Tuesday, January 24, 2006

Hide, Go Seek

Where could I find hidden files?

  • There's the "hidden" attribute. The hidden attribute can be set on directories, not just files.
  • The "hide in plain sight" strategy is at least as old as Poe's "The Purloined Letter." Its longevity reflects its effectiveness. Finding the files that don't belong amongst the hundreds of files that do is a challenge. Using a utility to find unsigned executables, and confirming that the signatures that are found are authentic, will produce a long list that includes many benign conditions. See sigcheck from Sysinternals. (sigcheck -s -v c:\ >result.csv)
  • Suspect recent files in C:\Winnt\System32 (or C:\Windows\System32). The date stamp is rarely altered, so a recent modification date on a file that ought to be old stands out. Similarly, suspect recent files in C:\Winnt (or C:\Windows) and in the user's temporary files (C:\Documents and Settings\\Local Settings\Temp).
  • Hide in a system folder, such as "C:\Windows\Downloaded Program Files" (or "C:\Winnt\Downloaded Program Files"). There's a real folder of that name, but you won't see its contents when you're using Windows Explorer. Use a command window instead. Expect hidden, system files and search subdirectories. (dir "C:\Winnt\Downloaded Program Files" /ah /s) (dir "C:\Winnt\Downloaded Program Files" /s)
  • Hide using the Directory and System attributes. Foundstone's hfind utility hunts for files with the hidden attribute, directories with the hidden attribute and directories with the system attribute. There are a lot of hidden files and folders, a lot of benevolent conditions. (hfind \\remote\c$ >> remote.txt)
  • Hide behind other files, using Alternate Data Streams (ADS). Foundstone's sfind utility searches for just the streams. (Windows Explorer caches thumbnails using ADS. XP SP2 attaches a "Zone.Identifier" tag to downloaded files using ADS. These are benign uses.) There's also an LADS utility that can search for ADS on the network. The Sysinternals streams utility can also be used to search for Alternate Data Streams. (streams -s *.* to find ADS, streams -s -d *.jpg to delete the cached thumbnails).
  • Sysinternals' Rootkit Revealer is time consuming and reports some benevolent conditions. When used in conjunction with psexec, it can scan remote systems. (psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log)
  • Stegdetect (stegdetect *.jpg) can be used to find steganographic content (hidden information) in JPEG images.
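A script for the "suspect recent files" heuristic in the list above, added here as an example and not taken from the post: it walks the folders the post names and lists files modified in the last N days, newest first, marking the Hidden and System attribute bits where the platform exposes them (Windows' st_file_attributes). The environment lookups and function names are this example's assumptions.

```python
"""Triage for the 'suspect recent files' heuristic: list what changed lately."""
import os
import stat
import time
from datetime import datetime

# Folders the post singles out. SystemRoot is C:\Windows or C:\Winnt; the
# folder names are the post's, the environment lookups are an assumption here.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")
WATCH_DIRS = [
    os.path.join(SYSTEM_ROOT, "System32"),
    SYSTEM_ROOT,
    os.path.join(SYSTEM_ROOT, "Downloaded Program Files"),
    os.environ.get("TEMP", ""),
]


def attribute_flags(st: os.stat_result) -> str:
    """'H' and/or 'S' for Hidden/System; empty where the OS has no such bits."""
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    flags = ""
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x02):
        flags += "H"
    if attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x04):
        flags += "S"
    return flags


def recent_files(root: str, days: float, now: float = None) -> list:
    """(mtime, path, flags) for files under `root` modified within `days`,
    newest first; hidden and system files Explorer would hide are included."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:  # locked or vanished file: skip it, do not abort
                continue
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, path, attribute_flags(st)))
    hits.sort(reverse=True)
    return hits


if __name__ == "__main__":
    for folder in filter(os.path.isdir, WATCH_DIRS):
        for mtime, path, flags in recent_files(folder, days=7):
            stamp = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M")
            print(f"{stamp} {flags:2} {path}")
```

Run it from an administrative prompt so that protected folders can be read; an empty flags column on a non-Windows system is expected, since only Windows reports the attribute bits.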

Saturday, January 21, 2006

Block access to InterCage and Inhoster

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

Use your firewall to block access. If you have no firewall, use route commands to divert traffic. Sample route commands (appropriate for some Windows users):
route -p add 69.50.160.0 mask 255.255.224.0 192.168.100.51
route -p add 85.255.112.0 mask 255.255.240.0 192.168.100.51

When the route command is successful there is no response. "192.168.100.51" is an arbitrarily selected and unused IP address on the local network. "192.168.0.51" or "192.168.1.51" may be more appropriate choices, depending upon the local network configuration. The "-p" (persistent) option is not available in Windows 95 or 98.
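The mask arithmetic behind the two route commands above, added here as an example (not part of the original post): derive the dotted netmask from the prefix length, print the first and last address of each block as the post lists them, emit the matching `route -p add` line, and confirm whether a given address falls inside a blocked range. The two ranges and the 192.168.100.51 blackhole address come from the post; the function names are this example's.

```python
"""Netmask arithmetic for null-routing the two ranges named in the post."""
import ipaddress
from typing import Optional

# Ranges and blackhole address taken from the post above.
BLOCKED = {"InterCage Inc.": "69.50.160.0/19", "Inhoster": "85.255.112.0/20"}
BLACKHOLE = "192.168.100.51"  # arbitrary unused address on the local LAN


def prefix_to_mask(prefix: int) -> str:
    """Turn a prefix length into a dotted mask: /19 -> 255.255.224.0.

    The mask is the top `prefix` bits of a 32-bit word set to one; the
    `& 0xFFFFFFFF` drops the bits Python's unbounded ints shift past 32.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def cidr_range(cidr: str) -> tuple:
    """First and last address of a block, as the post lists them."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set
    return str(net.network_address), str(net.broadcast_address)


def route_command(cidr: str, gateway: str = BLACKHOLE) -> str:
    """Persistent Windows route that diverts the whole block to `gateway`."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return (f"route -p add {net.network_address} "
            f"mask {prefix_to_mask(net.prefixlen)} {gateway}")


def blocked_by(ip: str, blocks=BLOCKED) -> Optional[str]:
    """Name of the provider whose range contains `ip`, or None."""
    addr = ipaddress.IPv4Address(ip)
    for name, cidr in blocks.items():
        if addr in ipaddress.IPv4Network(cidr, strict=True):
            return name
    return None


if __name__ == "__main__":
    for name, cidr in BLOCKED.items():
        lo, hi = cidr_range(cidr)
        print(f"{name}: {cidr} ({lo} - {hi})")
        print("  " + route_command(cidr))
    print(blocked_by("85.255.112.5"))   # Inhoster: one of the listed name servers
    print(blocked_by("85.255.128.1"))   # None: the first address past the /20
```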

Why? InterCage and Inhoster are Internet Service Providers (ISPs) who permit malicious web activity. A SANS handler diary entry and the ZDNet malware blog mention this. Search Google Groups for either name, or search Google for an individual IP address. One frightening malicious activity is the substitution of their name servers for those supplied by the user's ISP.

Further information about browser attacks:
http://www.mnin.org/

Further information about routing:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx
http://spam.abuse.net/adminhelp/ip.shtml
http://www.linuxgazette.com/issue36/tag/a.html
http://www.hackfaq.org/null-route.shtml

Handy "netmask calculators"
http://jodies.de/ipcalc
http://www.csc.fi/english/funet/calc/laskin2.html

Handy network utilities, including a reverse IP lookup
domaintools.com

Inhoster IP addresses known to have been involved in malicious activities: