File: 3013.txt

snort 2.9.15.1-5
  • in suites: bullseye
Rule: 

--
Sid: 
3013
-- 
Summary: 
This event is generated when an attacker attempts to connect to the
victim using the Asylum 0.1 trojan.

-- 
Impact: 
If successful, the attacker gains unauthorized access to the system: the
trojan lets them upload and execute files on the computer and reboot it
at will, which amounts to a full compromise of the victim's machine.

--
Detailed Information:
When executed, Asylum 0.1 opens its assigned port (default is 23432)
for communication with the attacker. Asylum 0.1 has four functions:
Upload File, Open File, Reboot Computer, and Remove Server. Each is
driven by a three-letter command string sent over that connection:

Upload File: Look for traffic on port 23432 containing "UPL" followed by a file location.
Open File: Look for traffic on port 23432 containing "RUN" followed by a file location.
Reboot: Look for the string "RBT" on port 23432.
Remove Server: Look for the string "DIE" on port 23432.

Because the listening port is chosen by the attacker when the server is
configured (see Attack Scenarios), the command strings are the more
reliable indicator; a match on the default port only raises confidence.
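
The following detector is an added example and is not part of the Snort rule documentation or the Snort project. The four command verbs and the default port 23432 are taken from the text above; the assumptions that a single TCP payload carries one command, that the verb sits at the start of the payload, and that a file location follows the verb after whitespace are ours, since the page does not describe the exact framing. The sample flows are constructed, not captured traffic.

```python
"""Classify Asylum 0.1 command traffic seen on a TCP connection.

Added example, not the Snort rule. Verbs (UPL, RUN, RBT, DIE) and the
default port 23432 come from the rule documentation; the framing
(verb at payload start, whitespace before an argument) is an assumption.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

DEFAULT_PORT = 23432

# Command verb -> (function name from the documentation, takes an argument)
COMMANDS = {
    b"UPL": ("Upload File", True),
    b"RUN": ("Open File", True),
    b"RBT": ("Reboot Computer", False),
    b"DIE": ("Remove Server", False),
}

# Anchored at the payload start so that "DIE" inside ordinary text does not
# fire; the optional argument must be separated from the verb by whitespace.
_CMD_RE = re.compile(rb"^(UPL|RUN|RBT|DIE)(?:\s+(.*?))?\s*$", re.DOTALL)


class Detection(NamedTuple):
    command: str
    argument: Optional[str]
    port_match: bool   # True when the destination port is the default 23432


def classify_payload(payload: bytes, dst_port: int,
                     control_port: int = DEFAULT_PORT) -> Optional[Detection]:
    """Return a Detection if the payload looks like an Asylum command, else None.

    The port is reported rather than used as a filter: the server's port is
    assigned by the attacker, so a content match on another port is surfaced
    as lower confidence instead of being dropped.
    """
    m = _CMD_RE.match(payload)
    if not m:
        return None
    name, takes_arg = COMMANDS[m.group(1)]
    arg = m.group(2)
    if takes_arg and not arg:
        return None   # UPL/RUN are documented as carrying a file location
    if not takes_arg and arg:
        return None   # RBT/DIE are bare strings
    return Detection(name, arg.decode("latin-1") if arg else None,
                     dst_port == control_port)


def scan_flows(flows: Iterable[Tuple[str, int, bytes]]) -> List[Tuple[str, int, Detection]]:
    """flows: (source address, destination port, payload) tuples, e.g. from a pcap."""
    hits = []
    for src, dport, payload in flows:
        det = classify_payload(payload, dport)
        if det:
            hits.append((src, dport, det))
    return hits


# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = [
    ("10.0.0.5", 23432, b"UPL c:\\windows\\evil.exe"),
    ("10.0.0.5", 23432, b"RUN c:\\windows\\evil.exe"),
    ("10.0.0.5", 23432, b"RBT"),
    ("10.0.0.9", 31337, b"DIE"),                        # server on a non-default port
    ("10.0.0.7", 23432, b"GET / HTTP/1.0\r\n"),         # unrelated traffic
    ("10.0.0.7", 23432, b"the patient will DIE soon"),  # verb not at payload start
]

if __name__ == "__main__":
    for src, dport, det in scan_flows(SAMPLE_FLOWS):
        conf = "high" if det.port_match else "low (non-default port)"
        print(f"{src}:{dport} {det.command} arg={det.argument!r} confidence={conf}")
```

Anchoring the match at the start of the payload is the main false-positive control; if the real client sends a banner or prefix before the verb, relax the anchor and rely on the port and the argument shape instead.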

--
Affected Systems:
Windows 95/98/ME/NT/2000

--
Attack Scenarios: 
The victim must first install the server. Be wary of suspicious files,
because they are often backdoors in disguise. Once the victim
mistakenly installs the server program, the attacker usually runs an
IP scanner to find the addresses of hosts running it. The attacker
then enters the IP address and port number (assigned to the server
program by the attacker; default is 23432) into the client, presses
the connect button, and has access to the computer.

-- 
Ease of Attack: 
Simple.

-- 
False Positives:
None known

--
False Negatives:
A server configured to listen on a port other than the default 23432
(see Attack Scenarios) will not be matched by detection bound to that port.

-- 
Corrective Action:

Delete the "System Administration" entry (if found) from
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

Open system.ini and, if the [boot] shell= line has the trojan's executable
appended (listed here as shell=Explore.exe win32cmp.exe), remove the trailing
file name so that the line reads shell=Explorer.exe only.

Open win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe.

Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe
(the system.ini entry above spells it win32cmp.exe; check for both names).

Keep anti-virus programs updated with the latest definitions.
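
The following triage helper is an added example, not part of the rule documentation or the Snort project. It checks copies of system.ini and win.ini for the persistence entries listed above; the file names wincmp32.exe and win32cmp.exe and the shell=, load= and run= entries come from the text, while the sample file contents are constructed rather than taken from an infected host. The registry Run entries cannot be inspected offline this way and are left to regedit on the host.

```python
"""Check Windows 9x/NT .ini persistence entries used by Asylum 0.1.

Added example, not from the Snort documentation. Entry names and the
trojan file names come from the Corrective Action text; the sample .ini
contents below are constructed.
"""
import configparser
from typing import List, Tuple

# Both spellings appear in the documentation; match either.
TROJAN_NAMES = ("wincmp32.exe", "win32cmp.exe")


def _parse_ini(text: str) -> configparser.ConfigParser:
    # Real .ini files repeat keys and contain '%' and ':' in values, so
    # disable strict mode and interpolation and split only on '='.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def _get(cp: configparser.ConfigParser, section: str, key: str) -> str:
    # Section names are case-insensitive on Windows; configparser's are not.
    for name in cp.sections():
        if name.lower() == section:
            return cp.get(name, key, fallback="")
    return ""


def check_system_ini(text: str) -> List[Tuple[str, str]]:
    """Flag a [boot] shell= line that launches anything besides Explorer.exe."""
    shell = _get(_parse_ini(text), "boot", "shell")
    extra_program = len(shell.split()) > 1
    names_trojan = any(n in shell.lower() for n in TROJAN_NAMES)
    if extra_program or names_trojan:
        return [("system.ini [boot] shell", shell)]
    return []


def check_win_ini(text: str) -> List[Tuple[str, str]]:
    """Flag [windows] load= / run= entries that name the trojan binary."""
    cp = _parse_ini(text)
    findings = []
    for key in ("load", "run"):
        value = _get(cp, "windows", key)
        if any(n in value.lower() for n in TROJAN_NAMES):
            findings.append((f"win.ini [windows] {key}", value))
    return findings


# Constructed samples: one infected pair and one clean system.ini.
SYSTEM_INI = "[boot]\nshell=Explorer.exe wincmp32.exe\n[386Enh]\n"
WIN_INI = "[windows]\nload=c:\\windows\\wincmp32.exe\nrun=\n[fonts]\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for where, value in check_system_ini(SYSTEM_INI) + check_win_ini(WIN_INI):
        print(f"suspicious {where}: {value}")
```

Run it against copies of the two files pulled from the suspect machine; an empty result for both checks, together with a clean Run/RunServices registry, is the state the Corrective Action steps are trying to reach.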

--
Contributors:
Sourcefire Research Team
Ricky Macatee <rmacatee@sourcefire.com>

-- 
Additional References:

PestPatrol:
http://www.pestpatrol.com/PestInfo/A/Asylum.asp

Dark-E:
http://www.dark-e.com/archive/trojans/asylum/01/index.shtml

--