Windows AD lockouts? *WORM - agobot.oj*

spidey07

No Lifer
Aug 4, 2000
So the server team is having trouble... anybody else seen anything like this? In the error logs they've shown me, it looks like some sort of brute force attack/virus.

just checking the boards...

MODS - if this is in the wrong place feel free to move. Just figured I'd get more hits in OT

The process is svchosts.exe... it is performing a dictionary attack and randomly scanning IPs for known MS vulnerabilities.

TrendMicro DID NOT find it or detect it.

new worm I think.

-edit- maybe, maybe not....possibly agobot or sdbot

causing all sorts of problems...locking out all the accounts.

more sniffer info...
tries TCP ports:
2745
135
1025
445
3127
6129
139

using what seems to be a combination of the following DST addresses:
Random
First octet of host machine, random 2nd, 3rd, 4th octets
First two octets of host machine, random 3rd, 4th octets

Also appears to retrieve list of AD usernames and perform dictionary attack.
ugghhh.... Trend didn't pick it up. I'm guessing it's new.

-----edit------
binary sent to trend for analysis.

wonder if this is just an agobot variant that is downloaded via infected web pages via the MS critical updates just released?

----edit 2----
Trend confirmed first sighting of new worm agobot.oj (Trend's name) from the .exe.... beta patterns being released.

----edit 3---
Every single account is locked out, all 15,000; this thing grabs a user list and tries to brute force it.
 

Jzero

Lifer
Oct 10, 1999
That's pretty much what it sounds like. Sniff the traffic to see where all the authentication requests are coming from.
 
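The OP's sniffer notes (the seven TCP ports, the three destination-address patterns, the per-account dictionary attack) and Jzero's advice to sniff for where the authentication requests come from translate into a small triage script. The following is an added example, not code from this thread or from Trend; it runs on constructed sample records shaped like a sniffer export (source, destination, destination port) and a failed-logon log (source, account tried). The thresholds, the record layout, and the Cisco IOS ACL syntax in the last function are assumptions to adapt to your own data and gear.

```python
"""Triage for the scanning/lockout pattern described in the thread.

Added example with constructed sample data; field layouts, thresholds and
the ACL syntax are assumptions, not something the thread provides.
"""
from collections import defaultdict

# TCP ports the thread reports the worm probing.
WORM_PORTS = {2745, 135, 1025, 445, 3127, 6129, 139}

# Constructed TCP SYN records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    # infected host 10.1.2.3 sweeping the port list over all three target patterns
    ("10.1.2.3", "10.1.77.8", 445),      # shares first two octets with the scanner
    ("10.1.2.3", "10.1.77.8", 139),
    ("10.1.2.3", "10.1.9.10", 135),
    ("10.1.2.3", "10.1.9.10", 2745),
    ("10.1.2.3", "10.200.5.6", 445),     # shares only the first octet
    ("10.1.2.3", "10.44.1.1", 1025),
    ("10.1.2.3", "192.0.2.9", 3127),     # random destination
    ("10.1.2.3", "198.51.100.4", 6129),
    # a second infected host
    ("10.1.3.4", "10.1.5.5", 445),
    ("10.1.3.4", "10.1.5.5", 135),
    ("10.1.3.4", "10.7.7.7", 139),
    ("10.1.3.4", "203.0.113.2", 2745),
    ("10.1.3.4", "10.9.9.9", 1025),
    ("10.1.3.4", "10.1.8.8", 6129),
    # an ordinary workstation talking SMB to its one file server
    ("10.1.2.50", "10.1.2.1", 445),
    ("10.1.2.50", "10.1.2.1", 445),
    ("10.1.2.50", "10.1.2.1", 139),
]

# Constructed failed-logon records: (source IP, account name tried).
SAMPLE_AUTH_FAILURES = [
    ("10.1.2.3", "alice"), ("10.1.2.3", "bob"), ("10.1.2.3", "carol"),
    ("10.1.2.3", "dave"), ("10.1.2.3", "erin"), ("10.1.2.3", "alice"),
    ("10.1.3.4", "frank"), ("10.1.3.4", "grace"), ("10.1.3.4", "heidi"),
    ("10.1.3.4", "ivan"),
    ("10.1.2.50", "alice"), ("10.1.2.50", "alice"),  # one user, bad password twice
]


def target_class(src, dst):
    """Which of the thread's three destination patterns a probe fits."""
    s, d = src.split("."), dst.split(".")
    if s[:2] == d[:2]:
        return "same_first_two_octets"
    if s[0] == d[0]:
        return "same_first_octet"
    return "random"


def find_scanners(flows, min_ports=4, min_targets=3):
    """Hosts that touched at least min_ports of WORM_PORTS on at least
    min_targets distinct destinations. Returns {src: report dict}."""
    ports, targets = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        if dport in WORM_PORTS:
            ports[src].add(dport)
            targets[src].add(dst)
    report = {}
    for src in ports:
        if len(ports[src]) >= min_ports and len(targets[src]) >= min_targets:
            mix = defaultdict(int)
            for dst in targets[src]:
                mix[target_class(src, dst)] += 1
            report[src] = {"ports": sorted(ports[src]),
                           "targets": len(targets[src]), "mix": dict(mix)}
    return report


def lockout_sources(failures, min_users=3):
    """Sources trying many distinct accounts: the dictionary-attack signature
    behind mass lockouts. Returns {src: (distinct_users, attempts)}."""
    users, attempts = defaultdict(set), defaultdict(int)
    for src, user in failures:
        users[src].add(user)
        attempts[src] += 1
    return {src: (len(users[src]), attempts[src])
            for src in users if len(users[src]) >= min_users}


def containment_acl(hosts, number=110):
    """Cisco IOS style extended-ACL lines (assumed platform) dropping the worm
    ports from flagged hosts; meant to be applied inbound on the user VLANs."""
    return [f"access-list {number} deny tcp host {host} any eq {port}"
            for host in sorted(hosts) for port in sorted(WORM_PORTS)]


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_FLOWS)
    for src, info in scanners.items():
        print(src, info)
    print(lockout_sources(SAMPLE_AUTH_FAILURES))
    print("\n".join(containment_acl(scanners)))
```

On the constructed data both infected hosts are flagged by port spread and destination mix, the file-server client is not, and the same two addresses top the failed-logon list; a host that shows up in both reports is the one to unplug first.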

KLin

Lifer
Feb 29, 2000
that's gonna suck if it is a virus and it hits our network :(


EDIT: can you post a small sample of what the event log is saying?
 

spidey07

No Lifer
Aug 4, 2000
found it from core and IDS...

The process is svchosts.exe... it is performing a dictionary attack and randomly scanning IPs for known MS vulnerabilities.

TrendMicro DID NOT find it or detect it.

new worm I think.

-edit- maybe, maybe not....possibly agobot or sdbot

causing all sorts of problems...locking out all the accounts.

more sniffer info...
tries TCP ports:
2745
135
1025
445
3127
6129
139

using what seems to be a combination of the following DST addresses:
Random
First octet of host machine, random 2nd, 3rd, 4th octets
First two octets of host machine, random 3rd, 4th octets

Also appears to retrieve list of AD usernames and perform dictionary attack.
ugghhh.... Trend didn't pick it up. I'm guessing it's new.

Any help here? I've had the server guys report it to Trend.
 

slag

Lifer
Dec 14, 2000
is it coming from inside the company?

It must be, because I can't see how you would allow NetBIOS to talk to the internet on ports 137, 138, or 139. That would be ridiculous and a gigantic security risk.
 

Phoenix86

Lifer
May 21, 2003
It's likely coming from the inside, it has his AD listing.

Time to go hang a user for: checking web mail, installing a new 'toolbar', or bringing in 'important data' from home.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Phoenix86
It's likely coming from the inside, it has his AD listing.

Time to go hang a user for: checking web mail, installing a new 'toolbar', or bringing in 'important data' from home.

It is coming from the inside... 1000s of computers are locked out and generating a ton of traffic.

ugghhh.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: kt
Any news on what's causing all this traffic?

Some kind of worm... haven't figured out exactly what it is.

Trend with current engine/pattern is not detecting it
 

m2kewl

Diamond Member
Oct 7, 2001
Damn, that's interesting... nothing on CERT to indicate this either.

You running Trend OfficeScan and ScanMail/gateway?
 

Jzero

Lifer
Oct 10, 1999
It doesn't have to be a worm, it could just be a compromised box. Do you have users with laptops? Do you allow VPN connections?
 

kt

Diamond Member
Apr 1, 2000
Originally posted by: spidey07
Originally posted by: kt
Any news on what's causing all this traffic?

Some kind of worm... haven't figured out exactly what it is.

Trend with current engine/pattern is not detecting it

Yikes. We are using Trend as well. I am on the late shift and definitely don't want to deal with something like this.

Hate to be in your position right now, but please share if and when you guys figure out what it is and a preventative solution.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Jzero
It doesn't have to be a worm, it could just be a compromised box. Do you have users with laptops? Do you allow VPN connections?

Crap, over 1000 actively scanning/replicating hosts internally.

Resembles agobot in its activity.
 

slycat

Diamond Member
Jul 18, 2001
If there's nothing to go on, here's what I'd do after informing the bigwigs about it:

1) Isolate servers into a different segment first.

Verify they are clean and free from attacks at that point.

Reset all locked accounts, repair, etc.

2) Summarily segment users/computers, until something fishy shows up.

You figure you're going to have to be doing the above anyway... doing it now will reduce damage and overall havoc.
Let the user systems go crazy; at least your servers are isolated and good until you've eradicated the problem.
One thing I like to do is have all servers on separate switches from the users, so one simple unplug isolates them.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: slycat
If there's nothing to go on, here's what I'd do after informing the bigwigs about it:

1) Isolate servers into a different segment first.

Verify they are clean and free from attacks at that point.

Reset all locked accounts, repair, etc.

2) Summarily segment users/computers, until something fishy shows up.

You figure you're going to have to be doing the above anyway... doing it now will reduce damage and overall havoc.
Let the user systems go crazy; at least your servers are isolated and good until you've eradicated the problem.

This is a 15,000 node network... not so easily done.
 

slycat

Diamond Member
Jul 18, 2001
Originally posted by: spidey07
Originally posted by: slycat
If there's nothing to go on, here's what I'd do after informing the bigwigs about it:

1) Isolate servers into a different segment first.

Verify they are clean and free from attacks at that point.

Reset all locked accounts, repair, etc.

2) Summarily segment users/computers, until something fishy shows up.

You figure you're going to have to be doing the above anyway... doing it now will reduce damage and overall havoc.
Let the user systems go crazy; at least your servers are isolated and good until you've eradicated the problem.

This is a 15,000 node network... not so easily done.

Big it may be, but proactive is better in my book. Of course it depends on your seniority. I assume you have already escalated it.
 

PingSpike

Lifer
Feb 25, 2004
Originally posted by: slag
is it coming from inside the company?

It must be, because I can't see how you would allow NetBIOS to talk to the internet on ports 137, 138, or 139. That would be ridiculous and a gigantic security risk.

I thought NetBIOS wasn't even routable?
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: PingSpike
Originally posted by: slag
is it coming from inside the company?

It must be, because I can't see how you would allow NetBIOS to talk to the internet on ports 137, 138, or 139. That would be ridiculous and a gigantic security risk.

I thought NetBIOS wasn't even routable?

NetBIOS can run over TCP... 137, 138, 139.

:beer:

But our internet routers and security systems are pretty hardened... it came from the inside.