MoMusings

Monday 13th December, 2004


The Only Good Worm…

Filed under: All, Malware

Is A Dead Worm!

Every so often some bright spark says “Hey, I’ve got a great idea, let’s create a good worm to do….”

Cut to a cyberspace equivalent of Luke Skywalker trying to save his father, Anakin aka Darth Vader. Complete with asthmatic breathing sound-effects…

“let us turn the dark side of the force [malware] to the light and save its very soul….”

The truth is that there is no need to use malware techniques to create a useful tool, although some are still arguing that malware techniques can be used for good.

A history lesson

Back in the early days of computing….

Researchers John Shoch and John Hupp at Xerox Palo Alto Research Center (PARC) effectively invented the ‘worm’ in 1982, some six years before the great ‘Internet worm’ of 1988, aka the ‘Morris worm’.

The work on worms and similar self-propelled code was part of their early research into local area networks (LANs).

Other researchers, including those at BBN and UC Berkeley, were looking at wide-area networks (WANs). Much of this work set the standards for what was to become many of the widespread Internet protocols used today.

PARC’s hardware and firmware design was the basis for the modern Ethernet, though most of their networking software and higher level protocols failed.

During Shoch and Hupp’s research, they ran into problems with their Network Operating System, which used worm features to spread and maintain itself.

The worm was basically a multi-segment worm: each machine on the network carried a segment of the worm, and these segments could communicate with each other. If a segment was lost (say, because its machine died, hung or crashed, or suffered a network failure), the other segments would search for an idle machine and load a new copy there to replace the lost segment. However, things didn’t work as planned: problems occurred, and they couldn’t regain control of the systems because the NOS worm was everywhere…

…To resolve this they had to resort to creating another worm that would kill the NOS faster than the NOS could download and restart itself on each individual machine.

More Recent Times…

Many viruses and worms have included routines to remove certain other malware when they infect a new system that has already been infected by it.

Netsky, MyDoom and Bagle worm variants, of which we’ve seen far too many, contained routines to remove their competitors’ creations, rather like one cuckoo ousting the other cuckoos (or cuckoo eggs) from their shared nest.

Remember the Blaster worm, yes? Do you remember the so-called anti-Blaster worm that was allegedly written and released?

Known as Welchia or Nachi [depending on which AV vendor naming scheme you use]…. Guess what: this so-called good worm caused even more problems than the thing it was supposed to fix/kill!

There are lots of other examples, but the above give you a flavour of the problems these so-called good worms [or other malware] cause in the real world.

Papers/Articles discussing ‘Good Malware’

http://www.linklings.net/MOSES/papers/ipsi-236.pdf
http://www.intrusec.com/goodworm081903.ppt
http://csrc.nist.gov/nissc/2000/proceedings/papers/601slide.pdf

Papers/Articles against so-called ‘Good Malware’

http://www.pcworld.com/news/article/0,aid,112090,00.asp
http://www.wormblog.com/2004/11/the_myth_of_the.html
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
http://www.cknow.com/vtutor/vtgood.htm

Thoughts, Opinions and Rants on this subject are most welcome…


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Friday 3rd December, 2004


New Atak or is it a MyDoom In-The-Wild?

Filed under: All, Malware

The morning started off with a bang, was it an Atak or were we all MyDoomed again?

Sitting in my mailbox’s malware folder, what do I find but a new piece of malware. So I start to prod it and poke it, scan it, decode it, unzip the attached zip, and get a CRC error. Very odd!

Thirteen scanners later, and only one detects anything nasty in the file….stranger and stranger.

So is it a corrupted sample or something new?

All will be revealed below:

Here’s an example e-mail:

< -- start of example e-mail -- >

Return-path:
Received: from xxxx.xx (210.xxx.xxx.xx) by arachnid.homeip.net (Mercury/32
v4.01a) with ESMTP ID MG005D88;
3 Dec 2004 11:51:33 -0000
From: xxxxx@xxxxxx.xx
To: martin@xxxxxx.com
Subject: It’s begin here!
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_3317"
X-Priority: 1
X-MSMail-Priority: High
X-Text-Classification: malware
X-Recipient:
Status: RO
X-Status: R
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:

This is a multi-part message in MIME format.

------=_3317
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Hello mssupport

Your request has been accepted.
Your account info:

>> Email:
>> Password: 1c82

Visit our website to get more info at: http://www.microsoft.com

NOTE: All your account information has been attached as file and ready to be
printed.

------=_3317
Content-Type: application/octet-stream;
name="oowqw.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="oowqw.zip"

< -- MIME encoded worm body snipped for safety -->
< -- end of example e-mail -->

Here’s the other body text I’ve seen:

< -- start of example e-mail -->
Hello mmay

Your request has been accepted.
Your account info:

>> Email:
>> Password: 2555

Visit our website to get more info at: http://www.dnaco.net

NOTE: All your account information has been attached as file and ready to be
printed.
< -- end of example e-mail -->

Attachment names seen so far:
xqibqko.zip
aykn.zip
oowqw.zip

Zip file sizes vary, but so far range from 12,153 to 12,343 bytes.

The sample’s binary, when extracted from its .ZIP container, seems to be
static (however, all extractions report CRC errors in the samples I have so far;
this could be a red herring, or an error on the part of the malware author?).
Details below:

MD5: b594fc33348c631b69471afa7d2f24c3
FileSize: 12,037 bytes

Samples have been sent to the vendors.

This data has come back from Norman; it is the result of running the sample in their sandbox
(which seems to show clearly that it works):

00:03 | q:\aykn..exe - infected with unknown worm - W32/EMailWorm

[ General information ]
* File length: 12037 bytes.
* Total emulation cycles required: 13651752.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\a1g.exe.
* Creates file C:\WINDOWS\TEMP\tmp0919.tmp.
* Deletes file C:\WINDOWS\TEMP\tmp0919.tmp.
* Creates file C:\WINDOWS\TEMP\tmp0909.tmp.
* Creates file C:\WINDOWS\TEMP\tmp0918.tmp.
* Deletes file C:\WINDOWS\TEMP\tmp0909.tmp.

[ Changes to system settings ]
* Modifies profile key “load”=”C:\WINDOWS\SYSTEM\a1g.exe” in section
[windows] of file win.ini.

[ Network services ]
* Looks for an Internet connection.
* Connects to “CONFIGURED_DNS” on port 53 (UDP).
* Connects to “mailin-02.mx.manpower.no” on port 25 (TCP).
* **Connects SMTP server.

[ Network ]
* **Uses IPHLPAPI services.

[ Spreading through EMail ]
* To :
.
* From : ritasvee@online.no.
* Subject: It’s begin here!.
* Mass-mailer; spreads through SMTP.

[ Process/window information ]
* Creates a mutex mtxSSS.

Update:

McAfee has released a description and specific detection of this as
W32/Atak.d@MM. The description can be found here.

Kaspersky have added detection of this as Email-Worm.Win32.MyDoom.ad

Panda have just informed me that they are also calling it Atak.d.

SOPHOS has now joined the Atak.d camp, F-Secure have also confirmed it is a member of the Atak family, and Symantec have just informed me that they are classifying it as W32/Atak.B@mm, so Kaspersky, I think a name-change is in order, don’t you?

The bad ‘CRC’ error which I noted in my original analysis is actually a ploy used by this worm to try to stop common decompression tools from opening it, and thus to stop it from being scanned….. Interesting trick!
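The CRC ploy described above, as an added example that is not from the post or from any vendor’s tooling: it builds a constructed one-entry archive, inverts the stored CRC-32 values so that CRC-checking tools refuse the member, and shows that Python’s stock zipfile reports the entry as bad while a tolerant reader still recovers the bytes and hashes them for scanning. The entry name, the payload and all function names are assumptions.

```python
import hashlib
import io
import struct
import zipfile
import zlib

PAYLOAD = b"MZ" + b"constructed sample payload, not real code\n" * 20  # stand-in, not worm bytes

def build_sample_zip(name: str, payload: bytes) -> bytes:
    """Constructed one-entry deflated archive (assumed name and payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def corrupt_crc(archive: bytes) -> bytes:
    """Invert the CRC-32 in each local header (offset 14) and central directory record (offset 16)."""
    buf = bytearray(archive)
    for sig, off in ((b"PK\x03\x04", 14), (b"PK\x01\x02", 16)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off:pos + off + 4] = bytes(b ^ 0xFF for b in buf[pos + off:pos + off + 4])
            pos = buf.find(sig, pos + 4)
    return bytes(buf)  # listing still works; CRC-checking extraction now fails

def stock_unzip_first_bad(archive: bytes):
    """What a CRC-checking tool sees: name of the first bad member, or None."""
    return zipfile.ZipFile(io.BytesIO(archive)).testzip()

def extract_ignoring_crc(archive: bytes) -> list:
    """Recover each member from its local header regardless of CRC; report what a scanner needs."""
    zf = zipfile.ZipFile(io.BytesIO(archive))  # the central directory still parses fine
    out = []
    for info in zf.infolist():
        off = info.header_offset
        sig, = struct.unpack_from("<I", archive, off)
        nlen, xlen = struct.unpack_from("<HH", archive, off + 26)  # name and extra lengths
        if sig != 0x04034B50:  # local file header signature "PK\x03\x04"
            continue
        start = off + 30 + nlen + xlen
        blob = archive[start:start + info.compress_size]
        if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
            continue  # other methods: skip
        data = blob if info.compress_type == zipfile.ZIP_STORED else zlib.decompress(blob, -15)
        out.append({"name": info.filename, "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "crc_ok": zlib.crc32(data) == info.CRC})
    return out
```

A scanner that bails out on the first CRC error never sees the member at all; one that extracts this way still gets the bytes to hash and scan, and the CRC mismatch itself becomes a signal worth flagging.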



Thursday 2nd December, 2004


Repackaged Version of Netsky.Z In-The-Wild

Filed under: All, Malware

About 13:00 today I was sent a new (repacked) version of Netsky.Z.

Well, I thought that this wouldn’t cause any problem to the AV vendors; wrong!

A bit of analysis, scanning and other sundry peeking and poking at it proved this assumption wrong. Oh well!

So, what do we know so far:

At the time of testing with my thirteen scanners, only three of them detect it; these are:
Kaspersky (Netsky.AA), McAfee (Netsky.Z) and SOPHOS (Netsky-AE).

What is different about this new repackaged version?

Not a lot, to be brutally honest: it has been packed using ASPack, which, so it seems, has allowed it to bypass a number of anti-virus products.

The modified sample’s binary, when extracted from its .ZIP container, seems to be static; details below:

MD5: 9a3d8df1758feaf08f055a53a49dbeb1
FileSize: 31,491 bytes

Below are the two zip filenames, sizes and MD5 hash values for those I have seen so far:

Informations.zip
FileSize: 31,895 bytes
MD5: bd6220510eabc22463f58240200ca9c9

Part-2.zip
FileSize: 31,883 bytes
MD5: ea909d805982e86894e0adc57ccbb048

Samples have been sent to the vendors.

This repacked version is larger than the original by around 4KB; as far as I know at this time, it is otherwise exactly the same as the original Z variant (which was found on the 21st of April 2004), so see the vendors’ descriptions for more details, links below:

http://vil.nai.com/vil/content/v_121076.htm
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=58746&VName=WORM_NETSKY.Z
http://www.sophos.com/virusinfo/analyses/w32netskyae.html

As I finish writing this, most vendors have at least ‘beta’ updates available to detect this trivial modification to a known variant of the prolific Netsky family of mass-mailing worms.




Bofra exploit patched [at last!]

Filed under: All, Malware

Sheesh, it only took Microsoft a month to extract their digit from their proverbial and actually patch the exploit that the Bofra (nee Mydoom) family of mass-mailing worms used to get onto systems via infected websites.

Microsoft should be very embarrassed about this, and the Firefox/Mozilla camp are reaping the benefit of Microsoft’s slow response to fixing this ‘critical’ hole in its browser.

The new patch is known as MS04-40 and has been tested and seems to work, although there have been a few postings to full-disclosure to say that it doesn’t always work. To maximise the chance of it ‘taking’ you should ensure that:

1. You have IE6 SP1 installed.
2. You apply MS04-40.
3. You reboot your system.

The full list of recent security bulletins/patches can be found here.

The simplest way is to use the Windows Update site or service to ensure that you are fully patched.

The IFRAME exploit that Bofra used was discovered on the 2nd of November. More details on this can be found here.

As mentioned in a previous article, this is not the first time that Microsoft have left their customers unpatched; however, it is now the longest time for an exploited vulnerability in their products (so far, unless you know different)….. 30 days! Malware can infect a sizable portion of systems on the internet in under 30 minutes…. Come on Microsoft, get your act together, or lose your customers…. Your credibility with regard to security went AWOL* long ago.

Fallout from Bofra:

According to a number of sources, ad-servers used by many well-known companies and news services were hacked and were used to infect vulnerable systems that connected to them, or that visited the websites their ads were served on.

More details on this can be found here:

http://channels.lockergnome.com/web/archives/20041122_ad_server_hack_spreads_worm.phtml
http://www.theregister.co.uk/2004/11/22/falk_bofra_statement/

*AWOL = Absent WithOut Leave


