UltraVNC

[zx6er93]

can someone explain this notification I received from Norton 360 a few days after installing UltraVNC 1.0.9.5:

Risk Name: VNC Large Error Response BO
Attacking computer: 192.168.1.6,5900
Destination: 121.8.103.14, 3789

Why would UltraVNC server try to connect to 121.8.103.14 on port 3789?

[Rudi De Vos]

This signature detects an attempt to exploit a buffer overflow vulnerability in UltraVNC.
This exploid existed in 1.0.2. (vncViewer.exe)
see:
http://www.symantec.com/business/securi ... asid=22901

121.8.103.14 Guangzhou Guangdong China, known atacker using a portscan.

The exploid was on the viewer... not the server.

[B]

So should Norton stop applying that signature to 1.0.9.x, or should UVNC be changed so that string is no longer there, or should zx6er93 simply ignore the warning?

Should the OP report a false positive to Norton/Symantec?

[zx6er93]

Right now I just have Ultravnc working internally, I'd like to eventually open it up so I can connect to my computer via the internet. In order for me to do that I know I need to remove the signature from Norton 360 otherwise I won't be able to get through to my box. However wouldn't that make me vulnerable to this attack then?

[Rudi De Vos]

This exploid was closed in 2006, by an update from v101 to 102.
From uvnc point i don't see a risk.

But what i find realy strange is the chineese ip address.

Attacking computer: 192.168.1.6,5900
Destination: 121.8.103.14, 3789

It actual tell your PC is attacking 121.8.103.14, this looks strange.
Are you sure your pc is isolated from the net? Are you forwaring port
3789 ?

Not to be paranoid, but something strange is going.
Possible i just mis interpret the symatec message, but if your pc try to make an external (outgoing) connection, something intruct vnc to do this.

You could try to run tcpview to see what programs make network connections
http://technet.microsoft.com/en-us/sysi ... s/bb897437

Also verify if the signature of the winvnc.exe is still valid and signed by
uvnc bvba.

[B]

Maybe it's similar to some suspected malware / trojan activity we saw at

tip:could not connect to ......


In the end I wasn't sure whether that wasn't just random inbound port scans...

[zx6er93]

It's definitely outbound - which is why I thought it was the vnc server (vnc viewer wasn't running at the time). I looked at TCP view - didn't see anything odd with that. I checked my norton log, it's only happened that one time - here is the exact message:

"Network traffice from OWNER-PC matches the signature of a known attack. The attack was resulted from /DEVICE/HARDDISKVOLUME3/PROGRAM FILES/ULTRAVNC/WINVNC.EXE"

What's odd is that disk volume 3 is actually a readyboost memory card. I ran norton against winvnc.exe - it didn't find any issues with it.

I'm not doing port forwarding on that port, and GRC's shields up says I'm protected inbound.

[Rudi De Vos]

Network traffice from OWNER-PC matches the signature of a known attack

, it's not a exe signature but a real network packet....

And even when the packet is a false positive, it should never try to connect to a chineese ip address...

It's almost like something tried a winvnc -connect 121.8.103.14:3789.

Any logging in the eventviewer or mslogon.log.

[B]

Why is it odd that it was from the ReadyBoost cache? Running VNC would get cached like anything else I think.

Does the time stamp match a time you were present at the machine? Does anyone else have access to the machine? Any chance you were testing VNC at that time and/or ran somebody's script at that time?

If not, then you'd have to suspect malware...

[zx6er93]

I was on the machine when it occurred, and I wasn't testing VNC...

I only could find the one occurence in the norton log, didn't see anything odd anyplace else. I rescanned my entire computer - norton didn't find anything wrong with it.

I would think if it was malware it would attempt to try to connect more than once... I'm not sure. For the time being I've shutdown ultra vnc until I can come up with some reason as to why this happened - it really has me concerned.

[B]

Definitely run some additional scanners -- Symantec/Norton sucks and always has. Others aren't much better though.

There are free one-time use scanner/disinfectors available from MalwareBytes, KAV (Virus Removal Tool), TrendMicro (HouseCall), Panda (ActiveScan), and others. And there are free AV suites from Microsoft, AVG, Avast, and others.

I've had the most success lately with KAV.

And of course be cautious that if you are infected with something, your attempts to download these scanners may be hijacked. Try using another machine, booting into Safe Mode, booting off CD, etc....

[zx6er93]

I tried using housecall from trendmicro last night and that also revealed I had no virus / malware. The only port on my router that was opened was 5900 (which because of this I have shut down). Is it possible that somehow they could have tried to initiate an outgoing call through that port? I'll try KAV tonight to see if it picks up anything. Since I've shutdown port 5900 I haven't see any additional attacks.

[B]

Well yes, but it's worse than that. If the Norton report is accurate (and I wouldn't count on it being accurate) the the open port 5900 (presumably you were forwarding it from the router to the local IP address of your PC) would mean that (a) someone could have gotten into your machine while you were running the UltraVNC server listening on that port, and completely controlled your machine via normal VNC mechanisms. They would have then had the same control over your machine that you would have. They may, or may not have, installed any number of things, stolen any amount of data, etc. One of the things they might have done is start another VNC session out, which would have been the example shown in the Norton log. So if true, this would mean your entire machine was compromised and probably still is (since they may have installed multiple trojans).

You could check your VNC logs, your router logs (if they go back far enough) and other things to try to determine if your machine was taken over at some point, but you can never really know for sure if they were very careful.

I'm assuming here that you had set up UltraVNC as a listening server and forwarded the port 5900 to the local IP address from the router. But until now I thought you had NOT yet enabled any access in or out from your LAN though?

If in doubt, back up all your data, wipe the machine, and reinstall everything from original disks / clean downloads.

[zx6er93]

No viruses / malware have been found with 3 different scans so I don't think I'm infected - but who knows, I will at some point reinstall my system to be safe.

My original settings when this occurred was:

PORT 5900 opened on the router, no other ports opened
norton firewall was supposed to block it (though I'm not sure if it did)
ultravnc .ini file had only ip 192.168.1.x allowed

in the router logs I see people were connecting to 5900, so even if norton didn't block it, ultravnc should have.

the only thing that I see as an issue is that my computer was trying to connect to that ip, but norton blocked that attempt

I just don't understand how they were able to get through 5900 to try to initiate something to go out of that port... is that an ultravnc issue or is that just because that port was opened. If it was because the port was opened, is there anything I can do to prevent this from occurring again? I know can open a different port instead of 5900, but that's more obscurity than security. Any suggestions?

[B]

When you say the port was "open on the router", were you <b>forwarding it</b> to the local IP address of a PC on your home network, or not?

No one exploits a PORT per se -- they exploit applications listening on that port. The idea would be that someone could have gained remote control of your system if your system was listening for VNC connections on that port. Outbound has nothing to do with it. THey would have been able to make all kinds of outbound connections if they had full control of your machine via VNC.

But as Rudi said, this is (a) an old, solved vulnerability and (b) it seems initiated from your PC. At this point I'm thinking it's just a weird false positive from Norton, but who knows?

Rudi, since it's a viewer vulnerability, how does it make any sense that Norton said ""Network traffice from OWNER-PC matches the signature of a known attack. The attack was resulted from /DEVICE/HARDDISKVOLUME3/PROGRAM FILES/ULTRAVNC/WINVNC.EXE" ?

A reverse connection attempt?

[zx6er93]

That's correct, I was forwarding the port to the local ip address of my pc.

[Rudi De Vos]

The exploit was a viewer exploit...

At the moment you connected to a winvnc.exe, some data from the server to the viewer was send, this caused a buffer overflow. With this
buffer overflow some code was executed on the viewer pc.

Anyway, from v 102, all buffers have overflow protection, so even when they send it it will not work.

But the problem i have is that norton tell
connect from winvnc.exe port 5900 to 121.8.103.14:3789

Actual this doesn't make sense, if winvnc would connect to 121.8.103.14:3789 , then you would have winvnc.exe port 49098 connect to 121.8.103.14:3789 and not winvnc.exe 5900