Compromise, play by play
Below is more detail on yesterday’s post.
We’ve found that the machine was directly connected to the internet at
home and was left on all night, getting scanned and poked.
The initial compromise was through the Big Yellow vulnerability in Symantec.
It then accessed the Windows Run registry key to ensure it was run at every boot.
It then accessed the following system files:
ibmpmsvc.exe
rpcnet.exe
TPHDEXLG.exe
TpKmpSvc.exe
TpScrLk.exe
TpShocks.exe
tcpip.sys
While it was accessing the system files, it also slowly connected to
other remote machines on TCP/2967: three in total over an hour.
An hour and a half after initial compromise it phoned home on TCP/7654.
Two hours after it had been brought onto our corporate network, where it was unable to
reach the mother ship, it started an aggressive scan of the
211.251.0.0/16 subnet for TCP/445, which didn't stop until we
killed unsecapp32.exe.
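The timeline above is the kind of thing a connection log makes visible even when the host-based agent has been turned down. The following script is an added example, not code from the original post: it parses a made-up log format ("date time src -> dst tcp/port"), then flags the three network indicators the write-up describes: outbound connections on TCP/2967, a phone-home on TCP/7654, and a burst of distinct TCP/445 destinations in one /16. The log lines, timestamps, addresses and thresholds are all constructed for the example; only the ports and the 211.251.0.0/16 range come from the post.

```python
"""Flag the traffic pattern from the write-up in a simple connection log.

Added example, not from the original post. Assumes a made-up log format:
"<YYYY-MM-DD> <HH:MM:SS> <src> -> <dst> tcp/<port>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) tcp/(?P<port>\d+)$"
)

SYMANTEC_MGMT_PORT = 2967   # port the infected host reached out on first
BEACON_PORT = 7654          # port it phoned home on
SMB_PORT = 445              # port it swept the /16 for
SCAN_WINDOW = timedelta(minutes=5)   # assumed detection window
SCAN_MIN_TARGETS = 50                # assumed distinct-host threshold per window


def parse_log(text):
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "port": int(m["port"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_scans(events, port=SMB_PORT, window=SCAN_WINDOW, min_targets=SCAN_MIN_TARGETS):
    """Per source, count distinct destinations on `port` inside a sliding time window.

    A normal host talks to a handful of SMB servers; a sweep hits dozens of
    distinct addresses in minutes. One alert per source is raised, naming the
    /16 networks being swept.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["port"] == port:
            by_src[e["src"]].append(e)
    scans = []
    for src, evs in by_src.items():
        start = 0
        seen = defaultdict(int)  # dst -> number of connections inside the window
        for end, e in enumerate(evs):
            seen[e["dst"]] += 1
            # Slide the window forward, dropping destinations that fell out of it.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dst"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                nets = {str(ipaddress.ip_network(f"{d}/16", strict=False)) for d in seen}
                scans.append({"src": src, "targets": len(seen), "subnets": sorted(nets),
                              "first": evs[start]["ts"], "last": e["ts"]})
                break
    return scans


def summarize(events):
    """Pull out the three indicators described in the write-up."""
    mgmt = [e for e in events if e["port"] == SYMANTEC_MGMT_PORT]
    beacons = [e for e in events if e["port"] == BEACON_PORT]
    return {
        "symantec_mgmt_targets": sorted({e["dst"] for e in mgmt}),
        "beacon_hosts": sorted({e["dst"] for e in beacons}),
        "scans": find_scans(events),
    }


def build_sample_log():
    """Constructed log mirroring the write-up's timeline (times and addresses are made up)."""
    lines = [
        "2007-05-02 23:10:05 10.0.0.25 -> 203.0.113.7 tcp/2967",
        "2007-05-02 23:31:40 10.0.0.25 -> 203.0.113.19 tcp/2967",
        "2007-05-02 23:58:12 10.0.0.25 -> 203.0.113.88 tcp/2967",
        "2007-05-03 00:40:00 10.0.0.25 -> 198.51.100.4 tcp/7654",
        "2007-05-03 00:45:00 10.0.0.25 -> 10.0.0.1 tcp/445",  # ordinary file-server traffic
    ]
    t0 = datetime(2007, 5, 3, 1, 10, 0)
    for i in range(120):  # 120 distinct hosts in the /16 inside two minutes
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.25 -> 211.251.0.{i + 1} tcp/445")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The single legitimate SMB connection at 00:45 stays below the threshold because the window has slid past it by the time the sweep starts; raise `SCAN_MIN_TARGETS` or shorten `SCAN_WINDOW` to tune the rule to what your own hosts normally do.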

Persistent little bugger…
By LonerVamp on 05.03.07 2:54 pm
Aren’t they all, lol.
By Michael on 05.03.07 3:41 pm
[...] network. We had the HIPS downgraded to HIDS mode for troubleshooting a problem so we were able to determine the extent of compromise easily and [...]
By mcwresearch.com » My Black Tuesday Routine on 03.26.08 10:50 am