Trojan deleted, attack continues? - Newbie

Discussion in 'Trojan Defence Suite' started by optigrab, Sep 11, 2003.

Thread Status:
Not open for further replies.
  1. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Howdy - my apologies in advance for my ignorance of TDS 's functions.

    I've been having trouble the last couple of days with system.exe continually trying to connect to IANA, as logged by my firewall. The folks over at the firewall's forum helped eliminate a lot of possibilities, then suggested that I might have a Trojan attempting to execute a DoS attack from my machine. What a great time to evaluate TDS-3!

    Almost immediately, TDS identified one item:
    DDoS.RAT.SDBot in C:\WINNT\System32\STDE9.exe

    Being an extreme newbie, I did the intuitive thing, right-clicked on the item at the bottom of the TDS panel, and chose "Delete".

    Then I ran a Full scan again - no alarms this time. Then I manually updated the radius database :p

    Here's the problem (assuming I did not create more problems in my haste): the connection attempts are still occurring (one every minute or so). Another "quick scan" and "process memory scan" showed nothing - but I see there are other scans that can be performed.

    I would greatly appreciate any help that can be offered.

    Thanks
    Optigrab
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    A good time to look at Port Explorer too, which will show you exactly WHAT is making those connections

    From the TDS Process List, please kill that system.exe process immediately, to me it sounds like a GT Bot - mIRC based trojan which is script based. These are tricky to detect sometimes, but the major culprit is the EXE file, probably that system.exe. It will be listening on port 113 and connected to an IRC server, probably on port 6667 (remote)

    Please send a copy of that file to gavin@diamondcs.com.au and I'll let you know anything more I can after seeing it :)
     
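    Gavin's GT Bot heuristic above (a process that listens on TCP 113 for identd and at the same time holds a connection out to an IRC server, typically port 6667) can be checked from the socket table without any special tooling. The script below is an added example and is not code from the original thread or from DiamondCS: it parses `netstat -ano`-style output (the sample is constructed; PID 4242 and the addresses are made up to show the pattern) and flags any PID that shows both halves of the pattern. The IRC port set and the identd port are assumptions chosen to match the post, not a definitive list.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output on a Windows 2000/XP host.
# PID 4242 and all addresses are invented to illustrate the GT Bot pattern
# Gavin describes; nothing here is from the original poster's machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       4242
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       8
  TCP    192.168.1.20:1054      192.0.2.10:6667        ESTABLISHED     4242
  TCP    192.168.1.20:1061      198.51.100.7:80        ESTABLISHED     1532
  UDP    0.0.0.0:68             *:*                                    8
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}  # common IRC daemon ports (assumption)
IDENT_PORT = 113                              # identd, which IRC bots often serve


def split_endpoint(endpoint):
    """Turn 'host:port' into (host, port); a '*' port becomes None."""
    host, port = endpoint.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano` output.

    TCP rows carry five columns (proto, local, remote, state, pid); UDP rows
    carry four because UDP has no state column.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the header line
        lhost, lport = split_endpoint(parts[1])
        rhost, rport = split_endpoint(parts[2])
        state = parts[3] if len(parts) == 5 else ""
        rows.append({
            "proto": parts[0],
            "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport,
            "state": state,
            "pid": int(parts[-1]),
        })
    return rows


def find_irc_bot_candidates(rows):
    """Map PID -> sorted IRC peers for every PID that both listens on TCP 113
    and has an ESTABLISHED TCP session to a remote IRC port.

    Either half on its own is weak evidence (a real identd, or a user's IRC
    client); the combination in one process is what Gavin's post points at.
    """
    listens_ident = set()
    irc_peers = defaultdict(set)
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["lport"] == IDENT_PORT:
            listens_ident.add(r["pid"])
        elif r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            irc_peers[r["pid"]].add(f'{r["rhost"]}:{r["rport"]}')
    return {pid: sorted(irc_peers[pid]) for pid in listens_ident if pid in irc_peers}


if __name__ == "__main__":
    # In the thread the poster saw only PID 0 and PID 8, which are the
    # kernel's own processes; a user-mode bot would show up with its own PID.
    hits = find_irc_bot_candidates(parse_netstat(SAMPLE_NETSTAT))
    for pid, peers in hits.items():
        print(f"PID {pid}: listens on 113 and talks IRC to {', '.join(peers)}")
```

On a live host replace `SAMPLE_NETSTAT` with the captured output of `netstat -ano`, then map each flagged PID to its image path with Task Manager or Port Explorer before killing it; PIDs 0 and 8 in the sample belong to the kernel and are never flagged because they hold no IRC session.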
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Optigrab, and welcome,
    not a nice situation yet.
    In the system analyses > processlist, do you see suspicious processes which need killing?
    Same area > Autostart explorer, suspicious registry keys which need deletion?
    Under the other tabs, in the system files and windows startup links, anything else?

    If you're on XP, is it an option for you to go back to a former system restore -- disable system restore -- reboot -- enable system restore if you're clean (you might like to scan first) and make manually a new system restore point?

    And i think of using Port Explorer to look at and kill suspicious connections.

    *Edited; hi Gavin, had not seen you posting in the meantime :) *
     
  4. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thank you very much for the kind replies Gavin & Jooske, but I don't believe I've made any progress yet. I will be calling it quits for the evening at any moment, but I thought a few screenshots would help...
    (1) "Caught in the act"
     

  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I would really like you to get Port Explorer
    www.diamondcs.com.au/portexplorer free evaluation version, reboot after install and when the process comes back add the PID to the socket spy list and look at the data packets, and which program files have to do with it; you can disable all traffic and kill the connection/process itself; you might like to look in today's new version at more specific info about the process and specialties.
    There simply must be more which made it restart again.

    I don't see it in the screenshots yet, except for the one your firewall caught and i wonder about a few things more, investigating first.
    In the autostart explorer, is there nothing suspicious in the startup folders tab?

    Hope you located and sent the system.exe file (zipped if possible please) to gavin, which might unveil some actions and other files belonging to the nasty which Gavin will tell you asap.

    Once at the DCS site anyway, also get the Autostartviewer (free tools)
    Check all options and save the log as a txt which you can post to see if there are illegal things starting.
     
  6. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Hi Jooske

    Installed portexplorer; I couldn't identify anything obvious. Saw two processes called system, PID 0 and PID 8. PID 0 couldn't be added to the socket spy, PID 8 could, but again no suspicious activity as far as I could tell.

    As far as system.exe, windows explorer can't find any file. See attached screen shot

    Regards
     

  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi optigrab

    In regards to your earlier screenshot "caughtintheact", that is nothing to worry about. Just a blocked inbound DHCP broadcast.

    Regards,

    CrazyM
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Optigrab, Looking at your first screenshot from outpost - Isn't the 10.***.**.*** IP address a local address i.e not routable over the Internet or have I missed something? :D
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    A *SYSTEM 0 is a socket. It should be part of an application which system.exe should be if that is the one.
    If you see it in the TDS scan alerts, you can rightclick and look where it is in the full path info. Then you just press submit and it is sent to the TDS lab.
    Make sure all hidden files are shown too in windows.
    If there is any kind of connection to the outside world, somehow it must be possible to get info about it, what it is, whois connected, ports, etc.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Pilli

    With some ISP's, in particular cable from posts I have seen, it is not unusual to see a private IP associated with DHCP broadcasts on their network.

    Regards,

    CrazyM
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    CrazyM, Thanks for the clarification I think :doubt:
     
  12. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thanks for the input Jooske, CrazyM, and Pilli

    CrazyM: I have trouble discerning "inbound" vs "outbound" attempts reading my firewall's log, however I've assumed they're outgoing (?).

    Here is another screenshot that leads me to believe this is not normal. Note that the attempts appear in the "Allowed" log when I check the "Allow outgoing DHCP" rule, but appear in the "Blocked" log when the rule is unchecked.

    BTW, I'm on a cable modem, Win2k. There's not much more info I can send until after work (d'oh!).

    P.S., I hope to get this all sorted out, hopefully with the kind assistance of the members of this board. I'm willing to learn and be patient. But I have to ask, what are the odds that something like this can't be sorted out short of reformatting? Good, bad, fair?

    Regards,
    Optigrab
     

    Attached Files: pic2.jpg (93.5 KB)
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Interesting, I googled this link about bootps:
    http://lists.jammed.com/vuln-dev/2001/05/0071.html - I am still none the wiser :oops:
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The first screenshot "caughtintheact" showed a blocked inbound.

    That allowed DHCP traffic in your last screenshot, while a lot, appears normal. Any idea what happened at 9:29:40 pm? It appears you lost your IP and you can see your system going through the process of getting a new one.

    That would make sense if checked = rule enabled, unchecked = rule disabled. You will need to leave your DHCP rule enabled, without it you will lose your IP (and why you would see the attempts to get one in the blocked log).

    Regards,

    CrazyM
     
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    "The Bootstrap Protocol (BOOTP) [RFC951] describes an IP/UDP bootstrap protocol (BOOTP) which allows a diskless client machine to discover its own IP address, the address of a server host, and the name of a file to be loaded into memory and executed. The Dynamic Host Configuration Protocol (DHCP) [RFC1531] provides a framework for automatic configuration of IP hosts." from iana.org

    With Bootp/DHCP traffic you will usually see:
    Bootps -> Bootstrap Protocol Server (port 67)
    Bootpc -> Bootstrap Protocol Client (port 68)

    Is that what you were after?

    Regards,

    CrazyM
     
  16. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Hi CrazyM

    I assumed it was not normal because (1) Every minute seems excessive to a newbie (me). (2) When "allowed" over extended periods (twice, recently), the firewall twice nearly locked up; I presumed :p because of all the logging o_O - anyway, that's what you see... the firewall stopped logging at 3pm (PC unattended) until I shut down the firewall and rebooted at 9:29pm. (3) The folks at the firewall forum seemed to think it was not normal.

    That said, I'd be pleased if it turned out I had nothing to worry about.

    Still seeking advice,
    Optigrab
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Cheers CrazyM
     
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi optigrab

    I took a quick look at the post in the other forum. From your screenshot of ipconfig your lease time is 24hrs for your public IP. So you might reasonably expect to see lease renewal attempts (DHCP traffic) after 12hrs. This renewal of your public IP may be handled by your cable modem as those public IP's are not showing in the logs you have posted here.

    What is showing in your logs/screenshots posted here involves an IP in a private range, 10.46.64.1, which I suspect has something to do with your cable provider.

    Perhaps you should give your ISP tech support a call. See how this private range is used within their network, how it relates to your cable modem, what traffic would there be between your modem and system, and what may account for this traffic. This could be normal or could be a problem with something like your cable modem.

    You mention having to shut down the firewall and reboot. Why?

    Regards,

    CrazyM
     
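    CrazyM's two points above, the bootps/bootpc port pairing (server 67, client 68) in post 15 and the lease-time reasoning in post 18 (a 24-hour lease means the client itself would only go looking for a renewal after about 12 hours), together answer optigrab's "inbound vs outbound" question: the direction of a DHCP packet is readable from its ports, and a once-a-minute rate cannot be the client's own lease renewal. The script below is an added example, not code from the thread or from any firewall vendor. It parses firewall log lines in a generic `time,proto,src,dst,verdict` shape (a constructed sample; the real Outpost export format is not assumed, and every address except 10.46.64.1 is invented), labels each line by DHCP direction, checks whether the DHCP peer is in a private range, and compares the observed spacing of inbound DHCP packets against the RFC 2131 default renewal timer T1 (50% of the lease). The "1% of T1" threshold for calling the rate unexplained is an assumption of this example.

```python
import ipaddress
from datetime import datetime
from statistics import median

BOOTPS, BOOTPC = 67, 68  # DHCP/BOOTP server and client ports, as listed in the thread

# Constructed log lines in a generic "time,proto,src,dst,verdict" shape.
# Only 10.46.64.1 comes from the thread; the other addresses are made up.
SAMPLE_LOG = """\
2003-09-11 21:29:40,UDP,0.0.0.0:68,255.255.255.255:67,ALLOWED
2003-09-11 21:29:41,UDP,10.46.64.1:67,255.255.255.255:68,ALLOWED
2003-09-11 21:30:41,UDP,10.46.64.1:67,255.255.255.255:68,ALLOWED
2003-09-11 21:31:41,UDP,10.46.64.1:67,255.255.255.255:68,ALLOWED
2003-09-11 21:32:41,UDP,10.46.64.1:67,255.255.255.255:68,ALLOWED
2003-09-11 21:33:02,TCP,192.0.2.55:1054,198.51.100.7:80,ALLOWED
"""

# Assumed heuristic: if inbound DHCP packets arrive more often than 1% of T1,
# the client's own lease renewal cannot be what is generating them.
RATE_FRACTION_OF_T1 = 0.01


def parse_line(line):
    """Split one log line into a dict with ints for ports and a datetime."""
    ts, proto, src, dst, verdict = line.strip().split(",")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "proto": proto,
        "sip": sip, "sport": int(sport),
        "dip": dip, "dport": int(dport),
        "verdict": verdict,
    }


def classify(rec):
    """Label a record by the DHCP role its ports imply.

    Source port 67 -> destination 68 is a server talking to a client, so from
    the client's point of view it is INBOUND (OFFER/ACK/NAK). Source 68 ->
    destination 67 is the client's own DISCOVER/REQUEST, i.e. OUTBOUND.
    """
    if rec["proto"] != "UDP":
        return "other"
    if rec["sport"] == BOOTPS and rec["dport"] == BOOTPC:
        return "dhcp_inbound"
    if rec["sport"] == BOOTPC and rec["dport"] == BOOTPS:
        return "dhcp_outbound"
    return "other"


def renewal_times(lease_seconds):
    """RFC 2131 default timers: T1 (renew) at 50% and T2 (rebind) at 87.5% of the lease."""
    return lease_seconds * 0.5, lease_seconds * 0.875


def triage(log_text, lease_seconds):
    """Summarise inbound DHCP traffic and say whether lease renewal explains its rate."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    inbound = [r for r in recs if classify(r) == "dhcp_inbound"]
    peers = sorted({r["sip"] for r in inbound})
    private_peers = [p for p in peers if ipaddress.ip_address(p).is_private]
    times = sorted(r["time"] for r in inbound)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    t1, _ = renewal_times(lease_seconds)
    med = median(gaps) if gaps else None
    return {
        "inbound_dhcp": len(inbound),
        "outbound_dhcp": sum(1 for r in recs if classify(r) == "dhcp_outbound"),
        "peers": peers,
        "private_peers": private_peers,
        "median_gap_s": med,
        "expected_client_renew_s": t1,
        # True when the packets come far too often to be our own renewals,
        # which is the point at which asking the ISP about the peer makes sense.
        "anomalous_rate": med is not None and med < t1 * RATE_FRACTION_OF_T1,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, lease_seconds=24 * 3600)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real export, the interesting output is `private_peers` (a 10.x.x.x server answering from inside the ISP's network, as CrazyM suspects) together with `anomalous_rate`: a True there with no matching `dhcp_outbound` bursts means the host is receiving DHCP traffic it did not ask for, which is a question for the ISP or the cable modem rather than a sign of an outbound bot.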
  19. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Hi CrazyM

    Will contact my ISP, and will report back here in either case.

    And thanks again to you, CrazyM, et al -- These forums are really great because of the opportunity to learn and because there are really some awfully nice folks.

    Regards

    Optigrab :D
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just for the record, there is no system.exe - SYSTEM is the OS itself and is NOT a file. If it was, it would be Kernel32.dll and others :)
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's why i thought when it was named it was a trojan by that name. Not any doubt, not a single moment, so a positive id of that would have been logical and have triggered the "send to Gavin" button immediately.
     
  22. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Hello CrazyM, Jooske, Gavin, et al:

    I have determined that the connections are INCOMING.

    I must now squeeze a response out of my Cable ISP (New York City RoadRunner) as to why 10.46.64.1 must connect every minute. I suspect it is handling IP leasing/renewal in lieu of the ISP's DHCP server - but the frequency of the connections seems absurd.

    I am relieved that my machine appears to be clean according to TDS and NOD32. Thanks to TDS-3 for detecting DDoS.RAT.SDBot - it seems that that particular infection is unrelated to the connection attempts that have been troubling me.

    Many, many thanks. :D
     