Tuesday, October 10, 2006

Where did those come from...?

Earlier today I found some files that weren't supposed to be in my home folder.
drsmarload1135a.exe
LOADADV455.EXE
It would seem that these are Win32 malware. Well, LOADADV455 is a trojan and drsmartload1135 is an exploit. How they got into my Ubuntu home folder I don't know, but they are classified as Win32 viruses with a "bad" rating on http://www.prevx.com. Not much else to go on. F-Secure had nothing on these, but they are classified as newly discovered on Prevx. Anyway, since they are for Win32, I figured it wasn't a problem. Kind of fun actually, watching them crawl and squirm, then smashing them with rm. So I deleted them, thinking briefly of turning them over to F-Secure, but it seemed to be too much work.

After that my mouse started behaving strangely (it still does, actually), so I started looking over my system, looking for processes that I didn't recognize. While raiding the net logs, which I am completely inept at (I am still a n00bie in Linux), well, there was something strange going on. So I scanned the computer for more viruses with ClamAV. Nothing. Finally I decided, in a brief moment of panic, to install Firestarter (a firewall for Linux). Here I found an active session with a foreign address (205.51.162.163). After a few futile attempts to block him out from the command line I gave in. Blocked all internet traffic and restarted the computer, in order to be completely sure he wasn't still there.

First I made sure he wouldn't get in again: filtered the firewall the hardcore way, meaning basically everything but port 80. Then I started digging. Going to http://www.samspade.org, I tried the IP on all the registries I could find. Imagine my surprise when www.arin.net gave me this:

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 205.0.0.0 - 205.55.255.255
CIDR: 205.0.0.0/11 205.32.0.0/12 205.48.0.0/13
NetName: NICS86-88
NetHandle: NET-205-0-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
Comment:
RegDate:
Updated: 2006-10-03
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: 1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil

Well, you can imagine I got a bit nervous, half expecting the CIA to burst through my door. (Not very likely though, since they were on another continent.)
After checking Google, it turned out that they were the Defense Supply Center in Columbus (DSCC for short).
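As an added check that is not part of the original post: the small Python script below parses the ARIN record quoted above and confirms that the address actually falls inside the listed allocation (and that the CIDR list and NetRange line agree with each other). The record text is embedded as constructed sample input taken from the quoted record, so it runs offline; no live whois query is made.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the relevant lines of the ARIN record quoted in
# the post, reproduced so the example runs offline without a whois lookup.
ARIN_RECORD = """\
OrgName: DoD Network Information Center
OrgID: DNIC
NetRange: 205.0.0.0 - 205.55.255.255
CIDR: 205.0.0.0/11 205.32.0.0/12 205.48.0.0/13
NetName: NICS86-88
NetType: Direct Allocation
Comment:
OrgTechEmail: HOSTMASTER@nic.mil
"""

SUSPECT_IP = "205.51.162.163"  # the foreign address seen in Firestarter


def parse_record(text: str) -> Dict[str, str]:
    """Parse 'Key: value' lines of a whois record into a dict.

    Empty values (e.g. 'Comment:') are kept as empty strings; lines without
    a colon are ignored.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def cidr_blocks(fields: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """ARIN lists several blocks on one CIDR line, separated by spaces."""
    return [ipaddress.ip_network(c, strict=True)
            for c in fields.get("CIDR", "").split()]


def netrange_bounds(fields: Dict[str, str]) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Split 'NetRange: a.b.c.d - w.x.y.z' into its two endpoint addresses."""
    lo, _, hi = fields["NetRange"].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def containing_block(ip: str, blocks: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the first CIDR block that contains ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return str(net)
    return None


def check_ip(ip: str, record: str = ARIN_RECORD) -> dict:
    """Check an address against a whois record and report what matched."""
    fields = parse_record(record)
    blocks = cidr_blocks(fields)
    lo, hi = netrange_bounds(fields)
    addr = ipaddress.ip_address(ip)
    # Sanity check on the record itself: the (non-overlapping) CIDR blocks
    # should cover exactly as many addresses as the NetRange line claims.
    covered = sum(net.num_addresses for net in blocks)
    expected = int(hi) - int(lo) + 1
    return {
        "ip": ip,
        "org": fields.get("OrgName"),
        "in_netrange": lo <= addr <= hi,
        "cidr_block": containing_block(ip, blocks),
        "cidr_matches_netrange": covered == expected,
    }


if __name__ == "__main__":
    for key, value in check_ip(SUSPECT_IP).items():
        print(f"{key}: {value}")
```

For the address in the post this reports the block 205.48.0.0/13, consistent with the NetRange line; an address just past the range, such as 205.56.0.1, matches no block.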

So, to summarize. Either the American Department of Defense was investigating me (highly unlikely, since on Ubuntu I only use open-source software), or some little douchebag was spoofing their address to access the trojan in my home folder.

Safe to say, I won't go out without a firewall again, not even on Linux...
