I. The mystery of the network disconnections
At university you are truly "free": every chore is your own responsibility, and even the dormitory network has to be set up by yourself. As the only technical person in the dorm, that task naturally fell on my head. In the end our dorm was networked through a ZyXEL SC642 ADSL modem and a TP-Link switch; I configured the modem for routing with its firewall enabled, and the dorm machines formed a peer-to-peer network. One semester passed without incident.
Toward the end of the semester, however, the network started misbehaving: all of a sudden nobody could reach the Internet. Sometimes waiting a while fixed it, but more often the only cure was restarting the modem. During an outage the modem's management interface was hard to reach, yet the interface showed the network status as "normal"! It was obviously the ADSL link dropping, but it had worked fine for a whole semester, so why had this only just started?
Since the configuration interface was hard to reach during an outage, I tried pinging the modem and found it responding very slowly, with a packet-loss rate as high as 90 percent! After restarting the modem, ping returned to normal, but all too soon the disconnections and packet loss began again. Was the modem broken? I wrote a small program to monitor the modem's response and found that every outage began with the modem timing out; once ping was normal again, the network recovered as well. Was the modem broken? I tested with the modem's route closed: I waited a long time and there was no timeout, but as soon as it was connected to the network it would frequently stop! Combining several sources with the symptoms, I concluded that this was the reaction of the modem's Viking chip after being attacked. Was someone deliberately attacking our dorm? Looking at the firewall log in the modem's configuration interface, I found scan records both from outside and from inside, and it was hard to pick out the useful data. I told everyone in the dorm to go invisible on QQ so the attacker could not grab our IP. Over the following days the network stayed intermittently unstable, and all I could do was comb through the modem's firewall log day after day for clues; the defence was stuck in a passive position.
II. Finding the source of the attack
After a few days with the firewall logs I finally found some regularity: the machine at 192.168.1.13 on our LAN triggered firewall records every day, yet its owner spent most of the day just listening to music and watching movies downloaded from the network. How could the modem see that as a threat? Another dorm member who played online games was the biggest consumer of network resources. Or was something wrong with the network module of his system? I tried pulling his network cable, but the disconnections continued, so the problem did not seem to be there, and the investigation fell back into the fog.
A few days later I noticed another important regularity: between 6 and 8 every morning there was never a problem, but once the time reached about 10 o'clock the disconnections began. From this it could be inferred that the outages were man-made, because the attacker probably did not get up that early. But that was all I could learn, because the attacker always stayed in the dark and, as if by magic, clung to our dorm's IP: no matter how many times I restarted the modem to change the IP, within ten minutes or so the modem would time out and become unstable again, and then the outages reappeared at random!
With the network unstable my roommates lost their usual good mood, and during the outages we relied on LAN games or movies to pass the time. The roommate with IP 192.168.1.13 usually used P2P software such as Card Alliance to download horror films, so occasionally I watched at his place. That day, while watching "Ghost Call", a small web page suddenly popped up; since the network was down at the time it showed "The page cannot be displayed". My roommate seemed very familiar with this: he said several of the movies he had downloaded popped up some advertisement during playback, but he thought this kind of advertising was meaningless, because sometimes in full screen you could not even see it, and only at the end of the movie would he find an extra web ad on the desktop.
A web page advertisement? A term flashed through my mind: web Trojan!
I immediately had him upload one of the previously downloaded movies that "popped up ads". About 5 minutes into playback a web page popped up; it really was an advertisement, but I saw the progress bar below it kept loading even after reaching 100 percent! I unplugged the network cable at once and looked at the page's HTML source, and found some strange things at the end of the file. To confirm, I started the IRIS capture, and sure enough this page sent a "GET /RMVB.exe" request to an IP! This was a movie file tied to a web Trojan! My roommate's machine must have been infected with a Trojan, no doubt about it!
I restarted the modem and, before the next outage, used the Rising online virus-scanning site to scan the machine. To my surprise, it reported that the machine was not infected! I did not give up: I ran Msconfig and checked the "Startup" tab, which showed nothing abnormal, but in the "Services" tab I found a "Rundll32 Management" service. Does Rundll32 need a service to keep running? The Service Manager showed that the file for this service was RManage32.exe in the WINDOWS directory, but when I opened that directory I could not find the file. What the hell? Rebooting into Safe Mode, the file was indeed there. With no time to think about what was going on, I copied it to my own computer, had my roommate delete it, and restarted several times to confirm the file was gone.
Next I ran this file directly on my own machine. Soon after it started, the network activity indicator lit up, the modem monitor program reported a timeout, and after a while the network went down once again! I looked at the modem's firewall log immediately and found that my IP, 192.168.1.8, was recorded as the source of a SingleHost DOS attack.
After cleaning out the RManage32 process and service, the dorm network never dropped again; the real killer was this little thing! Since Rising did not detect this file, I could not yet guess what it was for, but one thing was certain: the program tried to transmit data to some remote host; because of the internal NAT mapping, the connection could not be established; its repeated connection attempts were eventually treated by the modem as a denial-of-service attack, which accidentally triggered a bug in the modem's processing chip, caused the modem to stall, and brought down the dorm network!
Since the antivirus software did not know the real story, I could only analyse it myself. I opened the "three musketeers of system monitoring": the IRIS network monitor, NTRegMon (registry monitor) and FileMon (file monitor), then ran RManage32.exe and intercepted the following actions:
File behaviour:
1. Copies itself to the system directory WINNT under the name RManage32.exe
2. Creates the files RManage32.dll, RManage32_Hook.dll and RManage32Key.dll
3. Deletes the original infected body RManage32.exe
4. Starts the RManage32.exe process from the system directory
Registry behaviour:
1. Creates the service subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RManage32_Server and its related data subkeys
2. Sets the "Start" value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RManage32_Server to 0x02, i.e. automatic start
Network behaviour:
1. Connects to http://xxx.yeah.net
2. Receives HTML data that redirects to the IP corresponding to the domain name
3. Connects to port 8000 of that IP
4. No data returned
From this I inferred that the program starts as a service, and that its network connection behaviour is meant to carry out some important operation, but it failed because three protective measures stood in the way: the Skynet firewall on my machine, the internal NAT translation, and the modem firewall with its monitoring level set too high. Could it be a reverse-connection (rebound) Trojan? I looked for information at once and found that this Trojan is the famous Gray Pigeon!
Because I had already monitored its file behaviour, I was not afraid of this Trojan doing any further damage, but to catch the black hand behind the scenes I had to take a risk once more: in the modem I set up a NAT rule redirecting (RDR) all ports from our IP to my IP, and opened IRIS again to capture data. My only purpose was to obtain the controller's IP, because Gray Pigeon's "automatic on-line" reporting feature requires the control end to listen on port 8000; the service end then resolves the domain name to obtain the control end's IP and connects to the control end, achieving automatic on-line so that the control end does not need to connect to the service end itself. This method has a weakness, however: it exposes the controller's own IP, and that was exactly how I now wanted to ferret out the controller!
Network behaviour:
1. Connects to http://xxx.yeah.net
2. Receives HTML data that redirects to the IP corresponding to the domain name
3. Connects to port 8000 of that IP
4. Connection established
5. Data transfer begins
Just as the data transfer started and I was about to unplug the network cable, the network dropped again... Depressing; this little Trojan made us miserable!
In fact the controller's IP had already been exposed at the DNS step; the reason I let the Trojan keep working was to confirm whether the controller was online. Since he was online, things were easier, because those movies opened a web Trojan at a fixed IP, so the controller had to fall into one of three cases:
1. The controller's IP is static, and he runs a web service so that victims can download the Trojan
2. The controller's IP is dynamic, but through the dynamic-update domain name that Gray Pigeon calls he keeps the Trojan download IP synchronised, so he must still run a web service
3. The Trojan is hosted somewhere independent of the controller: the controller hacked a website and put the Trojan there
The first two cases were in my favour, because then all data streams come directly from the controller, and if his web service had a vulnerability I would be able to invade him in return. In the last case I would have to think further; after all, a site that could be hacked cannot have good defences either, so I could take that opportunity as well.
To confirm that the controller was using his own machine as the staging host, I typed http://<intruder IP>/RMVB.exe directly into the IE browser. Remember the data captured by IRIS earlier? That is the Trojan download address. After a moment IE popped up a download window: the controller matched the first two cases! I immediately opened a scanner and found that the controller had 4 open ports: 80, 135, 139 and 8000; the web service was IIS 5.1, and the scan found no common vulnerabilities.
The black hand behind the scenes had finally surfaced; what remained was a contest of intrusion technique.
IV. Reverse intrusion through IIS write permission
According to my roommate, the intruder spread the Trojaned movies through the P2P movie-sharing tool Card Alliance, so the number of people endangered by him could be large; I had to find a way to stop him! From the X-Scan report I guessed that the intruder's machine was a fully patched Windows XP system (the IIS version number gives it away: Win2000 has 5.0, XP 5.1, 2003 6.0) with only a few ports open. Gray Pigeon's open port could not be invaded, NetBIOS and IPC$ intrusion were impossible, so the only possible breakthrough was the web service. But opening it in IE gave only a "site is not configured" prompt; clearly the intruder ran the web service only to host a Trojan file for victims to download, and there could be no forum or similar thing on it to break. Should I just give up? I was unwilling, and after looking through some IIS technical material I discovered an important term: "IIS write permission"!
Let me briefly describe what "write permission" is. It comes from the WebDAV component that caused a major vulnerability that year: a server extension that allows files to be written directly into the server's directories. It is convenient for administrators performing remote operations, but it also has security implications for the server; with luck, an IIS that has not been configured is open to anonymous write access, and an intruder can write harmful files, such as WebShell scripts, into the web directories.
First I tested whether the intruder had specially configured IIS; if WebDAV was turned off, everything would be lost... Open a Telnet connection to the other side's port 80 and enter:

OPTIONS / HTTP/1.1
Host: www.s8s8.net

After two carriage returns the following data comes back:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 12 Jul 2005 03:39:50 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

The server has WebDAV enabled and supports PUT, which is the basis of "write permission". Next, to further verify that "write access" is really open, enter in Telnet:

PUT /file.txt HTTP/1.1
Host: <intruder IP>
Content-Length: 1

It returns:

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.1
Date: Tue, 12 Jul 2005 04:23:55 GMT

Enter 1 character, and the response is:

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.1
Date: Tue, 12 Jul 2005 04:24:12 GMT
Location: http://<intruder IP>/file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
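As an added example (not code from the original article), a Python helper for auditing your own IIS: it parses an OPTIONS reply like the one quoted above and reports whether WebDAV is advertised and which content-changing methods appear in the Public and Allow headers. The sample input is the article's reply re-typed; the DASL value, which did not survive extraction, is left empty.

```python
# Methods that let a client change content on the server. Seeing them in an
# anonymous OPTIONS reply is the signal that "write permission" may be open.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

def parse_http_response(raw: str) -> tuple:
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    status, headers = lines[0].strip(), {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # blank line or body text, not a header
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers

def _method_set(headers: dict, name: str) -> set:
    return {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}

def webdav_write_exposure(raw: str) -> dict:
    """Summarise what an OPTIONS reply admits about WebDAV and write methods.

    'Public' lists methods the server supports globally; 'Allow' applies only to the
    requested resource, so PUT missing from Allow for "/" says nothing about other paths
    (in the article, PUT to /file.txt succeeded although Allow for "/" omitted it).
    """
    status, headers = parse_http_response(raw)
    public, allow = _method_set(headers, "public"), _method_set(headers, "allow")
    dav_on = "dav" in headers or headers.get("ms-author-via", "").upper() == "DAV"
    return {
        "status": status,
        "server": headers.get("server", ""),
        "webdav_enabled": dav_on,
        "write_methods_server_wide": sorted(WRITE_METHODS & public),
        "write_methods_on_resource": sorted(WRITE_METHODS & allow),
        "put_advertised_but_not_on_this_path": "PUT" in public and "PUT" not in allow,
    }

# The OPTIONS reply quoted in the article, re-typed as sample input.
ARTICLE_OPTIONS_REPLY = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 12 Jul 2005 03:39:50 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private
"""
```

A hardened server should answer with no DAV headers and only OPTIONS, GET, HEAD and POST in both lists.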
The server supports "write permission", so let me give it a WebShell! I used SuperHei's iiswrite.pl script to write in the classic backdoor that has long circulated on the net, and through it wrote my modified version of the Ocean Top ASP Trojan (for reasons of article space it is not written out here). After some searching I discovered his movie directory; estimating that all of them had been Trojaned, I deleted them all, then cleaned out the system's important files and startup files, so that at his next boot he would find his system paralysed and taste his own medicine!
For days afterwards the dorm network never dropped, and everything returned to normal. As for the movie files, since the intruder had modified them and changing them back was too much trouble (not that it was impossible), they were simply deleted, and the backdoor crisis was over.
Some readers may find this terrifying: even movie files can carry poison, so how can we watch movies from now on? How do I check whether a movie file is infected? Don't panic; this is no deep "infection technique". The culprit is the so-called "event" feature that comes with the RealMedia format, which lets the video player automatically open a web page at a preset time. I don't know what Real was thinking, but today this feature being heavily used to spread Trojans is a reality: the intruder builds a web Trojan, then modifies the Real-format movie file, adding an event that opens the web Trojan's URL at a certain time, and then sits back and waits. Note that the movie file itself is not a Trojan; it only carries an event that opens a web page. The problem is that it does not know the page is harmful!
Gray Pigeon normally cannot be found, because its protection mechanism intercepts API calls so that the system cannot enumerate its related information; so whether from Explorer or a process viewer, you cannot find its file body or its process. Perhaps the only place it exposes itself is the service list in the Service Manager, but after a slight change it can be hidden there too. In addition, because it is a reverse-connection Trojan (the service end actively connects to the control end), it opens no port, and so Gray Pigeon can fool many users into being victimised unknowingly. However, this concealment has one great failure environment: Safe Mode or a non-Windows system, because however powerful its HOOK functions are, there must still be an EXE that loads the functional DLL modules into memory, otherwise it is just a useless pile of files. And remember the principle of DLL Trojans: antivirus vendors are soon able to detect and kill a new version of the Trojan, so readers need not be too scared; the Gray Pigeon in this case escaped detection only because it had been separately packed and some settings changed, altering its signature, which is a one-off phenomenon.
This incident came to light because the modem's firewall level was set too high and the service end sat in a LAN environment, so that when the Trojan tried to interact with the outside the modem intercepted it and became overloaded. I cannot know the specific details, but precisely because of this bug in the modem's chip the Trojan's plot was avoided; had the modem been a different one, the Trojan would have done its damage. Therefore, configuring the modem's firewall is necessary work!
Since the Trojan was downloaded from a web page through an IE vulnerability, and IE vulnerabilities will never all be patched, I cannot simply say "patch your system regularly", because actual cases have shown that some IE vulnerability patches were as good as no patch. So the only advice I can give readers is to keep a regular eye on what files and services have appeared on their system and on any abnormal phenomena, and to master basic intrusion detection techniques, so as to ensure that they are not compromised in this chaotic network!
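As an added example (not from the original article), a small Python checker that walks the RealMedia container, lists each stream's MIME type, flags any stream that is not a plain audio, video or file-info track, and reports every URL embedded anywhere in the file. The constructed sample file and its event-stream MIME string are assumptions for illustration.

```python
import re
import struct

PLAYBACK_MIMES = ("video/", "audio/", "logical-fileinfo")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def parse_rm_streams(data: bytes) -> list:
    """Return (stream_id, mime_type) for every MDPR chunk in a RealMedia file.

    Each chunk is a 4-byte FourCC, a big-endian uint32 size (counting this
    10-byte header) and a uint16 version. Parsing stops at the DATA chunk.
    """
    if data[:4] != b".RMF":
        raise ValueError("not a RealMedia container")
    streams, pos = [], 0
    while pos + 10 <= len(data):
        fourcc, size, _ver = struct.unpack(">4sIH", data[pos:pos + 10])
        if size < 10 or fourcc == b"DATA":   # truncated header, or packets begin
            break
        if fourcc == b"MDPR":
            body = data[pos + 10:pos + size]
            stream_id = struct.unpack(">H", body[:2])[0]
            p = 30                           # skip id + seven uint32 rate/time fields
            name_len = body[p]; p += 1 + name_len
            mime_len = body[p]; p += 1
            streams.append((stream_id, body[p:p + mime_len].decode("latin-1")))
        pos += size
    return streams

def audit_rm(data: bytes) -> dict:
    """Flag non-playback streams (e.g. an event track) and any URL in the file."""
    streams = parse_rm_streams(data)
    return {
        "streams": streams,
        "suspicious_streams": [s for s in streams if not s[1].startswith(PLAYBACK_MIMES)],
        "urls": [m.group().decode("latin-1") for m in URL_RE.finditer(data)],
    }

# --- constructed sample (not a real capture): a video track plus an event track ---
def _chunk(fourcc: bytes, body: bytes) -> bytes:
    return struct.pack(">4sIH", fourcc, 10 + len(body), 0) + body

def _mdpr(stream_id: int, name: bytes, mime: bytes) -> bytes:
    body = struct.pack(">H7I", stream_id, 0, 0, 0, 0, 0, 0, 0)   # bitrates/times zeroed
    body += bytes([len(name)]) + name + bytes([len(mime)]) + mime
    return _chunk(b"MDPR", body + struct.pack(">I", 0))          # no type-specific data

SAMPLE = (
    struct.pack(">4sIHII", b".RMF", 18, 0, 0, 3)                 # file header, 3 headers follow
    + _mdpr(0, b"Video Stream", b"video/x-pn-realvideo")
    + _mdpr(1, b"Events", b"application/x-pn-realevent")         # assumed event MIME type
    + _chunk(b"DATA", b"\x00\x00\x00\x01OpenURL http://example.invalid/RMVB.exe\x00")
)
```

Run `audit_rm(open(path, "rb").read())` on a downloaded file; a non-empty urls list or a suspicious stream is what to look at before playing it.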