Author: Lawrence Baldwin
Contributors: Philip Sloss
This case study of a recent intrusion I analyzed. Thought it would be helpful to document the tools and processes that were used to identify what was going on.
The first sign of trouble was detected by myNetWatchman (mNW) as a series of Netbios port probes:myNetWatchman Event data
I contacted the administrator of the source of these probes and we began to investigate. This particular host was a user desktop where the only services that were *supposed* to be running was Microsoft networking.
ftp> open 127.0.0.1 60000 Connected to 170.xxx.xxx.xxx 220-Serv-U FTP Server v3.0 for WinSock ready... 220- #Hiphop_hookup Ownz 220-Administrator: FaSt 220- 220-+++++++++++++++++++++++++++++++++++++++ 220- 220-(»`+._(The Local time is 17:07:18,)_.+¦») 220-(»`+._(13523 users have visited in the last 24 hours.)_.+¦») 220-(»`+._(This server has been running since)_.+¦») 220-(»`+._(2 Days, 21 Hours, 13 Mins, 47 Secs)_.+¦») 220- 220-+++++++++++++++++++++++++++++++++++++++ 220- 220-(»`+._(Ammout of Logins Since Server Started: 11804 total)_.+¦») 220-(»`+._(Logged in Users: 156)_.+¦») 220-(»`+._(Total Kb downloaded: 42709096 Kb)_.+¦») 220-(»`+._(Total Kb uploaded: 2030805 Kb)_.+¦») 220-(»`+._(Ammout of Files downloaded: 3601)_.+¦») 220-(»`+._(Ammout of Files uploaded: 206)_.+¦») 220-(»`+._(Average Speed: 179.522 Kb/sec)_.+¦») 220-(»`+._(Current Speed: 1089.505 Kb/sec)_.+¦») 220-(»`+._(Free Disk Space: 8444.47 KB)_.+¦») 220- 220 +++++++++++++++++++++++++++++++++++++++ User (107.xxx.xxx.xxx:(none)):
Yep, its an FTP server...namely Serv-U FTP.
Note: "Logged in Users" 156!
Note: "Total Kb downloaded" 42709096KB
Folks, that's 42 Gigabytes of downloads served by this host in less than three days. Do the math, that a full 1.5Mbps of bandwidth comsumed by this one host.
Let's dig deeper, find out where Serv-U is installed and exactly what it's serving up.
Looks like Serv-U FTP servers running here:
992 Explorer -> 43958 TCP c:\progra~1\Microsoft\Update\DLL\tk\Explorer.exe 992 Explorer -> 60000 TCP c:\progra~1\Microsoft\Update\DLL\tk\Explorer.exe
Something running here:
9496 scvhost -> 4297 TCP c:\progra~1\Microsoft\Update\DLL\tk\scvhost.exe
Reviewed the ServUDaemon.ini in the suspect directory:Serv-U FTP Init file
Serv-U home directory is here:HomeDir=c:\winnt\system32\microsoft\groups
: 5.9 GBs of pirated Games!
Ran strings against xscan.exe.
This identified the .exe as Xscan 1.3 from Xfocus.org, a Chinese security "research" group.
Xscan appears to be a pretty powerful multi-vulnerability scanner. It can test for varies Ftp, RPC, IIS vulnerabilities, as well as do brute force password cracking for FTP, Microsoft Networking, and more.
The username and password dictionary that was installed on this host looked like:
[ntuser.dic] admin administrator database guest root sql sqlagent wwwadmin [ntpass.dic] %username% %null% admin root 1 111 123 1234 12345 123456 654321 !@#$ asdf asdfgh !@#$% !@#$%^ !@#$%^& !@#$%^&* server passwd password %username%123 %username%!@#$
The sysadmin indicated that he recognized the username/password of this host in these dictionary files. This was both distressing, but also reassuring at the same time as we felt we had identified how the attacker got in.
Note: scvhost.exe vs. svchost.exe ... cute
Attempts to navigate to anything beyond the 'Update' directory fail with 'access denied' message (even though logged in as Administrator).
Run the 'cacls' utility to view Access control lists on the DLL directory: C:\Program Files\Microsoft\Update>cacls DLL DLL NT AUTHORITY\SYSTEM:F
Nice..don't even give Administrator access...only the system-level account. Had to edit security permissions to grant access back to Administrator....that got us in.
Run 'strings' command on scvhost.exe yields:
iroffer v1.2b13 [November 10th, 2001] by PMG, Usage: %s -v (Display Version) %s -c (Generate Encrypted Password) %s
[...] (Normal Operation) %s -b [...] (Background Operation)
Conclusion: scvhost.exe is iroffer
From the iroffer website:
What is iroffer?
iroffer is a fileserver for irc (commonly referred to as a DCC bot). It uses the DCC feature of irc to send files to other users. iroffer will connect to an irc server and let people request files from it. Unlike similar programs, iroffer is not a script, it is a standalone executable written entirely in c from scratch with high transfer speed and effeciency in mind. iroffer has been known to reach 2MByte/sec or higher bandwidth usage when multiple transfers are occuring at the same time.
Iroffer is used to remotely distribute content to this host using IRC DCC.
Noticed a scvhost.bat file in the same directory which contained:
Thus windows.dll is the init file for iroffer.
Contents of windows.dll file is here.
Iroffer is setup to connect to:
and connect to channel: #FaSt-BoTs
Using IRC client, connected to server and control channel.
Ran Iroffer command to get a list of other hosts connected to same channel.
See output of 'XDCC LIST' here.
This compromise was interesting in that none of the tools utilized were overtly hostile (e.g. Xscan, Iroffer, Serv-U FTP), however, when packaged together essentially enables an attacker to construct a high speed, public, distribution network (aka 'Pubstro').
This is a great example of where anti-virus scanners are completely useless...there's no hostile code to match against.