LinuxQuestions.org > Linux - Security
Old 08-30-2004, 09:46 AM   #1
hutuworm
Member
 
Registered: Aug 2004
Posts: 130

Rep: Reputation: 15
New Trojan named DSB?


Hi, all,

I found a new trojan (?) named DSB recently. It first showed up last week, when I found many entries in my Apache access_log that only reach my web site's / and whose user-agent field is filled with "DSB 1.1.1h". Last weekend there were more "DSB 1.2.0h" than "DSB 1.1.1h", so it seems to be updating itself; now they are all "DSB 1.2.0h", so the update seems finished. The source IPs are mostly from Italy, and the number of entries is increasing fast; it seems to be spreading fast over the Internet.

Fortunately I found these valuable entries in my access_log:
-----------------------------------
218.**.198.87 - - [30/Aug/2004:06:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:02 -0600] "GET /www.safe-download.biz/access.php?a=15631CD7-09004OEM007148160365&w=20&d=20040830213551&o=4.10.67766446.1.%20A%20&i=5.00.2614.3500&n=&v=1.2.0h&e=&c=&b=&m=n&t=104&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/update.php?a=15631CD7-09004OEM007148160365&w=20&v=1.2.0h&&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/kill.php?a=15631CD7-09004OEM007148160365&w=20&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.0h"
-----------------------------------
The first entry is a typical one; 99.99% of the malicious accesses look like this. The next three lines seem odd. Is "access.php" a statistics page? Is "update.php" an online update page (DSB 1.1.1h --> DSB 1.2.0h)? Is "kill.php" a suicide page?

Does anyone have experience with it?
 
Old 08-31-2004, 01:41 AM   #2
hutuworm
Member
 
Registered: Aug 2004
Posts: 130

Original Poster
Rep: Reputation: 15
It's updating to 1.2.1h
 
Old 08-31-2004, 01:46 AM   #3
hutuworm
Member
 
Registered: Aug 2004
Posts: 130

Original Poster
Rep: Reputation: 15
Is it a trojan originally from Vietnam?

Domain Name: SAFE-DOWNLOAD.BIZ
Domain ID: D5822451-BIZ
Sponsoring Registrar: ENOM, INC.
Domain Status: ok
Registrant ID: PWAQPAGPCAFE68C1
Registrant Name: P.A Vietnam Ltd
Registrant Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Registrant Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Registrant Address2: House 8, Quang Trung Software City, District 12, HCMC
Registrant City: Ho Chi Minh
Registrant Postal Code: 70000
Registrant Country: Vietnam
Registrant Country Code: VN
Registrant Email: domain@pavietnam.com
Administrative Contact ID: PWAQPAGPCAFE68C1
Administrative Contact Name: P.A Vietnam Ltd
Administrative Contact Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Administrative Contact Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Administrative Contact Address2: House 8, Quang Trung Software City, District 12, HCMC
Administrative Contact City: Ho Chi Minh
Administrative Contact Postal Code: 70000
Administrative Contact Country: Vietnam
Administrative Contact Country Code: VN
Administrative Contact Email: domain@pavietnam.com
Billing Contact ID: PWAQPAGPCAFE68C1
Billing Contact Name: P.A Vietnam Ltd
Billing Contact Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Billing Contact Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Billing Contact Address2: House 8, Quang Trung Software City, District 12, HCMC
Billing Contact City: Ho Chi Minh
Billing Contact Postal Code: 70000
Billing Contact Country: Vietnam
Billing Contact Country Code: VN
Billing Contact Email: domain@pavietnam.com
Technical Contact ID: PWAQPAGPCAFE68C1
Technical Contact Name: P.A Vietnam Ltd
Technical Contact Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Technical Contact Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Technical Contact Address2: House 8, Quang Trung Software City, District 12, HCMC
Technical Contact City: Ho Chi Minh
Technical Contact Postal Code: 70000
Technical Contact Country: Vietnam
Technical Contact Country Code: VN
Technical Contact Email: domain@pavietnam.com
Name Server: DNS5.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS1.NAME-SERVICES.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Fri Dec 05 06:06:19 GMT+00:00 2003
Domain Expiration Date: Sat Dec 04 23:59:59 GMT+00:00 2004
Domain Last Updated Date: Tue Jan 13 14:30:19 GMT+00:00 2004

>>>> Whois database was last updated on: Tue Aug 31 06:43:58 GMT 2004 <<<<
 
Old 08-31-2004, 07:32 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
I don't see anything classifying this as a trojan. If you want to see the payload, try running tcpdump (this *will* put the interface in promiscuous mode by default). Since dumps grow fast, it would be best to add a BPF filter so you only capture traffic from a specific range you're seeing lots of traffic from: tcpdump -w /tmp/dsb.dmp 'tcp and src net 218.123' would get you traffic from 218.123.0.0/16.
 
Old 08-31-2004, 07:49 PM   #5
hutuworm
Member
 
Registered: Aug 2004
Posts: 130

Original Poster
Rep: Reputation: 15
I think it's a trojan; let me show you some logs:
--------------------------------------------------------------------------------

200.100.81.32 - - [31/Aug/2004:17:43:20 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.0h"
201.4.31.124 - - [31/Aug/2004:17:43:22 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
64.76.33.53 - - [31/Aug/2004:17:43:25 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
81.211.210.88 - - [31/Aug/2004:17:43:27 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
62.10.6.2 - - [31/Aug/2004:17:43:32 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
200.175.183.251 - - [31/Aug/2004:17:43:46 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
151.197.30.145 - - [31/Aug/2004:17:43:51 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
151.28.154.56 - - [31/Aug/2004:17:43:54 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
80.183.94.129 - - [31/Aug/2004:17:43:57 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
200.64.207.159 - - [31/Aug/2004:17:43:57 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:08 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"

----------------------------------------------------------------------------------

It's spreading over the Internet so fast, and you may find that it's updating through www.liveupdate.biz from version "DSB 1.2.0h" to "DSB 1.2.1h":

---------------------------------------------------------------------------------------------
195.209.227.165 - - [31/Aug/2004:17:44:11 -0700] "GET /www.liveupdate.biz/access.php?a=4C68B996-55683OEM001391741056&w=16&d=20040901044340&o=5.1.2600.2.Service%20Pack%201&i=6.0.2800.1106&n=p595382 2&v=1.2.1h&e=nadin_x@list.ru&c=\xd0\xee\xf1\xf1\xe8\xff&b=44&m=y&t=8&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:12 -0700] "GET /www.liveupdate.biz/configuration.php?x=Off0001 HTTP/1.1" 404 223 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:12 -0700] "GET /www.liveupdate.biz/update.php?a=4C68B996-55683OEM001391741056&w=16&v=1.2.1h&&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:13 -0700] "GET /www.liveupdate.biz/kill.php?a=4C68B996-55683OEM001391741056&w=16&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.1h"
---------------------------------------------------------------------------------------------
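Added example, not code from the thread: a small triage script for the two log excerpts in posts #1 and #5. It parses Apache combined-format lines, keeps only hits whose user-agent starts with "DSB", counts them per version (so the 1.2.0h -> 1.2.1h roll-over is visible), and pulls the C2 host, script name and query parameters out of the access.php / update.php / kill.php / configuration.php requests. The sample lines are copied from the posts above (source IPs masked as they appear there, the victim's e-mail address masked here, wrapped lines rejoined). Decoding the escaped "c=" value as cp1251 is an assumption made here; the thread does not say what codepage the client used.

```python
"""Triage of the "DSB" hits in Apache access_log (added example, not from the thread).

SAMPLE_LOG is copied from the log excerpts in posts #1 and #5 (IPs masked as shown
there, e-mail masked here). cp1251 for the escaped "c=" field is an assumption.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
UA_RE = re.compile(r'^DSB (?P<version>\S+)$')
# Scripts the client requests right after its plain "GET /" hit.
BEACON_SCRIPTS = {'access.php', 'update.php', 'kill.php', 'configuration.php'}

SAMPLE_LOG = r"""
218.**.198.87 - - [30/Aug/2004:06:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:02 -0600] "GET /www.safe-download.biz/access.php?a=15631CD7-09004OEM007148160365&w=20&d=20040830213551&o=4.10.67766446.1.%20A%20&i=5.00.2614.3500&n=&v=1.2.0h&e=&c=&b=&m=n&t=104&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/update.php?a=15631CD7-09004OEM007148160365&w=20&v=1.2.0h&&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/kill.php?a=15631CD7-09004OEM007148160365&w=20&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.0h"
200.100.81.32 - - [31/Aug/2004:17:43:20 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.0h"
201.4.31.124 - - [31/Aug/2004:17:43:22 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:08 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:11 -0700] "GET /www.liveupdate.biz/access.php?a=4C68B996-55683OEM001391741056&w=16&d=20040901044340&o=5.1.2600.2.Service%20Pack%201&i=6.0.2800.1106&n=p595382 2&v=1.2.1h&e=xxxxxxx@xxxx.xx&c=\xd0\xee\xf1\xf1\xe8\xff&b=44&m=y&t=8&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:12 -0700] "GET /www.liveupdate.biz/configuration.php?x=Off0001 HTTP/1.1" 404 223 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:12 -0700] "GET /www.liveupdate.biz/update.php?a=4C68B996-55683OEM001391741056&w=16&v=1.2.1h&&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:13 -0700] "GET /www.liveupdate.biz/kill.php?a=4C68B996-55683OEM001391741056&w=16&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.1h"
"""


def unescape_apache(value, codepage='cp1251'):
    """Apache writes non-printable bytes as \\xHH; turn them back into text.
    The codepage is an assumption (the 'c=' field looked Russian)."""
    if '\\x' not in value:
        return value
    text = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
    return text.encode('latin-1', errors='replace').decode(codepage, errors='replace')


def parse_line(line):
    """Split one access_log line into its fields; None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dsb_version(ua):
    """'DSB 1.2.1h' -> '1.2.1h'; None for any other user-agent."""
    m = UA_RE.match(ua)
    return m.group('version') if m else None


def parse_beacon(target):
    """For the odd requests (/<c2 host>/<script>.php?...) return
    (host, script, params); None for the plain 'GET /' style hits."""
    path, _, query = target.partition('?')
    parts = path.lstrip('/').split('/', 1)
    if len(parts) != 2 or parts[1] not in BEACON_SCRIPTS:
        return None
    params = {k: unescape_apache(v[0])
              for k, v in parse_qs(query, keep_blank_values=True).items()}
    return parts[0], parts[1], params


def summarize(lines):
    """Count DSB hits per reported version and collect the C2 beacons."""
    versions = Counter()
    sources = set()
    beacons = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ver = dsb_version(rec['ua'])
        if ver is None:
            continue  # ordinary visitor, not a DSB hit
        versions[ver] += 1
        sources.add(rec['ip'])
        b = parse_beacon(rec['target'])
        if b:
            host, script, params = b
            beacons.append({'ip': rec['ip'], 'host': host, 'script': script,
                            'version': params.get('v'), 'params': params})
    return {'versions': dict(versions), 'sources': len(sources), 'beacons': beacons}


if __name__ == '__main__':
    result = summarize(SAMPLE_LOG.splitlines())
    print('hits per DSB version:', result['versions'], 'from', result['sources'], 'hosts')
    for b in result['beacons']:
        print(b['ip'], b['host'], b['script'], b['version'], sorted(b['params']))
```

Run it against a real access_log with `summarize(open('/var/log/httpd/access_log'))` to get the version split and the set of C2 hosts the clients are trying to reach through your server; since every one of those requests is a 404, the interesting data is entirely in the query string (machine id `a`, OS and IE build in `o`/`i`, client version `v`), not in any response your server sends.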
 
Old 08-31-2004, 07:53 PM   #6
hutuworm
Member
 
Registered: Aug 2004
Posts: 130

Original Poster
Rep: Reputation: 15
www.liveupdate.biz 200.16.144.174

inetnum: 200.16.144/22
status: reassigned
owner: S&M International S.A.
ownerid: AR-SISA3-LACNIC
address: Av Roque Saenz Peña 971 4 Piso
address: Buenos Aires, BA 1035
country: AR
owner-c: MC90-ARIN
inetrev: 200.16.144/22
nserver: NS1.SMINTER.COM.AR
nsstat: 20040829 AA
nslastaa: 20040829
nserver: NS2.SMINTER.COM.AR
nsstat: 20040829 AA
nslastaa: 20040829
created: 19980421
changed: 19980421
inetnum-up: 200.16.128/17
source: ARIN-LACNIC-TRANSITION

nic-hdl: MC90-ARIN
person: Marcelo Cassino
e-mail: marcelo@MECON.AR
address: Mexico 664 1st 4
address: Buenos Aires, Buenos Aires 1927
country: AR
phone: (541) 349 8040
source: ARIN-LACNIC-TRANSITION