TFTPnnnn files; indicator of entry method?



cquirke (MVP Windows shell/user)
07-09-2005, 11:49 PM
I've been seeing quite a lot of bots lately; Rbot and SDbot, often the
two names being applied to the same bugs by different tools.

Often there are TFTPnnnn files present, where nnnn is four consecutive
digits. Do these indicate a method of entry, and is it the malware
process or the (exploited?) OS that generates the TFTP name? I
presume TFTP = Trivial File Transfer Protocol (if anything) and recall
this being used as a climbing rope by pure network worms to pull their
content up and into the target PC.

Typically these PCs are under-patched and poorly firewalled, which
means it could be RPC/DCOM or LSASS being exploited, but there are
other methods possible, e.g. ASN.1

It would be useful to know if these TFTP names correlated to a
particular risk that needed to be fixed, much as Lovesan indicates
RPC, Sasser indicates LSASS, Opaserv indicates F&PS etc.

Also, I've been having variable mileage with F-Prot for DOS, SysClean
and Stinger, when it comes to these bots. What's the best free
detection and fixing tool for SDbot and Rbot, preferably one that can run
from Bart's PE? So far I've yet to see F-Secure's F-Bot and F-SDbot
catch anything after F-Prot for DOS, SysClean and Stinger have been.



>------------------------ ---- --- -- - - - -
Forget http://cquirke.blogspot.com and check out a
better one at http://topicdrift.blogspot.com instead!
>------------------------ ---- --- -- - - - -
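The "climbing rope" cquirke describes is a plain RFC 1350 TFTP read: once the exploit has a command shell on the box, the payload is a one-line request for a file from the attacker's host, and the whole transfer is an RRQ followed by 512-byte DATA blocks and ACKs over UDP. The block below is an added example, not code from the post or from any of the tools named in it: it runs both sides of that exchange in memory so the packet sequence a defender would see on the wire is visible, and includes a small check that picks an RRQ out of a UDP payload. The file names and file contents are constructed for the demonstration; nothing here states which exploit produced a given TFTPnnnn name.

```python
"""Minimal RFC 1350 TFTP read (RRQ/DATA/ACK) run client<->server in memory.

Added example for the thread above; file names and bodies are constructed.
"""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512                      # RFC 1350 fixed data block size
TFTP_MODES = ("netascii", "octet", "mail")


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(pkt):
    """Return (opcode, filename, mode) for an RRQ/WRQ packet, else raise ValueError."""
    if len(pkt) < 4:
        raise ValueError("too short for a TFTP request")
    op = struct.unpack("!H", pkt[:2])[0]
    if op not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a TFTP request")
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3 or fields[2] != b"" or not fields[0]:
        raise ValueError("malformed request")
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in TFTP_MODES:
        raise ValueError("unknown transfer mode")
    return op, fields[0].decode("latin-1"), mode


def build_data(block, chunk):
    return struct.pack("!HH", OP_DATA, block) + chunk


def parse_data(pkt):
    op, block = struct.unpack("!HH", pkt[:4])
    if op != OP_DATA:
        raise ValueError("not a DATA packet")
    return block, pkt[4:]


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, msg):
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\0"


def tftp_fetch(server_files, filename):
    """Run one read transfer end to end. Returns (received_bytes_or_None, trace).

    server_files maps name -> bytes on the "attacker's" TFTP daemon (constructed here).
    trace is the ordered list of (sender, packet) as it would appear on UDP/69.
    """
    trace = []
    rrq = build_rrq(filename)
    trace.append(("client", rrq))
    _, name, _ = parse_request(rrq)          # server side parses what the client sent
    if name not in server_files:
        err = build_error(1, "File not found")
        trace.append(("server", err))
        return None, trace
    payload = server_files[name]
    received = bytearray()
    block = 1
    while True:
        # A DATA block shorter than 512 bytes ends the transfer; a file that is an exact
        # multiple of 512 therefore ends with an empty DATA block (RFC 1350 section 2).
        chunk = payload[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        data = build_data(block, chunk)
        trace.append(("server", data))
        got_block, got_chunk = parse_data(data)   # client side
        received += got_chunk
        trace.append(("client", build_ack(got_block)))
        if len(chunk) < BLOCK_SIZE:
            break
        block += 1
    return bytes(received), trace


def tftp_rrq_filename(udp_payload):
    """Detection helper: the requested file name if udp_payload is an RRQ, else None."""
    try:
        op, name, _ = parse_request(udp_payload)
    except ValueError:
        return None
    return name if op == OP_RRQ else None


if __name__ == "__main__":
    # Constructed "bot" body: 1102 bytes -> DATA blocks of 512, 512 and 78 bytes.
    files = {"bot.exe": b"MZ" + b"\x90" * 1100}
    body, trace = tftp_fetch(files, "bot.exe")
    for sender, pkt in trace:
        print(f"{sender:6} opcode={struct.unpack('!H', pkt[:2])[0]} len={len(pkt)}")
    print("fetched", len(body), "bytes; RRQ for", tftp_rrq_filename(trace[0][1]))
```

Because every read starts with an RRQ whose opcode and mode are fixed, an unsolicited outbound UDP datagram to port 69 that `tftp_rrq_filename` accepts is a far more specific indicator than the name the file is later saved under; the name on disk is chosen by whatever wrote it, the packet format is not.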

David H. Lipman
07-09-2005, 11:49 PM
From: "cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org>

| I've been seeing quite a lot of bots lately; Rbot and SDbot, often the
| two names being applied to the same bugs by different tools.
|
| Often there are TFTPnnnn files present, where nnnn is four consecutive
| digits. Do these indicate a method of entry, and is it the malware
| process or the (exploited?) OS that generates the TFTP name? I
| presume TFTP = Trivial File Transfer Protocol (if anything) and recall
| this being used as a climbing rope by pure network worms to pull their
| content up and into the target PC.
|
| Typically these PCs are under-patched and poorly firewalled, which
| means it could be RPC/DCOM or LSASS being exploited, but there are
| other methods possible, e.g. ASN.1
|
| It would be useful to know if these TFTP names correlated to a
| particular risk that needed to be fixed, much as Lovesan indicates
| RPC, Sasser indicates LSASS, Opaserv indicates F&PS etc.
|
| Also, I've been having variable mileage with F-Prot for DOS, SysClean
| and Stinger, when it comes to these bots. What's the best free
| detection and fixing tool for SDbot and Rbot, preferably one that can run
| from Bart's PE? So far I've yet to see F-Secure's F-Bot and F-SDbot
| catch anything after F-Prot for DOS, SysClean and Stinger have been.
|
>> ------------------------ ---- --- -- - - - -
| Forget http://cquirke.blogspot.com and check out a
| better one at http://topicdrift.blogspot.com instead!
>> ------------------------ ---- --- -- - - - -

Chris:

How about the McAfee CLS? It does work with NTFS4DOS and NTFS and has a very good catch
rate, especially in consideration of SDBot and RBot detection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Simon Zerafa
07-09-2005, 11:49 PM
Hi,

McAfee is not that good at detecting all variants of SDBot.

I sent a copy of a variant to them last week which they had not previously
detected, which I isolated manually.

Kaspersky did pick it up; many others didn't.

McAfee, AVG and others now have a sample, so they should be up to date.

However, this begs the question as to how many other variants are being
missed?

Kind Regards

Simon

