OWNED: I was a zombie spybot slave

By robo_dev
Last Friday one of my home PCs took part in a cyber-attack against a server in California, all thanks to a trojan virus my youngster downloaded from the 'net.

On Friday afternoon, I get a call from the home with the report of 'the Internet connection is down'.

The LAN was not 'down', it was very much alive, as the traffic LEDs on my 3Com switch were lit solid. Something was sending a whole-lotta traffic.

I narrowed it down to one PC, but that PC had no programs running on it. I plugged in a sniffer/hub between the LAN and the WAN and....HOLY cheese and crackers! This PC was sending like 1000 UDP packets a second to one 75.x.x.x address in California (a DDoS attack in progress).

I did a netstat on this PC, and, sure enough, it showed a port 3070 connection to an IP address in Texas, and I later saw an IP from Florida establish an SSL connection to the PC (the port 3070 connection is the zombie 'checking in' or reporting for duty to the bot herder, and the SSL connection is the command-and-control communication from the bot herder him/herself).

I did a ipconfig -b (show what process is performing what connection) and saw that the CSRSS.exe application was using port 3070.

A quick check found that CSRSS is a Windows component, but this one was the wrong size and in the wrong directory (i.e. it is a virus). The file size was about 50K too big, and it was in a directory called \windows\config which is not standard.

As it turns out, my AV had missed this one....Backdoor.Win32.Poison. I sent the sample to them (Sunbelt Software Vipre) and they applied the signature immediately, so I was able to make sure that it was not on any other machines.

The source? One of my young-uns downloaded a 'Nintendo Wii Points Generator' that was linked to a YouTube video.

It had this nasty virus in it, and the AV did not catch it. This child only has supervised usage of the Internet, and knows to scan downloads for viruses.

I am going to ramp-up my defenses to include a 'Sandbox PC' running SandBoxie which is on a separate LAN...a more systematic software testing process. I am also going to leave my hub/sniffer hooked up full-time so I can monitor things more quickly (on Friday I spent five frantic minutes looking for a Netgear power supply).
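The triage steps in the post (spot the one host flooding UDP, tie the odd port to a process with netstat -b, then check that the process binary lives where Windows installs it) are easy to script. The following is an added example, not robo_dev's code or anything from Sunbelt: it runs on constructed sample data embedded inline (sniffer records, text laid out like `netstat -bno` output, and a PID-to-image-path map such as `wmic process get processid,executablepath` would give). The 203.0.113.5 target, the 10.0.0.x peers, the PIDs, the list of Windows processes that should own no sockets, and the treatment of port 3070 as a check-in port are all assumptions for the example.

```python
import re
from collections import defaultdict

# Added example, not the poster's code. All sample data below is constructed.
# Sniffer records: (seconds, src_ip, dst_ip, proto, payload); 203.0.113.5
# (TEST-NET) stands in for the poster's 75.x.x.x target.
SAMPLE_PACKETS = (
    [(i / 1000.0, "192.168.1.20", "203.0.113.5", "UDP", b"...X-R own you...")
     for i in range(1200)]
    + [(0.5, "192.168.1.20", "192.168.1.1", "UDP", b"dns query"),
       (0.7, "192.168.1.21", "203.0.113.5", "TCP", b"GET / HTTP/1.0")]
)

# Text modelled on `netstat -bno` output: the owning process name follows
# each connection line in square brackets.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1034      10.0.0.5:3070          ESTABLISHED     1588
 [csrss.exe]
  TCP    192.168.1.20:443       10.0.0.9:49152         ESTABLISHED     1588
 [csrss.exe]
  TCP    192.168.1.20:1040      10.0.0.7:80            ESTABLISHED     2212
 [firefox.exe]
  UDP    192.168.1.20:1045      *:*                                    1588
 [csrss.exe]
"""

# PID -> image path, as `wmic process get processid,executablepath` reports.
SAMPLE_IMAGE_PATHS = {
    1588: r"C:\WINDOWS\config\csrss.exe",
    2212: r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

# Assumptions: core Windows processes that normally own no network sockets,
# and the directory their genuine binaries live in.
NO_NETWORK_EXPECTED = {"csrss.exe", "smss.exe", "winlogon.exe"}
EXPECTED_DIR = r"c:\windows\system32"

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def flood_sources(packets, pps_threshold=500):
    """Return {(src, dst): peak_pps} for UDP pairs exceeding the threshold."""
    per_second = defaultdict(int)
    for ts, src, dst, proto, _payload in packets:
        if proto == "UDP":
            per_second[(src, dst, int(ts))] += 1
    peaks = {}
    for (src, dst, _sec), count in per_second.items():
        if count > pps_threshold:
            peaks[(src, dst)] = max(count, peaks.get((src, dst), 0))
    return peaks


def payload_marker_count(packets, marker=b"own you"):
    """Count packets carrying a marker string (the taunt the poster saw)."""
    return sum(1 for *_, payload in packets if marker in payload)


def parse_netstat(text):
    """Parse `netstat -bno`-style output into connection dicts."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid), "process": None})
        elif conns and (p := PROC_RE.match(line)):
            conns[-1]["process"] = p.group(1)   # name line belongs to the line above
    return conns


def suspicious_connections(conns, image_paths, beacon_ports=(3070,)):
    """Return (pid, process, foreign, reasons) for connections worth a look."""
    flagged = []
    for c in conns:
        name = (c["process"] or "").lower()
        reasons = []
        if name in NO_NETWORK_EXPECTED:
            reasons.append(f"{name} normally opens no sockets")
            path = image_paths.get(c["pid"], "").lower()
            if path and not path.startswith(EXPECTED_DIR + "\\"):
                reasons.append(f"image runs from {path}, not {EXPECTED_DIR}")
        rport = c["foreign"].rsplit(":", 1)[-1]
        if rport.isdigit() and int(rport) in beacon_ports:
            reasons.append(f"remote port {rport} is a known check-in port")
        if reasons:
            flagged.append((c["pid"], c["process"], c["foreign"], reasons))
    return flagged


if __name__ == "__main__":
    print(flood_sources(SAMPLE_PACKETS), payload_marker_count(SAMPLE_PACKETS))
    for hit in suspicious_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_IMAGE_PATHS):
        print(hit)
```

On the sample data the flood check reports the one LAN host peaking at 1000 UDP packets per second to the single target, and the netstat check flags every socket owned by PID 1588: csrss.exe should not own sockets at all, its image runs from \windows\config rather than \windows\system32, and one connection goes to the 3070 check-in port. Note that netstat -b only gives the process name, which is exactly why the path lookup is a separate step: a malicious file named like a system binary passes the name check and fails the location check.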

8 total posts (Page 1 of 1)  
Great troubleshooting details.

by CharlieSpencer In reply to OWNED: I was a zombie spy ...

This may come in handy in the future, although I hope not!

Nice post. Thanks for sharing :) ~nt~

by jck In reply to OWNED: I was a zombie spy ...

Thanks for sharing this

by Tink! In reply to OWNED: I was a zombie spy ...

and providing great details. My kids don't download without asking me first, it's the hubby I have to worry about.

Oops....correction: netstat -b, not ipconfig

by robo_dev In reply to Thanks for sharing this

Netstat -b shows which process is using what port and connection.

I have to give a security presentation in October. I saved sniffer traces and screen-shots from this little bot adventure.

So, in this case the presentation materials literally fell from the sky (well from the Internet).

Another interesting tidbit is that each UDP packet has the string

...X-R own you b**ch!...... (** censored :) )

Oh the humor of hackers.

Great detective work, Sherlock :-)

by CaptBilly1Eye In reply to OWNED: I was a zombie spy ...

An excellent job of identifying and correcting!

I've been lucky for over three years in that I haven't run into a bad one like you did. But if and when I ever do again, I'll remember your steps.

after all... experience is not the best teacher. ... it is the experience of others, that is.

Thanks.

"Experience"

by CharlieSpencer In reply to Great detective work, She ...

What you had to settle for when you didn't get what you really wanted.

thanks v/ BTW: web site for identifying what virus is in a file

by robo_dev In reply to Great detective work, She ...

http://www.virustotal.com/

The support tech at Sunbelt Software had me upload my virus to that site. VirusTotal does an analysis and tells exactly what virus the file contains.

Careful, Flash'll get you

by GSG In reply to OWNED: I was a zombie spy ...

I'm also very careful, but recently got a virus that my AV missed.

While mine wasn't sending out like yours was, I'm sure that it was just waiting for the call from the Mothership.

I've mentioned in another forum that I was trying to identify the site I got the infection from. I finally did identify the site, and notified the site administrator. Of course, I've not heard anything back, and in a controlled test, went back to the site, and of course it tried to infect me again.

The site was running flash, and it kept trying to update flash on my laptop. Each time it tried is when I got my alert from my new AV that it had the virus. Luckily, this time it was blocked before it downloaded.

I'm beginning to be converted to the "flash is evil" way of thinking.
