Because of a recent round of port scanning and the subsequent compromise of one of our customers' machines, we think it imperative that customers be made aware of the dangers of lax security. Because we had ready access to this particular customer's machine, and it was not in use for a while, we were able to reconstruct to a fair degree what happened.
During the morning of Feb 28, 2003, we noticed an unusual amount of traffic (3.2 GB) on one of our router ports. When we investigated, we found that an individual had left remote-control software (pcAnywhere) running on a machine in the office. We thought nothing of it at the time and asked them to turn the remote software off.
Then, in the early morning hours of Mar. 7, 2003, we noticed a large outbound spike from the same port. Investigation showed the same machine in the process of sending spam through the Windows Messenger service (the "net send" pop-up service, reached here over SMB on port 445) and an IRC channel (port 6667). It was disconnected pending further investigation.
We first suspected that pcAnywhere had been used to gain initial access to the machine, but we now believe the intruders simply logged in over NetBIOS file sharing (port 139) using an account with a blank password. All the scanning activity we had seen on port 139 was just a search for vulnerable computers. They found at least one, and on Feb. 25, 2003 loaded the DameWare remote-control utility onto it. After turning off the event log, this small (72 KB), readily available utility was used to fetch FireDaemon and the Serv-U FTP server from a server in Russia. We do not know the true source of the attack, but that hardly matters, because it was probably another compromised computer. Apart from the scanning, all of this took about 3 minutes.
In the early morning hours of Mar. 1, 2003, they uploaded 3.2 GB of game files (apparently Xbox images) to the customer's computer. The files were stored in a subdirectory of the Recycler directory to avoid detection. One would normally expect to see a lot of outbound traffic as the chat-room leeches pulled the files down, but it appears the FTP server had an installation problem. Either that, or the software needed a restart to activate.
On Mar. 6, 2003, the intruders loaded a program called PsExec. This is a more sophisticated remote-execution tool (again readily available) that installs itself on the target as a Windows service. The advantage of a service is that it is always available without an interactive logon, so the intruder leaves few traces while switching the event log on and off.
Next they loaded a program called "Dvldr32.exe", together with some associated binary files. Originally thought to be a spam engine, it is now known to be W32/Deloder. This is a self-propagating worm: it scans for machines with port 445 open, tries to log in as Administrator with a built-in list of common passwords, copies itself to any machine it gets into, and connects to a pre-configured IRC server to take commands.
ALWAYS, ALWAYS, ALWAYS set a password on every Windows NT, Windows 2000, or Windows XP user account (or on any computer's accounts, for that matter). You can protect yourself further by following the suggestions in Hardening XP. Although those pages were written for XP, they apply to 2000 as well.
This goes for the "Administrator" account as well. We recommend giving the "Administrator" account a password known to a few trusted members, and then not using it except in emergencies. Set up another account with administrative privileges for yourself, and use that. In Windows XP Home the "Administrator" account is not shown in normal mode, but it is accessible from safe mode. For this reason we recommend booting into safe mode (press F8 during startup), logging in as Administrator, and setting a password there. Even a simple password is better than no password at all, but don't make it so simple that it can be guessed: a short list of common passwords, like the one below, is exactly what a password-guessing worm such as Deloder carries with it. Here are a few NOT to use:
0, 000000, 00000000, 007, 1, 110, 111, 111111, 11111111, 12, 121212, 123, 123123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234qwer, 123abc, 123asd, 123qwe, 2002, 2003, 2600, 54321, 654321, 88888888, Admin, Internet, Login, Password, a, aaa, abc, abc123, abcd, admin, admin123, administrator, alpha, asdf, computer, database, enable, foobar, god, godblessyou, home, ihavenopass, login, love, mypass, mypass123, mypc, mypc123, oracle, owner, pass, passwd, password, pat, patrick, pc, pw, pw123, pwd, qwer, root, secret, server, sex, super, sybase, temp, temp123, test, test123, win, xp, xxx, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, yxcv, zxcv
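As an added example (not code from the original page), the script below checks a candidate Windows account password against the list above and against the patterns that list embodies (a listed word with digits tacked on, keyboard runs such as qwer/asdf/yxcv, one repeated character, digits only, the user name inside the password). The 8-character minimum is an assumption of this example, not a rule stated on the page.

```python
"""Weak-password check.  Added example, not code from the original page.

Rejects the passwords listed above and generalises the list with a few
pattern rules.  MIN_LENGTH is an assumption of this example.
"""
import re

# The "NOT to use" list from the page, lower-cased for comparison.
_WEAK_TEXT = """
0 000000 00000000 007 1 110 111 111111 11111111 12 121212 123 123123
1234 12345 123456 1234567 12345678 123456789 1234qwer 123abc 123asd
123qwe 2002 2003 2600 54321 654321 88888888 Admin Internet Login
Password a aaa abc abc123 abcd admin admin123 administrator alpha asdf
computer database enable foobar god godblessyou home ihavenopass login
love mypass mypass123 mypc mypc123 oracle owner pass passwd password
pat patrick pc pw pw123 pwd qwer root secret server sex super sybase
temp temp123 test test123 win xp xxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yxcv zxcv
"""
WEAK_LIST = frozenset(w.lower() for w in _WEAK_TEXT.split())

# Keyboard rows (US and German layouts, since both "zxcv" and "yxcv" appear
# on the list) plus the digit row; runs are matched forwards and backwards.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "yxcvbnm", "1234567890")
_RUNS = _ROWS + tuple(r[::-1] for r in _ROWS)
MIN_LENGTH = 8  # assumption for this example, not a rule from the page


def weaknesses(password, username=""):
    """Return the reasons a password is weak; an empty list means it passed."""
    if password == "":
        return ["blank password"]
    pw = password.lower()
    problems = []
    if pw in WEAK_LIST:
        problems.append("on the weak-password list")
    base = re.sub(r"\d+$", "", pw)          # "server2003" -> "server"
    if base != pw and base in WEAK_LIST:
        problems.append("a listed word with digits appended")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(set(pw)) == 1:
        problems.append("one character repeated")
    if pw.isdigit():
        problems.append("digits only")
    if any(pw[i:i + 4] in run for i in range(len(pw) - 3) for run in _RUNS):
        problems.append("contains a keyboard run")
    if username and username.lower() in pw:
        problems.append("contains the user name")
    return problems


def is_acceptable(password, username=""):
    return not weaknesses(password, username)


if __name__ == "__main__":
    for candidate in ("", "ihavenopass", "server2003", "Zxcv1234!", "Tr0ub4dor&3"):
        print(repr(candidate), "->", weaknesses(candidate) or "acceptable")
```

The suffix-stripping rule is what catches variants the list itself only hints at ("mypass123", "temp123"): an attacker's dictionary is cheap to extend with years and "123", so a checker should assume those variants are in it.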
There are so many different Trojans that it is hard to give anything but a generic answer to the question of how to tell whether your machine has one. You could look at the services running and try to determine which ones are necessary, but the newest operating systems run so many services that this is difficult for the average user. With "agent" or "spyware" programs that is your only choice, but back-door Trojans all need a listening port for the intruder to connect to. XP opens a lot of ports of its own as well, but there are some general guidelines that can be used.
To view the ports open on your computer, go to a Command Prompt (Programs/Accessories) and enter:
netstat -an
On XP, netstat -ano also shows the process ID that owns each port, which you can match against the PID column in Task Manager's Processes tab; the Windows 2000 version of netstat has no -o switch.
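As an added example (not code from the original page), the following Python script parses saved netstat -an output and flags the ports that figured in this incident. The sample output is constructed for the example and is not a capture from the compromised machine; port 6129 is DameWare Mini Remote Control's default port, a detail not stated in the write-up above.

```python
"""Flag suspicious listeners and connections in saved `netstat -an` output.

Added example, not code from the original page.  SAMPLE_NETSTAT is
constructed to look like Windows 2000/XP netstat output; it is not a
capture from the incident.  Ports of interest come from the write-up,
plus 6129, the DameWare Mini Remote Control default port.
"""
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1047      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1052      192.0.2.44:445         SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

PORTS_OF_INTEREST = {
    21: "FTP server (Serv-U in the incident)",
    139: "NetBIOS session service (blank-password logon)",
    445: "SMB (Deloder propagation, Messenger spam)",
    6129: "DameWare Mini Remote Control default port",
    6667: "IRC (bot command channel)",
}

# proto, local addr:port, foreign addr:port, optional state (UDP has none)
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local": laddr, "lport": int(lport),
            "foreign": faddr,
            "fport": int(fport) if fport.isdigit() else None,  # "*" for UDP
            "state": state or "",
        })
    return rows


def listening_ports(rows):
    """Sorted ports something is listening on (TCP LISTENING, or any UDP)."""
    return sorted({r["lport"] for r in rows
                   if r["proto"] == "UDP" or r["state"] == "LISTENING"})


def findings(rows):
    """Listeners on, or outbound connections to, ports of interest."""
    hits = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] in PORTS_OF_INTEREST:
            hits.append("listening on %s/%d: %s"
                        % (r["proto"], r["lport"], PORTS_OF_INTEREST[r["lport"]]))
        elif r["fport"] in PORTS_OF_INTEREST and r["state"] not in ("", "LISTENING"):
            # SYN_SENT to many hosts on 445 is what a spreading Deloder looks like
            hits.append("%s to %s:%d: %s"
                        % (r["state"], r["foreign"], r["fport"],
                           PORTS_OF_INTEREST[r["fport"]]))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    for hit in findings(rows):
        print(hit)
```

In practice, save the real output with netstat -an > ports.txt and feed that file to parse_netstat. Unfamiliar listeners such as 21 and 6129 above deserve the same attention as the IRC connection, and a half-open SYN_SENT to port 445 on another host means the machine is scanning for its next victim. Bear in mind that a tool run on the compromised machine can itself have been tampered with, which is why the write-up recommends a rebuild rather than trusting what the machine reports.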
Unfortunately, once an intruder has had unrestricted access to your computer, you have no certain way of knowing exactly what they have done to it. The only sure way of cleaning the system is to wipe the disk and start from scratch. Reinstalling the operating system over the existing one does not necessarily remove the unwanted files. At best they remain dormant until they can be reactivated; at worst (as in the case of a service) they are reactivated as the operating system comes back up.