OWNED: I was a zombie spybot slave
Last Friday one of my home PCs took part in a cyber-attack against a server in California, all thanks to a trojan virus my youngster downloaded from the ‘net.
On Friday afternoon, I get a call from the home with the report of ‘the Internet connection is down’.
The LAN was not ‘down’, it was very much alive, as the traffic LEDs on my 3Com switch were lit solid. Something was sending a whole-lotta traffic.
I narrowed it down to one PC, but that PC had no programs running on it. I plugged in a sniffer/hub between the LAN and the WAN and... HOLY cheese and crackers! This PC was sending like 1000 UDP packets a second to one 75.x.x.x address in California (a DDoS attack in progress).
I did a netstat on this PC, and, sure enough, it showed a port 3070 connection to an IP address in Texas, and I later saw an IP from Florida establish an SSL connection to the PC (the port 3070 connection is the zombie ‘checking in’ or reporting for duty to the bot herder, and the SSL connection is the command-and-control communication from the bot herder him/herself).
I did an ipconfig -b (show what process is performing what connection) and saw that the CSRSS.exe application was using port 3070.
A quick check found that CSRSS is a Windows component, but this one was the wrong size and in the wrong directory (i.e. a virus). The file size was about 50K too big, and it was in a directory called \windows\config, which is not standard.
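The triage in the preceding paragraphs (find the process behind the outbound connection, then check whether it is really the Windows binary it claims to be) as an added example; this is not code from the original post. It assumes `netstat -ano`-style output with a PID column, a separate process table mapping PID to image path and size, and a constructed known-good baseline for csrss.exe; every sample value below is made up.

```python
"""Triage helper: flag a process holding an outbound connection while
impersonating a Windows system binary (wrong directory or wrong size).

Added example, not code from the original post. The netstat output, process
table and known-good baseline are constructed samples.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -ano` output on Windows; the
# last column is the owning PID. A real run would read this from a subprocess.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49211     203.0.113.45:3070      ESTABLISHED     1488
  TCP    192.168.1.20:49300     198.51.100.9:443       ESTABLISHED     1488
  TCP    192.168.1.20:445       0.0.0.0:0              LISTENING       4
  UDP    192.168.1.20:61000     *:*                                    1488
"""

# Constructed process table: PID -> (image path, size in bytes), as you would
# assemble from tasklist / a file-properties check. PID 1488 is the rogue copy
# in \Windows\config, roughly 50 KB larger than the genuine System32 binary.
SAMPLE_PROCESSES = {
    4:    ("System", 0),
    1488: (r"C:\Windows\config\csrss.exe", 57344),
    724:  (r"C:\Windows\System32\csrss.exe", 6144),
}

# Expected directory and size for system binaries, as recorded on a known-good
# machine (constructed baseline; real values depend on the Windows build).
KNOWN_GOOD = {
    "csrss.exe": (r"c:\windows\system32", 6144),
}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP rows, which carry no state column
    pid: int


# Proto, local, foreign, optional state, PID. Header lines do not match.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse netstat -ano style lines into Conn records."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def outbound_pids(conns):
    """PIDs that hold an established TCP session (the 'checking in' symptom)."""
    return sorted({c.pid for c in conns
                   if c.proto == "TCP" and c.state == "ESTABLISHED"})


def check_image(path, size, known_good=KNOWN_GOOD, tolerance=1024):
    """Reasons an image looks like a masquerading system file ([] if clean).

    Only names present in the baseline are judged; anything else is ignored.
    """
    directory, name = ntpath.split(path)
    name = name.lower()
    if name not in known_good:
        return []
    good_dir, good_size = known_good[name]
    reasons = []
    if directory.lower() != good_dir:
        reasons.append(f"{name} runs from {directory!r}, expected {good_dir!r}")
    if abs(size - good_size) > tolerance:
        reasons.append(f"{name} is {size} bytes, expected about {good_size}")
    return reasons


def triage(netstat_text, processes):
    """Map outbound connections to their owning process and flag bad images."""
    findings = {}
    for pid in outbound_pids(parse_netstat(netstat_text)):
        path, size = processes.get(pid, ("<unknown>", 0))
        reasons = check_image(path, size)
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print("  -", reason)
```

On the sample data this reports PID 1488 twice over: wrong directory and wrong size. The baseline dictionary is the part worth maintaining; a copy of a system binary that passes the name check but fails on path or size is exactly the case the post describes, and the same check extends to any other commonly impersonated name you add to `KNOWN_GOOD`.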
As it turns out, my AV had missed this one... Backdoor.Win32.Poison. I sent the sample to them (Sunbelt Software Vipre) and they applied the signature immediately, so I was able to make sure that it was not on any other machines.
The source? One of my young-uns downloaded a ‘Nintendo Wii Points Generator’ that was linked to a YouTube video.
It had this nasty virus in it, and the AV did not catch it. This child only has supervised usage of the Internet, and knows to scan downloads for viruses.
I am going to ramp up my defenses to include a ‘Sandbox PC’ running Sandboxie which is on a separate LAN... a more systematic software testing process. I am also going to leave my hub/sniffer hooked up full-time so I can monitor things more quickly (on Friday I spent five frantic minutes looking for a Netgear power supply).