
W32.Korgo Worm

Page 2
Originally posted by: Hoober
Originally posted by: Gobadgrs
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. 🙁

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

How'd it get to your laptop? How do you know it was infected?

From SARC:

W32.Korgo.E is a minor variant of W32.Korgo.D. This worm propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011). It also opens backdoors on TCP ports 113 and 3067.

So maybe you have a port open, Shelly? You shouldn't have gotten infected if you're patched and you have all your ports closed.


ding ding ding
 
Originally posted by: Shelly21
I don't know how that got past the firewall, you'd think never since just last week, I had to wait four days for the "bastards" at DMZ to open a hole from XXXX to a print server that I built.

I'm running Shavlik's scanner on 4 servers that they told me were infected. I'm kinda baffled since they are new patched 2K servers that we just put into production. And they're running Trend!

Oops! 😱
 
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.

W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).

Edit: Shavlik's HFNetChkPro has issues deploying patches if the workstation itself has the MS04-011 patch. Very interesting.
 
Originally posted by: Shelly21
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.

W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).

pwned!
 
Originally posted by: Shelly21
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.

W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).

Gotta love the random port business.
 
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. 🙁

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

Do you have the rollback feature turned on in XP?

The patch bulletin shows they updated it on May 4th, perhaps the initial patch was not as effective as they led on.
 
Originally posted by: m2kewl
whew, good thing we patchlinked all wks and servers for that MS update

😀

You're using Authentium (Command)'s PatchLink software? How's that working out for you?
 
Originally posted by: SagaLore
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. 🙁

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

Do you have the rollback feature turned on in XP?

The patch bulletin shows they updated it on May 4th, perhaps the initial patch was not as effective as they led on.

Interesting that you mentioned that, on the bridge line last night, the desktop team had to redeploy the patches again due to the checkpoint feature. My busy night is pretty much over, I'm just working on requests from people to "unwrap" ports on the switch. About 300+ to go.
 
Originally posted by: melly
Originally posted by: Hoober
Originally posted by: Gobadgrs
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. 🙁

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

How'd it get to your laptop? How do you know it was infected?

From SARC:

W32.Korgo.E is a minor variant of W32.Korgo.D. This worm propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011). It also opens backdoors on TCP ports 113 and 3067.

So maybe you have a port open, Shelly? You shouldn't have gotten infected if you're patched and you have all your ports closed.


ding ding ding

Nah, they're only listening ports to allow an attacker to gain entry into the machine or a keylog after the machine is infected. You can close all the ports but 445, and if LSASS is still vulnerable the machine can get infected.

Although it's coming up as Korgo.H, perhaps it's another variant that has added a multi-approach method of infection to circumvent the lsass patch. Then it just takes one machine to bring it into the network and deploy it via another vulnerability.
 
Originally posted by: Shelly21
Originally posted by: SagaLore
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. 🙁

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

Do you have the rollback feature turned on in XP?

The patch bulletin shows they updated it on May 4th, perhaps the initial patch was not as effective as they led on.

Interesting that you mentioned that, on the bridge line last night, the desktop team had to redeploy the patches again due to the checkpoint feature. My busy night is pretty much over, I'm just working on requests from people to "unwrap" ports on the switch. About 300+ to go.

There you go, that's why the infection happened.

To answer someone's question how it got past the firewall - one word - laptop.
 
By the way, alarming news from one of our resident hackers, he noted that the Korgo worm is sending keystroke info to Undernet. Very bad news for a bank.


Searching Google for "korgo undernet" yields info on that. I don't think Korgo.H would do it, but who knows what other variants are out there.
 
Originally posted by: SagaLore

To answer someone's question how it got past the firewall - one word - laptop.

yup, laptops going to other locations and then coming back on the network are a security nightmare.
 
Originally posted by: Shelly21
By the way, alarming news from one of our resident hackers, he noted that the Korgo worm is sending keystroke info to Undernet. Very bad news for a bank.


Searching Google for "korgo undernet" yields info on that. I don't think Korgo.H would do it, but who knows what other variants are out there.

Most of the new variants are now doing it. It sends information back to IRC servers for example:


It sends back IP information that Korgo collects - the keystrokes could very well be the author(s) communicating to the host after the infection and running a keylogger.

It would be best if you not mention the name of the bank.
 
I'm putting my money on a high-level employee f%$#ed up a driver install and was forced to use XP's restore feature, going back to a pre-patched restore point.

It happens, and very rarely does anybody get blamed because it was a high-level employee. If any one of the managers who conscripted you into fixing the workstations seems particularly nervous this could explain it. 😉
 
Originally posted by: ElFenix
Originally posted by: SagaLore

To answer someone's question how it got past the firewall - one word - laptop.

yup, laptops going to other locations and then coming back on the network are a security nightmare.

That's why we're using personal firewall software on all our laptops. I have firewall profiles that put the laptops into an "All Open, except for..." when on our network, then "All Closed, except for..." when outside of our network - plus both profiles have active IDS signatures. That way the firewall doesn't interfere with normal company network operations but is well protected at other locations so they don't bring something back with them. It also has application learning turned on so if we find a program/file we don't like we can deny it access, for example if they installed Kazaa.
 
Originally posted by: Shelly21
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.

W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).

Edit: Shavlik's HFNetChkPro has issues deploying patches if the workstation itself has the MS04-011 patch. Very interesting.
You need to note however, that the random port business is only for what ports the worm listens for commands on once the machine is infected. Korgo's vector of attack is still only TCP port 445.
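An added triage check, not from this thread or from Symantec's write-up, that applies the indicators quoted above (listeners on TCP 113 and 3067 plus a random port in 256-8191, and outbound connection attempts to TCP 445 as the only propagation vector) to a `netstat -an` snapshot. The snapshot and the list of expected Windows listeners are constructed assumptions.

```python
import re

# Constructed `netstat -an` output for a hypothetical infected host (not from the thread).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5221           0.0.0.0:0              LISTENING
TCP    10.0.0.5:1052          10.0.0.9:445           SYN_SENT
TCP    10.0.0.5:1053          10.0.0.17:445          SYN_SENT
UDP    0.0.0.0:137            *:*
"""

# Indicators quoted in the thread from the W32.Korgo.H description.
KORGO_BACKDOOR_PORTS = {113, 3067}
KORGO_RANDOM_RANGE = range(256, 8192)   # "a random port (256-8191)"
KORGO_ATTACK_PORT = 445                 # LSASS / MS04-011, the only infection vector

# Ports a stock Windows host listens on anyway (assumption; tune per environment).
EXPECTED_LISTENERS = {135, 139, 445}

TCP_LINE = re.compile(r"^TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+(\w+)$")

def parse_netstat(text):
    """Yield (local_port, foreign_port, state) for each TCP line of netstat -an."""
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)

def assess_korgo(text):
    """Score a netstat snapshot against the Korgo.H listening and scanning pattern."""
    listening, outbound_445 = set(), 0
    for lport, fport, state in parse_netstat(text):
        if state == "LISTENING":
            listening.add(lport)
        elif fport == KORGO_ATTACK_PORT and state in ("SYN_SENT", "ESTABLISHED"):
            outbound_445 += 1          # host reaching out to other machines' LSASS
    backdoor = KORGO_BACKDOOR_PORTS <= listening
    # Any unexplained listener in 256-8191 is a candidate for the worm's random port.
    random_candidates = sorted(p for p in listening if p in KORGO_RANDOM_RANGE
                               and p not in KORGO_BACKDOOR_PORTS | EXPECTED_LISTENERS)
    return {
        "backdoor_ports_present": backdoor,
        "random_port_candidates": random_candidates,
        "outbound_445_attempts": outbound_445,
        "smb_445_exposed": KORGO_ATTACK_PORT in listening,  # unpatched LSASS reachable here
        "verdict": "consistent with W32.Korgo.H" if backdoor else "no Korgo listening pattern",
    }
```

Only 445 matters for whether a host can be infected; the 113/3067/random listeners are post-infection indicators, which is why the check reports them separately.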
 