North American Network Operators Group


Disabling QAZ (was Re: Port 139 scans)

  • From: Mike Lewinski
  • Date: Fri Sep 29 16:05:04 2000

> It might be a good idea to implement filtering on the borders for TCP SYN
> from 0/0 to 0/0 port 7597.  That way, at least it can't be used once it's
> installed.
> Anyone else have any thoughts on damage control here?

Ok, guess it's time to get on nanog-post....

You can disable the clients, at least until next reboot. This won't work
with telnet, you have to use netcat:

$ nc qaz_infected_ip 7597

"exit" will close the connection but not the QAZ server, while "quit" does
appear to shut it down. You can also "run x". Once QAZ has been shutdown,
it's also possible to connect to the share and manually delete the infected
notepad.exe, although I haven't yet figured out if there's a way to unshare
someone's drives remotely via command line (if I did this, I wouldn't be
able to get back in to clean the infection).

I've also been playing with that chinese MTA. I've been trying to capture
the actual contents of the e-mail that gets sent. Not sure if they've been
recently imparted with a clue, but it seems like the SMTP transactions
aren't completing now. Something is definitely funny over there... two days
ago I could do the following by hand, just like strings on QAZ suggests that
it does:

mail from:nongmin_cn
250 Ok
rcpt to:nongmin_cn
250 Ok
354 End data with <CR><LF>.<CR><LF>

250 Ok: queued as 9D8021C25A939

Today it disconnects upon receiving the "rcpt to:nongmin_cn" line (no 5xx
error, just disconnects). I just have a funny feeling about this, it's a
very weird MTA that accepts broken syntax (not that that is so uncommon),
and it will terminate connections very quickly if it doesn't get data right
away. My feeling is that the attackers are probably just watching the SMTP
logs to glean IPs from, and that they don't care if the virus gets to send
the e-mail or not. I believe that this SMTP isn't actually responsible for
_any_ legitimate mail, a check on MX records for shows that it's
not listed there. Perhaps the attackers have modified the MTA itself now to
hide their tracks, making it look like that address has been disabled (the
virus doesn't know this, and will keep trying to send at every reboot, btw).


P.S. The QAZ server only allows one connection at a time. If you think
someone is infected but not answering on that port, it may be in use....
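As an added example (not from Mike's post or anything the list published), one way to turn the indicators in this thread into a check against your own logs: flag hosts on your network that receive or initiate TCP 7597 connections, or whose SMTP envelope uses the nongmin_cn mailbox the worm mails to. The firewall and SMTP log formats, and the sample lines, are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the thread: the QAZ backdoor listens on TCP 7597,
# and the worm's beacon mail uses "nongmin_cn" as both sender and recipient.
QAZ_PORT = 7597
QAZ_MAILBOX = "nongmin_cn"

# Constructed log formats (an assumption, not a real product's format):
#   firewall: "<ts> fw tcp <src_ip>:<sport> -> <dst_ip>:<dport> <SYN|ACCEPT|DENY>"
#   smtp:     "<ts> smtp <client_ip> <SMTP command line>"
FW_RE = re.compile(
    r"^\S+ fw tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)
SMTP_RE = re.compile(r"^\S+ smtp (?P<client>[\d.]+) (?P<cmd>.*)$")


def find_qaz_suspects(lines):
    """Return {ip: sorted reasons} for hosts showing QAZ indicators.

    - a host receiving connections on 7597 is likely running the backdoor;
    - a host initiating connections to 7597 may be scanning or controlling;
    - a host using nongmin_cn in an SMTP envelope is sending the beacon mail.
    Hosts are reported whether or not the connection was accepted: the
    backdoor takes only one connection at a time, so a busy listener looks
    closed from the outside (as the P.S. above notes).
    """
    reasons = defaultdict(set)
    for line in lines:
        m = FW_RE.match(line)
        if m and int(m.group("dport")) == QAZ_PORT:
            reasons[m.group("dst")].add("inbound tcp/7597 (backdoor listener?)")
            reasons[m.group("src")].add("outbound tcp/7597 (scanning/controlling?)")
            continue
        m = SMTP_RE.match(line)
        if m and QAZ_MAILBOX in m.group("cmd").lower():
            reasons[m.group("client")].add("smtp envelope uses nongmin_cn (worm beacon)")
    return {ip: sorted(r) for ip, r in reasons.items()}


# Constructed sample log lines so the script runs stand-alone.
SAMPLE_LOG = [
    "2000-09-29T16:00:01 fw tcp 10.0.0.5:1034 -> 10.0.0.20:7597 SYN",
    "2000-09-29T16:00:02 fw tcp 10.0.0.20:7597 -> 10.0.0.5:1034 ACCEPT",
    "2000-09-29T16:00:03 fw tcp 10.0.0.7:2049 -> 192.0.2.9:80 SYN",
    "2000-09-29T16:00:04 smtp 10.0.0.20 MAIL FROM:nongmin_cn",
    "2000-09-29T16:00:05 smtp 10.0.0.20 RCPT TO:nongmin_cn",
    "2000-09-29T16:00:06 smtp 10.0.0.7 RCPT TO:<alice@example.org>",
]

if __name__ == "__main__":
    for ip, why in sorted(find_qaz_suspects(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(why))
```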