Massive Attack Against Mailenable Mail Software

Bitstop thanks our webhosted clients for their patience; they were affected by a mysterious flaw in their websites whereby all visitors were made to enter their authentication. It took our team a long time to track it down. From what we have so far, the vulnerability is traced to Mailenable software. This allows a virus to propagate into the servers and install rootkits and backdoors on the affected servers. The indicators of the attack are files named rdriv.sys and config.exe, sometimes with a.exe and several sdbot variants. This is serious, and we will do our best to get the websites back up.

We are still working on this issue as of this writing. More details will follow.

Here is a link on how to remove it: http://www.trendmicro-middleeast.com/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=2&VName=TROJ_ROOTKIT.E


Posted on Tuesday, February 27, 2007 8:46 PM

Feedback

# re: Massive Attack Against Mailenable Mail Software

Left by ian at 2/27/2007 4:07 PM
I see config.exe in an IRC channel. It's recorded in the honeypot. Sniff the IRC server where the bot joins and I'll do the rest. :)

# re: Massive Attack Against Mailenable Mail Software

Left by wilson at 2/27/2007 4:20 PM
Thanks Ian.

We also see rdriv.sys being reinstalled after we wipe it. Other files are sdbot worm variants, getsys.exe, gethost, gethash, a.exe, bot.exe, bw.exe.

It also installs nasty services masquerading under legitimate sounding services like:

Microsoft POP3 Post
Mailenable SMTP relay
WINs.exe

The trick is to look under the manufacturer column in msconfig, and you will see that the masqueraded services all have unknown manufacturers!

Very difficult to clean. If we knew the ports and other vectors of infiltration, that would be a big help, as we could shield our systems from further attacks.

# re: Massive Attack Against Mailenable Mail Software

Left by ian at 2/27/2007 4:28 PM
Block ports 6667-7000, that's the port range of IRC services, or just use netstat to see open ports, then block them.
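As an added defender-side example (not code from the post, from Bitstop, or from the commenters), this Python script applies the checks the thread describes: it parses Windows `netstat -ano` output for connections to the 6667-7000 IRC range, and it applies the msconfig manufacturer trick against the indicator file names and bogus service names listed in the comments above. The netstat output and the service list are constructed sample data.

```python
# Indicators taken from the post and comments: file names, bogus service names, and the IRC port range the thread suggests blocking (illustrative, not exhaustive).
INDICATOR_FILES = {"rdriv.sys", "config.exe", "a.exe", "getsys.exe", "bot.exe", "bw.exe", "wins.exe"}
INDICATOR_STEMS = {"gethost", "gethash"}  # named without an extension in the thread
BOGUS_SERVICES = {"microsoft pop3 post", "mailenable smtp relay", "wins.exe"}
IRC_PORTS = range(6667, 7001)

def parse_netstat(output):
    """Parse Windows `netstat -ano` text into rows; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        rhost, _, rport = parts[2].rpartition(":")  # UDP rows show '*:*' and carry no state column
        rows.append({"proto": parts[0], "local": parts[1], "rhost": rhost, "pid": int(parts[-1]),
                     "rport": int(rport) if rport.isdigit() else None, "state": parts[3] if len(parts) == 5 else ""})
    return rows

def irc_connections(rows):
    """TCP rows talking to a remote port in 6667-7000, the IRC range named in the thread."""
    return [r for r in rows if r["proto"] == "TCP" and r["rport"] in IRC_PORTS]

def suspicious_services(services):
    """The msconfig trick: flag (display_name, binary_path, manufacturer) tuples with a bogus name or indicator binary."""
    hits = []
    for name, path, maker in services:
        binary = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if name.lower() in BOGUS_SERVICES:
            reasons.append("service name seen in the thread")
        if binary in INDICATOR_FILES or binary.rsplit(".", 1)[0] in INDICATOR_STEMS:
            reasons.append("indicator binary " + binary)
        if reasons and maker.strip().lower() in ("", "unknown"):
            reasons.append("unknown manufacturer")  # corroboration only, never a hit on its own
        if reasons:
            hits.append((name, reasons))
    return hits

# Constructed sample data using documentation IP ranges, not captured from the affected servers.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1043        198.51.100.7:6667      ESTABLISHED     1588
  TCP    192.0.2.10:1052        198.51.100.7:443       ESTABLISHED     2100
  UDP    0.0.0.0:137            *:*                                    4
"""
SAMPLE_SERVICES = [
    ("DNS Client", r"C:\WINDOWS\system32\svchost.exe", "Microsoft Corporation"),
    ("Mailenable SMTP relay", r"C:\WINDOWS\system32\bw.exe", "Unknown"),
    ("Microsoft POP3 Post", r"C:\WINDOWS\system32\config.exe", ""),
]
```

The PIDs returned by `irc_connections` can be matched against `tasklist /svc` output to find which service is holding the IRC connection.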

# re: Massive Attack Against Mailenable Mail Software

Left by ian at 2/27/2007 4:52 PM
It is a reptile bot. I have the source code of it. It has a built-in rootkit and it runs as a service. It cannot be seen in MS Task Manager or msconfig. The attacker can set up the bot on any port as long as it won't conflict with the server where the bot joins for commands. Maybe it's exploiting imap 8.x.

# re: Massive Attack Against Mailenable Mail Software

Left by ian at 2/27/2007 5:43 PM
I mean imail 8.x.

# re: Massive Attack Against Mailenable Mail Software

Left by google排名 at 5/13/2007 5:27 AM
Good! Thank the author.


Copyright © Bitstop Network Services, Inc


Design by Phil Haack Based On A Design By Bartosz Brzezinski