bling.exe

John Coutts

I just spent several hours removing a SpyBot worm from a customer's machine.
This particular machine is on a small network with four other machines, and
all are Win2K. As a precaution, I had disabled port 445 on all the other
machines, but somehow I missed this one. It was connected to the Internet
behind a firewall, so I didn't worry about it. But these machines are also
connected to a private government network through another router. The hacker
used this port on the government network and one of the Microsoft
vulnerabilities to install a backdoor Trojan called bling.exe, one of the many
variants of the SpyBot worm. Using this backdoor, they installed several other
programs:

10/04/2003 03:54 PM 16,384 hidden32.exe
04/06/2004 11:23 AM 245,624 kernel32.exe
05/12/2003 02:04 PM 35,898 kill.exe
09/27/2004 10:44 AM 290,290 msupdates.exe
09/29/2004 07:49 AM 100,338 mswin.exe
09/25/2004 10:36 AM 86,016 bling.exe
10/11/2004 10:11 AM 21,402 msdll.gif

and several batch files:
Run.bat
Rand.bat
WinRun.bat
regNHide.bat
Sys32.bat
Secure.bat

in a newly created directory C:\windows\system32\sys32.

Hidden32.exe was used to load Mswin.exe and msdll.gif on startup. Mswin.exe is
an IRC proxy program, and msdll.gif is the configuration file for it. It
connected to port 6667 on hub.pheared.com where it listened for instructions.
The server then closed the connection. This all happened over the course of 4
days.

Then nothing happened for 10 days. Yesterday, I logged in under an
administrator account and all hell broke loose. A SERV-U FTP server was
started and network traffic began in earnest. I simply pulled the network
connection until I could figure out what was wrong. As the government workers
came back to work today, they are having nothing but problems as they battle
this worm.

To protect yourself, I strongly advise disabling port 445 on XP/2000 by adding
the following key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value: SmbDeviceEnabled
Type: DWORD value (REG_DWORD)
Content: 0 (to disable)

I also advise changing the permissions (for those not using simple networking)
on Cmd.exe to Administrators only, and perhaps Power Users. In most cases, it
is the System permission that gives rise to the ability of these hacks to run
batch files.

J.A. Coutts
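As an added example that is not code from the original thread, here is a PowerShell audit script for the two hardening measures John recommends (the SmbDeviceEnabled registry value and the cmd.exe permissions also debated later in the thread) plus a check for the indicators he lists. It assumes a modern Windows host with PowerShell 5 or later run as Administrator; the registry path and value name, the sys32 directory, the file names and the IRC port 6667 come from the post, everything else (function names, the -Apply switch) is my own construction.

```powershell
# Added example, not code from the original thread. Audits (and with -Apply, sets)
# the hardening John Coutts recommends, and checks for the indicators he lists.
# Assumes a modern Windows host, PowerShell 5+, run as Administrator.
# Usage: .\Audit-SpyBot.ps1 [-Apply]
param([switch]$Apply)

$NetBtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'   # from the post
$CmdExe      = Join-Path $env:SystemRoot 'system32\cmd.exe'
$DropDir     = Join-Path $env:SystemRoot 'system32\sys32'                    # directory the post names
$DropFiles   = 'hidden32.exe','kernel32.exe','kill.exe','msupdates.exe',
               'mswin.exe','bling.exe','msdll.gif',
               'Run.bat','Rand.bat','WinRun.bat','regNHide.bat','Sys32.bat','Secure.bat'

function Get-SmbDeviceState {
    # A missing value means the default: the NetBT SMB device (TCP 445) is enabled.
    $p = Get-ItemProperty -Path $NetBtParams -Name SmbDeviceEnabled -ErrorAction SilentlyContinue
    if ($null -eq $p)              { return 'SmbDeviceEnabled absent -> port 445 enabled (default)' }
    if ($p.SmbDeviceEnabled -eq 0) { return 'SmbDeviceEnabled = 0 -> port 445 disabled' }
    return "SmbDeviceEnabled = $($p.SmbDeviceEnabled) -> port 445 enabled"
}

function Test-Port445Listening {
    # netstat exists on every Windows version; Get-NetTCPConnection needs Windows 8/2012 or later.
    $lines = netstat -an | Where-Object { $_ -match '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING' }
    return [bool]$lines
}

function Get-CmdExeExecutors {
    # Identities allowed to execute cmd.exe. John's advice is to leave only Administrators
    # (perhaps Power Users); SYSTEM or Guest here is what lets a dropped batch file run.
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    (Get-Acl -Path $CmdExe).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $exec) } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Find-DroppedFiles {
    # Returns full paths of any of the post's file names present in the drop directory or system32.
    $found = @()
    foreach ($dir in @($DropDir, (Join-Path $env:SystemRoot 'system32'))) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($name in $DropFiles) {
            $path = Join-Path $dir $name
            if (Test-Path $path) { $found += $path }
        }
    }
    return $found
}

function Get-IrcConnections {
    # Established TCP connections to port 6667, the IRC port mswin.exe used to reach its controller.
    netstat -an | Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+:6667\s+ESTABLISHED' }
}

Write-Host "SMB device : $(Get-SmbDeviceState)"
Write-Host "TCP 445    : $(if (Test-Port445Listening) { 'LISTENING' } else { 'not listening' })"
Write-Host "cmd.exe run: $((Get-CmdExeExecutors) -join ', ')"
$dropped = Find-DroppedFiles
if ($dropped) { Write-Warning "Indicator files present:`n$($dropped -join "`n")" }
$irc = Get-IrcConnections
if ($irc) { Write-Warning "Connections to TCP 6667:`n$($irc -join "`n")" }

if ($Apply) {
    # The post's registry change. This turns off direct-hosted SMB over TCP 445 on this host
    # for both serving and reaching shares, so test it on machines that use file sharing.
    New-ItemProperty -Path $NetBtParams -Name SmbDeviceEnabled -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'SmbDeviceEnabled set to 0; a reboot is needed for the change to take effect.'
}
```

The script only reports the cmd.exe ACL rather than changing it: on current Windows the file is owned by TrustedInstaller, and the identities it prints are what decide whether an intrusion running as SYSTEM or Guest (John's point later in the thread) can launch batch files.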
 
SchroedingerzKat

> I just spent several hours removing a SpyBot worm from a customer's machine.

Spybot is both a trojan and a worm as I recall. The trojan form is a remote
administration tool that can connect to IRC. The worm also has IRC
capabilities. I'm not sure if it infects automatically, but if it's a worm it
should auto-root machines.

I dunno if the worm and RAT are made by the same author or not. This caused me
some confusion one time.

> This particular machine is on a small network with four other machines, and
> all are Win2K. As a precaution, I had disabled port 445 on all the other
> machines, but somehow I missed this one.

It must have been unpatched? I thought SpyBot worm used an older exploit. Or
perhaps you can add custom exploits to it.

> Then nothing happened for 10 days. Yesterday, I logged in under an
> administrator account and all hell broke loose.

Sounds like you have a real infestation. Also remember that 90% of hacks are
done by employees or contractors (possibly vindictive ones).

> To protect yourself, I strongly advise disabling port 445 on XP/2000 by adding
> the following key:
> Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
> Value: SmbDeviceEnabled
> Type: DWORD value (REG_DWORD)
> Content: 0 (to disable)

That looks like it whacks out SMB, not just TCP port 445. I personally block
all unneeded ports at the perimeter including worm ports. But I patch so often
I will only be hit by an unpublished exploit (in which case I'll sell the code
to iDefense and retire for a year.)

> I also advise changing the permissions (for those not using simple networking)
> on Cmd.exe to Administrators only, and perhaps Power Users. In most cases, it
> is the System permission that gives rise to the ability of these hacks to run
> batch files.

Principle of least privilege dictates tight permission sets. I run into this
at library and comm college computers. It takes me (hypothetically) 5 minutes
to circumvent because cmd.exe and others are accessible.

michael
 
Richard S. Westmoreland

John Coutts said:
> I also advise changing the permissions (for those not using simple networking)
> on Cmd.exe to Administrators only, and perhaps Power Users. In most cases, it
> is the System permission that gives rise to the ability of these hacks to run
> batch files.

The users that log in, are they added to the Administrators or Power Users
group? If so, and you want to really block access to cmd.exe, then I would
add a special account and add it to the Administrators group, and give only
that account access to cmd.exe.
 
John Coutts

> The users that log in, are they added to the Administrators or Power Users
> group? If so, and you want to really block access to cmd.exe, then I would
> add a special account and add it to the Administrators group, and give only
> that account access to cmd.exe.
***************** REPLY SEPARATOR ******************
There are supposedly some intrusions that default to the privileges of the
current logged in user (although I personally have never run across one), but
most of these intrusions are created by buffer overflows and default to the
SYSTEM or GUEST privileges. If the SYSTEM or GUEST does not have access to the
CMD.EXE program, they cannot take advantage of it. However, systems that have
been previously compromised may have created copies of the cmd.exe file and use
that instead.

J.A. Coutts
 