Robert Hensing's Blog

Software Security . . . and stuff.


WOLF sizes up the MySQL bot / worm / spreader thing . . . a live system perspective


So it seems that there is a new MySQL bot that is spreading to Windows machines running MySQL with weak SA (or whatever MySQL's equivalent is) passwords.

You can read more about it here: http://news.zdnet.com/2100-1009_22-5553570.html and here: http://isc.sans.org//diary.php?date=2005-01-27

This is all great information on how the bot gets on the system - but let's have a look at what it does once it's on the system through the eyes of WOLF. :)
I got this data from a customer who was running MySQL on an XP SP2 machine.  They had configured the XP SP2 firewall with an exception to allow the MySQL service (among others) to receive packets from all networks.


I didn't really have any leads when I started looking at the .CAB file, so I checked for the presence of any new or suspicious services that had been installed, and I found some:

Copied from Services:

Event Monitor  -  [stopped]
    Disabled
    LocalSystem
    "C:\WINDOWS\system32\spoolcll.exe" -netsvcs
   

Copied from Services:

rpcservice  -  [running]
    Automatic
    LocalSystem
    C:\WINDOWS\system32\rpccontrol.exe
    rpccontrol service


Next I get the MAC times for 'spoolcll.exe':

Copied from: Search Results for: spoolcll
==========================
Files containing instances of 'spoolcll'

Number of Files Searched: 10
Time to Search Files: 11 seconds

dir_creation_time_C_drive.txt
====================
    Directory of c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4TCVEXMH
         01/26/2005  08:57a             166,912 spoolc~1.exe    spoolcll[1].exe

    Directory of c:\WINDOWS\Prefetch
         01/26/2005  01:56p               9,110 spoolc~1.pf     spoolcll.exe-06e977be.pf

    Directory of c:\WINDOWS\system32
         01/26/2005  08:57a             166,912                 spoolcll.exe


dir_last_access_time_C_drive.txt
====================
    Directory of c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4TCVEXMH
         01/26/2005  03:50p             166,912 spoolc~1.exe    spoolcll[1].exe

    Directory of c:\WINDOWS\Prefetch
         01/26/2005  04:43p               9,110 spoolc~1.pf     spoolcll.exe-06e977be.pf

    Directory of c:\WINDOWS\system32
         01/26/2005  04:33p             166,912                 spoolcll.exe


dir_last_write_time_C_drive.txt
====================
    Directory of c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4TCVEXMH
         01/26/2005  08:57a             166,912 spoolc~1.exe    spoolcll[1].exe

    Directory of c:\WINDOWS\Prefetch
         01/26/2005  01:56p               9,110 spoolc~1.pf     spoolcll.exe-06e977be.pf

    Directory of c:\WINDOWS\system32
         01/26/2005  08:57a             166,912                 spoolcll.exe

We have all kinds of useful information from this search.

  1. We know approximately when this file was dropped (~9am yesterday), so we can start looking for other files dropped around the same time.
  2. It appears the file was dropped into the TIF (Temporary Internet Files) folder of the 'LocalService' user account (a built-in low-privilege account).
  3. The files were then probably copied to SYSTEM32, run later after a reboot, and cached via the Prefetch directory.


Next I get the MAC times for 'rpccontrol.exe':

Copied from: Search Results for: rpccontrol
==========================
Files containing instances of 'rpccontrol'

Number of Files Searched: 10
Time to Search Files: 4 seconds

dir_creation_time_C_drive.txt
====================
    Directory of c:\WINDOWS\Prefetch
         01/26/2005  02:11p               8,306 rpccon~1.pf     rpccontrol.exe-348acdff.pf

    Directory of c:\WINDOWS\system32
         01/26/2005  09:01a             574,976 rpccon~1.exe    rpccontrol.exe


dir_last_access_time_C_drive.txt
====================
    Directory of c:\WINDOWS\Prefetch
         01/26/2005  04:43p               8,306 rpccon~1.pf     rpccontrol.exe-348acdff.pf

    Directory of c:\WINDOWS\system32
         01/26/2005  04:49p             574,976 rpccon~1.exe    rpccontrol.exe


dir_last_write_time_C_drive.txt
====================
    Directory of c:\WINDOWS\Prefetch
         01/26/2005  02:11p               8,306 rpccon~1.pf     rpccontrol.exe-348acdff.pf

    Directory of c:\WINDOWS\system32
         09/10/2004  08:00p             574,976 rpccon~1.exe    rpccontrol.exe

Wow - same deal, dropped in the TIF and then copied to SYSTEM32 at the same time (roughly).


Now that I have a date/time I'm interested in, let's go to Date View for the gory details.

Copied from: Date View
==========================
2005-01-26   08:57:00   | dir_creation_time_C_drive.txt   |   c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4TCVEXMH -  166,912 spoolc~1.exe    spoolcll[1].exe
2005-01-26   08:57:00   | dir_creation_time_C_drive.txt   |   c:\mysql-4.1.8-win\data\mysql -  45,056 app_re~1.dll    app_result.dll
2005-01-26   08:57:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  166,912                 spoolcll.exe
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4TCVEXMH -  166,912 spoolc~1.exe    spoolcll[1].exe
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\mysql-4.1.8-win\data -  <DIR>                          mysql
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\mysql-4.1.8-win\data\mysql -  <DIR>                          .
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\mysql-4.1.8-win\data\mysql -  <DIR>                          ..
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\mysql-4.1.8-win\data\mysql -  45,056 app_re~1.dll    app_result.dll
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\mysql-4.1.8-win\data\mysql -  579                 func.myd
2005-01-26   08:57:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32 -  166,912                 spoolcll.exe
2005-01-26   08:57:32   | system_eventlog.txt   |    0 7035 Service Control Manager NT AUTHORITY\SYSTEM  SYSTEM The Event Monitor service was successfully sent a start control. 
2005-01-26   08:57:32   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The Event Monitor service entered the running state. 
2005-01-26   08:57:55   | system_eventlog.txt   |    0 4226 Tcpip N/A SYSTEM  
2005-01-26   08:59:00   | dir_creation_time_C_drive.txt   |   c:\Documents and Settings\USER\Local Settings\History\History.IE5\MSHist012005012620050127 -  49,152                 index.dat
2005-01-26   08:59:14   | application_eventlog.txt   |    1 101 ESENT N/A SYSTEM wuauclt (1380) The database engine stopped. 
2005-01-26   08:59:14   | application_eventlog.txt   |    1 103 ESENT N/A SYSTEM wuaueng.dll (1380) SUS20ClientDataStore: The database engine stopped the instance (0). 
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP348 -  1,444                 a0088629.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP348 -  1,444                 a0088640.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP348 -  1,459                 a0089642.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP349 -  1,444                 a0089651.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP349 -  1,459                 a0089648.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  <DIR>                          recycler
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  1,323                 mw.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  1,459                 rpc.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  153                 auto.bat
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  242                 mc.dll
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32 -  574,976 rpccon~1.exe    rpccontrol.exe
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler -  <DIR>                          .
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler -  <DIR>                          ..
2005-01-26   09:01:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\Temp -  628,007                 extra.exe
2005-01-26   09:01:00   | dir_creation_time_X_drive.txt   |   x:\Temp -  <DIR>                          cygwin
2005-01-26   09:01:00   | dir_creation_time_X_drive.txt   |   x:\Temp\cygwin -  <DIR>                          .
2005-01-26   09:01:00   | dir_creation_time_X_drive.txt   |   x:\Temp\cygwin -  <DIR>                          ..
2005-01-26   09:01:00   | dir_hidden_files_C_drive.txt   |   c:\WINDOWS\system32\recycler -  <DIR>                          dmp
2005-01-26   09:01:00   | dir_hidden_files_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>                          .
2005-01-26   09:01:00   | dir_hidden_files_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>                          ..
2005-01-26   09:01:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32 -  <DIR>                          recycler
2005-01-26   09:01:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler -  <DIR>                          .
2005-01-26   09:01:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler -  <DIR>                          ..
2005-01-26   09:01:00   | dir_last_write_time_X_drive.txt   |   x:\ -  <DIR>                          temp
2005-01-26   09:01:00   | dir_last_write_time_X_drive.txt   |   x:\Temp -  <DIR>                          .
2005-01-26   09:01:00   | dir_last_write_time_X_drive.txt   |   x:\Temp -  <DIR>                          ..
2005-01-26   09:01:28   | system_eventlog.txt   |    0 7035 Service Control Manager NT AUTHORITY\SYSTEM  SYSTEM The rpcservice service was successfully sent a start control. 
2005-01-26   09:01:28   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The rpcservice service entered the running state. 

Okay we have lots of data to digest here.
First we see the DLL discussed in the SANS article linked to above - this is the initial piece of malware dropped on the box.  It is actually a downloader that, when loaded inside a host process (or maybe run with rundll32.exe), uses WinINet APIs to download the other files to the TIF and then run them.  How do I know this?  I got a copy from the customer and ran strings against it - it's not packed with anything so you are able to see a lot.

So now the picture is becoming clear - a login to MySQL is performed by guessing a password, executable code is written to the database using that logon, then persisted to the file system in the form of a DLL and then loaded and executed (I'm not clear on how this last part works).

Once the DLL loads it uses WinINet APIs to download the other malware (the EXEs etc.) to the machine via either FTP or HTTP and then run them.  The entries I highlighted in red above pretty clearly show the EXEs getting downloaded to the box, copied to SYSTEM32 and then started as a service.  But what's that lone event ID (Tcpip 4226) I highlighted in blue above?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Tcpip&EvtID=4226&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2

Hooray for XP SP2's built-in rate limiting, which kicked in, presumably when this stuff started scanning!
The rate limiting built into XP SP2 has been the topic of much heated debate amongst security professionals, but it's real-world data like this, showing that it works against even new malware, that makes me favor it.  Sure, it can be subverted by skilled miscreants - but draw your own conclusions based on this evidence.

At this point, after a while, the user of the machine started to get suspicious that something was up (perhaps network performance was sluggish) and started rebooting and installing things like Microsoft Antispyware . . . here's the next cluster of 'interesting' data:


It's really hard to write solid code - the miscreants are not the best coders either - here's proof:

Copied from: Date View
==========================
2005-01-26   13:56:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  17,284 taskmg~1.pf     taskmgr.exe-20256c55.pf
2005-01-26   13:56:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  9,110 spoolc~1.pf     spoolcll.exe-06e977be.pf
2005-01-26   13:56:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  9,110 spoolc~1.pf     spoolcll.exe-06e977be.pf
2005-01-26   13:56:12   | system_eventlog.txt   |    0 4202 Tcpip N/A SYSTEM  HP WLAN 802.11a/b/g W500 - Packet Scheduler Miniport 
2005-01-26   13:56:17   | system_eventlog.txt   |    0 32003 ipnathlp N/A SYSTEM The Network Address Translator (NAT) was unable to request an operation  of the kernel-mode translation module.  This may indicate misconfiguration, insufficient resources, or  an internal error.  The data is the error code. 
2005-01-26   13:56:26   | system_eventlog.txt   |    0 7031 Service Control Manager N/A SYSTEM The Event Monitor service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1 milliseconds: Restart the service. 
2005-01-26   13:56:28   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The Event Monitor service entered the running state. 
2005-01-26   13:56:43   | system_eventlog.txt   |    0 7031 Service Control Manager N/A SYSTEM The Event Monitor service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 1 milliseconds: Restart the service. 
2005-01-26   13:56:45   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The Event Monitor service entered the running state. 
2005-01-26   13:56:48   | system_eventlog.txt   |    0 7031 Service Control Manager N/A SYSTEM The Event Monitor service terminated unexpectedly.  It has done this 3 time(s).  The following corrective action will be taken in 1 milliseconds: Restart the service. 
2005-01-26   13:56:51   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The Event Monitor service entered the running state. 

Sadly the miscreants have set the service to restart automatically so it keeps on trucking.
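The reasoning in the numbered points earlier (pin down the drop time, then look for other files and service starts around it) and the restart loop just shown can both be checked mechanically. The script below is an added example, not code from the post or from WOLF: it parses a constructed `dir /tc /x`-style creation-time listing and constructed WOLF Date View event lines (paths, names and times taken from the post), lists the files created within a short window before each service start (event 7035), and flags services that keep terminating unexpectedly (event 7031). The 8.3 short-name rule and the two-minute window are assumptions.

```python
"""Added example (not from the post or WOLF): correlate dir MAC times with SCM service events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
DIR_ENTRY = re.compile(  # date, time, size or <DIR>, optional 8.3 short name, long name
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}[ap])\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
EVENT_LINE = re.compile(  # WOLF Date View: date, time, source, index, event id, message
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+\|\s*(\S+)\s*\|\s*\d+\s+(\d+)\s+(.*)$")
SERVICE_MSG = re.compile(
    r"The (.+?) service (?:was successfully sent a start control|"
    r"entered the running state|terminated unexpectedly)")

# Constructed sample input in the shape of `dir /tc /x` output (paths and times from the post).
CREATION_LISTING = r"""
 Directory of c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4TCVEXMH
01/26/2005  08:57a             166,912 spoolc~1.exe    spoolcll[1].exe

 Directory of c:\mysql-4.1.8-win\data\mysql
01/26/2005  08:57a              45,056 app_re~1.dll    app_result.dll

 Directory of c:\WINDOWS\system32
01/26/2005  08:57a             166,912                 spoolcll.exe
01/26/2005  09:01a             574,976 rpccon~1.exe    rpccontrol.exe
01/26/2005  09:01a               <DIR>                 recycler

 Directory of c:\WINDOWS\Temp
01/26/2005  09:01a             628,007                 extra.exe
"""
# Constructed sample input in WOLF Date View shape (event text from the post, trimmed).
EVENTS = r"""
2005-01-26   08:57:32   | system_eventlog.txt   |    0 7035 Service Control Manager NT AUTHORITY\SYSTEM  SYSTEM The Event Monitor service was successfully sent a start control.
2005-01-26   08:57:32   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The Event Monitor service entered the running state.
2005-01-26   08:57:55   | system_eventlog.txt   |    0 4226 Tcpip N/A SYSTEM
2005-01-26   09:01:28   | system_eventlog.txt   |    0 7035 Service Control Manager NT AUTHORITY\SYSTEM  SYSTEM The rpcservice service was successfully sent a start control.
2005-01-26   13:56:26   | system_eventlog.txt   |    0 7031 Service Control Manager N/A SYSTEM The Event Monitor service terminated unexpectedly.  It has done this 1 time(s).
2005-01-26   13:56:28   | system_eventlog.txt   |    0 7036 Service Control Manager N/A SYSTEM The Event Monitor service entered the running state.
2005-01-26   13:56:43   | system_eventlog.txt   |    0 7031 Service Control Manager N/A SYSTEM The Event Monitor service terminated unexpectedly.  It has done this 2 time(s).
"""

def parse_dir_listing(text):
    """Return [(created_at, full_path)] for every file (not directory) in the listing."""
    files, current_dir = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        entry = DIR_ENTRY.match(line)
        if not entry or current_dir is None or entry.group(3) == "<DIR>":
            continue
        date, clock, _size, rest = entry.groups()
        tokens = rest.split(None, 1)  # assumption: a first token with '~' is the 8.3 short name
        name = tokens[1] if len(tokens) == 2 and "~" in tokens[0] else rest
        meridiem = "AM" if clock[-1] == "a" else "PM"
        when = datetime.strptime(f"{date} {clock[:-1]}{meridiem}", "%m/%d/%Y %I:%M%p")
        files.append((when, f"{current_dir}\\{name}"))
    return files

def parse_events(text):
    """Return [(when, event_id, service_name)] for Service Control Manager service events."""
    events = []
    for line in text.splitlines():
        m = EVENT_LINE.match(line)
        svc = SERVICE_MSG.search(m.group(5)) if m else None
        if svc:
            when = datetime.fromisoformat(f"{m.group(1)} {m.group(2)}")
            events.append((when, int(m.group(4)), svc.group(1)))
    return events

def files_near_service_start(files, events, window_minutes=2):
    """Map each started service (event 7035) to files created within `window_minutes` before
    the start. `dir` times are minute-granular: a file listed at 08:57 may date from 08:57:59."""
    hits = defaultdict(list)
    for started, event_id, service in events:
        if event_id != 7035:
            continue
        earliest = started - timedelta(minutes=window_minutes)
        for created, path in sorted(files):
            if created <= started and created + timedelta(seconds=60) > earliest:
                hits[service].append(path)
    return dict(hits)

def restart_loops(events, min_crashes=2):
    """Services that terminated unexpectedly (7031) at least `min_crashes` times. With the
    SCM recovery action set to restart, each crash is followed by a 7036, so killing the
    process alone does not get rid of the service."""
    crashes = defaultdict(int)
    for _when, event_id, service in events:
        if event_id == 7031:
            crashes[service] += 1
    return {svc: n for svc, n in crashes.items() if n >= min_crashes}

if __name__ == "__main__":
    files, events = parse_dir_listing(CREATION_LISTING), parse_events(EVENTS)
    print(files_near_service_start(files, events))
    print(restart_loops(events))
```

On the sample data the Event Monitor start pulls in the two spoolcll.exe copies and app_result.dll, the rpcservice start pulls in rpccontrol.exe and extra.exe, and Event Monitor is reported as the service stuck in a crash/restart loop.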


Now the next cluster of events lets you know that this is not just a standard worm that spreads and does little else - this bot phoned home to someone, and that someone started preparing the server to host warez after getting the message:

Copied from: Date View
==========================
2005-01-26   14:11:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP349 -  18,108 change~1.1      change.log.1
2005-01-26   14:11:00   | dir_creation_time_C_drive.txt   |   c:\System Volume Information\_restore{A8F1E086-2979-49E7-8501-90915E0AFFC6}\RP349 -  46,822                 change.log
2005-01-26   14:11:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  10,146 attrib~1.pf     attrib.exe-39eafb02.pf
2005-01-26   14:11:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  17,818 extrae~1.pf     extra.exe-03550c8c.pf
2005-01-26   14:11:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  8,306 rpccon~1.pf     rpccontrol.exe-348acdff.pf
2005-01-26   14:11:00   | dir_last_write_time_C_drive.txt   |   c:\Program Files\Microsoft AntiSpyware -  1,716                 errors.log
2005-01-26   14:11:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  10,146 attrib~1.pf     attrib.exe-39eafb02.pf
2005-01-26   14:11:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  17,818 extrae~1.pf     extra.exe-03550c8c.pf
2005-01-26   14:11:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\Prefetch -  8,306 rpccon~1.pf     rpccontrol.exe-348acdff.pf
2005-01-26   14:11:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\Temp -  628,007                 extra.exe
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          00-_-_~1        00 -+-=o0o===========================================o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          01-_-_~1        01 -+-=o0o=-+-      a  n e g a t i v e  f i b e s  e l i t e  s t r o   -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          02-_-_~1        02 -+-=o0o===========================================o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          03-_-_~1        03 -+-=o0o=-+-                             g a m e s                             -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          04-_-_~1        04 -+-=o0o=-+-                          s o f t w a r e                          -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          05_-_o~1        05 +-=o0o=-+-                              m o v i e s                            -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          06-_-_~1        06 -+-=o0o=-+-                              m u s i c                              -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          07-_-_~1        07 -+-=o0o=-+-                           c o n s o l e                           -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          08-_-_~1        08 -+-=o0o==========================================o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          09-_-_~1        09 -+-=o0o=-+-          h a c k e d  b y  t u t t 3 f r u t        -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          10-_-_~1        10 -+-=o0o=-+-            f i l l e d  b y  t u t t 3 f r u t        -- -+-=o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          11-_-_~1        11 -+-=o0o==========================================o0o=-+-
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\00 -+-=o0o===========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\00 -+-=o0o===========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\01 -+-=o0o=-+-      A  N e g a t i v e  F i b e s  E l i t e  S t r o   -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\01 -+-=o0o=-+-      A  N e g a t i v e  F i b e s  E l i t e  S t r o   -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\02 -+-=o0o===========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\02 -+-=o0o===========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\03 -+-=o0o=-+-                             G a m e s                             -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\03 -+-=o0o=-+-                             G a m e s                             -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\04 -+-=o0o=-+-                          S o f t w a r e                          -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\04 -+-=o0o=-+-                          S o f t w a r e                          -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\05 +-=o0o=-+-                              M o v i e s                            -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\05 +-=o0o=-+-                              M o v i e s                            -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\06 -+-=o0o=-+-                              M u s i c                              -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\06 -+-=o0o=-+-                              M u s i c                              -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\07 -+-=o0o=-+-                           C o n s o l e                           -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\07 -+-=o0o=-+-                           C o n s o l e                           -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\08 -+-=o0o==========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\08 -+-=o0o==========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\09 -+-=o0o=-+-          H a c k e d  b y  T u T T 3 F R u T        -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\09 -+-=o0o=-+-          H a c k e d  b y  T u T T 3 F R u T        -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\10 -+-=o0o=-+-            F i l l e d  b y  T u T T 3 F R u T        -- -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\10 -+-=o0o=-+-            F i l l e d  b y  T u T T 3 F R u T        -- -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\11 -+-=o0o==========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_creation_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\11 -+-=o0o==========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          00-_-_~1        00 -+-=o0o===========================================o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          01-_-_~1        01 -+-=o0o=-+-      a  n e g a t i v e  f i b e s  e l i t e  s t r o   -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          02-_-_~1        02 -+-=o0o===========================================o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          03-_-_~1        03 -+-=o0o=-+-                             g a m e s                             -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          04-_-_~1        04 -+-=o0o=-+-                          s o f t w a r e                          -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          06-_-_~1        06 -+-=o0o=-+-                              m u s i c                              -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          07-_-_~1        07 -+-=o0o=-+-                           c o n s o l e                           -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          08-_-_~1        08 -+-=o0o==========================================o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          09-_-_~1        09 -+-=o0o=-+-          h a c k e d  b y  t u t t 3 f r u t        -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          10-_-_~1        10 -+-=o0o=-+-            f i l l e d  b y  t u t t 3 f r u t        -- -+-=o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          11-_-_~1        11 -+-=o0o==========================================o0o=-+-
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\00 -+-=o0o===========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\00 -+-=o0o===========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\01 -+-=o0o=-+-      A  N e g a t i v e  F i b e s  E l i t e  S t r o   -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\01 -+-=o0o=-+-      A  N e g a t i v e  F i b e s  E l i t e  S t r o   -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\02 -+-=o0o===========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\02 -+-=o0o===========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\03 -+-=o0o=-+-                             G a m e s                             -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\03 -+-=o0o=-+-                             G a m e s                             -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\04 -+-=o0o=-+-                          S o f t w a r e                          -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\04 -+-=o0o=-+-                          S o f t w a r e                          -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\06 -+-=o0o=-+-                              M u s i c                              -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\06 -+-=o0o=-+-                              M u s i c                              -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\07 -+-=o0o=-+-                           C o n s o l e                           -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\07 -+-=o0o=-+-                           C o n s o l e                           -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\08 -+-=o0o==========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\08 -+-=o0o==========================================o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\09 -+-=o0o=-+-          H a c k e d  b y  T u T T 3 F R u T        -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\09 -+-=o0o=-+-          H a c k e d  b y  T u T T 3 F R u T        -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\10 -+-=o0o=-+-            F i l l e d  b y  T u T T 3 F R u T        -- -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\10 -+-=o0o=-+-            F i l l e d  b y  T u T T 3 F R u T        -- -+-=o0o=-+- -  <DIR>                          ..
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\11 -+-=o0o==========================================o0o=-+- -  <DIR>                          .
2005-01-26   14:12:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\11 -+-=o0o==========================================o0o=-+- -  <DIR>                          ..

Welp - now we have some leads for law enforcement some day, in the form of the handles / nicks these guys go by.  Tooty fruit?  Umm . . . okay.
What's interesting is that while this was going on the user decided to reboot one more time - thereby interrupting the preparation of the new warez site which was in full swing . . .


Not to fear - looks like it resumed shortly after the reboot . . . :(


Copied from: Date View
==========================
2005-01-26   14:22:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp -  <DIR>          05_-_o~1        05 +-=o0o=-+-                              m o v i e s                            -+-=o0o=-+-
2005-01-26   14:22:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\05 +-=o0o=-+-                              M o v i e s                            -+-=o0o=-+- -  <DIR>                          .
2005-01-26   14:22:00   | dir_last_write_time_C_drive.txt   |   c:\WINDOWS\system32\recycler\dmp\05 +-=o0o=-+-                              M o v i e s                            -+-=o0o=-+- -  <DIR>                          ..


Okay, enough of that - let's do some more investigating.  Here's a registry search for app_result.dll:


Copied from: Search Results for: app_result.dll
==========================
Files containing instances of 'app_result.dll'

Number of Files Searched: 2
Time to Search Files: 3 seconds

registry.txt
====================
   [HKEY_USERS\S-1-5-21-1085031214-1292428093-xxxxxxxx-yyyyyy\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
         "i"=(REG_SZ)"C:\\mysql-4.1.8-win\\data\\mysql\\app_result.dll"

   [HKEY_USERS\S-1-5-21-1085031214-1292428093-xxxxxxxx-yyyyyy\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
         "b"=(REG_SZ)"C:\\mysql-4.1.8-win\\data\\mysql\\app_result.dll"

Doesn't give us much . . . OpenSaveMRU only records file names that went through an Explorer Open/Save dialog, so this tells us the DLL was opened from one at some point, not how it arrived.


Let's check out the XP SP2 firewall policy:


Copied from: Date View
==========================
2005-01-26   09:14:20   | security_eventlog.txt   |    6 848 Security NT AUTHORITY\SYSTEM  SYSTEM No Domain All interfaces On Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Enabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain iTunes C:\Program Files\iTunes\iTunes.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain java C:\Documents and Settings\USER\.netbeans\3.6\modules\profiler-ea-vm\jre\bin\java.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain java C:\java\j2sdk1.4.2_05\bin\java.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain Java(TM) 2 Platform Standard Edition binary C:\java\jdk1.5.0\bin\java.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain Java(TM) 2 Platform Standard Edition binary C:\java\jdk1.5.0\jre\bin\javaw.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain javaw C:\java\j2sdk1.4.2_05\bin\javaw.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain javaw C:\java\j2sdk1.4.2_05\jre\bin\javaw.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain mIRC C:\Program Files\mIRC\mirc.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain MSN Messenger 7.0 C:\Program Files\MSN Messenger\msnmsgr.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain mysqld-nt C:\mysql\bin\mysqld-nt.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain mysqld-nt C:\mysql-4.1.5-gamma-win\bin\mysqld-nt.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain mysqld-nt C:\mysql-4.1.8-win\bin\mysqld-nt.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain Remote Assistance %windir%\system32\sessmgr.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain runide C:\Program Files\NetBeans3.6\bin\runide.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain vvsys Application C:\Program Files\Polycom\ViaVideoNG\vvsys.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain Windows Messenger C:\Program Files\Messenger\msmsgs.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain Windows NetMeeting C:\Program Files\NetMeeting\conf.exe Enabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces NetBIOS Datagram Service 138 UDP Disabled Local subnet only 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces NetBIOS Name Service 137 UDP Disabled Local subnet only 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces NetBIOS Session Service 139 TCP Disabled Local subnet only 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces Remote Desktop 3389 TCP Disabled All subnets 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces SMB over TCP 445 TCP Disabled Local subnet only 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces SSDP Component of UPnP Framework 1900 UDP Disabled Local subnet only 
2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces UPnP Framework over TCP 2869 TCP Disabled Local subnet only 

http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx
Windows Firewall uses the following event IDs:

• 848 - Displays the startup configuration of Windows Firewall.
• 849 - Displays an application exception configuration.
• 850 - Displays a port exception configuration.
• 851 - Displays a change made to the application exceptions list.
• 852 - Displays a change made to the port exceptions list.
• 853 - Displays a change made to the Windows Firewall operation mode.
• 854 - Displays a change made to Windows Firewall logging settings.
• 855 - Displays a change made to ICMP settings.
• 856 - Displays a change made to the Prohibit unicast response to multicast or broadcast requests setting.
• 857 - Displays a change made to the Remote Administration setting.
• 860 - Displays a change made to a different profile.
• 861 - Displays an application attempting to listen for incoming traffic.
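
The 849/850 records above can be checked mechanically.  The following is an added example (not WOLF's code and not from the original post) that parses Date View lines in the layout shown and lists every enabled exception scoped to "All subnets" - which is exactly how the mysqld-nt exception on this box ended up reachable from the Internet.  It assumes only the line layout visible in the dump above.

```python
import re
from dataclasses import dataclass

# One WOLF "Date View" line carrying a Security event log record, as dumped above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s+\|\s*security_eventlog\.txt\s*\|"
    r"\s*\d+\s+(?P<eid>\d+)\s+Security\s+(?P<rest>.*?)\s*$")
# 849 (application exception): display names contain spaces, so anchor the path on
# its drive letter / %windir% prefix and on the state+scope pair that ends the record.
APP_RE = re.compile(r"(?P<path>(?:[A-Za-z]:|%windir%)\\.*?)\s+(?P<state>Enabled|Disabled)\s+"
                    r"(?P<scope>All subnets|Local subnet only)$")
# 850 (port exception).
PORT_RE = re.compile(r"All interfaces\s+(?P<name>.+?)\s+(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s+"
                     r"(?P<state>Enabled|Disabled)\s+(?P<scope>All subnets|Local subnet only)$")

@dataclass
class FirewallException:
    event_id: int
    target: str  # program path (849) or "port/proto" (850)
    state: str   # Enabled or Disabled
    scope: str   # All subnets or Local subnet only

def parse_exceptions(lines):
    """Extract the 849/850 exception records; other event IDs are skipped."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        eid, rest = int(m["eid"]), m["rest"]
        if eid == 849 and (a := APP_RE.search(rest)):
            found.append(FirewallException(eid, a["path"], a["state"], a["scope"]))
        elif eid == 850 and (p := PORT_RE.search(rest)):
            found.append(FirewallException(eid, f"{p['port']}/{p['proto']}", p["state"], p["scope"]))
    return found

def exposed_to_all_networks(lines):
    """Targets of enabled exceptions scoped to every subnet: reachable from beyond the LAN."""
    return [e.target for e in parse_exceptions(lines)
            if e.state == "Enabled" and e.scope == "All subnets"]

# Four records copied from the Date View above (trailing spaces trimmed).
SAMPLE = [
    r"2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain Java(TM) 2 Platform Standard Edition binary C:\java\jdk1.5.0\bin\java.exe Enabled All subnets",
    r"2005-01-26   09:14:20   | security_eventlog.txt   |    6 849 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain mysqld-nt C:\mysql-4.1.8-win\bin\mysqld-nt.exe Enabled All subnets",
    r"2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces SMB over TCP 445 TCP Disabled Local subnet only",
    r"2005-01-26   09:14:20   | security_eventlog.txt   |    6 850 Security NT AUTHORITY\SYSTEM  SYSTEM Local Policy Domain All interfaces Remote Desktop 3389 TCP Disabled All subnets",
]
```

Running `exposed_to_all_networks(SAMPLE)` on the full dump flags every Java, mIRC, Messenger and mysqld-nt entry; a database listener in that list is the finding that matters.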


Finally, here are the MD5/SHA-1 values of the initial DLL dropped on the box via MySQL:

D:\malware\MySQL>fciv -both app_result.dll
//
// File Checksum Integrity Verifier version 2.05.
//
                MD5                             SHA-1
-------------------------------------------------------------------------
fa9e72f3f7073f285e18299260331a2f bbc6e88b4af5ee6fa101ada8eb2e31f33105450a app_result.dll


Here is some string data from the DLL obtained using strings (the imports from WININET.dll and SHELL32.dll are the ones of interest):

ShellExecuteA
SHELL32.dll
InternetCloseHandle
FtpGetFileA
InternetConnectA
InternetOpenA
WININET.dll

GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
GetModuleHandleA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
WriteFile
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
RtlUnwind
LCMapStringA
LCMapStringW
InterlockedDecrement
InterlockedIncrement
KERNEL32.dll
app_result.dll
app_result
open
PST
PDT
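
As an added example (not from the original post), the import grouping below reads a strings dump like the one above and attributes each run of function names to the DLL name that follows it.  That layout - a DLL's imported names first, then the DLL's own file name - is an assumption stated here rather than something the page claims, but it holds for this dump; the summary then reports whether the imports add up to "fetch a file over FTP and run it".

```python
import re

# Assumption (holds for the strings dump on this page and for most MSVC-linked PEs):
# the function names imported from one DLL appear first and the DLL's own file name
# follows them, so a DLL name closes the group of names before it.
DLL_RE = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)

def group_imports(strings_lines):
    """Map each DLL name (upper-cased) to the function names that preceded it."""
    groups, pending = {}, []
    for s in (line.strip() for line in strings_lines):
        if not s:
            continue
        if DLL_RE.match(s):
            groups[s.upper()] = pending   # a DLL name with no names before it is
            pending = []                  # usually the module's own export name
        else:
            pending.append(s)
    return groups   # strings after the last DLL name are not imports and are dropped

# WinINet calls that together fetch a file over FTP, and APIs that start a program.
FETCH = {"InternetOpenA", "InternetConnectA", "FtpGetFileA"}
RUN = {"ShellExecuteA", "WinExec", "CreateProcessA"}

def downloader_indicators(groups):
    """Summarise whether the import set can download a file and then execute it."""
    imported = set().union(*groups.values())
    return {"fetch": sorted(FETCH & imported),
            "run": sorted(RUN & imported),
            "download_and_execute": FETCH <= imported and bool(RUN & imported)}

# Excerpt of the strings output above.
SAMPLE_STRINGS = """
ShellExecuteA
SHELL32.dll
InternetCloseHandle
FtpGetFileA
InternetConnectA
InternetOpenA
WININET.dll

GetCommandLineA
GetProcAddress
LoadLibraryA
KERNEL32.dll
app_result.dll
app_result
open
""".splitlines()
```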


That's all for now - looks like the AVs are probably on top of this . . .


Comments
  • Thank God there are alternatives to that filthy worm ridden GPL crap

  • Robert -

    All negatives and trolls aside, your blog is one of the more useful ones that's come about in a while.

    It looks like WOLF is a wonderful tool. Is it available from a MS download site? MSDN Members?

    I'm assuming it's relatively intrusive and you wouldn't want to run it on a production system.

    Thanks for all your work!

    Chris

  • WOLF is a PSS support tool (like MPS reports) and thus it is not available for public download. The magic isn't in the data collection, which is done using all off-the-shelf tools (and some custom tools); the magic is in the analysis, and we have trained engineers who know how to interpret the data.

    And yes it is very intrusive - it's like hitting the server with a taser for 30 minutes or more. :)

    But when you need to know if you've been compromised - IMHO this is your best bet.

  • That's mighty cool analysis Robert.

    When I saw the url "wftshoot.mpsx" I transposed the 't' and 'f' in my head... ;-)

  • Very cool. Your blog is really great. Thanks for all your hard work :)
