.10:22472 128.156.200.136:80 SYN_SENT
    TCP 198.243.46.10:22473 128.156.200.137:80 SYN_SENT
    TCP 198.243.46.10:22474 128.156.200.138:80 SYN_SENT
    TCP 198.243.46.10:22475 128.156.200.139:80 SYN_SENT
    TCP 198.243.46.10:22476 128.156.200.140:80 SYN_SENT
    TCP 198.243.46.10:22477 128.156.200.141:80 SYN_SENT
    TCP 198.243.46.10:22478 128.156.200.142:80 SYN_SENT
    TCP 198.243.46.10:22479 128.156.200.143:80 SYN_SENT
    TCP 198.243.46.10:22480 128.156.200.144:80 SYN_SENT
    TCP 198.243.46.10:22481 128.156.200.145:80 SYN_SENT
    TCP 198.243.46.10:22482 128.156.200.146:80 SYN_SENT
    TCP 198.243.46.10:22483 128.156.200.147:80 SYN_SENT
    TCP 198.243.46.10:22484 128.156.200.148:80 SYN_SENT
    TCP 198.243.46.10:22485 128.156.200.149:80 SYN_SENT
    TCP 198.243.46.10:22486 128.156.200.150:80 SYN_SENT
    TCP 198.243.46.10:22487 128.156.200.151:80 SYN_SENT
    TCP 198.243.46.10:22488 128.156.200.152:80 SYN_SENT
    TCP 198.243.46.10:22489 128.156.200.153:80 SYN_SENT
    TCP 198.243.46.10:22490 128.156.200.154:80 SYN_SENT
    TCP 198.243.46.10:22491 128.156.200.155:80 SYN_SENT
    TCP 198.243.46.10:22492 128.156.200.156:80 SYN_SENT
    TCP 198.243.46.10:22493 128.156.200.157:80 SYN_SENT
    TCP 198.243.46.10:22494 128.156.200.158:80 SYN_SENT
    TCP 198.243.46.10:22495 128.156.200.159:80 SYN_SENT
    TCP 198.243.46.10:22496 128.156.200.160:80 SYN_SENT
    TCP 198.243.46.10:22497 128.156.200.161:80 SYN_SENT
    TCP 198.243.46.10:22498 128.156.200.162:80 SYN_SENT
    TCP 198.243.46.10:22499 128.156.200.163:80 SYN_SENT
    TCP 198.243.46.10:22500 128.156.200.164:80 SYN_SENT



    If you research these hosts and have any observations you'd like to share, or if you have any questions regarding this email, please do not hesitate to email or phone me.

    Regards,

    Lawrence Baldwin
    myNetWatchman.com
    The Internet Neighborhood Watch
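The quick check described in the email above (look at `netstat -an` for a burst of outbound port 80 connections stuck in SYN_SENT) can be scripted so it runs the same way every time. The block below is an added example, not code from the original post or from myNetWatchman: it parses Windows-style `netstat -an` output, counts half-open outbound connections to port 80 per local address, and additionally flags when the destination addresses form a consecutive sweep, which is what the sfind-style output in the email shows. The sample output is constructed (documentation IP ranges, not the real capture) and the threshold of five connections is an assumption to tune for the host.

```python
"""Flag hosts whose netstat output shows a burst of half-open (SYN_SENT)
outbound connections to port 80, the sign of an IIS scanner running
locally. Added example; the netstat text below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modeled on Windows `netstat -an` output (not the
# capture from the post); 203.0.113.x targets are a sequential sweep.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.7:443       ESTABLISHED
  TCP    192.0.2.10:22450       203.0.113.114:80       SYN_SENT
  TCP    192.0.2.10:22451       203.0.113.115:80       SYN_SENT
  TCP    192.0.2.10:22452       203.0.113.116:80       SYN_SENT
  TCP    192.0.2.10:22453       203.0.113.117:80       SYN_SENT
  TCP    192.0.2.10:22454       203.0.113.118:80       SYN_SENT
  TCP    192.0.2.10:22455       203.0.113.119:80       SYN_SENT
  UDP    192.0.2.10:137         *:*
"""

# One TCP row: proto, local addr:port, remote addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples
    for every TCP row; header, blank and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def scan_indicators(text, port=80, threshold=5):
    """Per local address, count SYN_SENT connections to `port` and report
    whether the targets are consecutive addresses (a scanner sweep).
    `threshold` (assumed value) decides when the count is called suspicious."""
    half_open = defaultdict(list)
    for lip, _lport, rip, rport, state in parse_tcp(text):
        if state == "SYN_SENT" and rport == port:
            half_open[lip].append(rip)

    findings = {}
    for lip, targets in half_open.items():
        addrs = sorted(int(ipaddress.ip_address(t)) for t in targets)
        sequential = len(addrs) >= 2 and all(
            b - a == 1 for a, b in zip(addrs, addrs[1:])
        )
        findings[lip] = {
            "syn_sent_count": len(targets),
            "sequential_targets": sequential,
            "suspicious": len(targets) >= threshold,
        }
    return findings


if __name__ == "__main__":
    for lip, info in scan_indicators(SAMPLE_NETSTAT).items():
        print(lip, info)
```

On a live Windows host the same function can be fed `subprocess.check_output(["netstat", "-an"], text=True)`; a single snapshot only catches the scanner while it is running, so for an intermittent scanner take several samples a minute apart and compare counts.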