Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Mailbag and DShield items generate a post VNC exploitation fun question

Published: 2006-11-26
Last Updated: 2006-11-26 23:10:06 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Over the last 3 months or so Handlers have responded to a number of submissions concerning the use of an "older" vulnerability in VNC to exploit systems and install what is typically identified as RBot variants. Reports generally say something along the lines of "I've seen multiple reports from admins who have seen their systems remote controlled by a new Spybot worm via RealVNC.  They actually see the start button pushed, the Run command filled....". 

One report mentioned that "This appears to be an automated attack on this version of RealVNC.". Another says "I happened to be standing near the PC with iTunes playing and noticed it minimized and restored very quickly. That got my attention.  I noticed the VNC icon was black and within a couple of seconds the hacker clicked Start, then Run and ran (an executable).".

A number of readers have also noted and reported upticks in Port 5900 (VNC) scanning, which has certainly changed character this year, it changed character right after the vulnerability was announced, and then more noticeably in July, check out the increase in the number of reported sources for destination port 5900 at DShield.

So a question someone might have an answer for is, are the reports we're receiving, combined with the nature in the change in Port 5900 scanning, indicative of some development of Metasploit post VNC exploitation payload, ala what's described in "Post-exploitation fun in Metasploit 3.0"? All responses will be appreciated.

And thanks to everyone who submitted information.

Current Vulnerability information is at;
RealVNC Password Authentication Bypass Vulnerability

Cisco Security Response: RealVNC Remote Authentication Bypass Vulnerability

0 comment(s)

Backdoor Trojans significant and tangible threat to Windows users - MS Antimalware Team

Published: 2006-11-26
Last Updated: 2006-11-26 17:04:40 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Windows Malicious Software Removal Tool: Progress Made, Trends Observed is a paper published in early November by the Microsoft Antimalware Team giving "perspective of the malware landscape based on the data collected by the MSRT". The tool, by default, "only looks for malware that are currently running or linked to through an auto-start point, such as in the registry.".

Anyone with network security monitoring or malware IR responsibilities should consider giving it a read. Some highlights (ymmv) include;

"Backdoor Trojans" .... "are a significant and tangible threat to Windows users.".

"Out of the 5.7 million computers cleaned, the MSRT has removed a backdoor Trojan from over 3.5 million (62%) of them.". "Bots, a sub-category of backdoor Trojans" ..... "represent a majority of the removals.". Rbot, Sdbot, and Gaobot "compose three of the top five slots in terms of total number of removals.".

"The increase in Win32/Rbot removals is due to a large number of variants of that malware family being added to the MSRT each release. On average, approximately 2,000 new variants of Win32/Rbot have been added to the tool each month.".

Correlations in the paper;

"The largest correlation shown" .... "is between rootkits and backdoor Trojans. In approximately 20% of the cases in which a rootkit was found on a computer, at least one backdoor Trojan was found as well. This emphasizes the trend of a large number of rootkits being distributed or leveraged by backdoor Trojans."  (handler emphasis/bold). "The percentages are also high between P2P worms and backdoor Trojans and IM worms and backdoor Trojans. The high values here are also expected given that many P2P worms and IM worms will often drop bots on the computer when they are run."
0 comment(s)
Diary Archives