
  • Creator
  • #2199887

    OWNED: I was a zombie spybot slave


    by robo_dev ·

    Last Friday one of my home PCs took part in a cyber-attack against a server in California, all thanks to a trojan virus my youngster downloaded from the ‘net.

    On Friday afternoon, I get a call from the home with the report of ‘the Internet connection is down’.

    The LAN was not ‘down’, it was very much alive, as the traffic LEDs on my 3Com switch were lit solid. Something was sending a whole-lotta traffic.

    I narrowed it down to one PC, but that PC had no programs running on it. I plugged in a sniffer/hub between the LAN and the WAN and... HOLY cheese and crackers! This PC was sending something like 1000 UDP packets a second to one 75.x.x.x address in California (a DDoS attack in progress).

    I did a netstat on this PC, and, sure enough, it showed a port 3070 connection to an IP address in Texas, and I later saw an IP from Florida establish an SSL connection to the PC (the port 3070 connection is the zombie ‘checking in’ or reporting for duty to the bot herder, and the SSL connection is the command-and-control communication from the bot herder him/herself).

    I did an ipconfig -b (show what process is performing what connection) and saw that the CSRSS.exe application was using port 3070.

    A quick check found that CSRSS is a Windows component, but this one was the wrong size and in the wrong directory (i.e. it is a virus). The file size was about 50K too big, and it was in a directory called \windows\config, which is not standard.

    As it turns out, my AV had missed this one... Backdoor.Win32.Poison. I sent the sample to them (Sunbelt Software Vipre) and they applied the signature immediately, so I was able to make sure that it was not on any other machines.

    The source? One of my young-uns downloaded a ‘Nintendo Wii Points Generator’ that was linked to a YouTube video.

    It had this nasty virus in it, and the AV did not catch it. This child only has supervised usage of the Internet, and knows to scan downloads for viruses.

    I am going to ramp up my defenses to include a ‘Sandbox PC’ running Sandboxie which is on a separate LAN... a more systematic software testing process. I am also going to leave my hub/sniffer hooked up full-time so I can monitor things more quickly (on Friday I spent five frantic minutes looking for a Netgear power supply).
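A small triage helper, added here as an example (not code from the post), that automates the two checks described above: map each connection in `netstat -b` output to its owning image, then flag any process named like a core Windows binary that is running from outside System32. The netstat output and the process-to-path inventory are constructed samples; on a real box they would come from `netstat -b` and from Task Manager or `wmic process get name,executablepath`.

```python
import re

# Constructed sample of Windows `netstat -b` output (assumption: the bracketed
# image name follows the connection lines it owns, as netstat prints it).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1045      203.0.113.10:3070      ESTABLISHED
 [csrss.exe]
  TCP    192.168.1.20:1046      198.51.100.7:443       ESTABLISHED
 [firefox.exe]
  UDP    192.168.1.20:1047      *:*
 [csrss.exe]
"""

# Constructed process inventory (image name -> on-disk path). The genuine
# csrss.exe lives in System32; the imposter in the post lived in \windows\config.
PROCESS_PATHS = {
    "csrss.exe": r"C:\WINDOWS\config\csrss.exe",
    "firefox.exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

# Core Windows images that should only ever run from %SystemRoot%\System32.
SYSTEM32_ONLY = {"csrss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "svchost.exe"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat_b(text):
    """Return (proto, local, remote, state, image) tuples; state is None for UDP."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:                      # a connection line; owner comes on a later line
            pending.append(m.groups())
            continue
        m = IMAGE_RE.match(line)
        if m:                      # "[image.exe]" closes the pending connections
            image = m.group(1).lower()
            conns.extend(c + (image,) for c in pending)
            pending = []
    return conns


def suspicious_connections(conns, paths):
    """Flag connections owned by a 'system' image running from outside System32."""
    flagged = []
    for proto, local, remote, state, image in conns:
        path = paths.get(image, "")
        if image in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
            flagged.append((image, path, proto, remote))
    return flagged
```

A hit on a well-known name with a path under something like \windows\config is exactly the clue the post relied on, and the remote address attached to it tells you what to look at next in the sniffer trace.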

All Comments

  • Author
    • #3001402

      Great troubleshooting details.

      by charliespencer ·

      In reply to OWNED: I was a zombie spybot slave

      This may come in handy in the future, although I hope not! :O

    • #3001382

      Nice post. Thanks for sharing :) ~nt~

      by jck ·

      In reply to OWNED: I was a zombie spybot slave


    • #3001370

      Thanks for sharing this

      by tink! ·

      In reply to OWNED: I was a zombie spybot slave

      and providing great details. My kids don’t download without asking me first, it’s the hubby I have to worry about. 😀

      • #3001355

        Oops... correction: netstat -b, not ipconfig

        by robo_dev ·

        In reply to Thanks for sharing this

        Netstat -b shows which process is using what port and connection.

        I have to give a security presentation in October. I saved sniffer traces and screen-shots from this little bot adventure.

        So, in this case the presentation materials literally fell from the sky (well from the Internet).

        Another interesting tidbit is that each UDP packet has the string

        ...X-R own you b**ch!... (** censored 🙂)

        Oh the humor of hackers.

    • #3001351

      Great detective work, Sherlock :-)

      by captbilly1eye ·

      In reply to OWNED: I was a zombie spybot slave

      An excellent job of identifying and correcting!

      I’ve been lucky for over three years in that I haven’t run into a bad one like you did. But if and when I ever do again, I’ll remember your steps.

      After all... experience is not the best teacher... it is the experience of others, that is.


    • #3001324

      Careful, Flash’ll get you

      by gsg ·

      In reply to OWNED: I was a zombie spybot slave

      I’m also very careful, but recently got a virus that my AV missed.

      While mine wasn’t sending out like yours was, I’m sure that it was just waiting for the call from the Mothership.

      I’ve mentioned in another forum that I was trying to identify the site I got the infection from. I finally did identify the site, and notified the site administrator. Of course, I’ve not heard anything back, and in a controlled test, went back to the site, and of course it tried to infect me again.

      The site was running Flash, and it kept trying to update Flash on my laptop. Each time it tried, I got an alert from my new AV that it had found the virus. Luckily, this time it was blocked before it downloaded.

      I’m beginning to be converted to the “flash is evil” way of thinking.
