Collection and analysis of malware

Discussion in 'malware problems & news' started by Ned Slider, Nov 27, 2005.

Thread Status:
Not open for further replies.
  1. Ned Slider

    Ned Slider Registered Member
    Hi folks,

    I've been doing some collection and analysis of malwares recently using two newly available tools, mwcollect and nepenthes. Both are malware collection daemons that use plugin modules to simulate known Windows vulnerabilities, parse exploited shellcodes and download the malware. I've run both programs on a RHEL box during the past week to analyse the frequency and types of threat an unpatched Windows box may typically experience. Such programs allow us to do this in a safe and controlled manner. The vulnerabilities simulated and their respective ports can be found at the documentation section on the bottom of this page.

    Here's a copy of my log showing successful exploits against the target machine during the last week:

    Code:
    [2005-11-20T15:52:26] creceive://xxx.116.116.2:55725
    [2005-11-20T15:52:59] creceive://xxx.116.116.2:32047
    [2005-11-20T16:41:00] ftp://1:1@xxx.56.95.204:10327/servs.exe
    [2005-11-20T18:01:43] ftp://1:1@xxx.8.13.103:5679/taskmnegr.exe
    [2005-11-20T18:38:39] ftp://1:1@0.0.0.0:1284/servs.exe
    [2005-11-20T20:05:13] ftp://1:1@xxx.186.161.10:18880/eraseme_34317.exe
    [2005-11-20T20:49:48] ftp://1:1@xxx.197.138.112:13216/taskmegr.exe
    [2005-11-21T07:20:21] http://xxx.33.25.49:2567/x.exe
    [2005-11-21T07:47:12] ftp://1:1@xxx.137.186.128:11703/msngersd.exe
    [2005-11-21T07:52:22] ftp://1:1@xxx.137.186.128:11703/msngersd.exe
    [2005-11-21T08:17:29] ftp://1:1@xxx.137.186.128:11703/msngersd.exe
    [2005-11-21T09:00:12] ftp://1:1@xxx.137.186.128:11703/msngersd.exe
    [2005-11-21T09:29:18] ftp://1:1@0.0.0.0:30910/msngersd.exe
    [2005-11-21T09:44:15] creceive://xxx.87.161.103:38566
    [2005-11-21T09:44:48] creceive://xxx.87.161.103:4135
    [2005-11-21T10:04:02] ftp://1:1@0.0.0.0:30910/msngersd.exe
    [2005-11-21T10:36:04] ftp://1:1@0.0.0.0:11703/msngersd.exe
    [2005-11-21T10:39:14] ftp://1:1@0.0.0.0:11703/msngersd.exe
    [2005-11-21T11:56:32] ftp://1:1@xxx.137.186.127:3597/msngersd.exe
    [2005-11-21T12:10:20] ftp://1:1@0.0.0.0:11703/msngersd.exe
    [2005-11-21T12:33:41] tftp://0.0.0.0/winsys.exe
    [2005-11-21T12:39:58] ftp://1:1@0.0.0.0:11703/msngersd.exe
    [2005-11-21T13:00:38] ftp://1:1@0.0.0.0:11703/msngersd.exe
    [2005-11-21T13:11:41] tftp://0.0.0.0/winsys.exe
    [2005-11-21T13:21:07] tftp://0.0.0.0/winsys.exe
    [2005-11-21T13:30:54] ftp://1:1@0.0.0.0:11703/msngersd.exe
    [2005-11-21T13:40:36] ftp://1:1@xxx.137.186.127:30787/msngersd.exe
    [2005-11-21T14:12:36] tftp://0.0.0.0/winsys.exe
    [2005-11-21T14:26:12] ftp://1:1@xxx.137.186.128:16359/msngersd.exe
    [2005-11-21T14:26:58] tftp://0.0.0.0/winsys.exe
    [2005-11-21T14:27:56] http://xxx.32.115.128:1395/x.exe
    [2005-11-21T15:21:06] ftp://1:1@xxx.137.186.127:30787/msngersd.exe
    [2005-11-21T15:39:15] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T15:52:57] csend://xxx.144.8.6:2284
    [2005-11-21T16:33:05] csend://xxx.144.8.6:2284
    [2005-11-21T16:34:59] ftp://1:1@xxx.137.186.128:18717/msngersd.exe
    [2005-11-21T17:00:35] csend://xxx.168.0.57:1813
    [2005-11-21T17:38:33] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T17:46:00] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T18:14:27] ftp://1:1@xxx.198.240.241:4438/eraseme_73063.exe
    [2005-11-21T18:30:41] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T18:39:36] ftp://1:1@xxx.137.186.128:18717/msngersd.exe
    [2005-11-21T18:44:24] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T18:59:13] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T19:09:25] tftp://xxx.137.98.245/winsys.exe
    [2005-11-21T19:43:55] ftp://1:1@xxx.137.186.127:23750/msngersd.exe
    [2005-11-21T19:46:35] ftp://1:1@xxx.137.186.127:23750/msngersd.exe
    [2005-11-21T20:05:57] ftp://1:1@xxx.137.186.127:23750/msngersd.exe
    [2005-11-21T20:29:40] ftp://1:1@xxx.137.186.127:23750/msngersd.exe
    [2005-11-21T20:41:13] ftp://1:1@xxx.137.81.14:24155/servs.exe
    [2005-11-21T21:16:51] ftp://1:1@xxx.137.186.127:23750/msngersd.exe
    [2005-11-21T22:07:14] tftp://xxx.54.193.156/NetSis.exe
    [2005-11-21T23:17:31] http://xxx.117.115.31:8122/x.exe
    [2005-11-22T01:37:47] tftp://xxx.72.54.217/NetSis.exe
    [2005-11-22T01:43:33] http://xxx.115.76.137:3151/x.exe
    [2005-11-22T03:12:22] ftp://1:1@xxx.22.235.17:18393/network.exe
    [2005-11-22T03:26:48] tftp://0.0.0.0/NetSis.exe
    [2005-11-22T06:16:18] tftp://xxx.168.252.38/NetSis.exe
    [2005-11-22T08:05:09] tftp://xxx.38.119.194/msnservers.exe
    [2005-11-22T09:10:01] ftp://1:1@xxx.137.186.139:3445/msngersd.exe
    [2005-11-22T09:18:21] ftp://1:1@xxx.137.186.139:3445/msngersd.exe
    [2005-11-22T09:33:01] ftp://1:1@xxx.137.186.139:3445/msngersd.exe
    [2005-11-22T09:44:03] ftp://1:1@xxx.137.186.127:25870/msngersd.exe
    [2005-11-22T10:04:14] ftp://1:1@xxx.137.186.127:25870/msngersd.exe
    [2005-11-22T10:06:50] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T10:25:35] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T10:32:10] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T10:34:58] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T10:41:21] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T11:07:54] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T11:10:19] ftp://1:1@xxx.137.186.139:15649/msngersd.exe
    [2005-11-22T11:27:36] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T11:30:56] tftp://xxx.168.1.101/NetSis.exe
    [2005-11-22T11:32:23] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T11:47:35] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T13:31:25] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T13:42:53] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T14:15:17] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T15:03:11] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T15:32:02] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T15:33:24] tftp://xxx.168.3.195/NetSis.exe
    [2005-11-22T16:01:19] tftp://0.0.0.0/winsys.exe
    [2005-11-22T16:15:29] tftp://0.0.0.0/winsys.exe
    [2005-11-22T16:16:54] tftp://0.0.0.0/winsys.exe
    [2005-11-22T16:28:56] ftp://1:1@xxx.137.186.127:13722/msngersd.exe
    [2005-11-22T16:32:01] ftp://1:1@xxx.137.186.127:13722/msngersd.exe
    [2005-11-22T16:54:39] ftp://1:1@xxx.137.186.127:13722/msngersd.exe
    [2005-11-22T16:55:14] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T17:03:27] ftp://1:1@xxx.137.81.14:1656/msngersd.exe
    [2005-11-22T17:18:17] ftp://1:1@xxx.137.212.218:60921/msgms.exe
    [2005-11-22T17:23:44] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T17:30:15] ftp://1:1@xxx.137.212.218:60921/msgms.exe
    [2005-11-22T17:43:32] tftp://xxx.228.63.205/NetSis.exe
    [2005-11-22T17:56:07] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T17:58:24] ftp://1:1@xxx.137.212.218:60921/msgms.exe
    [2005-11-22T18:05:43] tftp://xxx.137.98.245/winsys.exe
    [2005-11-22T18:19:15] ftp://1:1@xxx.137.212.218:60921/msgms.exe
    [2005-11-22T18:26:26] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T19:32:25] ftp://1:1@xxx.137.81.14:58232/msgms.exe
    [2005-11-22T20:15:22] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T20:28:18] http://10.40.4.30:359/x.exe
    [2005-11-22T20:36:54] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T20:39:51] ftp://1:1@xxx.137.212.218:60921/msgms.exe
    [2005-11-22T20:40:54] ftp://1:1@xxx.137.186.139:17552/msngersd.exe
    [2005-11-22T20:44:56] ftp://1:1@xxx.137.212.218:60921/msgms.exe
    [2005-11-22T21:49:10] ftp://1:1@xxx.137.254.53:48141/msgms.exe
    [2005-11-22T22:21:51] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-22T22:39:01] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-22T23:11:21] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-22T23:16:10] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-22T23:21:50] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-22T23:27:00] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-23T00:20:53] ftp://1:1@0.0.0.0:48141/msgms.exe
    [2005-11-23T00:55:22] tftp://xxx.168.1.104/NetSis.exe
    [2005-11-23T01:39:29] csend://xxx.129.246.92:1117
    [2005-11-23T05:16:10] creceive://xxx.43.57.244:53893
    [2005-11-23T05:16:33] creceive://xxx.43.57.244:40673
    [2005-11-23T07:11:38] ftp://1:1@xxx.137.186.139:2789/msngersd.exe
    [2005-11-23T07:14:08] ftp://1:1@xxx.137.186.139:2789/msngersd.exe
    [2005-11-23T08:02:50] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T08:24:44] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T08:44:16] ftp://1:1@xxx.137.186.127:12445/msngersd.exe
    [2005-11-23T08:48:23] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T08:50:46] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T08:52:47] ftp://1:1@xxx.137.186.127:12445/msngersd.exe
    [2005-11-23T09:05:49] ftp://1:1@xxx.137.186.127:12445/msngersd.exe
    [2005-11-23T09:13:18] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T09:25:16] ftp://1:1@xxx.137.186.127:12445/msngersd.exe
    [2005-11-23T09:34:48] ftp://1:1@xxx.137.186.127:12445/msngersd.exe
    [2005-11-23T09:49:16] ftp://1:1@xxx.137.186.127:12445/msngersd.exe
    [2005-11-23T09:52:19] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T10:01:07] ftp://1:1@xxx.137.40.106:6982/eraseme_45026.exe
    [2005-11-23T10:05:47] tftp://0.0.0.0/winsys.exe
    [2005-11-23T10:16:16] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T10:23:11] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T10:31:29] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T11:07:46] ftp://1:1@xxx.137.254.53:8377/msgms.exe
    [2005-11-23T11:19:55] tftp://0.0.0.0/winsys.exe
    [2005-11-23T12:43:49] tftp://0.0.0.0/winsys.exe
    [2005-11-23T14:52:22] ftp://1:1@0.0.0.0:8377/msgms.exe
    [2005-11-23T14:54:33] tftp://xxx.137.98.245/winsys.exe
    [2005-11-23T15:07:20] tftp://xxx.137.98.245/winsys.exe
    [2005-11-23T15:11:37] ftp://1:1@0.0.0.0:8377/msgms.exe
    [2005-11-23T15:21:40] ftp://1:1@xxx.137.254.53:2167/msgms.exe
    [2005-11-23T15:44:34] ftp://1:1@xxx.137.186.139:8424/msngersd.exe
    [2005-11-23T16:04:07] ftp://1:1@xxx.137.186.139:8424/msngersd.exe
    [2005-11-23T16:31:58] tftp://xxx.137.98.245/winsys.exe
    [2005-11-23T16:36:29] ftp://1:1@xxx.137.254.53:2167/msgms.exe
    [2005-11-23T17:12:27] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T17:15:48] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T17:25:04] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T17:46:16] ftp://1:1@xxx.137.254.53:46165/msgms.exe
    [2005-11-23T18:10:50] ftp://1:1@xxx.137.96.203:33241/sysin.pif
    [2005-11-23T18:14:18] tftp://xxx.137.98.245/winsys.exe
    [2005-11-23T18:20:52] tftp://0.0.0.0/winsys.exe
    [2005-11-23T19:06:55] tftp://0.0.0.0/winsys.exe
    [2005-11-23T19:09:59] tftp://0.0.0.0/winsys.exe
    [2005-11-23T19:27:49] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T19:37:40] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T19:44:04] ftp://1:1@xxx.137.254.53:7741/msgms.exe
    [2005-11-23T19:49:48] ftp://1:1@xxx.137.186.127:5367/msngersd.exe
    [2005-11-23T20:41:17] ftp://1:1@xxx.137.186.127:5367/msngersd.exe
    [2005-11-23T20:53:07] ftp://1:1@xxx.137.186.127:5367/msngersd.exe
    [2005-11-23T21:10:00] http://xxx.1.1.56:2241/x.exe
    [2005-11-23T21:15:28] ftp://1:1@xxx.137.81.14:8455/msgms.exe
    [2005-11-23T21:27:12] ftp://1:1@xxx.137.81.14:8455/msgms.exe
    [2005-11-23T21:28:26] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T21:52:42] ftp://1:1@xxx.137.186.139:16942/msngersd.exe
    [2005-11-23T22:17:21] ftp://1:1@xxx.137.254.53:7741/msgms.exe
    [2005-11-23T23:45:54] tftp://0.0.0.0/msni.exe
    [2005-11-24T01:15:45] http://xxx.168.1.75:956/x.exe
    [2005-11-24T04:00:39] creceive://xxx.161.215.99:41108
    [2005-11-24T04:01:09] creceive://xxx.161.215.99:55304
    [2005-11-24T05:15:51] csend://xxx.168.0.1:6560
    [2005-11-24T07:23:25] ftp://1:1@xxx.38.104.192:25593/taskmegr.exe
    [2005-11-24T07:26:37] ftp://1:1@xxx.137.186.127:16413/msngersd.exe
    [2005-11-24T07:38:44] ftp://1:1@xxx.137.186.139:28905/msngersd.exe
    [2005-11-24T07:38:49] ftp://1:1@xxx.137.186.139:28905/msngersd.exe
    [2005-11-24T08:32:45] ftp://1:1@xxx.137.186.146:3158/msngersd.exe
    [2005-11-24T09:12:07] ftp://1:1@0.0.0.0:32500/msngersd.exe
    [2005-11-24T09:51:39] csend://xxx.168.1.1:1326
    [2005-11-24T10:10:12] ftp://1:1@xxx.137.186.127:31836/msngersd.exe
    [2005-11-24T10:33:43] ftp://1:1@xxx.137.186.127:31836/msngersd.exe
    [2005-11-24T11:50:43] ftp://1:1@xxx.137.88.135:32055/msngersd.exe
    [2005-11-24T12:52:37] ftp://1:1@xxx.116.125.172:9606/servs.exe
    [2005-11-24T12:59:19] ftp://1:1@xxx.137.186.139:3594/msngersd.exe
    [2005-11-24T13:40:30] ftp://1:1@xxx.137.88.135:32055/msngersd.exe
    [2005-11-24T13:53:54] ftp://1:1@xxx.137.186.139:3594/msngersd.exe
    [2005-11-24T14:10:56] ftp://1:1@xxx.137.17.208:5879/msngersd.exe
    [2005-11-24T14:26:20] ftp://1:1@xxx.137.88.135:32055/msngersd.exe
    [2005-11-24T14:48:21] tftp://0.0.0.0/winsys.exe
    [2005-11-24T14:56:36] tftp://xx.107.66.166/msni.exe
    [2005-11-24T14:56:42] tftp://0.0.0.0/winsys.exe
    [2005-11-24T15:13:03] ftp://1:1@xxx.137.186.139:3594/msngersd.exe
    [2005-11-24T15:27:38] ftp://1:1@xxx.137.88.135:32055/msngersd.exe
    [2005-11-24T15:38:56] ftp://1:1@xxx.137.186.146:21955/msngersd.exe
    [2005-11-24T15:53:52] tftp://xxx.137.98.245/winsys.exe
    [2005-11-24T16:06:42] ftp://1:1@xxx.137.186.139:3594/msngersd.exe
    [2005-11-24T16:34:08] csend://xx.96.23.132:6698
    [2005-11-24T16:56:22] tftp://xxx.137.98.245/winsys.exe
    [2005-11-24T16:58:04] http://xxx.141.88.197:1157/x.exe
    [2005-11-24T17:13:03] ftp://1:1@xxx.137.186.139:3594/msngersd.exe
    [2005-11-24T17:26:58] tftp://xxx.137.98.245/winsys.exe
    [2005-11-24T17:56:47] ftp://1:1@xxx.137.96.203:19446/sysin.pif
    [2005-11-24T18:10:04] ftp://1:1@xxx.137.186.139:3594/msngersd.exe
    [2005-11-24T18:25:04] ftp://1:1@0.0.0.0:27426/msgms.exe
    [2005-11-24T18:42:57] ftp://1:1@xxx.172.246.123:25243/reg1x.exe
    [2005-11-24T18:55:20] ftp://1:1@xxx.137.96.203:26839/msngersd.exe
    [2005-11-24T19:55:38] creceive://xxx.137.75.152:12673
    [2005-11-24T19:56:01] creceive://xxx.137.75.152:28892
    [2005-11-24T20:18:17] ftp://1:1@xxx.137.186.139:6856/msngersd.exe
    [2005-11-24T20:23:05] ftp://1:1@xxx.137.186.139:6856/msngersd.exe
    [2005-11-24T20:50:15] ftp://1:1@xxx.137.186.146:19056/msngersd.exe
    [2005-11-24T20:52:09] ftp://1:1@xxx.137.186.146:19056/msngersd.exe
    [2005-11-24T20:53:30] creceive://xxx.137.75.152:1664
    [2005-11-24T20:53:54] creceive://xxx.137.75.152:21979
    [2005-11-24T21:03:18] ftp://1:1@xxx.116.116.105:31007/servs.exe
    [2005-11-24T21:27:03] ftp://1:1@0.0.0.0:6856/msngersd.exe
    [2005-11-24T21:50:14] ftp://1:1@0.0.0.0:32475/msngersd.exe
    [2005-11-24T22:08:50] http://xxx.254.175.86:5912/x.exe
    [2005-11-24T22:10:03] http://xxx.168.254.28:4153/x.exe
    [2005-11-24T22:15:10] http://xxx.254.147.209:7198/x.exe
    [2005-11-24T22:52:54] link://xxx.37.252.53:62280/+TDL9w==
    [2005-11-25T02:54:08] http://xxx.181.67.104:6833/x.exe
    [2005-11-25T05:02:47] http://xxx.226.76.42:1912/x.exe
    [2005-11-25T06:28:22] ftp://1:1@0.0.0.0:16043/servs.exe
    [2005-11-25T06:54:31] ftp://1:1@xxx.137.186.127:22027/msngersd.exe
    [2005-11-25T07:05:03] ftp://1:1@xxx.137.186.127:22027/msngersd.exe
    [2005-11-25T07:15:50] ftp://1:1@xxx.137.186.127:22027/msngersd.exe
    [2005-11-25T07:54:06] creceive://xxx.146.33.200:17553
    [2005-11-25T07:54:31] creceive://xxx.146.33.200:23792
    [2005-11-25T08:29:50] ftp://1:1@xxx.245.212.10:12837/MSAV32.exe
    [2005-11-25T08:36:41] ftp://1:1@xxx.137.98.241:25452/msngersd.exe
    [2005-11-25T08:45:35] ftp://1:1@xxx.137.98.241:25452/msngersd.exe
    [2005-11-25T09:26:59] ftp://1:1@xxx.137.81.14:8714/msgms.exe
    [2005-11-25T09:58:10] http://xxx.168.0.101:7801/x.exe
    [2005-11-25T10:26:19] ftp://1:1@xxx.137.254.53:59712/msgms.exe
    [2005-11-25T10:35:15] http://xx.10.6.26:4517/x.exe
    [2005-11-25T10:48:05] ftp://1:1@xxx.42.224.46:14648/msdevices.exe
    [2005-11-25T10:55:26] ftp://1:1@xxx.137.254.53:59712/msgms.exe
    [2005-11-25T11:40:36] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T11:46:18] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T11:47:36] ftp://1:1@xxx.224.173.125:30772/sysdriver.exe
    [2005-11-25T11:59:03] ftp://1:1@xxx.137.254.53:2841/msgms.exe
    [2005-11-25T11:59:27] csend://xxx.168.116.2:4268
    [2005-11-25T12:23:58] ftp://1:1@xxx.137.254.53:2841/msgms.exe
    [2005-11-25T12:35:52] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T13:17:04] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T13:28:41] ftp://1:1@0.0.0.0:2841/msgms.exe
    [2005-11-25T13:41:29] ftp://1:1@xxx.137.81.14:43237/msgms.exe
    [2005-11-25T13:41:56] ftp://1:1@xxx.137.81.14:22586/msngersd.exe
    [2005-11-25T13:49:00] ftp://1:1@xxx.19.157.94:8026/sysdriver.exe
    [2005-11-25T13:52:33] ftp://1:1@0.0.0.0:29288/msdevices.exe
    [2005-11-25T13:57:09] ftp://1:1@xxx.137.81.14:22586/msngersd.exe
    [2005-11-25T15:20:09] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T15:22:34] ftp://1:1@xxx.50.53.32:24771/msdevices.exe
    [2005-11-25T15:28:55] ftp://1:1@xxx.227.110.63:26661/msdevices.exe
    [2005-11-25T15:42:52] ftp://1:1@xxx.137.186.139:11932/msngersd.exe
    [2005-11-25T15:46:28] ftp://1:1@xxx.137.186.139:11932/msngersd.exe
    [2005-11-25T15:52:29] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T16:05:03] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T16:33:32] ftp://1:1@xxx.137.186.127:14338/msngersd.exe
    [2005-11-25T16:45:35] tftp://xxx.137.254.114/winsys.exe
    [2005-11-25T17:35:51] tftp://xxx.137.98.245/winsys.exe
    [2005-11-25T18:16:34] ftp://1:1@0.0.0.0:57656/msgms.exe
    [2005-11-25T18:18:03] creceive://xxx.34.229.120:38036
    [2005-11-25T18:18:03] creceive://xxx.34.229.120:31896
    [2005-11-25T18:18:30] creceive://xxx.34.229.120:40957
    [2005-11-25T18:18:30] creceive://xxx.34.229.120:20223
    [2005-11-25T18:23:20] http://xxx.168.1.100:4234/x.exe
    [2005-11-25T18:26:35] ftp://1:1@xxx.137.254.53:57656/msgms.exe
    [2005-11-25T18:29:28] tftp://xxx.137.254.114/winsys.exe
    [2005-11-25T18:37:00] ftp://1:1@xxx.69.132.130:24219/sysdriver.exe
    [2005-11-25T18:38:36] creceive://xxx.175.85.89:37057
    [2005-11-25T18:41:58] ftp://1:1@0.0.0.0:28086/msngersd.exe
    [2005-11-25T18:46:16] tftp://0.0.0.0/winsys.exe
    [2005-11-25T18:54:04] tftp://xxx.137.254.114/winsys.exe
    [2005-11-25T19:00:11] http://xxx.168.1.21:5548/x.exe
    [2005-11-25T19:04:50] ftp://1:1@xxx.137.254.53:57656/msgms.exe
    [2005-11-25T19:18:06] ftp://1:1@xxx.137.254.53:57656/msgms.exe
    [2005-11-25T19:20:52] ftp://1:1@0.0.0.0:28086/msngersd.exe
    [2005-11-25T19:21:47] ftp://1:1@xxx.137.81.14:43405/msgms.exe
    [2005-11-25T19:41:09] link://xxx.69.149.146:65185/w1F5Dg==
    [2005-11-25T19:49:59] tftp://xxx.137.254.114/winsys.exe
    [2005-11-25T20:18:17] ftp://1:1@xxx.137.254.53:57656/msgms.exe
    [2005-11-25T20:26:53] tftp://xxx.137.254.114/winsys.exe
    [2005-11-25T20:34:39] ftp://1:1@0.0.0.0:8640/taskmnegr.exe
    [2005-11-25T20:41:49] ftp://1:1@0.0.0.0:57656/msgms.exe
    [2005-11-25T20:52:10] ftp://1:1@xxx.137.81.14:15662/msgms.exe
    [2005-11-25T20:55:53] ftp://1:1@0.0.0.0:25953/msdevices.exe
    [2005-11-25T21:43:16] ftp://1:1@xxx.218.24.167:12332/servs.exe
    [2005-11-25T21:46:12] http://xxx.168.2.11:5516/x.exe
    [2005-11-25T23:18:23] http://xxx.10.6.26:4517/x.exe
    [2005-11-25T23:32:55] http://xxx.10.254.249:1943/x.exe
    [2005-11-26T00:21:25] ftp://1:1@xxx.63.42.112:7275/msdevices.exe
    [2005-11-26T00:29:39] http://xxx.168.116.2:3533/x.exe
    [2005-11-26T00:40:44] http://xxx.133.233.23:437/x.exe
    [2005-11-26T01:07:07] ftp://1:1@0.0.0.0:12282/sysdriver.exe
    [2005-11-26T03:47:53] ftp://1:1@xxx.168.0.154:8402/msdevices.exe
    [2005-11-26T04:17:12] http://xxx.254.29.162:2450/x.exe
    [2005-11-26T04:56:33] ftp://1:1@xxx.235.145.64:15488/sysdriver.exe
    [2005-11-26T05:08:35] ftp://1:1@xxx.38.207.25:10998/msdevices.exe
    [2005-11-26T05:17:18] http://xxx.254.87.42:2808/x.exe
    [2005-11-26T05:54:57] ftp://1:1@xxx.33.118.195:21917/sysdriver.exe
    [2005-11-26T06:33:14] ftp://1:1@xxx.243.186.155:15752/sysdriver.exe
    [2005-11-26T06:45:02] link://xxx.239.227.28:55987/lQMviA==
    [2005-11-26T07:32:47] ftp://1:1@xxx.22.237.166:15582/msdevices.exe
    [2005-11-26T08:34:37] ftp://1:1@xxx.137.254.53:62011/msgms.exe
    [2005-11-26T08:44:13] ftp://1:1@xxx.168.10.113:24539/sysdriver.exe
    [2005-11-26T08:55:42] ftp://1:1@xxx.137.254.53:62011/msgms.exe
    [2005-11-26T09:12:10] ftp://1:1@xxx.137.254.53:62011/msgms.exe
    [2005-11-26T10:50:28] ftp://1:1@0.0.0.0:10389/intel32.exe
    [2005-11-26T11:03:37] ftp://1:1@xxx.172.103.221:5964/intel32.exe
    [2005-11-26T11:19:40] ftp://1:1@xxx.137.81.14:23325/msgms.exe
    [2005-11-26T11:41:15] http://xxx.210.165.206:3654/x.exe
    [2005-11-26T11:46:48] tftp://0.0.0.0/msni.exe
    [2005-11-26T11:48:59] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T12:08:36] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T12:13:41] ftp://1:1@xxx.206.229.29:24493/intel32.exe
    [2005-11-26T12:45:18] tftp://xxx.142.40.191/msni.exe
    [2005-11-26T12:59:35] ftp://1:1@xxx.203.213.97:22868/intel32.exe
    [2005-11-26T13:09:19] ftp://1:1@xxx.56.224.53:30570/servs.exe
    [2005-11-26T13:10:12] creceive://xxx.162.60.220:7062
    [2005-11-26T13:10:43] creceive://xxx.162.60.220:36109
    [2005-11-26T13:17:15] ftp://1:1@xxx.211.8.47:2730/intel32.exe
    [2005-11-26T13:20:42] ftp://1:1@xxx.139.202.151:4027/intel32.exe
    [2005-11-26T13:32:02] ftp://1:1@0.0.0.0:22727/intel32.exe
    [2005-11-26T13:40:43] http://xxx.121.80.65:4380/x.exe
    [2005-11-26T14:05:41] http://xxx.16.16.11:6947/x.exe
    [2005-11-26T14:39:04] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T14:48:02] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T15:58:02] creceive://xxx.162.58.155:37044
    [2005-11-26T15:58:39] creceive://xxx.162.58.155:35143
    [2005-11-26T16:00:47] link://xxx.125.184.138:44528/m6t7GQ==
    [2005-11-26T16:05:25] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T16:15:49] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T16:29:45] ftp://1:1@xxx.251.144.239:12352/intel32.exe
    [2005-11-26T16:31:01] ftp://1:1@xxx.137.254.102:6027/msnwindows.exe
    [2005-11-26T16:37:34] ftp://1:1@xxx.82.176.132:7170/intel32.exe
    [2005-11-26T16:47:20] ftp://1:1@xxx.137.254.102:6027/msnwindows.exe
    [2005-11-26T16:47:41] ftp://1:1@xxx.137.254.126:12353/msnwindows.exe
    [2005-11-26T16:59:46] ftp://1:1@0.0.0.0:6027/msnwindows.exe
    [2005-11-26T17:07:59] ftp://1:1@0.0.0.0:6736/intel32.exe
    [2005-11-26T17:12:44] ftp://1:1@0.0.0.0:6027/msnwindows.exe
    [2005-11-26T17:23:06] http://xxx.168.1.101:1959/x.exe
    [2005-11-26T17:24:43] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T17:55:07] ftp://1:1@xxx.137.81.14:24791/servs.exe
    [2005-11-26T18:01:23] ftp://1:1@xxx.137.81.14:24791/servs.exe
    [2005-11-26T18:14:08] tftp://xxx.137.98.245/winsys.exe
    [2005-11-26T18:30:57] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T18:38:08] ftp://1:1@xxx.250.247.79:1506/intel32.exe
    [2005-11-26T18:40:00] tftp://xxx.137.98.245/winsys.exe
    [2005-11-26T18:54:24] http://xx.10.28.171:6115/x.exe
    [2005-11-26T19:29:01] tftp://xxx.137.254.114/winsys.exe
    [2005-11-26T19:59:04] tftp://xxx.137.254.114/winsys.exe
    [2005-11-26T20:07:05] ftp://1:1@xxx.137.81.14:10386/updt.pif
    [2005-11-26T21:02:52] tftp://0.0.0.0/winsys.exe
    [2005-11-26T21:05:16] ftp://1:1@xxx.125.1.106:21286/intel32.exe
    [2005-11-26T21:43:35] ftp://1:1@xxx.138.107.167:20120/intel32.exe
    [2005-11-26T21:47:12] http://xxx.168.1.131:1052/x.exe
    [2005-11-26T21:57:41] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-26T22:46:18] http://xxx.254.29.162:2450/x.exe
    [2005-11-26T23:04:08] ftp://1:1@xxx.56.94.45:21249/servs.exe
    [2005-11-26T23:21:35] ftp://1:1@xxx.137.254.53:29623/msgms.exe
    [2005-11-27T01:29:21] ftp://1:1@xxx.128.167.195:17006/pcxlscx.exe
    [2005-11-27T01:29:26] tftp://xxx.128.167.195/pcxlscx.exe
    [2005-11-27T01:31:21] http://xxx.254.29.162:2450/x.exe
    [2005-11-27T01:54:10] ftp://1:1@xxx.56.94.45:21249/servs.exe
    [2005-11-27T01:59:03] link://xxx.39.151.36:37637/WWFYcw==
    [2005-11-27T02:18:13] ftp://1:1@xxx.237.94.189:12282/sysdriver.exe
    [2005-11-27T02:41:37] ftp://1:1@xxx.55.94.155:32944/servs.exe
    [2005-11-27T04:11:58] link://xxx.98.204.174:63298/Pk8FpQ==
    [2005-11-27T04:22:13] link://xxx.85.202.12:27563/BGqNaA==
    [2005-11-27T07:00:44] http://xxx.197.198.47:4224/x.exe
    [2005-11-27T08:40:14] http://xxx.168.0.103:4926/x.exe
    [2005-11-27T09:14:03] http://xxx.168.1.100:3182/x.exe
    [2005-11-27T10:30:11] tftp://xxx.137.254.114/winsys.exe
    [2005-11-27T11:00:03] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T11:18:58] http://xxx.168.0.103:1127/x.exe
    [2005-11-27T11:37:18] tftp://0.0.0.0/winsys.exe
    [2005-11-27T11:56:41] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T12:35:11] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T12:38:24] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T12:56:37] tftp://0.0.0.0/winsys.exe
    [2005-11-27T13:01:58] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T13:07:36] tftp://0.0.0.0/winsys.exe
    [2005-11-27T13:23:41] ftp://1:1@xxx.46.249.251:32096/servs.exe
    [2005-11-27T13:39:17] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T13:41:33] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T13:59:53] http://xxx.254.244.255:6783/x.exe
    [2005-11-27T14:34:31] tftp://xxx.137.40.106/winsys.exe
    [2005-11-27T14:36:42] http://83.97.169.212:6110/x.exe
    [2005-11-27T14:40:55] tftp://xxx.137.254.114/winsys.exe
    [2005-11-27T15:34:09] ftp://1:1@0.0.0.0:15727/taskmnegr.exe
    [2005-11-27T15:45:28] ftp://1:1@xxx.38.113.74:14819/servs.exe
    [2005-11-27T15:53:37] tftp://xxx.38.171.109/msni.exe
    [2005-11-27T15:55:50] tftp://xxx.137.98.245/winsys.exe
    [2005-11-27T15:58:54] tftp://xxx.137.98.245/winsys.exe
    Here we can see the frequency at which an unpatched machine is successfully exploited together with the file names and protocols used to download the malware. Notice how we have been successfully exploited approximately 400-500 times in the space of just one week, or about once every 20 mins on average.

    Malware is automatically stored in a collection directory and saved using its md5 checksum value as the filename to prevent collection of multiple copies of the same file. Next I scanned the collected files for viruses using Kaspersky Antivirus (version 5). Here is a scan log of 30 unique files collected during the last week:

    Code:
    File name (md5sum)
    
    042774a2b7784ee0f7462e3ce721ec0f is infected with a virus Worm.Win32.Padobot.gen
    0ce902df00a2fa022b8a842761d0617e is a Trojan Backdoor.Win32.Rbot.aeu
    138ac96711f222f8a57a03866bb45f41 is infected with a virus Net-Worm.Win32.Padobot.m
    1aa37fa047998c842507f07715495062 is infected with a virus Net-Worm.Win32.Padobot.i
    26bb109a7053dc0f502f5fcf2b44c40e is a Trojan Backdoor.Win32.Rbot.gen
    32a0d7d0e06ece92f98c22954902d20d is infected with a virus Net-Worm.Win32.Padobot.e
    37de07cb866ecf433726e0bb90e57173 is infected with a virus Net-Worm.Win32.Padobot.h
    3ae357d17b1d2e0174bf477c28422c29 is infected with a virus Worm.Win32.Padobot.gen
    47105cabdee46d057ea068736de194da is a Trojan Backdoor.Win32.Rbot.aeu
    492957db81b3542d7a4261be05adcf3c is infected with a virus Worm.Win32.Padobot.gen
    75690fb6b0fe3d2ea7406b71bfb9321f is a Trojan Backdoor.Win32.Rbot.gen
    7ccc041582c7f41fbcd6e49cca5b3404 is infected with a virus Virus.Win32.Parite.a
    7d99b0e9108065ad5700a899a1fe3441 is infected with a virus Net-Worm.Win32.Padobot.m
    7f60162c2c0bd2cc7531e51328e98290 is infected with a virus Net-Worm.Win32.Padobot.n
    80e70f5b88f945ed4dbdbeeda3b50081 is a Trojan Backdoor.Win32.Rbot.gen
    94c00b7e5bc7acd621f902b332462232 is infected with a virus Net-Worm.Win32.Padobot.m
    986b59708d2ca33f4c1ad682a5d7a673 is infected with a virus Net-Worm.Win32.Padobot.h
    a0139d7ad8c6d91f13b21e85186331c1 is infected with a virus Net-Worm.Win32.Padobot.p
    a0625ea068200d706e4c83b7a47b04f2 is a Trojan Backdoor.Win32.Rbot.aeu
    af35b68f1e87b2ae99f6524be8ee4e12 is infected with a virus Worm.Win32.Padobot.gen
    b6a8262e99939c2d989c341f67bd2493 is a Trojan Backdoor.Win32.Rbot.adf
    bc3e2bb76dc8f3eeecea95eba7ac066f is infected with a virus Virus.Win32.Tenga.a
    c05385e6008590e20dd6c83773340175 is infected with a virus Worm.Win32.Padobot.gen
    c4a968fc54b4c7eb6b3fcd03fdeb3948 is infected with a virus Net-Worm.Win32.Padobot.m
    ca47a36342c23f5c291ae4fc6d4f6416 is infected with a virus Worm.Win32.Padobot.gen
    d42c1cc7c02828c4ca6065d2bce714c2 is infected with a virus Net-Worm.Win32.Padobot.g
    d6df3972a0ae1b094b434de0980e596c is infected with a virus Net-Worm.Win32.Padobot.k
    db98f3f4532a9e3a4e163ed474984e42 is infected with a virus Net-Worm.Win32.Vesser.a
    dd5a39c1281a7a7cb0a1978aa5412fd8 is a Trojan Backdoor.Win32.PoeBot.b
    ff8d2b14bef38e6af475c7d5daf99b58 is a Trojan Backdoor.Win32.Rbot.aeu
    
    We can see that we have quite a varied collection of the latest bots plus a few other worms and viruses.

    Of course all of the above malwares exploit known vulnerabilities. The frequency of attack is an indicator of the number of infected Windows machines out there and hence the number of unpatched Windows machines, as all of the above may be easily prevented on a fully patched machine. Further, a NAT router will block many of the ftp-based attacks and a stateful packet inspection (SPI) firewall would block the rest. These are, after all, unsolicited attacks.

    For those interested in further locking down a machine, we should note the extensive use of the tftp protocol for downloading malwares. For example, simply renaming or removing c:\windows\system32\tftp.exe will prevent its use in such activities and may be useful in blocking exploitation of newly discovered unpatched vulnerabilities (and when was the last time you legitimately used the tftp protocol anyway?).

    Hope you find this as interesting as I did,

    Ned
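As an added example (my code, not from the post or from the mwcollect/nepenthes projects), here is a small parser for download-log lines in the format shown in the post. It tallies protocol, file name and source host frequency, estimates the mean interval between hits (the post's "once every 20 mins" figure), and mirrors the md5-named collection directory the post describes. The line format and the sample lines are assumed from the post; the sample lines are constructed.

```python
"""Summarise nepenthes/mwcollect-style download logs and dedupe captured files.

Added example, not from the original post or either tool; the line format
"[YYYY-MM-DDTHH:MM:SS] scheme://[user:pass@]host[:port][/path]" is assumed
from the log shown in the post, and the sample lines are constructed.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\]\s+(?P<url>\S+)$"
)

# Constructed sample lines in the post's format (addresses masked as in the post).
SAMPLE_LOG = """\
[2005-11-21T12:33:41] tftp://0.0.0.0/winsys.exe
[2005-11-21T12:39:58] ftp://1:1@0.0.0.0:11703/msngersd.exe
[2005-11-21T13:00:38] ftp://1:1@xxx.137.186.127:30787/msngersd.exe
[2005-11-21T13:11:41] tftp://xxx.137.98.245/winsys.exe
[2005-11-21T13:30:54] http://xxx.32.115.128:1395/x.exe
[2005-11-21T13:52:57] csend://xxx.144.8.6:2284
[2005-11-21T14:12:36] creceive://xxx.87.161.103:38566
[2005-11-21T14:26:12] link://xxx.37.252.53:62280/+TDL9w==
this line is malformed and must be skipped rather than crash the parser
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m.group("url"))
        # csend/creceive lines carry no path in the log, so filename is None.
        filename = os.path.basename(url.path) or None
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "scheme": url.scheme,
            "host": url.hostname,
            "port": url.port,
            "filename": filename,
        })
    return events


def summarize(events):
    """Counts per protocol, file name and host, plus the hit rate over the span."""
    ts = sorted(e["ts"] for e in events)
    span_sec = (ts[-1] - ts[0]).total_seconds() if len(ts) > 1 else 0.0
    per_scheme = Counter(e["scheme"] for e in events)
    return {
        "count": len(events),
        "per_scheme": per_scheme,
        "per_file": Counter(e["filename"] for e in events if e["filename"]),
        "per_host": Counter(e["host"] for e in events),
        "span_minutes": span_sec / 60,
        # Mean gap between consecutive hits, i.e. the post's "once every N mins".
        "mean_interval_minutes": span_sec / 60 / (len(ts) - 1) if len(ts) > 1 else None,
        # Share of downloads over tftp, the protocol the post suggests disabling.
        "tftp_fraction": per_scheme["tftp"] / len(events) if events else 0.0,
    }


def store_sample(content, directory):
    """Save a captured binary under its md5 hex digest, as the post describes.

    Returns (path, True) for a newly stored file, (path, False) for a repeat.
    """
    path = os.path.join(directory, hashlib.md5(content).hexdigest())
    if os.path.exists(path):
        return path, False
    with open(path, "wb") as fh:
        fh.write(content)
    return path, True


def dedupe_demo():
    """Store the same constructed blob twice and a different one once."""
    directory = tempfile.mkdtemp()
    blob_a = b"MZ constructed sample A"
    blob_b = b"MZ constructed sample B"
    _, first = store_sample(blob_a, directory)
    _, second = store_sample(blob_a, directory)
    _, third = store_sample(blob_b, directory)
    return first, second, third, len(os.listdir(directory))


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key in ("count", "per_scheme", "per_file", "mean_interval_minutes", "tftp_fraction"):
        print(f"{key}: {summary[key]}")
    print("dedupe (new, repeat, new, files on disk):", dedupe_demo())
```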