BLSS Cyber Center Report - 29 October 2007
------------------------------------------
www.blacklabsecurity.com
This BLSS Cyber Center Report is a continuation of the Cyber Center Report published on 29 October 2007. BLSS has begun an immediate analysis of the attack on our Honey Pot from China, which was reported yesterday, 28 October 2007. This report is divided into two sections: 1) Analysis Of Honey Pot Attack, and 2) Advised Immediate Action Required To Prevent The Attacks.
Analysis Of Honey Pot Attack
----------------------------
Below are the first 100 program file payloads detected by Shadow. Many more payloads were installed into the nested "i386" and "Service Pack" folders. The most striking feature of the first 100 payloads is how many of them touch remote-access functionality: RegCode.dll, Adfsocm.dll, ComAdmin.dll, Dialer.exe, System.Configuration.Install.dll, Nfsocm.dll, Explorer.exe and others. Most notable of all, the remote-access program payloads were updated together with the Remote Assistance scripts under \Windows\PCHealth\HelpCtr\System\RemoteAssistance (Raclient.js, Racontrol.js, Raserver.js and Common.js), and a new RegEdit.exe was written. Every path in the list is a standard Windows, .NET Framework or service-pack location, so each file should be compared against a known-good copy (hash and Authenticode signature) before it is treated as attacker-supplied rather than as part of a legitimate update.
The following are the first 100 payloads detected:
1. C:\WINDOWS\ASSEMBLY\GAC\REGCODE\1.0.5000.0__B03F5F7F11D50A3A\REGCODE.DLL
2. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\ADFSOCM.DLL
3. C:\WINDOWS\SYSTEM32\COM\COMADMIN.DLL
4. C:\WINDOWS\DIALER.EXE
5. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.CONFIGURATION.INSTALL\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.CONFIGURATION.INSTALL.DLL
6. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\NFSOCM.DLL
7. C:\WINDOWS\EXPLORER.EXE
8. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DATA\1.0.5000.0__B77A5C561934E089\SYSTEM.DATA.DLL
9. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\OCWSS.DLL
10. C:\PROGRAM FILES\COMMONFILES\SPEECHENGINES\MICROSOFT\TTS\1033\SPTTSENG.DLL
11. C:\WINDOWS\HH.EXE
12. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DATA.ORACLECLIENT\1.0.5000.0__B77A5C561934E089\SYSTEM.DATA.ORACLECLIENT.DLL
13. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\CLIENT\RACLIENT.JS
14. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\SUAIDMOG.DLL
15. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MUI\0409\MSCORSECR.DLL
16. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DIRECTORYSERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.DIRECTORYSERVICES.DLL
17. C:\WINDOWS\NOTEPAD.EXE
18. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\COMMON\RACONTROL.JS
19. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTE ASSISTANCE\COMMON\COMMON.JS
20. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.ENTERPRISESERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.ENTERPRISESERVICES.DLL
21. C:\WINDOWS\REGEDIT.EXE
22. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\SERVER\RASERVER.JS
23. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTE ASSISTANCE\COMMON\CONSTANTS.JS
24. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.ENTERPRISESERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.ENTERPRISESERVICES.THUNK.DLL
25. C:\WINDOWS\SYSTEM32\MUI\0C0A\W03A2409.DLL
26. C:\WINDOWS\TWAIN.DLL
27. C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=MICROSOFTCORPORATION,L=REDMOND,S=WASHINGTON,C=US\REMOTE ASSISTANCE\COMMON\COMMON.JS
28. C:\WINDOWS\SYSTEM32\MUI\0C0A\WS03RES.DLL
29. C:\WINDOWS\TWAIN_32.DLL
30. C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=MICROSOFTCORPORATION,L=REDMOND,S=WASHINGTON,C=US\REMOTEASSISTANCE\COMMON\CONSTANTS.JS
31. C:\WINDOWS\SYSTEM32\MUI\0C0A\XPOB2RES.DLL
32. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.MESSAGING\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.MESSAGING.DLL
33. C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0001\DRIVERFILES\I386\PROCESSR.SYS
34. C:\WINDOWS\TWUNK_16.EXE
35. C:\WINDOWS\SYSTEM32\MUI\0C0A\XPSP2RES.DLL
36. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.RUNTIME.REMOTING\1.0.5000.0__B77A5C561934E089\SYSTEM.RUNTIME.REMOTING.DLL
37. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\DISKRAID.EXE
38. C:\WINDOWS\TWUNK_32.EXE
39. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.RUNTIME.SERIALIZATION.FORMATTERS.SOAP\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.RUNTIME.SERIALIZATION.FORMATTERS.SOAP.DLL
40. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDS.EXE
41. C:\WINDOWS\UDDISP.EXE
42. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.SECURITY\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.SECURITY.DLL
43. C:\WINDOWS\INF\UNREGMP2.EXE
44. C:\WINDOWS\SYSTEM32\WBEM\ADSTATUS\TRUSTMON.DLL
45. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSDYNDR.DLL
46. C:\WINDOWS\VMMREG32.DLL
47. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.SERVICEPROCESS\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.SERVICEPROCESS.DLL
48. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSLDR.EXE
49. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.DLL
50. C:\WINDOWS\WINHELP.EXE
51. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSUTIL.DLL
52. C:\WINDOWS\SYSTEM32\WBEM\XML\WMI2XML.DLL
53. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.MOBILE\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.MOBILE.DLL
54. C:\WINDOWS\WINHLP32.EXE
55. C:\WINDOWS\MSAGENT\AGENTANM.DLL
56. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.REGULAREXPRESSIONS\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.REGULAREXPRESSIONS.DLL
57. C:\WINDOWS\MSAGENT\AGENTCTL.DLL
58. C:\WINDOWS\_DEFAULT.PIF
59. C:\WINDOWS\MSAGENT\AGENTDP2.DLL
60. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.SERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.SERVICES.DLL
61. C:\WINDOWS\SYSTEM32\SERVERAPPLIANCE\WEB\ADMIN\HELP\0409\LINKCSS.JS
62. C:\WINDOWS\MSAGENT\AGENTDPV.DLL
63. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\MSCORLIB\1.0.5000.0__B77A5C561934E089_1C85CDAB\MSCORLIB.DLL
64. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DAO\DAO360.DLL
65. C:\WINDOWS\MSAGENT\AGENTMPX.DLL
66. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM\1.0.5000.0__B77A5C561934E089_8DF1E0E7\SYSTEM.DLL
67. C:\WINDOWS\MSAGENT\AGENTPSH.DLL
68. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\IEINFO5.OCX
69. C:\WINDOWS\MSAGENT\AGENTSR.DLL
70. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
71. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DESIGN\1.0.5000.0__B03F5F7F11D50A3A_2DC1A7DB\SYSTEM.DESIGN.DLL
72. C:\WINDOWS\MSAGENT\AGENTSVR.EXE
73. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SPEECH\SAPI.DLL
74. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DRAWING\1.0.5000.0__B03F5F7F11D50A3A_66784F17\SYSTEM.DRAWING.DLL
75. C:\WINDOWS\MSAGENT\AGTINTL.DLL
76. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SPEECH\SAPISVR.EXE
77. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DRAWING.DESIGN\1.0.5000.0__B03F5F7F11D50A3A_271DA28B\SYSTEM.DRAWING.DESIGN.DLL
78. C:\WINDOWS\MSAGENT\MSLWVTTS.DLL
79. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TEXTCONV\MSCONV97.DLL
80. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.WINDOWS.FORMS\1.0.5000.0__B77A5C561934E089_9D99100D\SYSTEM.WINDOWS.FORMS.DLL
81. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRIEDIT\DHTMLED.OCX
82. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.XML\1.0.5000.0__B77A5C561934E089_667035EA\SYSTEM.XML.DLL
83. C:\WINDOWS\SRCHASST\MSGR3EN.DLL
84. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRIEDIT\TRIEDIT.DLL
85. C:\WINDOWS\SRCHASST\SRCHCTLS.DLL
86. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\ALINKUI.DLL
87. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VGX\VGX.DLL
88. C:\WINDOWS\SRCHASST\SRCHUI.DLL
89. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\CSCOMPUI.DLL
90. C:\PROGRAM FILES\COMMON FILES\SPEECHENGINES\MICROSOFT\SPCOMMON.DLL
91. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\VBC7UI.DLL
92. C:\WINDOWS\SYSTEM32\6TO4SVC.DLL
93. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADER15.DLL
94. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\VSAVB7RTUI.DLL
95. C:\WINDOWS\SYSTEM32\AAAAMON.DLL
96. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADO15.DLL
97. C:\WINDOWS\SYSTEM32\ACCTRES.DLL
98. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASP.NETCLIENTFILES\SMARTNAV.JS
99. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADOMD.DLL
100. C:\WINDOWS\SYSTEM32\ACCWIZ.EXE
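The file list above is only useful once each entry is tied to a location on disk and to a known-good baseline. The following script is an added example, not code from the BLSS report or from its "Shadow" monitor. It assumes Shadow's output is the numbered "N. path" list as printed above (ten of those lines are copied into it verbatim), buckets each path by the area of Windows it lives in, and diffs two path-to-SHA-256 snapshots so that a file can be reported as newly added, modified, or removed relative to a clean image. The file contents used to build the two snapshots are constructed placeholders; on a real system the snapshots would be computed from the reference image and from the honeypot disk.

```python
"""Triage a honeypot file-change list against a clean baseline.

Added example, not code from the BLSS report or its "Shadow" monitor. It
assumes Shadow's output looks like the numbered list in the report; the
excerpt below is copied from that list, while the file contents used for the
two snapshots are constructed placeholders.
"""
import hashlib
import re
from collections import Counter

# Ten lines taken verbatim from the report (note the missing space in "100.").
REPORT_EXCERPT = r"""
1. C:\WINDOWS\ASSEMBLY\GAC\REGCODE\1.0.5000.0__B03F5F7F11D50A3A\REGCODE.DLL
2. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\ADFSOCM.DLL
7. C:\WINDOWS\EXPLORER.EXE
13. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\CLIENT\RACLIENT.JS
18. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\COMMON\RACONTROL.JS
21. C:\WINDOWS\REGEDIT.EXE
22. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\SERVER\RASERVER.JS
25. C:\WINDOWS\SYSTEM32\MUI\0C0A\W03A2409.DLL
55. C:\WINDOWS\MSAGENT\AGENTANM.DLL
100.C:\WINDOWS\SYSTEM32\ACCWIZ.EXE
"""

LINE_RE = re.compile(r"^\s*\d+\.\s*(\S.*?)\s*$")


def parse_report(text):
    """Extract the file paths from a numbered 'N. path' list; blank lines are skipped."""
    return [m.group(1) for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


# Location classes checked in order; the first marker that matches wins.
LOCATION_CLASSES = [
    ("dotnet-framework", ("/ASSEMBLY/GAC/", "/ASSEMBLY/NATIVEIMAGES", "/MICROSOFT.NET/")),
    ("servicepack-cache", ("/SERVICEPACKFILES/",)),
    ("mui-resources", ("/MUI/",)),
    ("ms-agent", ("/MSAGENT/",)),
]


def classify(path):
    """Bucket a path by where it sits on disk so the list can be summarised by area."""
    norm = path.upper().replace("\\", "/")
    # Covers both the REMOTEASSISTANCE and "REMOTE ASSISTANCE" spellings in the report.
    if "/PCHEALTH/HELPCTR/" in norm and "REMOTE" in norm:
        return "remote-assistance"
    for label, markers in LOCATION_CLASSES:
        if any(m in norm for m in markers):
            return label
    return "other"


def summarize(paths):
    """Count how many listed files fall into each location class."""
    return Counter(classify(p) for p in paths)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(files):
    """Map path -> SHA-256 of content. In practice `files` would be read from disk."""
    return {p: sha256(b) for p, b in files.items()}


def diff_snapshots(baseline, current):
    """Classify each path as added, modified or removed relative to the clean baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def triage(baseline, current):
    """Combine the diff with the location class so output reads 'what changed, where'."""
    diff = diff_snapshots(baseline, current)
    return [(status, classify(p), p)
            for status in ("added", "modified", "removed") for p in diff[status]]


# Constructed contents standing in for real files on a clean reference image.
EXPLORER_PATH = r"C:\WINDOWS\EXPLORER.EXE"
REGEDIT_PATH = r"C:\WINDOWS\REGEDIT.EXE"
ACCWIZ_PATH = r"C:\WINDOWS\SYSTEM32\ACCWIZ.EXE"
RACONTROL_PATH = r"C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\COMMON\RACONTROL.JS"
RACLIENT_PATH = r"C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\CLIENT\RACLIENT.JS"

BASELINE_FILES = {
    EXPLORER_PATH: b"MZ explorer build 2600",
    REGEDIT_PATH: b"MZ regedit build 2600",
    ACCWIZ_PATH: b"MZ accwiz build 2600",
    RACONTROL_PATH: b"// racontrol.js original",
}
# The honeypot after the event: regedit rewritten, raclient.js newly present.
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES[REGEDIT_PATH] = b"MZ regedit build 2600 REWRITTEN"
CURRENT_FILES[RACLIENT_PATH] = b"// raclient.js dropped"

if __name__ == "__main__":
    for label, n in summarize(parse_report(REPORT_EXCERPT)).most_common():
        print(f"{n:3d}  {label}")
    for status, area, path in triage(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)):
        print(f"{status:8s} {area:18s} {path}")
```

The summary step quantifies by area what the report judges by eye, and the diff separates files that merely changed (candidates for a legitimate update, to be confirmed by signature) from files that appeared for the first time, which deserve a closer look regardless of where they sit.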
Advised Immediate Action Required To Prevent The Attacks
--------------------------------------------------------
The first step is to block the following ports at the firewall, where organizations can do so without inhibiting the normal operation of their network and software. Ports 1026-1028 fall inside the dynamic RPC range that Windows XP and Server 2003 allocate from 1025 upward, so block them inbound at the perimeter rather than between internal hosts:
Port 7212
Port 1026
Port 1027
Port 1028
The second step is to block the following IP addresses at the firewall:
IP Address
----------
121.18.13.107
121.18.12.197
221.208.208.83
221.208.208.91
221.208.208.95
221.208.208.98
202.97.238.202
218.50.1.119
222.239.255.43
121.235.156.114
210.79.152.144
221.208.208.101
44.139.107.99
The third step is to TURN OFF all Automatic Updates and disable the Remote Assistance functions of the Microsoft Help and Support Center. Turning off Automatic Updates also stops Microsoft security patches from arriving, so treat it as a temporary measure and patch the machines by another route in the meantime. As a "hardening method"
within BLSS, we actually erase the following JScript files:
JScript Files
-------------
Raclient.js
Racontrol.js
Common.js
Raserver.js
Constants.js
The BLSS Cyber Center will publish a list of all IP addresses detected from China and Korea within the next 24 hours. It is recommended that all IP addresses from China and Korea be blocked at the firewall as a security precaution.
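The three steps above amount to a block list of ports and addresses plus a check that the list is actually being hit. The script below is an added example and not BLSS tooling. It assumes a Linux/iptables perimeter (the report does not name a firewall product) and that the listed ports should be dropped inbound for both TCP and UDP, since the report gives no protocol. The ports and addresses are exactly those printed in the report; the firewall log lines near the bottom are constructed. The script validates and de-duplicates the address list (the report lists 202.97.238.202 twice), collapses the three adjacent ports into one range, emits the DROP rules, and replays the list over log lines so an operator can see which existing connections it would have caught.

```python
"""Turn the report's port and address list into perimeter block rules and a log check.

Added example; not BLSS tooling. Assumes a Linux/iptables perimeter and that the
report's ports are dropped inbound for both TCP and UDP (the report names no
protocol). Ports and addresses are the report's own; the log lines are constructed.
"""
import ipaddress

REPORT_PORTS = [7212, 1026, 1027, 1028]
REPORT_IPS = [
    "121.18.13.107", "121.18.12.197",
    "221.208.208.83", "221.208.208.91", "221.208.208.95", "221.208.208.98",
    "202.97.238.202", "218.50.1.119", "222.239.255.43", "121.235.156.114",
    "210.79.152.144", "202.97.238.202",  # the report lists this address twice
    "221.208.208.101", "44.139.107.99",
]


def normalize_ips(raw):
    """Validate each entry and drop duplicates while keeping the report's order.

    A typo in a block list silently blocks nothing, so bad entries raise.
    """
    seen = {}
    for entry in raw:
        addr = ipaddress.ip_address(entry.strip())
        if addr.version != 4:
            raise ValueError(f"expected an IPv4 address, got {entry!r}")
        seen.setdefault(addr, None)
    return list(seen)  # dicts preserve insertion order


def port_ranges(ports):
    """Collapse ports into contiguous (low, high) ranges so 1026,1027,1028 becomes one rule."""
    ranges = []
    for port in sorted(set(ports)):
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def render_iptables(ips, ports, chain="INPUT"):
    """Emit one DROP rule per port range and protocol, then one per source address."""
    rules = []
    for low, high in port_ranges(ports):
        dport = str(low) if low == high else f"{low}:{high}"
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A {chain} -p {proto} --dport {dport} -j DROP")
    for addr in normalize_ips(ips):
        rules.append(f"iptables -A {chain} -s {addr} -j DROP")
    return rules


# Constructed netfilter-style log lines, not traffic from the BLSS honeypot.
SAMPLE_LOG = [
    "Oct 29 03:12:41 fw kernel: IN=eth0 OUT= SRC=221.208.208.91 DST=10.0.0.5 PROTO=TCP SPT=3421 DPT=1026",
    "Oct 29 03:12:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=80",
    "Oct 29 03:13:02 fw kernel: IN=eth0 OUT= SRC=202.97.238.202 DST=10.0.0.5 PROTO=TCP SPT=2201 DPT=445",
    "Oct 29 03:13:19 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=4012 DPT=7212",
]


def scan_log(lines, ips, ports):
    """Return (src, dport, reason) for log lines that hit the list by address, port or both.

    Replaying the list over existing logs shows what the rules would have caught
    before they are deployed.
    """
    blocked_ips = set(normalize_ips(ips))
    blocked_ports = set(ports)
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        src, dpt = fields.get("SRC"), fields.get("DPT")
        if not src:
            continue
        dport = int(dpt) if dpt else None
        reasons = []
        if ipaddress.ip_address(src) in blocked_ips:
            reasons.append("address")
        if dport in blocked_ports:
            reasons.append("port")
        if reasons:
            hits.append((src, dport, "+".join(reasons)))
    return hits


if __name__ == "__main__":
    for rule in render_iptables(REPORT_IPS, REPORT_PORTS):
        print(rule)
    for src, dport, why in scan_log(SAMPLE_LOG, REPORT_IPS, REPORT_PORTS):
        print(f"hit: {src} -> port {dport} ({why})")
```

The port rules are emitted before the address rules so that a probe on a listed port is dropped even from an address that is not yet on the list; the log replay reports the reason for each hit separately, which is what tells an operator whether the address list or the port list is doing the work.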