Chapter 1 / Empty Cup Mind
forensic analysis of this executable on a test machine proved otherwise (we'll
discuss forensics and anti-forensics later on in the book). In our case, qttask.exe
was a modified FTP server that, among other things, provided a remote
shell. The banner displayed by the FTP server announced that the attack was
the work of "Team WzM." I have no idea what WzM stands for, perhaps
"Wort zum Montag." The attack originated on an IRC port from the IP address
195.157.35.1, a network managed by Dircon.net, which is headquartered
in London.
Once the FTP server was installed, the batch file launched the server. The
qttask.exe executable ran as a service named LdmSvc (the display name was
"Logical Disk Management Service"). In addition to allowing the rootkit to
survive a reboot, running as a service was also an attempt to escape detection.
A harried system administrator might glance at the list of running services
and (particularly on a dedicated file server) decide that the Logical Disk Management
Service was just some special "value-added" Original Equipment
Manufacturer (OEM) program.
The attackers made removal difficult for us by configuring several key services,
like Remote Procedure Call (RPC) and the Event Logging service, to
be dependent upon the LdmSvc service. They did this by editing service entries
in the registry (see HKLM\SYSTEM\CurrentControlSet\Services). Some of the
service registry keys possess a REG_MULTI_SZ value named DependOnService that
fulfills this purpose. Any attempt to stop LdmSvc would be stymied because the
OS would protest (i.e., display a pop-up window), reporting to the user that
core services would also cease to function. We ended up having to manually
edit the registry, remove the dependency entries, delete the LdmSvc sub-key,
and then reboot the machine to start with a clean slate.
On a compromised machine, we'd sometimes see entries that looked like:
C:\>reg query HKLM\SYSTEM\CurrentControlSet\Services\RpcSs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
    DisplayName        REG_SZ           @oleres.dll,-5010
    Group              REG_SZ           COM Infrastructure
    ImagePath          REG_EXPAND_SZ    svchost.exe -k rpcss
    Description        REG_SZ           @oleres.dll,-5011
    ObjectName         REG_SZ           NT AUTHORITY\NetworkService
    ErrorControl       REG_DWORD        0x1
    Start              REG_DWORD        0x2
    Type               REG_DWORD        0x20
    DependOnService    REG_MULTI_SZ     DcomLaunch\LdmSvc
    ServiceSidType     REG_DWORD        0x1
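The dependency trick above can be audited and undone from the registry directly. The following PowerShell script is an added example, not code from the book or from the attackers' toolkit: it reads each core service's DependOnService value, flags any dependency that is not in a known-good baseline, and offers a helper that rewrites the REG_MULTI_SZ value without the bogus entry (the step the text describes doing by hand). The baseline table is constructed for illustration; the expected dependencies differ between Windows versions, so build yours from a clean machine of the same build. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the book): audit DependOnService values of core
# services and remove a dependency that was planted to block service removal.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Constructed baseline of expected dependencies for illustration only.
# Replace with values captured from a known-clean machine of the same build.
$baseline = @{
    'RpcSs'    = @('DcomLaunch', 'RpcEptMapper')
    'EventLog' = @()
}

function Get-ServiceDependencies {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $servicesRoot $Name
    if (-not (Test-Path $key)) { return @() }
    # REG_MULTI_SZ is returned as a string array; a missing value yields $null
    $value = (Get-ItemProperty -Path $key -Name 'DependOnService' `
                  -ErrorAction SilentlyContinue).DependOnService
    if ($null -eq $value) { return @() }
    return @($value) | Where-Object { $_ -ne '' }
}

function Find-UnexpectedDependencies {
    # Returns one record per dependency that the baseline does not expect,
    # with the suspect service's display name and binary for triage.
    $findings = @()
    foreach ($svc in $baseline.Keys) {
        foreach ($dep in (Get-ServiceDependencies -Name $svc)) {
            if ($baseline[$svc] -notcontains $dep) {
                $props = Get-ItemProperty -Path (Join-Path $servicesRoot $dep) `
                             -ErrorAction SilentlyContinue
                $findings += [pscustomobject]@{
                    CoreService = $svc
                    Dependency  = $dep
                    DisplayName = $props.DisplayName
                    ImagePath   = $props.ImagePath
                    Start       = $props.Start
                }
            }
        }
    }
    return $findings
}

function Remove-ServiceDependency {
    # Rewrites DependOnService without the named entry. Supports -WhatIf so the
    # change can be previewed before touching the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][string]$Dependency
    )
    $key = Join-Path $servicesRoot $Service
    $remaining = @(Get-ServiceDependencies -Name $Service | Where-Object { $_ -ne $Dependency })
    $desc = "Set DependOnService to [$($remaining -join ', ')]"
    if ($PSCmdlet.ShouldProcess($Service, $desc)) {
        # Write back as REG_MULTI_SZ; an empty array is valid and clears the list
        Set-ItemProperty -Path $key -Name 'DependOnService' `
            -Value ([string[]]$remaining) -Type MultiString
    }
}

# Audit first; only remove an entry once the flagged service has been confirmed bogus.
Find-UnexpectedDependencies | Format-Table -AutoSize
# Remove-ServiceDependency -Service 'RpcSs' -Dependency 'LdmSvc' -WhatIf
```

On a machine showing the registry output above, the audit lists LdmSvc as an unexpected dependency of RpcSs together with its "Logical Disk Management Service" display name and the qttask.exe image path, which is the cue to inspect that binary. Removing the dependency with the helper, deleting the LdmSvc sub-key, and rebooting then matches the clean-up sequence described in the text.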
30 | Part I