SUMMARY
UPDATE: As of September 6, 2002, reports of malicious activity that follow the particular pattern that is outlined in this article have lessened significantly. The Microsoft Product Support Services Security Team has modified this Microsoft Knowledge Base article to reflect this information and to refine suggestions for detection and repair criteria.
Microsoft has investigated an increase in malicious activity that tries to load code on Microsoft Windows 2000-based servers. This activity is typically associated with a program that has been identified as Backdoor.IRC.Flood.
By analyzing computers that have been compromised, Microsoft has determined that these attacks do not appear to exploit any new product-related security vulnerabilities and do not appear to be viral or worm-like in nature. Instead, the attacks seek to take advantage of situations where standard precautions have not been taken as detailed in the "Prevention" section of this article. The activity appears to be associated with a coordinated series of individual attempts to compromise Windows 2000-based servers. As a result, successful compromises leave a distinctive pattern. This article lists files and programs that would provide evidence of a successful compromise according to this pattern so that you can take appropriate action to:
- Detect compromised computers.
- Repair and recover compromised computers.
MORE INFORMATION
Impact of Attack
Compromise of server
Symptoms
Compromised systems show one or more of the following symptoms:
- Antivirus software may indicate that it has detected Trojans, such as Backdoor.IRC.Flood and its variants. Most antivirus vendors' current products (that are using up-to-date signature files) will detect these Trojans.
- If the compromised system is a domain controller, the security policy is modified. Some of the possible effects of a modified security policy are:
  - Guest accounts that were previously disabled are re-enabled.
  - New unauthorized accounts appear, possibly with administrative privileges.
  - Security permissions are changed on servers or in Active Directory.
  - Users cannot log on to the domain from the workstations.
  - Users cannot open Active Directory snap-ins in Microsoft Management Console (MMC).
  - Error logs display multiple failed logon attempts from legitimate users who were locked out.
Technical Details
If the computer has been compromised, antivirus software may detect malicious code such as Backdoor.IRC.Flood and its variants. For more information, contact your antivirus vendor.
In the cases that Microsoft has analyzed, the compromised servers were found to have the following files and programs. The presence of these files indicates that the system has been compromised. If these files or programs are found on your computer, and if they were not installed by you or with your knowledge, run a complete virus scan with an up-to-date virus scanning program.
NOTE: Paths to the files are not listed because they may vary.
- Gg.bat: Gg.bat tries to connect to other servers as "administrator," "admin," or "root." Gg.bat then looks for the Flashfxp and the Ws_ftp programs on the server and then copies several files (including Ocxdll.exe) to the server. Gg.bat then uses the Psexec program to execute commands on the remote server.
- Seced.bat: Seced.bat changes the security policy.
- Nt32.ini
- Ocxdll.exe
- Gates.txt
In other cases, legitimate programs have been installed by the attackers to aid in the compromise. If these programs are found on your systems, and if you did not install them, it may indicate a compromise, and you should investigate further.
A final set of files that are associated with these attacks is a pair of legitimate system files that are routinely installed on systems, but trojanized versions of them are installed as part of the attack. Most antivirus vendors' products, when they are used in conjunction with the current virus signatures, will detect the trojanized versions of these files if they are present.
Attack Vectors
Analysis to date indicates that the attackers appear to have gained entry to the systems by using weak or blank administrator passwords. Microsoft has no evidence to suggest that any heretofore unknown security vulnerabilities have been used in the attacks.
Prevention
Microsoft recommends that customers protect their servers against this and other attacks by making sure that they follow standard security best practices, such as:
- Eliminating blank or weak administrator passwords.
- Disabling the guest account.
- Running current antivirus software with up-to-date virus signature definitions.
- Using firewalls to protect internal servers, including domain controllers.
- Staying up to date on all security patches.
For guidance on best practices to prescriptively configure Microsoft Windows 2000-based servers, see the Security Operations Guide for Windows 2000 Server. To see this guide, visit the following Microsoft Web site:
For more information about how to keep Windows 2000 Server patched and secure, visit the following Microsoft Web site:
Alternatively, you can use the Microsoft Security Baseline Analyzer. For more information about the Microsoft Security Baseline Analyzer, visit the following Microsoft Web site:
Detection
To date, the only systems reported to have been affected by this attack have been systems that are running Microsoft Windows 2000 Server. Microsoft recommends that customers scan their Windows 2000 Server-based environments to determine if the files that are listed in the "Technical Details" section of this article exist. Because some of the files may have been legitimately installed, customers should investigate them to determine their usage and intent.
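Because the article notes that the paths of the indicator files vary, a practical sweep matches on file name only, case-insensitively, across the whole tree. The following script is an added example (not Microsoft's tooling); the indicator names come from the "Technical Details" section, and the directory layout it builds is constructed for demonstration, not taken from a real host.

```python
"""Sweep a directory tree for the file names the article associates with the
Backdoor.IRC.Flood compromise pattern.  Added example, not Microsoft's tooling;
the indicator list is taken from the "Technical Details" section."""
import os
import tempfile
from pathlib import Path

# File names listed in "Technical Details"; paths vary, so match on name only
# and compare case-insensitively (Windows file systems are case-insensitive).
INDICATOR_FILES = {"gg.bat", "seced.bat", "nt32.ini", "ocxdll.exe", "gates.txt"}


def sweep(root):
    """Walk `root` and return the full paths whose file name matches an indicator.

    Returns a sorted list so results are stable for reporting and comparison.
    A root that does not exist simply yields no hits."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in INDICATOR_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory layout for demonstration (not a real
    compromised host): two indicator files at different depths and letter
    case, plus benign files whose names must not be reported."""
    root = tempfile.mkdtemp(prefix="kb_sweep_")
    layout = {
        "WINNT/system32/GG.BAT": "rem constructed sample",
        "Inetpub/scripts/gates.txt": "constructed sample",
        "Inetpub/wwwroot/readme.txt": "benign",
        "Program Files/app/gates.txt.bak": "benign, name differs",
    }
    for rel, content in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def demo():
    """Build the sample tree, sweep it, and return the matched indicator names
    (lower-cased, sorted) independent of the temporary root path."""
    hits = sweep(build_sample_tree())
    return sorted(os.path.basename(h).lower() for h in hits)


if __name__ == "__main__":
    for name in demo():
        print("indicator file present:", name)
```

A hit is a reason to investigate, not proof of compromise on its own; as the article says, some of these names may belong to files installed legitimately, so confirm origin and usage before acting.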
Recovery
For help with recovery, contact Microsoft Product Support Services by using your preferred method. For more information about methods to contact Microsoft Product Support Services, visit the following Microsoft Web site: