========================================================
RPC-DCOM Worm Infection Vectors
========================================================

"Security Reseachers use latest RPC exploit to conduct
  a Coridinated Distributed Denial of Service Attack"

or,  my network has been attacked by security reseachers 
     a factual analysis

-----------------------------------------------------------





Donnie Werner
http;//exploitlabs.com
http://e2-labs.com



cc: to

security@tampabay.rr.com  - Road Runner
security@charter.net - Charter Networks
noc@internap.com - ( InPhonic, Inc. (INPHONIC3-DOM)
ipoperations@bellsouth.net - BellSouth



preface:
--------
 
1000's of host within a central infection region compromized
 via RPC-DCOM exploit ( all tested samples scan as "vunerable" )

all atacking parties are in the infosec / security arena and are
 contributers to Full Disclosure and Bugtraq

the mass localization of zombied hosts will match to the basic
 home locale of the main characters outlined within , this aids
 in the forensics and investigation to find the guilty parties

the "perps" made a souviner of thier own attack

http://pimp.ladyofwisdom.edu/morning_wood-fun.txt





INVESTIGATIVE ANALYSIS
======================


atacking "enities"
----------------------
the "nopninjas" and "majestik" 
hacking / bot / effnet kiddies groups


method of attack:
-----------------
SDbot 05b via compromised ( zombie ) systems


executable / virus filename:
----------------------------
trojan: SdBot 05b 
executable: proc32.exe  

note: every infected system containd this file
with the attack target set to "exploitlabs.com"  ( see link bot.txt )
sdbot has the ability to change the names of the executable after instalation

controllers of attacking urls:
------------------------------
http://66.151.154.251/  <----- 66.151.xxx.xxx one major source of attacking bots
irc 66.151.154.251:6667
pimp.ladyofwisdom.edu 

http://64.203.4.70/
http://user-10cm126.cable.mindspring.com/

irc 24.118.20.172:6667  


exploited networks used as zombies:
-----------------------------------
68.154.xxx.xxx  - BellSouth  
68.158.xxx.xxx
24.71.xxx.xxx  - Road Runner, Tampa Bay
24.241.xxx.xxx  - Charter 


network under attack:
---------------------
exploitlabs.com


background / analysis
---------------------



"majestic" irc ( 24.118.20.172:6667 ) shows "sdbot" type of activity

------------- snip --------------

#majestic lwbiv H tkgd@majestic-14B30142.cvx17-bradley.dialup.earthlink.net :0 lwbiv
#majestic jeshmq H xrlka@majestic-1454E413.vie.surfer.at :0 jeshmq
#majestic njgu H eljro@majestic-11FDDDC2.ipt.aol.com :0 njgu
#majestic ppqg H fdisx@majestic-14B2477A.ipt.aol.com :0 ppqg
#majestic bekf H xqduwi@majestic-2248A681.crlsca.adelphia.net :0 bekf
#majestic HaX H johndoe@majestic-ABDD6BF.potshe01.pa.comcast.net :0 john doe
#majestic 

lwbiv Owner sam jeshmq njgu ppqg wEc[4336] bekf Warren73 gxdtqf Joey
 Chibata38 TERRI PochiX1512 pietroush5113 HaX majestic_ wEc[63397] 

----------- snip ---------------



Factual Statement:
------------------

My support center at ( exploitlabs.com ) was "invaded" by aprox 20 live hosts from a
 "hacking" group from efenet, "nopninjas" 



note: i am <XssKing> and <morning_wood> 192.168.0.*
the folowing was provided to me from the atacking crew itself ( i guess their proud )

---------- snip ----------

*** poofie (~int80@awww.jeah.net) has joined #0sec
<XssKing> wb
*** b0f (~b0f@c3p0.reverse.net) has joined #0sec
<poofie> hi
<XssKing> heh
<buRdeN> everything you'd need to uncap yer modem
<XssKing> sup b0f
<buRdeN> in one product
*** karkark (~malevolent@c-df0971d5.019-83-6370682.cust.bredbandsbolaget.se) has joined #0sec
<XssKing> yea
<XssKing> i was looking fopr a tftp
<b0f> hi
<XssKing> and founfd that
<karkark> hello
*** demiurge (~root@h0stname.net) has joined #0sec
<XssKing> long time
<buRdeN> hi everyone
<XssKing> b0f
<b0f> yah ?
*** phaze (~phaze@24-117-163-233.cpe.cableone.net) has joined #0sec
<XssKing> i rember you from like 2 years ago
<karkark> hey morning_wood why don't you answer my emails?
<demiurge> yo w00d
<demiurge> back
<demiurge> sup man?
<XssKing> wat mails?
<b0f> any xss 0day for trade ?
<karkark> XssKing hang on
<XssKing> not todayu i been busy
<karkark> hey morning_wood why don't you answer my emails?

<morning_wood> wat mails?

<karkark> this one http://lists.netsys.com/pipermail/full-disclosure/2003-July/011927.html


--------- snip ------------


after much lame chat we see
the DoS begin



--------- snip ------------


<kokanin> my god morning_wood you're so retarded you don't even get it when you're being insulted
<phaze> 
uid=0(root) 
gid=0(root) 
groups=0(root)
,1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
<phaze> I am prolly very vuln this is ooooold version


[kokanin:#0sec MORNING_WOOD] is a fag
<kokanin> [morning_wood Invalid reply]: CTCP command.
<kokanin> jeez
<phaze> lol
<b0f> lol
[kokanin:#0sec REPLY_TO_THIS_IF_YER_GAY]
<kokanin> yay morning_wood is gay
<kokanin> but we knew that
<kokanin> you trade a lot of 0day xss?
<kokanin> lol


ωνω SignOff kokanin: #0sec (Quit: kiss my ass)

ωνω SignOff demiurge: #0sec (Quit: [BX] Leggo my Eggo!)


<b0f> yah ill give u apache 0day for xss in lame.com

ωνω phaze [~phaze@xxxxxxxxxxxxxx.cpe.cableone.net] has left #0sec 
[Xchizat for the real hommies]


<b0f> moo

<b0f> exploitlabs.com is vuln to remote exploit

<b0f> ***** suprise *****


ωνω ysmcju [kfeq@xxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω nlfwky [ftyq@xxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω aojx [~lbkf@xxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω htpdd [kwmq@xxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω tlhyic [ofjbx@xxxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω tqubox [utaik@xxxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω cmqcpn [isss@xxxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω vvkr [joeiom@xxxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω replwe [whmd@xxxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω zkmc [wnbuz@xxxxxx.73-24.tampabay.rr.com] has joined #0sec
ωνω ffea [gachhh@xxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω uqlk [hojh@xxxxxx.73-24.tampabay.rr.com] has joined #0sec

ωνω SignOff xternal_: #0sec (Excess Flood)

<buRdeN> wtf

<b0f> haha


----------------- snip -----------------


at which time I am invaded by over 1000 connecting hosts
from 24.241.xxx.xxx , 24.73.xxx.xxx and the 68. occets





IDENTEFICATION:
===============


who is karkark:
---------------
Knud Erik Hψjgaard kain@ircop.dk
 
http://www.google.com/keyword/Knud+Erik+H%C3%B8jgaard



perpetrator "nicks" on this attack: 
----------------------------------------



1.

sloth (~sloth@pimp.ladyofwisdom.edu)  /  sloth@nopninjas.com
http://www.ircnick.com/index.php?sloth
http://www.b0red.com/people/sloth-starbucks.jpg

http://packetstormsecurity.nl/worms/mindjail.txt
http://hack.datafort.net/~newlevel8/  <----  this style looks a bit familar from FD


2.

b0f [~b0f@xxxx.reverse.net]
http://www.b0f.com/

3.
Matthew McGehrin (mcgehrin@reverse.net)
http://mail.gnu.org/archive/html/help-emacs-windows/2002-08/msg00017.html


4.

int80 (~int80@216.111.239.130)
poofie [~unf@awww.jeah.net]
http://www.jeah.net/
http://blitzed.org/linkapp.phtml?linkapp=pan.wi.us

he has had trouble in the past as we can see by..

http://www.acky.net/forums/DCForumID14/21.html



5.

liamfoy (~buf@213.122.88.79)
http://www.sepulcrum.org/
http://virtus.ath.cx/~liam/me2.jpg

Liam-Foy
United Kingdom
Age: 15
liamfoy@sepulcrum.org

http://www.btinternet.com/~liam_foy/newss.jpg
http://www.btinternet.com/~liam_foy/about/network.jpg.JPG



6.

yobeee (~reimannj@12.109.93.111)

Nik Reiman // nik@aboleo.net 
http://12.109.93.111 = http://aboleo.net



7.

opy (~opy@pc4-ruth2-4-cust63.renf.cable.ntl.com)
http://www.dtors.net



8.
dvdman (~dvdman@reptile.cube11.net)
http://l33tsecurity.com/



dead (~dead@h24-76-147-162.wp.shawcable.net)

soot (~soot@ip68-10-112-148.hr.hr.cox.net)

(~phaze@24-117-163-233.cpe.cableone.net)

wood_sux (~4440655a@66.111.35.90)

demiurge (~demiurge@halfpint.org)

Defiance (~mitchell@fl1-24.217.211.126.charter-stl.com)

timberland (~hk@24-116-60-114.cpe.cableone.net)

ekom (~inout@203.170.68.103)



this was a log not recorded by me
---------------------------------

http://exploitlabs.com/attack/morning_wood-fun.txt


this was logged by me with some help:
-------------------------------------

<xxxxxx> talked to Hax
<xxxxxx> from majestic
<MrWood> whats up with mak?
<xxxxxx> he showed me his new bot
<MrWood> get it the fuck off me
<xxxxxx> ne way... u see mayj
<xxxxxx> on the site...
<xxxxxx> just a kid!
<MrWood> why is he fucking with me?
<xxxxxx> and I qutoe "he doesn't know shit" end quote
<xxxxxx> quote "he needs to shut his piehole" end quote
<MrWood> i c


sdbot string analysis:
----------------------

http://exploitlabs.com/attack/sdbot.txt


live sdbot binary from infected system:
---------------------------------------

http://exploitlabs.com/attack/proc32.zip


this is a netstat dump
-----------------------

http://exploitlabs.com/attack/netstat.txt


this is a screenshot of bot connections on an infected server
provided with the cooperation of an infected customer i contacted
and worked closely with 
------------------------

http://exploitlabs.com/attack/screenshot.jpg



 
furthermore, the only "exploit" i am vuln to is 1000's of sdbots on infected 
 hosts directed at my network



analysis by:
------------

Donnie Werner
morning_wood@e2-labs.com
http://e2-labs.com


 I would like to thank the cooperation of "Bob" the businessman
for helping me analyse his compromised system in the 24.73.xxx.xxx address
and his network tech for working with me in this investigation.