New McAfee DATs 4370 for backdoor AXJ and IIS control

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 28 Jun 2004, 16:37

The DAT 4370 files that McAfee has published to control the backdoor virus are now available, as well as control of the MS04-013 exploit for file download when visiting websites:



McAfee's summary of the updated BackDoor-AXJ description:

__________________________________________





Trojan Name: BackDoor-AXJ

Risk Assessment
    Corporate User : Low-Profiled
    Home User      : Low-Profiled







Trojan Information

Discovery Date: 07/16/2003

Origin: Unknown

Length: varies

Type: Trojan

SubType: Remote Access

Minimum DAT: 4277 (07/16/2003)

Updated DAT: 4370 (06/25/2004)

Minimum Engine: 4.1.60

Description Added: 07/16/2003

Description Modified: 06/25/2004 6:15 AM (PT)

Trojan Characteristics:

-- Update June 25, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention, for example:



http://www.heise.de/security/news/meldung/48589

or

http://www.uscert.gov/current/current_activity.html



The media attention concerns recent IIS website hacks which have been performed in order to install this backdoor trojan on victim machines. For further details concerning vulnerable IIS servers and IE clients, see the following link:



http://www.microsoft.com/security/incident/download_ject.mspx





--------------------------------------------------------------------------------

The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).



EXTRA.DAT

SUPER EXTRA.DAT



--------------------------------------------------------------------------------







-- Update June 24, 2004 --

Several websites were recently hacked to serve exploit script code that results in a new polymorphic variant of BackDoor-AXJ being installed. Detection is included in the Daily DAT files as BackDoor-AXJ.gen and will also be included in the 4370 DAT release. Detection is also provided in the EXTRA.DAT packages linked above.



Earlier variants of this remote access trojan were likely to be downloaded via a downloader trojan (detected as Downloader-DI ). Multiple versions of the downloader are known to have been spammed to users.



Multiple versions of this remote access trojan are known to exist; users are recommended to use the Daily DATs for optimal detection.



Once running on the victim machine, the trojan serves multiple functions:

- acts as a web proxy
- can check remote server for updates
- cached passwords on the victim machine are logged (for sending to hacker)

When it is run, the remote access trojan installs itself into %SysDir% (eg. C:\WINNT\SYSTEM32) with a random 8 character filename. A DLL is also dropped into this directory, again with a seemingly random 8 character filename. For example:



C:\WINNT\SYSTEM32\OQLCINEI.EXE (39,140 bytes - copy of trojan)

C:\WINNT\SYSTEM32\BAGMBBPJ.DLL (5,633 bytes - dropped DLL)

Two ports are opened on the victim machine. Exact port numbers used vary between variants. One is used for the web proxy, the other for communication. Ports used in samples seen thus far include:

- 7714
- 8546
- 12334
- 12324

Notification is sent to the hacker via HTTP, sending data to a remote PHP script. This data includes the IP of the machine, plus the port numbers opened. It also includes an "identification string", presumably used to validate communication to the trojan.



Once running, other data files are written to the victim machine (%SysDir%). These files have filename NTXGL16 with DAT, SYS and VXD extensions, for example:

    C:\WINNT\SYSTEM32\NTXGL16.DAT - used for storing cached passwords retrieved from the victim machine, prior to sending to hacker.
    C:\WINNT\SYSTEM32\NTXGL16.SYS
    C:\WINNT\SYSTEM32\NTXGL16.VXD - contains contents of a remote data file which is retrieved (via HTTP) by the trojan.

System startup is hooked (via the dropped DLL) by the Registry modifications listed under Installation below.

Installation

The following values:

    "(Default)" = (path to dropped DLL, eg: C:\WINNT\System32\Bbdgff32.dll)
    "ThreadingModel" = Apartment

are added to the following key:

    HKEY_CLASSES_ROOT\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32

and this value:

    "Web Event Logger" = {79FA9088-19CE-715D-D85A-216290C5B738}

to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The DLL then executes the (randomly named) EXE.



Other Registry modifications are also made. The values:

    "FormSuggest Passwords" = yes
    "FormSuggest PW Ask" = yes
    "Use FormSuggest" = yes

are added to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main




Symptoms

- existence of the Registry keys and files detailed above
- Ports 7714 and 8546 open on victim machine






Method Of Infection

Earlier variants of this remote access trojan are likely to be downloaded via Downloader-DI which is known to have been spammed to users.



-- Update June 25th 2004 --

A new polymorphic variant of this is likely to be installed when the victim browses a specifically-hacked IIS website (see above).






Removal Instructions

All Users :

AVERT considers this to be a low risk threat.

Detection is already included in the Daily DAT files (beta).



The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).



EXTRA.DAT

SUPER EXTRA.DAT

This EXTRA.DAT package contains the following new detections:

- BackDoor-AXJ.gen
- BackDoor-AXJ.dll

And enhancements to the following detections (for detection of the script components):

- VBS/Psyme
- Exploit-MhtRedir

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).



Additional Windows ME/XP removal considerations




Aliases

- BackDoor-AXJ.gen (polymorphic variant)
- Backdoor.Berbew (NAV)
- Webber



__________________________________________



All McAfee users are recommended to update to the current DAT 4370.



Incidentally, since on 30 June the 4.2.60 engine becomes obsolete in all McAfee products, anyone with any product on an earlier engine is recommended to move to the current 4.3.20:



http://download.nai.com/products/licensed/superdat/engine/intel/4320/4320eng.exe



regards



ms, 28-06-2004
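As an added example (not part of the post or of McAfee's description), the indicators quoted above can be turned into a read-only host check. It assumes a modern Windows with PowerShell's Get-NetTCPConnection available, an elevated session, and the system directory under %SystemRoot%\System32; it only reports what it finds and removes nothing.

```powershell
# Added example: report BackDoor-AXJ indicators listed in the McAfee description.
$clsid = '{79FA9088-19CE-715D-D85A-216290C5B738}'
$findings = @()

# 1. Persistence: CLSID InProcServer32 entry and ShellServiceObjectDelayLoad value
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
if (Test-Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    $findings += "CLSID $clsid registered, InProcServer32 -> $dll"
}
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$wel = Get-ItemProperty -Path $ssodl -Name 'Web Event Logger' -ErrorAction SilentlyContinue
if ($wel) {
    $findings += "ShellServiceObjectDelayLoad 'Web Event Logger' = $($wel.'Web Event Logger')"
}

# 2. IE form-autocomplete settings forced to "yes" under HKCU\...\Internet Explorer\Main
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'FormSuggest Passwords', 'FormSuggest PW Ask', 'Use FormSuggest') {
    $v = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 'yes') { $findings += "IE Main '$name' = yes" }
}

# 3. NTXGL16 data files written to the system directory
foreach ($ext in 'DAT', 'SYS', 'VXD') {
    $f = Join-Path $env:SystemRoot "System32\NTXGL16.$ext"
    if (Test-Path $f) { $findings += "Data file present: $f" }
}

# 4. Listening ports seen in samples (web proxy and communication channel)
$ports = 7714, 8546, 12334, 12324
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Port $($l.LocalPort) listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) { 'No BackDoor-AXJ indicators found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Because the EXE and DLL names are random 8-character strings, the script keys on the fixed CLSID, the NTXGL16 files and the ports rather than on file names; a hit on any of them warrants a scan with the DAT 4370 (or newer) before cleanup.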
