On Sat, 22 Jan 2005 22:13:36 GMT, Jim Marshall
>On 2005-01-22, cquirke (MVP Win9x)
>> On 21 Jan 2005 19:24:49 -0800, "Jim Marshall"
>>>I have a small home network:
>>
>> XP Home
>> ---> ADSL Intel PRO/2100 card
>> - File & Print Sharing disabled
>> - Internet Connection Sharing host
>> Hub <--- Built-in NIC
>> - File & Print Sharing enabled ???
> Yes
OK
>> - Firewall ???
> Yes, sort of. The "firewall" I referred to is a
> software firewall. It monitors all the interfaces
> on the XP machine.
So Kerio is on the XP system? Or is that XP's own firewall?
>> Windows (what version ??? )
>None. There's no other Windows machine; just the one above. Sorry.
Ahhhh.... so it's 3 systems; XP, Linux and XBox.
Heterogeneous, dear Watson!
>> Linux
>> Hub <--- NIC
>> - File & Print sharing via Samba
>> - Internet Connection Sharing client
>Right.
>>
>> XBox
>> Hub <--- NIC
>Right. It hasn't even been turned on in days, and is not "modded" or
>anything, so is very likely irrelevant here.
OK. I don't know anything about XBox, never having seen one.
>> At this point I'd make the following recommendations:
>> - rather use a ADSL router than ADSL "modem" + ICS
>Yes, that'd certainly be better. I guess I should look into that.
>> - don't ever full-share C:\ or any part of the startup axis, ever
>> - kill off the hidden admin shares e.g. c$ etc. in XP
>I don't, and have. I only share a few folders down the directory tree,
>and that's where these would-be trojans were found.
Brilliant! That's a load off my mind.
>> This should be true, but there are other ways in. My guess; the RAT
>> entered the XP system via direct network attack, or any system via web
>> browsing or emaul attackment. From there it blitzed across all PCs,
>> most likely via File and Print Sharing
>As far as I can tell, the only way these files could've gotten there
>would have been via F&PS exposed to the internet.
Oy, let me count the ways...
1) Direct network attack
Firewall on the XP system should block this, as should patches that
fix exploitable "edge" defects e.g. RPC/DCOM (Lovesan et al) or LSASS
(Sasser et al). There may also be TCP/IP services that can allow file
dropping or code injection, if unblocked by firewall and especially if
the code is broken i.e. has exploitable defects.
2) Malware pulldown
If some other malware is active on either PC, it can pull down more
malware or open new holes in your settings etc.
3) Via the Linux box
I don't know Linux well enough to list possible weaknesses and risks
there, but some may apply even though it's hidden by ICS.
4) User outreach
Web browsing and dropper attacks from web sites
5) User inreach
Unsolicited email "message text", attachments, IM attachments, that
sort of thing. May autorun if email app is exploitable.
6) Troj or intrafile infectors
Some material you intended to use may have been drilled out and
trojanized, or infected by an intrafile code infector, added
autorunning macros or scripts, etc.
Many of the above may be clickless attacks, i.e. no user action
required. Do you have reason to expect adverse human attention? If
so, then you'd have to consider one-off attacks that av won't
recognise even if well up to date. Have you assumed Linux to be
attack-proof, and how well do you know such issues on that OS?
>(don't even read email on the Windows machine), and rarely use IE. I
>pretty much just use the XP machine for playing occasional games, and
>as a means for the linux machine to reach the internet.
Ah; last para applies even more, then.
>A full virus scan and Ad-Aware run on the XP machine didn't reveal any
>infections.
Was the virus scan formal? Did you scan the Linux PC? At least the
Linux PC should be easier to formally scan, via a Linux boot CDR.
>> Well, if Kerio allows F&PS, it will allow F&PS.
>I don't think that's right. The Kerio/Tiny personal firewall software
>has a special tab for Windows Networking-related activity that
>overrides all other rules. One of the options on that tab is to allow
>Windows Networking traffic from only specified addresses or networks. I
>have it set to "trust" only 192.168.0.0/255.255.255.0, my local network
>being on that range of ips. For more on this, see the end of this post.
Not thinking F&PS from WAN, but on LAN. By design, you wish this to
be permitted, therefore once on the system, the malware can blitz your
LAN via F&PS. That doesn't imply it entered the system via F&PS, or
even that what entered the initial system was the same malware (it may
be something undetected that unwrapped and dropped the RAT)
>> I'd really hope so; F&PS to the 'net is absurdly dangerous.
>Definitely! It freaked me out pretty hard to find out that I was somehow
>"exposed".
Test that by attempting to browse into your PCs from the Internet.
Remember to use programmatic methods that access hidden shares such as
c$ (you want to check these are as dead as you hoped; if F&PS off
doesn't "stick" then kill-c$ is equally likely to not "stick").
Post back what you find. Remember that RPC$ cannot be killed, and may
be exploited by ways other than straightforward F&PS. In some ways, a
blank password may be paradoxically safer than a trivial one; in some
contexts, XP is smart enough to suppress remote use with a blank pwd,
but will allow this with any non-blank pwd.
>> But what this illustrates is some "security in depth" principles.
>> Assume whatever you do to protect yourself will fail, and then plan on
>> what happens when this is so.
>Absolutely. That's why I took care to make special rules for Windows
>Networking in the software firewall when, from what (little) I know
>about F&PS, having disabled it from the DSL card interface should've
>made it inaccessible from the internet.
You may need a networking guru on this, not to mention folks up to
speed with Linux. I'm neither, I'm afraid.
>> If you full-share a minimum of locations, in which no code files
>> should be present and no auto-run behaviors (\Autorun.inf processing,
>> "View As Web Page") are permitted, then it's easy; you'd spot and kill
>> the dropped files, without them ever getting to run.
>Yes, this is what happened.
I'd guessed as much, given your earlier comments.
You can even enforce a policy of "no .EXE allowed here" via sweeps
that quarantine and alert on any unexpected code files found.
>Thanks for the help, though I still don't really know what happened. As
>an update, when I took a look at the Windows machine this morning, I
>AGAIN found OPEN_ME.exe files in all (four of) the shared folders. The
>software firewall had been running the whole time, this time. The files
>were now identified by the AVG anti-virus as some sort of (really nasty
>sounding) PE infector. Again, I deleted them without them being run.
Well, malware code can be infected just as anything else can; that's
why I exclude even known-good code files from data sets and backups.
ERUNT is troublesome in that respect.
What PE infector was it? You generally sound pretty clued, I'm
surprised you lose detail on malware names etc.
>Directly after, I came to my senses and disabled all the shares.
I'd open up in stages to see where the infection is from, i.e.
- isolate off LAN and Internet
- re-connect LAN, F&PS off
- re-enable F&PS on LAN
- disable F&PS again, reconnect Internet
- re-enable F&PS on LAN (i.e. back to normal)
If you're re-infected while off LAN and 'net, then it's a malware
persistence or auto-re-infection (e.g. from malware hidden in an
unscannable mailbox relaunching itself).
If you're re-infected on LAN, but off Internet and before F&PS, then
the other PC's infected and is infecting the XP system via methods
other than F&PS (unless F&PS is more broken than we think, and if so
I'd have thought we'd have heard about that by now).
If re-infected once F&PS is on, but before Internet, then you really
do need to check out that Linux box, and even the XBox! Do further
testing to determine which of those two is the infecting agent.
If only re-infected once Internet is connected, then our attention
turns back to your initial premise. What happens when on Internet but
with F&PS totally off will be illustrative; may mean a non-F&PS
primary method, or that F&PS isn't "off" when it should be.
>Frankly, I have no idea what's going on.
Neither have I, but I have guesses and ideas on how to find out.
Often, that's all one has, and often, it's enough.
>*remotely* plausible to me is that the *linux* machine (from which I am
>typing this) somehow got owned, but it doesn't show any signs at all
Yep. There are black hats with decades of UNIX experience out there.
The other possibility is that the XBox got exploited.
------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
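One way to run the "no .EXE allowed here" sweep the reply suggests, as an added example that is not part of the original thread or anyone's posted code: a small Python script, assumed to run on the Samba host or any machine that can reach the shared folders, that flags files by executable extension, by auto-run file name, and by the MZ header (so a renamed dropper is caught too), moves them to a quarantine folder outside the share, and returns a report to alert on. The share contents built in demo() are constructed sample data.

```python
import shutil
import tempfile
from pathlib import Path

# Extensions Windows runs directly; a share meant for data should contain none of them.
CODE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
# Files Explorer processes by itself when the folder is opened.
AUTORUN_NAMES = {"autorun.inf", "desktop.ini", "folder.htt"}

def is_pe_file(path: Path) -> bool:
    """True if the file starts with the 'MZ' stub every Windows PE carries, whatever the extension says."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def sweep_share(share_root: Path, quarantine: Path) -> list[dict]:
    """Walk one shared folder, move anything that looks like code or an auto-run file into
    the quarantine folder (kept outside the share so it is not re-swept) and report what moved."""
    findings = []
    quarantine.mkdir(parents=True, exist_ok=True)
    for path in sorted(p for p in share_root.rglob("*") if p.is_file()):
        reasons = []
        if path.suffix.lower() in CODE_EXTENSIONS:
            reasons.append("code extension")
        if path.name.lower() in AUTORUN_NAMES:
            reasons.append("auto-run file")
        if is_pe_file(path):
            reasons.append("PE header")
        if not reasons:
            continue
        # Flatten the relative path into the file name so the origin survives quarantine.
        dest = quarantine / path.relative_to(share_root).as_posix().replace("/", "__")
        shutil.move(str(path), str(dest))
        findings.append({"file": str(path), "reasons": reasons, "quarantined": str(dest)})
    return findings

def demo() -> list[dict]:
    """Constructed sample share (not real data): a dropper, a renamed PE, an autorun file, one document."""
    base = Path(tempfile.mkdtemp())
    share = base / "share"
    (share / "docs").mkdir(parents=True)
    (share / "OPEN_ME.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (share / "docs" / "photo.jpg").write_bytes(b"MZ\x90\x00\x03")
    (share / "autorun.inf").write_text("[autorun]\n")
    (share / "docs" / "notes.txt").write_text("budget notes\n")
    return sweep_share(share, base / "quarantine")
```

Run demo() to see the three flagged files moved and notes.txt left in place; for a real share, point sweep_share at the share root and a quarantine folder outside it, and schedule it with cron or Task Scheduler.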