Write-up for CAHack – Public Version

Detected by Michael Johnson at about 21-June-2004 3:00 PM.

Infection occurred on 18-June-2004 at 11:58 PM, based on the creation date of rhs.exe.  The system (Windows XP Pro SP1) was fully patched with all critical updates before 3 PM on 18-June-2004.  The infection vector is unknown.  The system was set up behind a Linksys NAT firewall and was not put on the PNHS network until it was fully patched.

 

To protect user privacy, I have changed all references to the machine name to XXXXXX.  The machine has also moved to a different subnet on our network.

 

  1. This hack is being called CAHack because of its distinguishing characteristic: the installer for Cain and Abel is present in the %windir%\system32\mui\0009\prog\ folder.  Cain and Abel is a password sniffer and cracker, so any password used on or cached by this machine should be treated as exposed.
  2. Services installed (short names shown):
     a. SLAVE
        i.   %windir%\Slave.exe
        ii.  RemoteAnything (remote control and file browser; see the ra_slave.log sample at the end of this write-up)
        iii. Installed 06/19/04 00:02:31
     b. LSASST (a name chosen to look like the legitimate LSASS)
        i.   %windir%\system32\mui\0009\prog\rhs.exe
        ii.  Serv-U FTP server
     c. DNTUS26
        i.   %windir%\system32\dntus26.exe
        ii.  DameWare NT Utilities 2.6
  3. Registry entries
     a. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsasst]
     b. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lsasst]
     c. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Slave]
     d. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Slave]
     e. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        i.   "vf9"="C:\\WINDOWS\\System32\\vf9485.exe"
     f. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DNTUS26]
     g. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DNTUS26]
  4. Other files noted on the system
     a. Several other utilities were in %windir%\system32\mui\0009\prog\.
     b. C:\ra_slave.log (a sample is attached at the end of this write-up).
  5. Cleanup
     a. An automated cleanup tool has been created and placed at http://people.pharmacy.purdue.edu/~mikej/.  A short URL is also provided at http://tinyurl.com/yqn7u.  Please do not set up any other short URL services for this site.  The tool removes the artifacts listed above; since the machine was under remote control with administrative rights (the log shows "Admin: y") by parties unknown, rebuilding from known-good media is the safer course where that is practical.
        i.   Executables (both perform the same actions; each is a WinZip self-extracting archive):
             1. http://people.pharmacy.purdue.edu/~mikej/cahack/cacleanup.exe (no pauses, one confirmation prompt)
             2. http://people.pharmacy.purdue.edu/~mikej/cahack/cacleanup-p.exe (pauses so you can observe the cleanup process)
     b. Cleanup.reg (deletes the three service keys from both ControlSet001 and ControlSet002 and removes the vf9 Run value; HKLM\SYSTEM\Select\Current tells you which control set is live, and the Service Control Manager does not drop a service whose key was deleted underneath it until the next reboot, so reboot after running the tool):

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsasst]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lsasst]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Slave]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Slave]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vf9"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DNTUS26]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DNTUS26]

     c. Cleanup.bat (the original used deltree, which is a Windows 9x/DOS command and is not shipped with Windows XP; it is replaced here with rd and del, and the Run-key binary is killed before its file is deleted):

@echo off
rem CACleanup tool by Michael A. Johnson, mikej@purdue.edu
echo CACleanup tool by Michael A. Johnson, mikej@purdue.edu
echo Stopping services... (Part 1 of 3)
net stop lsasst
net stop slave
net stop dntus26
rem vf9485.exe is started from the Run key, not as a service, so end the
rem process before trying to delete the file (taskkill ships with XP Professional)
taskkill /f /im vf9485.exe
echo The services should have stopped.
echo Deleting files and folders... (Part 2 of 3)
rem rd /s /q removes the folder tree; del /f /q /a removes the files even
rem if they were marked read-only or hidden
rd /s /q "%windir%\system32\mui\0009\prog"
del /f /q /a "%windir%\slave.exe"
del /f /q /a "%windir%\system32\slave.exe"
del /f /q /a "%windir%\system32\dntus26.exe"
del /f /q /a "%windir%\system32\vf9485.exe"
echo The files should be deleted.
echo Cleaning registry (Part 3 of 3)
rem cleanup.reg is expected in the same folder as this batch file
regedit /s "%~dp0cleanup.reg"
echo The registry should now be clean.
echo Cain and Abel cleanup occurred at the creation date of this text file.>>c:\cacleanup.txt
dir c:\cacleanup.txt>>c:\cacleanup.txt
echo Reboot so the Service Control Manager drops the deleted service entries.

  6. Prevention:
     a. Recommend blocking the following machines at the Purdue border.  I have seen the same machines in other signatures of similar hacks.
        i.   mail.obione.net (in France; the website advertises IRC servers with Eggdrop, etc., if Babelfish translated it correctly: http://tinyurl.com/2t8am).  This is the server the slave mails its MAC/IP/hostname report to; see the MailServer and EmailSent entries in the log.
        ii.  81.56.172.243 lns-p19-8-81-56-172-243.adsl.proxad.net (the first master to connect, about 16 minutes after the slave was installed)
        iii. 128.82.5.60 dhcp-037.cs.odu.edu
     b. Block all outgoing direct-to-MX e-mail, i.e. TCP/25 from workstations to anything other than the campus mail relays.  The slave's report to mail.obione.net went out that way; the final "!SendEmail:MX" entry in the log, written after the machine had been taken off the network and had only 127.0.0.1, shows the report failing once that path was gone.
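The following is an added example of mine, not part of the original write-up or of the author's cleanup tool: a check for the two border rules above, run over constructed firewall log lines.  The campus prefix 128.210.0.0/16 is assumed from the victim's address in the log; the relay address 128.210.11.25 and the off-campus addresses in the sample flows are hypothetical; the IP blocklist holds the two addresses recommended above (mail.obione.net is a hostname and must be blocked by name or after resolution, so it is not in that set); port 4000 is taken from the inventory line in ra_slave.log, which I read as the slave's listening port, and that reading is an assumption.

```python
"""Egress and blocklist check for the two prevention rules: no direct-to-MX
SMTP from anything but the mail relays, and no traffic with the known
CAHack masters.  Flow lines are "date time,src,dst,proto,dport,action"
(a constructed format for this example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address

CAMPUS = ipaddress.ip_network("128.210.0.0/16")           # assumed from the victim IP in the log
MAIL_RELAYS = {IPv4("128.210.11.25")}                      # hypothetical campus relay
BLOCKLIST = {IPv4("81.56.172.243"), IPv4("128.82.5.60")}   # masters named in the write-up
SLAVE_PORT = 4000                                          # from the inventory line (assumption)


@dataclass(frozen=True)
class Finding:
    when: str
    src: str
    dst: str
    rule: str


def evaluate_flows(lines):
    """Apply the three rules to each flow line; a line can trigger more than one."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, s, d, proto, dport, _action = line.split(",")
        src, dst, port = IPv4(s), IPv4(d), int(dport)
        outbound = src in CAMPUS and dst not in CAMPUS
        inbound = dst in CAMPUS and src not in CAMPUS
        if proto == "tcp" and port == 25 and outbound and src not in MAIL_RELAYS:
            findings.append(Finding(when, s, d, "direct-to-MX SMTP from a non-relay host"))
        if src in BLOCKLIST or dst in BLOCKLIST:
            findings.append(Finding(when, s, d, "traffic with a known CAHack master"))
        if proto == "tcp" and port == SLAVE_PORT and inbound:
            findings.append(Finding(when, s, d, "inbound connection to the RemoteAnything slave port"))
    return findings


def suspect_hosts(findings):
    """Campus-side endpoint of every finding: the machines to pull and inspect."""
    hosts = set()
    for f in findings:
        for side in (f.src, f.dst):
            if IPv4(side) in CAMPUS:
                hosts.add(side)
    return sorted(hosts, key=IPv4)


# Constructed flows: the victim's report going out, the relay doing its job,
# two masters connecting in, and ordinary traffic that must not be flagged.
SAMPLE_FLOWS = """\
2004-06-19 00:02:36,128.210.116.192,203.0.113.25,tcp,25,allow
2004-06-19 00:10:00,128.210.11.25,203.0.113.25,tcp,25,allow
2004-06-19 00:18:32,81.56.172.243,128.210.116.192,tcp,4000,allow
2004-06-19 03:58:57,128.82.5.60,128.210.116.192,tcp,4000,allow
2004-06-19 09:00:00,128.210.50.7,128.210.11.25,tcp,25,allow
2004-06-19 09:01:00,128.210.50.7,198.51.100.9,tcp,80,allow
"""

if __name__ == "__main__":
    found = evaluate_flows(SAMPLE_FLOWS.splitlines())
    for f in found:
        print(f"{f.when}  {f.src} -> {f.dst}  {f.rule}")
    print("suspect hosts:", ", ".join(suspect_hosts(found)))
```

On the sample the victim is flagged three ways (its own SMTP to the outside, plus the two masters connecting to port 4000) while the relay's SMTP and the internal mail submission pass, which is the point of the rule: only the relays may speak to outside MXs.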
  7. Notice:
     a. This information is copyrighted by Michael A. Johnson/Purdue University.  Please link to the website as mentioned in section 5 rather than duplicating this information.  This allows me to update the information as necessary rather than having outdated copies floating around.

 


C:\ra_slave.log (sample):

[06/19/04 00:02:31] ---- RunServer
[06/19/04 00:02:31] Main:NT
[06/19/04 00:02:31] Main:Install
[06/19/04 00:02:31] Installed
[06/19/04 00:02:31] 
[06/19/04 00:02:31] 
[06/19/04 00:02:31] --[Run]--
[06/19/04 00:02:31] XP Workstation build 2600 Service Pack 1
[06/19/04 00:02:31] Admin: y
[06/19/04 00:02:31] 4.11.12
[06/19/04 00:02:31] Path: C:\WINDOWS\Slave.exe
[06/19/04 00:02:31] COMCTL32 v5.82 Win2K

[06/19/04 00:02:31] 128.210.116.192
[06/19/04 00:02:31] 00-0E-A6-24-8F-F4
[06/19/04 00:02:31] ---- RunServer
[06/19/04 00:02:31] Main:NT
[06/19/04 00:02:32] Start
[06/19/04 00:02:32] RC:Daemon
[06/19/04 00:02:32] FB:Daemon
[06/19/04 00:02:32] CH:Daemon
[06/19/04 00:02:32] 00-0E-A6-24-8F-F4,,128.210.116.192,XXXXXX,4000,vjd,09:10:16,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,734MB/1024MB,C: 28.19GB/37.27GB; E: 23.97GB/37.27GB; F: 74.46GB/74.53GB,ON 00:00:00,-
[06/19/04 00:02:36] MailServer:mail.obione.net

[06/19/04 00:02:39] EmailSent
[06/19/04 00:18:32] *FBConn:81.56.172.243

[06/19/04 00:18:32] [Ver] Master|5.1.30|Slave|4.11.12 G|
[06/19/04 00:18:32] *RCConn:81.56.172.243
[06/19/04 00:18:51] *RCConn:81.56.172.243

[06/19/04 00:18:51] [Ver] Master|5.1.30|Slave|4.11.12 G|
[06/19/04 00:18:51] *RCConn:81.56.172.243
[06/19/04 00:18:53] MsgLoop
[06/19/04 00:19:11] [ExitClientLoop] CPU: ScrCap:35 298 ticks (ave:8) / Scan:37 282 ticks (ave:7)
[06/19/04 00:22:33] *FBConn:81.56.172.243

[06/19/04 00:22:33] [Ver] Master|5.1.30|Slave|4.11.12 G|
[06/19/04 00:22:33] *RCConn:81.56.172.243
[06/19/04 03:58:57] *RCConn:128.82.5.60

[06/19/04 03:58:58] *RCConn:128.82.5.60

[06/21/04 11:17:45] EndSession
[06/21/04 11:17:45] User: vjd => System
[06/21/04 11:17:45] QuitMsgLoop
[06/21/04 11:17:45] RC!Accept
[06/21/04 11:17:45] RC:QuitDaemon
[06/21/04 11:17:45] CH:QuitDaemon
[06/21/04 11:17:45] FB!Accept
[06/21/04 11:17:45] FB:QuitDaemon
[06/21/04 11:20:31] 
[06/21/04 11:20:31] 
[06/21/04 11:20:31] --[Run]--
[06/21/04 11:20:31] XP Workstation build 2600 Service Pack 1
[06/21/04 11:20:31] Admin: y
[06/21/04 11:20:31] 4.11.12
[06/21/04 11:20:31] Path: C:\WINDOWS\Slave.exe
[06/21/04 11:20:31] COMCTL32 v5.82 Win2K

[06/21/04 11:20:31] 128.210.116.192
[06/21/04 11:20:31] 00-0E-A6-24-8F-F4
[06/21/04 11:20:31] ---- RunServer
[06/21/04 11:20:31] Main:NT
[06/21/04 11:20:31] RC:Daemon
[06/21/04 11:20:31] Start
[06/21/04 11:20:31] FB:Daemon
[06/21/04 11:20:31] CH:Daemon
[06/21/04 11:20:31] 00-0E-A6-24-8F-F4,,128.210.116.192,XXXXXX,4000,Not Logged,00:00:31,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,849MB/1024MB,C: 14.29GB/37.27GB; E: 24.00GB/37.27GB; F: 74.46GB/74.53GB,ON 00:00:00,-
[06/21/04 11:20:36] MailServer:mail.obione.net

[06/21/04 11:20:39] EmailSent
[06/21/04 11:45:06] EndSession
[06/21/04 11:45:06] User: Not Logged => System
[06/21/04 11:45:06] QuitMsgLoop
[06/21/04 11:46:20] 
[06/21/04 11:46:20] 
[06/21/04 11:46:20] --[Run]--
[06/21/04 11:46:20] XP Workstation build 2600 Service Pack 1
[06/21/04 11:46:20] Admin: y
[06/21/04 11:46:20] 4.11.12
[06/21/04 11:46:20] Path: C:\WINDOWS\Slave.exe
[06/21/04 11:46:20] COMCTL32 v5.82 Win2K

[06/21/04 11:46:20] 128.210.116.192
[06/21/04 11:46:20] 00-0E-A6-24-8F-F4
[06/21/04 11:46:20] ---- RunServer
[06/21/04 11:46:20] Main:NT
[06/21/04 11:46:20] Start
[06/21/04 11:46:20] RC:Daemon
[06/21/04 11:46:20] FB:Daemon
[06/21/04 11:46:20] CH:Daemon
[06/21/04 11:46:20] 00-0E-A6-24-8F-F4,,128.210.116.192,XXXXXX,4000,Not Logged,00:00:29,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,844MB/1024MB,C: 13.62GB/37.27GB; E: 24.00GB/37.27GB; F: 74.40GB/74.53GB,ON 00:00:00,-
[06/21/04 11:46:25] MailServer:mail.obione.net

[06/21/04 11:54:05] EndSession
[06/21/04 11:54:05] User: Not Logged => System
[06/21/04 11:54:05] QuitMsgLoop
[06/21/04 12:24:46] 
[06/21/04 12:24:46] 
[06/21/04 12:24:46] --[Run]--
[06/21/04 12:24:46] XP Workstation build 2600 Service Pack 1
[06/21/04 12:24:46] Admin: y
[06/21/04 12:24:46] 4.11.12
[06/21/04 12:24:46] Path: C:\WINDOWS\Slave.exe
[06/21/04 12:24:46] COMCTL32 v5.82 Win2K

[06/21/04 12:24:46] 128.210.116.192
[06/21/04 12:24:46] 00-0E-A6-24-8F-F4
[06/21/04 12:24:46] ---- RunServer
[06/21/04 12:24:46] Main:NT
[06/21/04 12:24:46] Start
[06/21/04 12:24:46] RC:Daemon
[06/21/04 12:24:46] FB:Daemon
[06/21/04 12:24:46] CH:Daemon
[06/21/04 12:24:46] 00-0E-A6-24-8F-F4,,128.210.116.192,XXXXXX,4000,Not Logged,00:00:27,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,844MB/1024MB,C: 13.32GB/37.27GB; E: 24.00GB/37.27GB; F: 74.40GB/74.53GB,ON 00:00:00,-
[06/21/04 12:24:51] MailServer:mail.obione.net

[06/21/04 12:24:55] EmailSent
[06/21/04 12:54:13] *RCConn:80.161.255.46

[06/21/04 12:58:27] *RCConn:80.56.118.138

[06/21/04 12:58:27] [Ver] Master|3.7.5|Slave|4.11.12 G|
[06/21/04 12:58:27] *RCConn:80.56.118.138
[06/21/04 12:58:27] Master [80.56.118.138], bad password
[06/21/04 12:58:38] *RCConn:80.56.118.138

[06/21/04 12:58:39] [Ver] Master|3.7.5|Slave|4.11.12 G|
[06/21/04 12:58:39] *RCConn:80.56.118.138
[06/21/04 12:58:39] Master [80.56.118.138], bad password
[06/21/04 12:58:46] *RCConn:80.56.118.138

[06/21/04 12:58:47] [Ver] Master|3.7.5|Slave|4.11.12 G|
[06/21/04 12:58:47] *RCConn:80.56.118.138
[06/21/04 12:58:47] Master [80.56.118.138], bad password
[06/21/04 13:54:04] EndSession
[06/21/04 13:54:04] User: Not Logged => System
[06/21/04 13:54:04] QuitMsgLoop
[06/21/04 13:55:33] 
[06/21/04 13:55:33] 
[06/21/04 13:55:33] --[Run]--
[06/21/04 13:55:33] XP Workstation build 2600 Service Pack 1
[06/21/04 13:55:33] Admin: y
[06/21/04 13:55:33] 4.11.12
[06/21/04 13:55:33] Path: C:\WINDOWS\Slave.exe
[06/21/04 13:55:33] COMCTL32 v5.82 Win2K

[06/21/04 13:55:33] 128.210.116.192
[06/21/04 13:55:33] 00-0E-A6-24-8F-F4
[06/21/04 13:55:33] ---- RunServer
[06/21/04 13:55:33] Main:NT
[06/21/04 13:55:33] Start
[06/21/04 13:55:33] RC:Daemon
[06/21/04 13:55:33] FB:Daemon
[06/21/04 13:55:33] CH:Daemon
[06/21/04 13:55:33] 00-0E-A6-24-8F-F4,,128.210.116.192,XXXXXX,4000,Not Logged,00:00:41,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,837MB/1024MB,C: 12.64GB/37.27GB; E: 24.00GB/37.27GB; F: 74.41GB/74.53GB,ON 00:00:00,-
[06/21/04 13:55:38] MailServer:mail.obione.net

[06/21/04 13:55:42] EmailSent
[06/21/04 14:29:32] EndSession
[06/21/04 14:29:32] User: Not Logged => System
[06/21/04 14:29:32] QuitMsgLoop
[06/21/04 15:32:07] 
[06/21/04 15:32:07] 
[06/21/04 15:32:07] --[Run]--
[06/21/04 15:32:07] XP Workstation build 2600 Service Pack 1
[06/21/04 15:32:07] Admin: y
[06/21/04 15:32:07] 4.11.12
[06/21/04 15:32:07] Path: C:\WINDOWS\Slave.exe
[06/21/04 15:32:07] COMCTL32 v5.82 Win2K

[06/21/04 15:32:08] 127.0.0.1
[06/21/04 15:32:08] 00-0E-A6-24-8F-F4
[06/21/04 15:32:08] ---- RunServer
[06/21/04 15:32:08] Main:NT
[06/21/04 15:32:08] Start
[06/21/04 15:32:08] CH:Daemon
[06/21/04 15:32:08] FB:Daemon
[06/21/04 15:32:08] RC:Daemon
[06/21/04 15:32:08] 00-0E-A6-24-8F-F4,,127.0.0.1,XXXXXX,4000,Not Logged,00:00:35,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,842MB/1024MB,C: 49.76GB/74.53GB; E: 24.00GB/37.27GB,OFF,-
[06/21/04 15:33:18] !SendEmail:MX
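The script below is an added example of mine, not part of the original write-up or of the author's cleanup tool.  It parses a RemoteAnything ra_slave.log in the format shown above and pulls out what an incident handler wants from it: the install time, the slave's path, the hostname and listening port, every master IP that connected and how often, failed master logins, and the mail server used to phone home, then produces a candidate border block list.  The regular expressions are derived from the entries in the sample; the field layout of the comma-separated inventory line (MAC, blank, IP, hostname, port, logged-on user, ...) is my reading of that line and is an assumption.  The embedded SAMPLE_LOG is a constructed, trimmed excerpt of the log above.  Run against the full log it also lists the two 06/21 masters, 80.161.255.46 and 80.56.118.138 (the latter failing the password three times), which the prevention list in section 6 does not mention.

```python
"""Pull indicators out of a RemoteAnything ra_slave.log.  Entries look like
"[MM/DD/YY HH:MM:SS] message"; the message may be empty."""
from __future__ import annotations
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\] ?(.*)$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONN_RE = re.compile(r"^\*(RC|FB)Conn:" + IP + "$")             # remote control / file browser
BADPW_RE = re.compile(r"^Master \[" + IP + r"\], bad password$")
VER_RE = re.compile(r"^\[Ver\] Master\|([^|]+)\|Slave\|([^|]+)\|$")
MAIL_RE = re.compile(r"^MailServer:(\S+)$")
INVENTORY_RE = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2},")      # line starts with the MAC


@dataclass
class SlaveReport:
    installed: str | None = None                              # timestamp of Main:Install
    slave_path: str | None = None
    hostname: str | None = None
    listen_port: int | None = None
    users_seen: set[str] = field(default_factory=set)
    mail_servers: Counter = field(default_factory=Counter)
    emails_sent: int = 0
    emails_failed: int = 0
    masters: Counter = field(default_factory=Counter)         # ip -> connection count
    first_seen: dict[str, str] = field(default_factory=dict)  # ip -> first timestamp
    master_versions: set[str] = field(default_factory=set)
    bad_passwords: Counter = field(default_factory=Counter)   # ip -> failed logins


def parse_ra_slave_log(text: str) -> SlaveReport:
    r = SlaveReport()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue                                          # blank line or noise
        ts, msg = m.groups()
        if msg == "Main:Install" and r.installed is None:
            r.installed = ts
        elif msg.startswith("Path: "):
            r.slave_path = msg[len("Path: "):]
        elif (cm := CONN_RE.match(msg)):
            r.masters[cm.group(2)] += 1
            r.first_seen.setdefault(cm.group(2), ts)
        elif (bm := BADPW_RE.match(msg)):
            r.bad_passwords[bm.group(1)] += 1
        elif (vm := VER_RE.match(msg)):
            r.master_versions.add(vm.group(1))
        elif (mm := MAIL_RE.match(msg)):
            r.mail_servers[mm.group(1)] += 1
        elif msg == "EmailSent":
            r.emails_sent += 1
        elif msg.startswith("!SendEmail"):
            r.emails_failed += 1
        elif INVENTORY_RE.match(msg):
            # assumed layout: MAC,,IP,hostname,port,user,uptime,OS,CPU,mem,disks,...
            f = msg.split(",")
            r.hostname, r.listen_port = f[3], int(f[4])
            r.users_seen.add(f[5])
    return r


def block_list(r: SlaveReport) -> list[str]:
    """Candidates for the border block: every master that connected, whether or
    not it authenticated, in numeric order, then the mail server(s) used."""
    ips = set(r.masters) | set(r.bad_passwords)
    by_octets = sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return by_octets + sorted(r.mail_servers)


# Constructed sample: a trimmed excerpt of the ra_slave.log shown above.
SAMPLE_LOG = r"""
[06/19/04 00:02:31] Main:Install
[06/19/04 00:02:31] Path: C:\WINDOWS\Slave.exe
[06/19/04 00:02:32] 00-0E-A6-24-8F-F4,,128.210.116.192,XXXXXX,4000,vjd,09:10:16,XP Workstation build 2600 Service Pack 1,AMD Athlon(TM) XP 3000+,734MB/1024MB,C: 28.19GB/37.27GB,ON 00:00:00,-
[06/19/04 00:02:36] MailServer:mail.obione.net
[06/19/04 00:02:39] EmailSent
[06/19/04 00:18:32] *FBConn:81.56.172.243
[06/19/04 00:18:32] [Ver] Master|5.1.30|Slave|4.11.12 G|
[06/19/04 00:18:32] *RCConn:81.56.172.243
[06/19/04 03:58:57] *RCConn:128.82.5.60
[06/21/04 12:54:13] *RCConn:80.161.255.46
[06/21/04 12:58:27] *RCConn:80.56.118.138
[06/21/04 12:58:27] [Ver] Master|3.7.5|Slave|4.11.12 G|
[06/21/04 12:58:27] Master [80.56.118.138], bad password
[06/21/04 15:33:18] !SendEmail:MX
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = parse_ra_slave_log(text)
    print(f"installed {rep.installed}, path {rep.slave_path}, {rep.hostname}:{rep.listen_port}")
    for ip, n in rep.masters.most_common():
        print(f"master {ip}: {n} conn, first {rep.first_seen[ip]}, bad pw {rep.bad_passwords[ip]}")
    print("block:", ", ".join(block_list(rep)))
```

With a path argument it reads the real file (the file name is whatever you copied C:\ra_slave.log to); without one it runs on the embedded excerpt.  The first_seen timestamps give the timeline the write-up reconstructs by hand: install at 00:02:31, first master in at 00:18:32.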