Thread: Help with Exploit

Help with Exploit
2007-02-02 13:25:24
Hello List,

We're experiencing a serious problem on our networking with an exploit.
After running the Microsoft rootkit detector we found the following:

Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm

All of the files and registry settings listed on the McAfee site were found on the system, and also a strange a.exe file. Found some general info about the a.exe file, but all of it was useless and did not relate at all to this exploit IMHO. I guess it uses a.exe just because. The boxes had the latest AV updates and engines, and also the latest OS updates (Windows 2000). Even worse, after reinstalling one of the boxes, and updating to the latest everything once more, the box was infected once more. I am now trying to find a way to end this email with a "professional" sounding question, but to be honest, I don't know how to proceed with this one. Please help!

Thanks in advance.
Vic

-- 
Vic Brown
Comp Supp Spec
FSU-Panama
Phone: (507)-314-0367
vabrown mailer.fsu.edu
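A triage helper for RootkitRevealer output of the kind pasted in the post above, added here as an example and not code from the thread or from Sysinternals: it parses the description,timestamp,size,path lines, separates the embedded-null key names from the hidden files, buckets the hidden files by day (all four DLLs land on 1/31/2007), and diffs the result against a report taken on a known-clean box of the same build. The sample lines are constructed from the post with the backslashes the list archive dropped assumed; the function names are mine.

```python
from collections import defaultdict
from datetime import datetime

SIZE_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2}

# Constructed sample in RR's description,timestamp,size,path layout (backslashes assumed).
SAMPLE = r"""Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\WINNT\system32\pfplgscn.dll
"""

def size_to_bytes(text):
    """'13.00 KB' -> 13312, '0 bytes' -> 0."""
    number, unit = text.split()
    return int(float(number) * SIZE_UNITS[unit])

def parse_rr_line(line):
    """Split one discrepancy line into its four fields; the path may contain commas."""
    kind, when, size, path = line.split(",", 3)
    return {"kind": kind, "when": datetime.strptime(when, "%m/%d/%Y %H:%M"),
            "size": size_to_bytes(size), "path": path,
            # RR writes '*' at the spot where a key name holds an embedded null.
            "embedded_null": kind.startswith("Key name contains embedded nulls")}

def triage(text):
    """Separate null-name keys from hidden files, bucketing the latter by day."""
    hidden_by_day, null_keys = defaultdict(list), []
    for line in filter(str.strip, text.splitlines()):
        entry = parse_rr_line(line)
        if entry["embedded_null"]:
            null_keys.append(entry["path"])
        elif entry["kind"].startswith("Hidden from Windows API"):
            hidden_by_day[entry["when"].date().isoformat()].append(entry["path"])
    return {"hidden_by_day": dict(hidden_by_day), "null_keys": null_keys}

def delta_from_baseline(report, baseline):
    """Drop every path that also shows up in a report from a known-clean box of
    the same Windows build; what remains is what deserves a closer look."""
    known = set(baseline["null_keys"]).union(*baseline["hidden_by_day"].values())
    return {"null_keys": [k for k in report["null_keys"] if k not in known],
            "hidden": [p for ps in report["hidden_by_day"].values()
                       for p in ps if p not in known]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```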
----------------------------------------------------------------

Re: Help with Exploit
2007-02-02 15:18:43
There are a couple of methods you could employ to determine whether or not this is a problem:

1. Monitor the network using tcpdump, ethereal or other monitoring tool and shut down all non-necessary services on this host. If you see suspicious traffic, this might indicate who or where it is going to so you can validate it and/or the contents.

2. Use the sysinternals tools from Microsoft to discover who is doing what on your server. Download from:
http://www.microsoft.com/technet/sysinternals/default.mspx

One problem here is that if it's malicious code at work you're defending hosts when you should be defending your network(s). Find out where the problem is coming from and shut it down at the firewall.

Thanks,
Josh Miller
----------------------------------------------------------------

RE: Help with Exploit
2007-02-04 22:30:40
Hi Vic.

I found that you can actually see the Security hive under HKLM if you run regedit interactively. One way of doing this is to run the `at` command in a cmd prompt like this:

at 9:23am /interactive regedit.exe

Change the time here to suit, that is, a few minutes into the future.

When regedit opens up then you can simply check the hive, but some keys are 'secret' and I don't know how to access them...yet.

I actually received a very similar flag from RR when running it on a friend's machine and I'm wondering if the first two lines are normal.
----------------------------------------------------------------

RE: Help with Exploit
2007-02-04 16:52:16
Hi Vic, are the timestamps/datestamps here significant to you?

>> Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
>> Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*

I've done some googling and am finding that the new RR version checks the security hive (which I believe to be 'invisible' to regedit; can someone correct me if I'm wrong?).

These two keys may be some password store perhaps, and are the timestamps indicative of some s/w install date? Or even the OS?

You might find it useful to post on the Sysinternals forums too:
http://forum.sysinternals.com/
----------------------------------------------------------------

Re: Help with Exploit
2007-04-17 05:11:10
> I've done some googling and am finding that the new RR version checks the security hive (which I believe to be 'invisible' to regedit; can someone correct me if I'm wrong?).

Hello,

I know I am coming late on this one, but registry keys that contain NULL characters cannot be accessed through REGEDIT. You have to rely on the low-level NTDLL API to access them. It is a known "copy protection" trick.

More information here:
http://www.microsoft.com/technet/sysinternals/information/tipsandtrivia.mspx#E3B

BTW, Vic, if you happen to have a copy of the mysterious "a.exe" file, I am interested in having a look at it.

Regards,
- Nicolas RUFF