
stealthy mystery ntoskrnl.exe windows 2012


#1 billmcanhelp

Posted 09 November 2016 - 06:31 PM

Hi everyone

I am working at a site that was compromised. I have instituted a draconian firewall rule-set. I built a totally new environment and thought that things were getting better. One of the new servers, however, seems to have some sort of custom malware on it. It is an Exchange server, and what seems to be affected is the ntoskrnl.exe file. I copied one from another machine and overwrote the original, but the machine still exhibits the same behavior. Thus, I do not believe that it is the file itself; something hooking into it is likely the culprit.

It will start communication from what appears to be a random port to an outside address on a specific high port for a minute, then, since it is blocked, terminate.

It will then repeat after what looks like a random number of hours to a new IP at a different port for one minute.

Sometimes it's 2 hours, sometimes it is as long as 18 or 19 hours; it seems to be random as well.

Observations

The process starts with 2 or three instances. The offending exe is ntoskrnl.exe. I ran a netstat -on for the PID and the matching destination port; it came back to System.

Each instance seems to add 1 to the source port.

As many as 9 instances and as few as 1 attempt to connect to the destination IP and port within the same minute.

The application then waits a random number of hours and attempts another IP and port combination.

Most of the IP addresses appear to be geo-local to the server; however, 141.212.122.160 is one of the IP addresses and is known to be part of the botnet.

I have the ability to do a packet capture but have not done so; I don't think it will help me remove whatever is doing it.

I have run just about everything I can think of against the machine. I have also checked schedules to see if a task is doing it; I don't recognize anything out of order.

No connection to the same IP address is made from any other service or machine in the network; I have been logging all communication in both directions.

The log is being generated at the firewall, so there may be missing packets; there may be more data than what I have captured.

I would have chalked it up to plain bad traffic, but it has a pattern that is randomly distinguishable.

Here is an example of traffic for 2 days:

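Added example, not code from the thread: a small Python script that applies the pattern described above to firewall log entries in the flattened "date time src_port tcp dst_ip dst_port" layout the post uses, grouping attempts into per-minute bursts per destination, checking whether the source ports within a burst are consecutive, and measuring the hours between bursts. The sample entries are constructed from a handful of the post's lines, not the full log.

```python
"""Burst-pattern check over pfSense-style pass/fail log entries (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's flattened layout: a subset of its entries.
SAMPLE_LOG = (
    "2016-11-08 3:28 2116 tcp 74.82.47.2 61476 "
    "2016-11-08 3:28 2117 tcp 74.82.47.2 61476 "
    "2016-11-08 3:28 2118 tcp 74.82.47.2 61476 "
    "2016-11-08 4:16 21280 tcp 32.214.203.11 39054 "
    "2016-11-08 4:16 21281 tcp 32.214.203.11 39054 "
    "2016-11-08 23:07 8925 tcp 74.82.47.33 54020 "
    "2016-11-08 23:07 8926 tcp 74.82.47.33 54020"
)

# One entry: <YYYY-MM-DD> <H:MM> <src_port> tcp <dst_ip> <dst_port>
ENTRY = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{1,2}:\d{2}) (\d+) tcp (\S+) (\d+)")


def parse_entries(text):
    """Return (timestamp, src_port, dst_ip, dst_port) tuples from the flattened log."""
    out = []
    for date, hhmm, sport, dip, dport in ENTRY.findall(text):
        ts = datetime.strptime(f"{date} {hhmm}", "%Y-%m-%d %H:%M")
        out.append((ts, int(sport), dip, int(dport)))
    return out


def group_bursts(entries):
    """Group attempts by (minute, dst_ip, dst_port); the log only has minute resolution."""
    bursts = defaultdict(list)
    for ts, sport, dip, dport in entries:
        bursts[(ts, dip, dport)].append(sport)
    return [(key, sorted(ports)) for key, ports in sorted(bursts.items())]


def summarize(entries):
    """Per burst: destination, attempt count, whether the source ports step by 1
    (the 'adds 1 to the source port' observation), and hours since the previous burst."""
    rows, prev = [], None
    for (ts, dip, dport), sports in group_bursts(entries):
        consecutive = sports == list(range(sports[0], sports[0] + len(sports)))
        gap_h = None if prev is None else (ts - prev).total_seconds() / 3600
        rows.append({"time": ts, "dst": f"{dip}:{dport}", "attempts": len(sports),
                     "consecutive_src_ports": consecutive, "hours_since_prev": gap_h})
        prev = ts
    return rows
```

Feeding the whole log through summarize() gives one row per burst, so the irregular multi-hour gaps and the per-burst attempt counts the post describes can be read off directly instead of eyeballed.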



#2 Sneakycyber (Network Engineer, BC Advisor)

Posted 09 November 2016 - 10:57 PM

I am going to have this moved to the Am I Infected forum for help from the malware team.

Chad Mockensturm

Systems and Network Engineer

Certified CompTIA Network+, A+


#3 billmcanhelp (Topic Starter)

Posted 09 November 2016 - 10:59 PM

> I am going to have this moved to the Am I Infected forum for help from the malware team.

Thanks



#4 billmcanhelp (Topic Starter)

Posted 14 November 2016 - 01:35 PM

Here is a capture of the rejected packet:

 

No.     Time           Source                Destination           Protocol Length Info
 423773 50403.137740   192.168.1.9           168.61.54.255         TCP      66     6052→5671 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
 
Frame 423773: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: 00:ec:29:f0:17:5b, Dst: d0:67:e5:03:9a:24
    Destination: d0:67:e5:03:9a:24
        Address: d0:67:e5:03:9a:24
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source:  00:ec:29:f0:17:5b
        Address:  00:ec:29:f0:17:5b
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 168.61.54.255
Transmission Control Protocol, Src Port: 6052, Dst Port: 5671, Seq: 0, Len: 0
    Source Port: 6052
    Destination Port: 5671
    [Stream index: 212]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 32 bytes
    Flags: 0x0c2 (SYN, ECN, CWR)
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0x296d [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1460 bytes
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Window scale: 8 (multiply by 256)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
 
data 
d0 67 e5 30 9a 24 00 0c 29 f0 17 4b 08 00 45 02 00 34 01 c8 40 00 80 06 ...........
 
 
Anyone have any idea?
I just want to kill whatever is doing it; I don't know where to look.


#5 Sneakycyber (Network Engineer, BC Advisor)

Posted 20 November 2016 - 05:45 PM

I received some advice from a member of the Malware team, and the traffic does appear to be legitimate. From your log in the first post: "the destination address is Microsoft, the source IP is your network and it is originating from ntoskrnl.exe". The IP address 141.212.122.160 belongs to the University of Michigan. It is possible there is an issue with your firewall; what kind of firewall are you using?


Chad Mockensturm

Systems and Network Engineer

Certified CompTIA Network+, A+


#6 billmcanhelp (Topic Starter)

Posted 21 November 2016 - 09:56 AM

> I received some advice from a member of the Malware team, and the traffic does appear to be legitimate. From your log in the first post: "the destination address is Microsoft, the source IP is your network and it is originating from ntoskrnl.exe". The IP address 141.212.122.160 belongs to the University of Michigan. It is possible there is an issue with your firewall; what kind of firewall are you using?

The firewall is pfSense, and the data is being generated by syslog logging from rule pass/fail. The Exchange server is running in VMware on another computer. I put in a tap between the firewall and the VMware box and ran Wireshark. It confirmed the traffic came from the Exchange virtual image. I have also limited the Exchange computer to outbound 25, 80 and 443, all others blocked. I don't trust the LAN and am considering putting a Wireshark instance inside of the VM to see if perhaps it's an RPC hack coming from the LAN.

I can share the IP list if it helps you; there are many connection attempts, each unique.
