25 August 2007 @ 09:43 pm
Mailspectre. Well then, let's begin. English text, as asked. ;-)
Or the great hunt.

Soo. Apparently I was baptised by fire today.

Today was a big game hunt. It started as a small recon of the network, but ended with the hunt for the big game.

And the game we caught was REAL big.

The back story:
A big network. A lot of people work there. Some subnetworks go to the computers of people who rent a room in our office. Those computers are routed differently than everyone else's.

Last week an admin was fired. That admin DID NOT do any network maintenance or somesuch for the THREE months he was employed, and the place is now a MESS.

It still worked, since the original admin did a good job during the 10 years he was with the people I work with, and he still appears from time to time (now to help me learn the ropes of this system).

The story:
There were virus troubles, and mail black list woes for our domain.

Today we found out the reason for that. Cornered it. And barricaded it with some firewall rules.
It is a stealthy spam mail server (one that we could not dislodge from the system quickly: detect, yes; dislodge, no). Something people would call a rootkit. Also, Google does not know about it.

And it's called MailSpectre. Anyone heard about it?

We found it when I was shown what system is in place to count traffic. Traffic is counted using a log. (I'd have to write a simple script to parse the log, btw.) The usual traffic logs of computers from that subnet are somewhere between 1 and 4 MB. This month it is 170 MB (and during the hour we were fighting viruses it grew by 1 MB).

This means that come Monday some disk formatting and Windows reinstallation is going to happen. :-\

Also, I'll write where I work on Monday. :D
Zastrazzi (zastrazzi) on August 25th, 2007 05:58 pm (UTC)
Mm... rootkit. Any chance you want to zip it up and send it my way?
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 06:11 pm (UTC)
Once I find where it lives, I could. I only currently know that it exists on that machine, that it uses port 25 to send mail, and some other port 2xxx-something to receive control from outside. That machine is now under quarantine, internet-connection-wise. Also, it is possible that the user of the machine might format disk C, although I asked them not to. :>

Anyhow, if you want it. If it survives. If I can locate it (and I suspect I will; no Windows rootkit beats a Linux boot CD and a search function). You will have it.
Zastrazzi (zastrazzi) on August 25th, 2007 06:34 pm (UTC)
And it stands even less of a chance if you take The Coroner's Toolkit to it :) Just remember to literally pull the plug on it rather than doing a clean shutdown *nodnod*
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 06:40 pm (UTC)
Well yeah. Thing is, it shuts down the computer for about 5 minutes. During that time I was able to locate it, as with some poking Windows complains that the program MailSpectre is taking too long to respond and shut down. :>

And it is not in the process list. :>

I'll look into coroner's toolkit.
Zastrazzi (zastrazzi) on August 25th, 2007 06:50 pm (UTC)
http://www.remote-exploit.org/backtrack.html

Sleuthkit - similar tool, works well

Backtrack is probably, hands down, the best livecd out there for anything security related.
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 06:56 pm (UTC)
Aha. Thanks. :-)

From the list of apps in Frenzy, I don't think it has The Coroner's Toolkit, only chkrootkit. :>
Here's the list.

:-) I'll give Backtrack a spin.
Zastrazzi (zastrazzi) on August 25th, 2007 06:58 pm (UTC)
chkrootkit is generally disappointing. Not enough detection, too many false positives that waste your time trying to track down.

Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 07:02 pm (UTC)
There's also rkhunter.
Only 10 tools listed under security. On the other hand it has a lot of other good tools. :>
And I've already downloaded it, and I'm getting Backtrack too.
Will take them both for a spin on Monday.
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 06:42 pm (UTC)
Any boot CD distro that has it built in?

I know that there is some Ukrainian FreeBSD live disk that is real good for stuff like that, but I'm not sure whether it has that toolkit or not.
Zastrazzi (zastrazzi) on August 25th, 2007 06:56 pm (UTC)
Complete list of tools on Backtrack

http://backtrack.offensive-security.com/index.php?title=Tools

aka, LOTS. If you can't hack the tubes with this baby, yer hosed :)
Zastrazzi (zastrazzi) on August 25th, 2007 07:01 pm (UTC)
btw, if you can get cygwin running on that box, you could take advantage of some clean/trusted binaries like lsof etc.

If you go that route, pre-install it elsewhere, copy the entire directory over after you've got it, then re-run the installer and point it at the directory you copied... lightning fast at that point.

I'm off for the day, but if you feel the need to get extra help/input I have my cell with me.

1-403-826-1196 (not sure how you dial that from Russia, but yer a smart monkey *grin*)

Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 07:10 pm (UTC)
I'm not likely to use the phone to call overseas, but thanks anyway.

Anyhow, I see what you are suggesting I do. And yeah, I guess I could get cygwin up on there. So I could check for the rootkit on the live system.
But first of all, I am going to do the simple and dumb thing.

Boot live cd. Mount offending drive. Run search on word mail. Or maybe spectre. Or maybe some others like that. :>

Then come the rootkit detectors, then come rootkit detectors on live system via cygwin. I expect to find where the rootkit lives somewhere on one of the first steps.

On the other hand, I am now in a production environment, with me being the only admin. I will only have enough time between when I arrive, when the person from that room arrives, and when everyone else arrives (or Monday evening, which is unlikely. They'd like me to have that machine running asap, I'd think).
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 06:43 pm (UTC)
Oh, I remember now, it's called Frenzy, and it's quite good from what I remember.
(Anonymous) on August 25th, 2007 09:00 pm (UTC)
I also discovered this file today on one of my PCs. It was located in C:\Windows\System32\

I mention it because once my firewall wanted to know if this file should be let into the www. And I reacted like every time: I searched Google for this file .... and only found your site...

So I tried to delete it, which didn't work, so I went into the windows mode (pardon, I'm German, don't know what it's called in English, in German "abgesicherter Modus", that's the way to start Windows with a minimum of drivers etc. via F5 or F8 after BIOS) and deleted it. After that I made a rootkit scan with AntiVir and found one other. But till now I'm glad that no other program wanted to have access...
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 25th, 2007 09:06 pm (UTC)
Cool. Thanks for the info, I'll get it zipped for a friend, so he can do virus analysis on it.

And yeah, it's definitely a virus, and spam-mailer related.

You really saved my time, thanks again. :-)
Touch of Grey (touchofgrey) on August 25th, 2007 10:03 pm (UTC)
You seem to be ahead of the game on this one. This is all I found:
http://spywarefiles.prevx.com/RRHFDG043491914/MAILSPECTRE%2EEXE.html
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 26th, 2007 08:29 am (UTC)
Well. It -is- a stealthy (as far as not being reported in the process tree) spam mail server. Possibly with outside control ability.
(Anonymous) on August 27th, 2007 02:59 am (UTC)
Worse than you think
This guy is worse than you think. First off, it's a dummy. Deleting it does not fix anything. It gets re-created by something else. I could not figure out what that "something else" is. If someone has any pointers, please post them here.
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 27th, 2007 04:48 am (UTC)
Re: Worse than you think
Hmm, I'll look into it today.
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on May 1st, 2009 06:21 am (UTC)
Ha, they report it as first discovered two (three?) days after this post.

It is probably the coolest thing I've done in my history as an IT worker. :D
(I mean my report is earlier than any listed ones, and I was the 1st result in Google search for almost a month before I got placed somewhere on the 2nd page.)

And spam bots still post some stuff here to this day.
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on November 4th, 2012 10:51 pm (UTC)
Haha, yup it was the coolest thing I did as an IT worker. :D
I mean, I get spam comments to this and next entry even after 5 years, and am still at the 3rd page of google search results for "mailspectre".

Yay me. :D
(Anonymous) on August 30th, 2007 07:57 am (UTC)
BitDefender and Ikarus classify MailSpectre.exe (I have 2 samples, one with MD5 116978ff19868a4fd5480b0ab4cac98c and one with aa511de045246e7d6d6cc2ce70eb3e2b) as Trojan.Pandex.L, which is one part of Trojan-Downloader.Win32.Agent.cnh.
if you want to get these files write to kuckuck2000.ruftausdemwalde (AT) yahoo.de
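As an added example (not from the original post or any commenter), the offline triage described upthread (boot a live CD, mount the infected drive read-only, search it for "mail"/"spectre") combined with the two MD5s quoted in the comment above, in Python. The directory layout and file contents in build_constructed_volume are constructed stand-ins, not real samples.

```python
import hashlib
import os
import tempfile

# MD5s reported in the thread for the two MailSpectre.exe samples (Trojan.Pandex.L).
KNOWN_MD5 = {"116978ff19868a4fd5480b0ab4cac98c", "aa511de045246e7d6d6cc2ce70eb3e2b"}
# Filename fragments to hunt for on the offline disk, as suggested upthread.
NAME_HINTS = ("mail", "spectre")


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so big files on the mounted volume do not fill RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(mount_root, hints=NAME_HINTS, known=KNOWN_MD5):
    """Walk a mounted Windows volume; return [(relpath, md5, known_hit)] for suspects."""
    hits = []
    for dirpath, _dirs, files in os.walk(mount_root):
        for name in files:
            lowered = name.lower()
            name_hit = any(h in lowered for h in hints)
            if not (name_hit or lowered.endswith(".exe")):
                continue  # only names of interest and executables get hashed
            full = os.path.join(dirpath, name)
            try:
                digest = md5_of(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            # Hash match catches a renamed copy of a known sample as well.
            known_hit = digest in known
            if name_hit or known_hit:
                hits.append((os.path.relpath(full, mount_root), digest, known_hit))
    return hits


def build_constructed_volume():
    """Constructed stand-in for a mounted disk (NOT real malware); returns (root, decoy_exe)."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    for fname, data in (("MailSpectre.exe", b"constructed decoy"),
                        ("notepad.exe", b"constructed benign"),
                        ("readme.txt", b"constructed text")):
        with open(os.path.join(sys32, fname), "wb") as f:
            f.write(data)
    return root, os.path.join(sys32, "notepad.exe")
```

On a real live-CD session you would point triage() at the read-only mount point of the Windows volume instead of the constructed tree.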
(Anonymous) on February 6th, 2008 10:11 am (UTC)
lorryuncori here!
Hi! I'm Lorryuncori.
How are you? :)
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on February 6th, 2008 10:21 am (UTC)
Re: lorryuncori here!
Ho-hum. Yes, but are you another spam bot? Forgive me, if not. :>