File: 3011.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (73 lines) | stat: -rw-r--r-- 1,894 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
Rule: 

--
Sid: 
3011
-- 
Summary: 
This event is generated when an attempt is made to find the System
directory on a target host with the RUX the Tick Trojan.

-- 
Impact: 
If successful, the attacker would gain unauthorized access to the system,
to upload and execute file on the target system. The attacker can use
this function to upload additional backdoors to the victim's system and
execute them.

--
Detailed Information:
When executed, RUX the Tick opens up its assigned port (default is
22222) for communication with the attacker. RUX the Tick has three
functions: Get Windows Directory, Get System Directory, and Upload And
Execute File. Get Windows Directory and Get System Directory are used
for reconnaissance. Upload And Execute File is mainly used to upload and
run other backdoors onto the victim's computer.

--
Affected Systems:
	Windows 95/98/ME/NT/2000

--
Attack Scenarios: 
The victim must first install the server. Be wary of suspicious files
because they often can be backdoors in disguise. Once the victim
mistakenly installs the server program, the attacker usually will employ
an IP scanner program to find the IP addresses of victims that have
installed the program. Then the attacker enters the IP address, port
number (which  is assigned to the server program by the attacker:
default is 22222), and presses the connect button and he has access to
the computer.

-- 

Ease of Attack: 
Simple.

-- 
False Positives:
None known

--
False Negatives:
None known

-- 
Corrective Action: 
Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe.
Use Windows Explorer to find ruxserver.exe and delete the file.

Keep anti-virus programs updated with the latest definitions.

--
Contributors:
Sourcefire Research Team
Ricky Macatee <rmacatee@sourcefire.com>

-- 
Additional References:

PestPatrol:
http://www.pestpatrol.com/PestInfo/R/RUX.ASP

--