MoMusings

Friday 27th May, 2005


Mytob Madness

Filed under: All, Malware

I recently mentioned, almost in passing, a new malware family known as Mytob. Well, since that posting the author(s) of Mytob have been even more active in creating new variants, so much so that we are now at variant FC [the 127th variant]*, which was found earlier today. This is really a follow-up to the article about bots and botnets I posted yesterday.

What is Mytob?
Mytob first appeared on the 26th of February 2005, and boy did it cause some confusion in the anti-virus world. Some vendors said it was just another Mydoom variant and others said it wasn’t. This naming war went on for a week or so; finally they all decided that it should not be classified as ‘just-another-Mydoom’. With little fanfare it was christened with the new family name ‘Mytob’: ‘My’ from Mydoom, and ‘Tob’, which is the word ‘Bot’ reversed, which sums it up quite nicely.

The reason a new name was finally used rather than Mydoom is that, although Mytob was created from the Mydoom source code, it has had a number of changes made to it, as well as a number of additional tricks added to increase its ability to spread.
One of the new tricks added was an exploit enabling it to spread using the LSASS vulnerability [a la Sasser].

How does it spread?
It uses two specific vectors to spread:

E-mail
When Mytob propagates via email, it starts by gathering new victim email addresses from files with the following file name extensions:

.adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .wab

When it has harvested all the e-mail addresses it can find, it constructs an e-mail using a spoofed From address and sends it out to the intended victim using its own SMTP engine. No, it doesn’t depend on Outlook, Outlook Express, Notes, MAPI or any other mail product to enable it to spread.

LSASS
Unlike Mydoom, Mytob can also spread directly from system to system by identifying systems that can be infected by exploiting the LSASS vulnerability on Windows. This vulnerability was patched in 2004 [MS04-011], so there is NO excuse for getting infected by Mytob via this method.

Backdoor [Bot capabilities]
Mytob also functions as a bot. It connects to an Internet Relay Chat (IRC) server and joins a specific channel. Once signed in for duty it listens for commands coming from a remote malicious user. It executes these commands locally on an affected system, providing the remote user virtual control over the system.

New techniques:
Recently a number of new techniques and technologies have been incorporated into the latest variants of Mytob. I will cover each briefly below, including links to sources you can visit to get more details on that specific function/feature:

The BU variant added another exploit to its box of tricks, in this case the DCOM RPC vulnerability [MS03-039].

The CI variant also generates IP addresses and spreads by attempting to drop a copy of itself in the target addresses’ default shares. If the shares are inaccessible, it uses a hardcoded list of user names and passwords [a dictionary attack] to try to gain access to the system.

The EK variant also downloads other components from a fixed set of web servers.

The latest variant [FC] has even more tricks up its sleeve. It modifies the ‘HOSTS’ file to stop an infected user getting to certain sites, such as those of AV vendors. It also attempts to terminate any running [or installed] security software, such as AV, personal firewalls [including the XP firewall], anti-spyware tools and even Windows Update. Finally, it also appears to block the use of the registry editing tools REGEDIT.EXE and REGEDT32.EXE, and other useful diagnostic tools such as REGMON, TASKMON, SYSEDIT and lots of others too.

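The HOSTS-file tampering described above is easy to check for, and the check is a useful triage step on a machine you suspect is infected. The script below is an added example, not code from the original post or from any vendor: it parses hosts-file text and flags any watchlisted security-vendor or update hostname that has been pinned to loopback, 0.0.0.0, or redirected elsewhere. The watchlist and the sample hosts content are constructed for illustration.

```python
"""Flag HOSTS-file entries that hijack security-vendor or update domains.

Added example (not from the original post). Mytob.FC is described as
rewriting the Windows HOSTS file so AV and update sites become unreachable;
this checker reports watchlisted names that resolve nowhere useful.
"""
import re

# Constructed watchlist of domains (and their subdomains) a worm would want
# to make unreachable. Extend with whatever your organisation relies on.
WATCHLIST = ("windowsupdate.com", "update.microsoft.com",
             "mcafee.com", "trendmicro.com", "symantec.com")

# Addresses that make a name resolve to nothing useful.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def _is_watched(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in WATCHLIST)


def find_hijacked_entries(hosts_text: str):
    """Return [(line_no, ip, hostname, reason)] for suspicious entries.

    Comments and blank lines are ignored; a line may carry several names.
    The normal '127.0.0.1 localhost' entry is not on the watchlist, so it
    is never flagged.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            if _is_watched(name):
                reason = "sinkholed" if ip in SINKHOLE_IPS else "redirected"
                findings.append((line_no, ip, name, reason))
    return findings


# Constructed sample file: one legitimate line, then entries of the kind the
# post describes. On a real system read %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.mcafee.com   mcafee.com   # added by malware
0.0.0.0         windowsupdate.com update.microsoft.com
192.0.2.10      liveupdate.symantec.com
10.0.0.5        intranet.example.internal
"""

if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```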
This quote is taken from the McAfee page on Mytob: “Newer variants include the FURootkit**, contain an Instant Messenger worm component”, so you see that development is still ongoing.

It seems that either the source code for Mytob is well distributed on the internet or there are one or more teams of programmers constantly adding new functionality to it, as it seems rather unlikely that a single author could produce so many variants in such a short time.

* The actual number depends on which vendor you use.
** For more information on rootkits, see my posting dated 12th April 2005 entitled ‘Rootkits Revealed’.
The graphic is from the TREND page on the FC variant found today.

