MoMusings

Thursday 13th October, 2005


Zotob Madness

Filed under: All, Articles, Malware

As promised I have finally managed to find a few minutes to modify and post my much promised article on Zotob!

This article is a rewrite of one I wrote for Virus Bulletin magazine, which was published in the October 2005 edition. The modified version posted here is authorised by Virus Bulletin.

The published [Virus Bulletin] version will be made available here: http://arachnid.homeip.net/papers/ from the beginning of November. This has also been authorised by Virus Bulletin.

It All Started…
Monday the 15th of August passed fairly quietly until, at around 4PM [GMT], something started to spread quickly across the Internet which caused many companies' Windows 2000 systems to reboot themselves automatically. Once that had completed, it was quickly followed by an unexplained slowdown of internal networks. Were these things related? You bet they were! We were once more under attack by a new, fast-spreading network worm.

Patch or Zotob? The Choice is Yours!
On the 9th of August, Microsoft released security bulletin MS05-039, which revealed a vulnerability in the Plug-and-Play component of Windows, rated critical for Windows 2000. Microsoft also released a fix to patch the loophole. The race was now on: which would reach the finish post first, a worm taking advantage of the flaw, or more than 70 percent of the vulnerable systems being patched? Place your bets now ;-)

A mere five days after the Microsoft Security Bulletin, a worm called Zotob appeared that exploited the loophole. This meant that all those systems which were not yet patched, or were not protected by other methods [such as personal firewalls, IDS, IPS or AV with buffer overflow protection] were now vulnerable to coming down with a case of the digital pox known as Zotob.

Zotob’s Entrails
According to the F-Secure Lab Weblog, Zotob was captured and an initial analysis was made of it at around 12:00 [GMT] on the 14th of August [a Sunday]. This confirmed that the rumours of a worm targeting systems not patched by MS05-039 were true; a new worm using this exploit was indeed ‘in-the-wild’, albeit in small numbers at that time.


The initial analysis mentions that the worm may be using the ‘houseofdabus’ exploit code and that, when a system becomes infected, it scans the network for other systems via port 445/tcp, using 300 threads per infected system. Each thread attempts to connect to a random IP address made up from the first two octets of the current system's IP address with the last two octets randomised. E.g. if the infected system has an IP address of 10.10.10.1 then it will attempt to scan random IP addresses in the range 10.10.0.0 to 10.10.255.255, i.e. its own /16.

Any system that reports that the port is open will be sent a copy of the exploit code, whether it has been patched or not, or is vulnerable or not. Zotob isn’t fussy, and is certainly hedging its bets. In theory a *NIX box running Samba listening on 445 would also be sent the exploit code, even though it can’t be exploited or infected by Zotob. If it fails to exploit the target system or if port 445 is not open, it generates another IP address to target.

If the system is not yet patched and is a Windows 2000 system, then the exploit code should run and cause a buffer overflow unless the system is protected in other ways. If the exploit code runs successfully, it creates a shell (CMD.EXE) which listens on port 8888/tcp. The scanning [infected] computer will then try to send an FTP script to the newly listening shell on the victim computer. This script is written to the victim's hard disk as ‘%SYSTEM%\2pac.txt’ and tells the newly exploited victim to download a copy of the worm binary from the same infected attacking system that sent it the exploit code in the first place.

The attacker's FTP server runs on port 33333/tcp and acts purely as a pickup point for the worm's binary, which is called ‘haha.exe’.
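The propagation chain just described leaves a very recognisable footprint on the wire: one host fanning out on 445/tcp to random addresses inside its own /16, and, for each successful hit, a connection to 8888/tcp on the victim followed by the victim connecting back to the attacker on 33333/tcp. The script below is an added example of mine (it is not from the Virus Bulletin article or any vendor tool) that flags both behaviours in a simple connection log. The log format (‘ts src dst dport’) and the sample records it builds are constructed for the example; the fan-out threshold of 20 is an assumption you would tune to your own network.

```python
#!/usr/bin/env python3
"""Flag Zotob-style propagation in a connection log (added example, not from the article).

Two behaviours from the description above are checked:
  1. fan-out scanning: one source opening 445/tcp to many distinct hosts inside
     its own /16, which is what the worm's 300 scanning threads produce;
  2. the follow-on chain against a single victim: 445/tcp (exploit), then
     8888/tcp (the listening CMD.EXE), then the victim connecting back to the
     attacker on 33333/tcp (the worm's FTP pickup point).
The log format "ts src dst dport" is a constructed one for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT, SHELL_PORT, FTP_PICKUP_PORT = 445, 8888, 33333


def parse_flows(text):
    """Parse 'ts src dst dport' lines into time-ordered (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return sorted(flows)


def same_slash16(a, b):
    """True when a and b share their first two octets (the worm's target space)."""
    return ip_address(a) in ip_network(f"{b}/16", strict=False)


def find_scanners(flows, threshold=20):
    """Sources that touched >= threshold distinct hosts on 445/tcp inside their own /16.

    Counting distinct destinations per source (fan-out) is what separates a
    scanning worm from many clients talking to one file server (fan-in).
    """
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == SMB_PORT and same_slash16(src, dst):
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def find_exploit_chains(flows):
    """(attacker, victim) pairs showing 445 -> 8888 -> reverse 33333, in that order."""
    stage = {}   # (attacker, victim) -> how far along the chain we have seen
    found = []
    for _, src, dst, dport in flows:   # flows are time-ordered
        if dport == SMB_PORT:
            stage.setdefault((src, dst), 1)
        elif dport == SHELL_PORT and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2
        elif dport == FTP_PICKUP_PORT and stage.get((dst, src)) == 2:
            # the *victim* opens this one, so the pair is (dst=attacker, src=victim)
            stage[(dst, src)] = 3
            found.append((dst, src))
    return found


def build_sample_log():
    """Constructed log: one infected host scanning its /16 with one successful
    chain, plus ordinary clients talking to a file server (must not be flagged)."""
    lines = []
    for i in range(25):                                   # attacker fans out on 445
        lines.append(f"{1000 + i} 10.10.10.1 10.10.{20 + i // 5}.{5 + i} 445")
    lines.append("1100 10.10.10.1 10.10.20.5 8888")       # shell is up on the victim
    lines.append("1101 10.10.20.5 10.10.10.1 33333")      # victim fetches haha.exe
    for i in range(30):                                   # benign fan-in to a server
        lines.append(f"{2000 + i} 10.10.50.{i + 1} 10.10.1.2 445")
    lines.append("3000 10.10.50.1 10.10.1.2 8888")        # no reverse 33333: not a chain
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("scanners:", sorted(find_scanners(flows)))
    print("exploit chains:", find_exploit_chains(flows))
```

In the sample the file server 10.10.1.2 receives more 445/tcp connections than the infected host makes, but it is never reported, because the check is on distinct destinations per source. A real deployment would also want a time window on the fan-out count and a check that the 8888/33333 pairing happens within seconds of the 445 hit, which the sample omits for brevity.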

This downloaded file when run creates a copy of itself in the %SYSTEM% directory [e.g. C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32] as a file called ‘botzor.exe’. Once done it creates a mutex of ‘B-O-T-Z-O-R’ to ensure that only one copy of itself is running on the newly infected system. Guess where the name Zotob came from? Hint: Look at the Mutex used.

Zotob now adds itself to the system registry to ensure that it gets loaded each time the system starts, and also adds a key which disables the shared access service [Internet Connection Sharing and Internet Connection Firewall].

The newly infected system now connects to an IRC server on port 8080, effectively signing in for service as part of a botnet. In the case of Zotob.A, the IRC server in question is ‘diabl0.turkcoders.net’. Later variants use other IRC servers.

Zotob also adds a list of common anti-virus and security related sites to the hosts file on the newly infected system. This is to try and stop the owner from getting to the sites for updates or information. All entries are redirected to 127.0.0.1 [the local loopback address of the system].

Here’s a list of some of the entries:

avp.com, ca.com, ebay.com, f-secure.com, kaspersky.com, mcafee.com, microsoft.com, moneybookers.com, my-etrust.com, nai.com, networkassociates.com, pandasoftware.com, paypal.com, sophos.com, symantec.com, trendmicro.com, viruslist.com, virustotal.com, www.amazon.com, www.avp.com, www.ca.com, www.ebay.com, www.f-secure.com, www.grisoft.com, www.kaspersky.com, www.mcafee.com, www.microsoft.com, www.moneybookers.com, www.my-etrust.com, www.nai.com, www.networkassociates.com, www.pandasoftware.com, www.paypal.com, www.sophos.com, www.symantec.com, www.trendmicro.com, www.virustotal.com…

If you were infected and tried to visit one of the listed sites, the request would fail, so you would not be able to get information or even update your anti-virus. Even Windows Update would fail. Note that hosts file entries match exact host names only, which is why the list carries both ‘sophos.com’ and ‘www.sophos.com’; a name not on the list, such as a different sub-domain of a listed site, still resolves normally.
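A hosts file that sends vendor sites to loopback is the quickest host-side indicator to check for during a clean-up, and the exact-match behaviour of hosts lookups is worth seeing in code. The script below is an added example of mine, not part of the Virus Bulletin article: it parses a hosts file, reports every watched domain that has been pointed at a loopback address, and shows that a sub-domain not explicitly listed is unaffected. The sample hosts file content is constructed to look like the one Zotob leaves behind, and the watched-domain set is an abbreviated version of the list above.

```python
#!/usr/bin/env python3
"""Find security-vendor sites redirected to loopback in a hosts file.

Added example, not from the article. SAMPLE_HOSTS is constructed to resemble
the hosts file Zotob leaves behind; WATCHED_DOMAINS is an abbreviated version
of the list quoted in the article.
"""
from ipaddress import ip_address

WATCHED_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "microsoft.com", "nai.com", "pandasoftware.com", "sophos.com",
    "symantec.com", "trendmicro.com", "viruslist.com", "virustotal.com",
}

SAMPLE_HOSTS = """\
# constructed hosts file for this example
127.0.0.1       localhost
127.0.0.1 avp.com
127.0.0.1 www.avp.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 sophos.com
192.0.2.10 intranet.example   # a legitimate entry, left alone
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, skipping comments and blank lines.

    A hosts line is 'IP name [name ...]'; everything after '#' is a comment.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def loopback_names(text):
    """Set of host names the file resolves to a loopback address (127/8 or ::1)."""
    names = set()
    for ip, name in parse_hosts(text):
        try:
            if ip_address(ip).is_loopback:
                names.add(name)
        except ValueError:      # malformed address field: not a usable mapping
            continue
    return names


def registrable(name):
    """Strip a leading 'www.' so www.sophos.com and sophos.com compare equal."""
    return name[4:] if name.startswith("www.") else name


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Watched domains (with or without www.) that the file sends to loopback,
    in file order."""
    blocked = loopback_names(text)
    return [name for _, name in parse_hosts(text)
            if name in blocked and registrable(name) in watched]


def is_blocked(text, hostname):
    """Exact-name lookup, as the resolver does it: a sub-domain not listed
    explicitly is NOT covered by an entry for its parent domain."""
    return hostname.lower() in loopback_names(text)


if __name__ == "__main__":
    for name in find_hijacked(SAMPLE_HOSTS):
        print("hijacked:", name)
    print("www.microsoft.com blocked?", is_blocked(SAMPLE_HOSTS, "www.microsoft.com"))
    print("windowsupdate.microsoft.com blocked?",
          is_blocked(SAMPLE_HOSTS, "windowsupdate.microsoft.com"))
```

On a real Windows 2000 box the file to read is %SYSTEMROOT%\system32\drivers\etc\hosts; the ‘localhost’ line is the one entry that legitimately points at 127.0.0.1, and it is not reported because it is not a watched domain.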

Coder and Death Threats
Zotob also writes other strings, one of them quite chilling, into the hosts file of the newly infected system, these strings are:

“Bozor2005 Made By …Greetz to good friend Coder. Based on HellBot3”

And

“MSG to avs: The first who detects this worm will be the first killed in the next 24 hours!”

Just in case there was any doubt, the mention of HellBot3 in the first string clearly shows that Zotob was based on Mytob and not any other worm code.

Arrested Development
Several weeks and many Zotob variants and copycats later, breaking news arrived stating:

“Moroccan authorities, working with the FBI, arrested Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker ‘Diabl0’. Arrested in Turkey was Atilla Ekici, aka ‘Coder’, age 21. Both individuals will be subject to local prosecutions, the FBI said.”

The news article goes on to state:

“According to a report on an Arabic news site, Essebar and Ekici allegedly used the information they stole from infected computers to facilitate a bankcard forgery scam”.

Just in case you didn’t already believe that malware authors have generally moved to a ‘for-profit’ model, this is yet more proof of the shift. It also shows that those who hire them are seasoned criminals, many of whom are now moving into cyber-space and welcoming the malware authors with open arms and fat wallets.

Further breaking news came on August 30th stating:

“The FBI today confirmed that Turkish law enforcement officials are investigating 16 more suspects in connection with the Zotob worm and its variants”.

So, we may yet see more arrests in relation to Zotob.

Infect Me Baby One More Time…
It has been suggested that well over 100 large companies were badly hit by Zotob. These include CNN, who seemed to be openly covering their own massive outbreak; very much an insider’s view of the problem. They seemed to think that the problem was world-wide and only cut back on their coverage when it transpired that it wasn’t a case of “TEOTWAWKI*” after all!

The New York Times and ABC News were also reported as suffering from a widespread infection of Zotob. One report also suggests that systems the U.S. Department of Homeland Security uses to screen airline passengers entering the United States were temporarily disabled by the worm.
Other large multinationals allegedly infected included: UPS, General Electric, Caterpillar, the Canadian Imperial Bank of Commerce and BMO Nesbitt Burns.

Time Line**

  • August the 9th 2005: Microsoft releases six security patches as part of the scheduled ‘Black Tuesday’ patch release (MS05-038 through MS05-043). Four of the six are rated as critical. Initial exploit code is written and released for two of the vulnerabilities: MS05-038 and MS05-041.
  • August the 11th 2005: Exploit code is written and released to take advantage of the vulnerability patched in MS05-039. This is the PnP [Plug and Play] vulnerability.
  • August the 12th 2005: Snort signatures are released to detect the exploits, and code for another MS05-039 exploit is written and released.
  • August 14th 2005: A new worm based on Mytob code and containing the exploit code as its attack vector is released and discovered by F-Secure, who imaginatively name it Zotob. The exploit code used in Zotob is from the ‘houseofdabus’ hacking group. Interestingly, exploit code from the same group was used in the Sasser worm.
  • August 15th 2005: The source code for the widespread IRCbot family is updated to take advantage of the MS05-039 exploit. New variants of Zotob start to appear. Microsoft releases guidance and an encyclopaedia entry on Zotob. Snort signatures for detecting the binary as well as the IRC traffic are written and released. Most anti-virus products can now detect Zotob.A.
  • August 17th 2005: There are now seven variations of Zotob, one Rbot, one SDbot, one CodBot, three IRCbots and two Bozori variants using the PnP vulnerability. The Bozori and IRCbots are deleting other bots. Bot-wars have now begun!

Now there are at least fifteen variants of the Zotob worm, as well as several other worms which use this exploit as just one way of getting them onto target systems.

*The End Of The World As We Know It
**These are excerpts from a full timeline which can be found here: http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.
