Lock IT Down: IRC Trojan suspected of causing mysterious Win2K attacks

Explanation of IRC Trojan vulnerability in Windows 2000

Beginning in late August, users started to report a number of baffling attacks against Windows 2000 Server, which Microsoft struggled to explain. The Redmond giant still isn’t really sure whether the cause of these attacks is a new vulnerability or just poor configuration, but it’s leaning toward the latter. The good news is that the number of incidents has been declining.

The attacks themselves have been Trojan attacks, and all of them appear to be associated with Backdoor.IRC.Flood, which installs an IRC client on the system that serves as the attacker's back door. (It is an IRC client, not ICQ; the two are often confused.)

In the original advisory—a Microsoft Knowledge Base article—the company essentially did little more than report that the attacks had taken place. It said it was completely in the dark about the background or underlying cause, having been unable to locate any specific vulnerability that would account for the successful attacks.

By Sept. 6, 2002, Microsoft had released an updated notice, Knowledge Base article Q328691, which blamed the attacks on poor system configuration, provided a number of guidelines for securing Win2K servers, and denied that there were any undiscovered vulnerabilities to blame.

Essentially, Microsoft said, the problem was due to weak passwords. But, as a September 10 news story on this threat pointed out, Microsoft didn't explain why all of the successful attacks have been made against Windows 2000 and not against other operating systems that are just as exposed to weak passwords.

Microsoft did say at the beginning of Q328691 that this series of attacks doesn’t appear to be linked to a worm or virus, so the targets have been individually selected. That could explain why all the reported successful attacks have been against Windows 2000 servers—those are simply the systems that were targeted by the attackers.

All the successful attacks so far have been against servers running Windows 2000, but if this isn’t due to some as-yet-undiscovered flaw in that operating system, other platforms could be equally at risk and simply haven’t been targeted yet. Administrators may want to watch for suspicious activity similar to that seen in the attacks on Windows 2000.

Based on Microsoft's initial analysis of compromised systems, any hacked computer will contain a specific set of files that makes a successful attack easy to spot. Some of these files are intended to make it easier to compromise the system again; others are legitimate tools you may not have installed yourself.

The attack will leave a modified security policy in its wake on domain controllers, but it will also leave the Backdoor.IRC.Flood IRC client, which makes reentry by the hacker very simple.

According to Microsoft, some of the files left during this attack have no apparent function, such as the Gates.txt file, which contains a list of IP addresses. Microsoft reports that its specialists have been unable to determine just what these addresses indicate or are used for, if anything.

Of the remaining files, GG.bat will attack other servers and attempt to log on with administrator privileges, and Seced.bat alters the system’s security settings.

In addition, if you find legitimate copies of Psexec, Ws_ftp, and/or Flashfxp on a system and haven't installed them yourself, the system has probably been compromised.

Altered versions of MDM.exe and Taskmngr.exe are also found on compromised systems, so check those files, especially if Backdoor.IRC.Flood is also detected. Note the spelling: the legitimate Task Manager is Taskmgr.exe, so a file named Taskmngr.exe is suspect on its own, and MDM.exe should be compared against a known-good copy rather than trusted on its name alone.
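To turn the indicators above into a repeatable check, here is an added Python example (not code from the article or from Microsoft) that scores a host's file inventory against the named artifacts. Only the file names come from the advisory; the inventory format, the optional hash comparison for MDM.exe and Taskmngr.exe, the function names and the sample data are assumptions.

```python
"""Triage a host's file inventory for the Backdoor.IRC.Flood artifacts that
Microsoft lists in Q328691. Added example, not the article's or Microsoft's
code: only the file names come from the advisory; the inventory format, the
hash comparison and the function names are assumptions.
"""
import hashlib
import ntpath

# Files the advisory says the intruders leave behind (NTFS names are
# case-insensitive, so everything is compared in lower case).
ATTACK_TOOLS = {
    "gg.bat": "attacks other servers, attempting to log on as Administrator",
    "seced.bat": "alters the local security settings",
    "gates.txt": "list of IP addresses, purpose unknown",
}
# Legitimate utilities the attackers bring with them: suspicious only when
# the administrator did not install them.
DUAL_USE_TOOLS = {"psexec.exe", "ws_ftp.exe", "flashfxp.exe"}
# Binaries found altered on compromised hosts; confirm by hash against a
# known-good copy where one is available.
ALTERED_BINARIES = {"mdm.exe", "taskmngr.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def triage(inventory, admin_installed=(), baseline=None, observed=None):
    """Return (verdict, findings) for one host.

    inventory        iterable of file paths collected from the host
    admin_installed  names of dual-use tools the administrator installed
    baseline         {name: sha1 hex} of known-good copies of system binaries
    observed         {name: sha1 hex} of the copies on the host
    verdict is 'compromised', 'suspicious' or 'clean'; each finding is a
    (level, path, reason) tuple.
    """
    baseline = baseline or {}
    observed = observed or {}
    admin_installed = {n.lower() for n in admin_installed}
    names = {_name(p): p for p in inventory}
    findings = []

    for name, role in ATTACK_TOOLS.items():
        if name in names:
            findings.append(("compromised", names[name], role))

    for name in sorted(DUAL_USE_TOOLS & set(names)):
        if name not in admin_installed:
            findings.append(("suspicious", names[name],
                             "not installed by the administrator"))

    for name in sorted(ALTERED_BINARIES & set(names)):
        if name in baseline and name in observed and baseline[name] != observed[name]:
            findings.append(("compromised", names[name],
                             "hash differs from the known-good copy"))
        else:
            findings.append(("suspicious", names[name],
                             "compare against a known-good copy"))

    if any(level == "compromised" for level, _, _ in findings):
        return "compromised", findings
    return ("suspicious" if findings else "clean"), findings


def sha1(data):
    return hashlib.sha1(data).hexdigest()


# Constructed sample inventory; not taken from a real compromised host.
SAMPLE_INVENTORY = [
    r"C:\WINNT\system32\GG.bat",
    r"C:\WINNT\system32\Seced.bat",
    r"C:\WINNT\system32\Gates.txt",
    r"C:\Tools\psexec.exe",
    r"C:\Program Files\FlashFXP\FlashFXP.exe",
    r"C:\WINNT\system32\mdm.exe",
    r"C:\WINNT\system32\notepad.exe",
]
# Constructed hashes standing in for a copy of mdm.exe from clean install
# media (baseline) and the copy found on the host (observed).
SAMPLE_BASELINE = {"mdm.exe": sha1(b"constructed known-good mdm.exe")}
SAMPLE_OBSERVED = {"mdm.exe": sha1(b"constructed modified mdm.exe")}
CLEAN_INVENTORY = [r"C:\WINNT\system32\notepad.exe", r"C:\Tools\psexec.exe"]

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_INVENTORY, admin_installed={"psexec.exe"},
                               baseline=SAMPLE_BASELINE, observed=SAMPLE_OBSERVED)
    print(verdict)
    for level, path, reason in findings:
        print(f"  [{level}] {path}: {reason}")
```

In practice the inventory would come from a recursive directory listing taken off the server (for example the output of `dir /s /b`), and the baseline hashes from install media or a known-clean build of the same service pack. A host with the batch files present is called compromised outright; a dual-use tool the administrator did not install, or an unverified system binary, only raises the host to suspicious.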

Microsoft reports that in addition to being Windows 2000 platforms, all the compromised systems its security experts have analyzed appeared to share one common factor: They all had very weak or blank administrator passwords.

Risk level critical
Compromised systems are essentially left entirely open to the attacker and, if undetected, will remain compromised until the IRC back door is cleaned out and proper security settings are reestablished.

The Microsoft notice said that a successful attack will also cause denial of service to legitimate users because they will be unable to log on to the server. Access to Active Directory snap-ins (Microsoft Management Console) is also disabled for all users.

Mitigating factors
The IRC Trojan is detected by most current antivirus software with up-to-date signature files. Microsoft said this attack is succeeding only against poorly secured servers, so any system with properly configured security parameters—especially those using strong administrator passwords—will be safe. Although some in the security community are scoffing at this contention, no one has, to date, provided any proof of a specific vulnerability in Windows that could be the cause of this problem.

Since this doesn’t appear to be an actual vulnerability at this time, all you can do is clean out the infection and take steps to block future attacks. After you clean the compromised files and the IRC back door off the system, Microsoft recommends you follow the usual security procedures, including installing or properly configuring firewall software on the affected system, disabling the Guest account (a built-in account, so it can be disabled but not deleted), and strengthening any administrator passwords. Details of the cleaning process aren’t given in the notice, so you will probably want to contact Microsoft Support for help.
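Because Microsoft's finding centers on blank and weak administrator passwords, the following added Python example (again, not code from the article or from Microsoft) audits a list of accounts against the Windows 2000 "Passwords must meet complexity requirements" rules: not blank, at least six characters, characters from three of the four classes, and no part of the account name. The account list is constructed; the token-based account-name check and the function names are assumptions, and the check for reused or dictionary passwords that a real audit would add is out of scope here.

```python
"""Audit account passwords against the Windows 2000 complexity policy.
Added example, not the article's or Microsoft's code. Rules: not blank, at
least six characters, three of four character classes (upper, lower, digit,
non-alphanumeric), and no account-name token. The tokenizing of the full
name (3+ character pieces between common delimiters) is an assumed reading
of the policy text; the sample accounts are constructed.
"""
import re
import string

MIN_LENGTH = 6          # Windows 2000 complexity minimum length
REQUIRED_CLASSES = 3    # out of: uppercase, lowercase, digit, non-alphanumeric
ALNUM = string.ascii_letters + string.digits


def _classes(password):
    """Number of character classes present in the password."""
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in ALNUM for c in password),
    ])


def _name_tokens(account, full_name=""):
    """The account name as a whole, plus each 3+ character token of the full
    name split on space, comma, period, dash, underscore, hash or tab."""
    tokens = {account.lower()}
    for tok in re.split(r"[ ,.\-_#\t]+", full_name.lower()):
        if len(tok) >= 3:
            tokens.add(tok)
    return tokens


def assess(account, password, full_name=""):
    """Return the list of policy violations; an empty list means it passes."""
    if password == "":
        return ["blank password"]          # the case Q328691 describes
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _classes(password) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of 4 character classes")
    lowered = password.lower()
    for tok in sorted(_name_tokens(account, full_name)):
        if tok and tok in lowered:
            problems.append(f"contains account-name token '{tok}'")
    return problems


def audit(accounts):
    """accounts: iterable of (account, password, full_name) triples.
    Returns {account: [violations]} so the blank and weak ones stand out."""
    return {acct: assess(acct, pw, full) for acct, pw, full in accounts}


# Constructed sample; the weak entries mirror what the advisory describes.
SAMPLE_ACCOUNTS = [
    ("Administrator", "", "Built-in account for administering the domain"),
    ("webadmin", "password", "Web Server Admin"),
    ("backupadm", "Backup2002", "Backup Operator"),
    ("svc-sql", "Tq7#kL9pVm", "SQL Service"),
]

if __name__ == "__main__":
    for acct, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{acct}: {'OK' if not problems else '; '.join(problems)}")
```

The policy itself only stops a password from being set; an audit like this one is what catches the blank Administrator password that was already there before the policy was turned on, which is the situation Microsoft reported on the compromised servers.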

Final word
Unless it turns out that there really is some new flaw in Windows 2000, Microsoft appears to have been on top of this problem. Certainly, we all know that a lot of poorly secured servers are floating around out there, so the idea that someone is attacking them through weak administrator passwords isn’t that far-fetched.

The fact that only Win2K systems have been affected, or at least reported, isn’t necessarily an indication that the OS has a hidden flaw leaving it open to this attack. It may simply be that the vandals have targeted only Windows systems or that attacks on other platforms don’t cause the same denial of service event and therefore may not have drawn much attention yet.

If you have servers that don't run Windows 2000, and anything seems amiss, I would still give it a quick check for unusual activity that might be related to a similar attack. I realize that’s not very helpful. With most busy servers, some kind of nagging issue is usually going on. Nevertheless, this is one more thing to be aware of.
