North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
My Worm is Bigger Than Yours
To give others further information on this sdbot.worm (continuing from my previous post http://www.merit.edu/mailinglist/mailarchives/old_archive/msg01241.html) here are the main characteristics I've found on almost all variants I've come across. Obviously it seems to be a polymorphic form of worm meaning its characteristics are changing. Before I begin though I would hope no one would think its off topic since there may be one variant of this worm flooding your network with randomly generated MAC addresses, not good on those switches. Also I wouldn't think it's off topic since most of you are likely already seeing, or will be seeing more traffic generated on ports 445, 80, and 82. There seems to be one main executable, but I haven't found out which one this is. The names I've come across so far for most of the executables are somewhat synomous with standard Windows programs. Microsoft program Worm's program serv.exe serv32.exe services.exe services32.exe lsass.exe lsass32.exe The following is a list of the names of the executables I've come across which meet the criteria of this annoyance. Setver32.exe Regsrv32.exe Wmmon32.exe Mswinc.exe Mswincv.exe Mswinc32.exe Systemiom.exe Bling.exe Rzqodp.exe ftpd.exe Other programs have garbled names e.g., wetyr.exe, oiure.exe These programs typically tend to reside in: C:\temp C:\tmp c:\Windows c:\Windows\tmp c:\Windows\system32 c:\Windows\system32\config\systemprofile Along with the usual MSIE cache folder. The programs have been appearing in Windows' registry as follows: HKLM\SOFTWARE\MICROSOFT\OLE HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES HKLM\SYSTEM\CONTROLSET001\CONTROL\LSA Easiest thing to sort of do is ctrl-f for the names and you will usually seem them bundled, but if you have to remove it, you want to search for each individually since some mix things up. Name Data Setver32.exe Windows Secure Regserv32.exe Reg Service Mswinc.exe Remote Procedure Calls Mswinc32.exe Remote Procedure Calls Systemiom.exe System Updater Others have no Data associated with them. Now the I haven't managed to zero in on which is sending our random MAC addresses yet but eventually I will try maybe an antivirus company can do so before me. So let me explain a few quick oddities I've seen so far . Get a complain student is not connected, go to dorm, repunch his port, no dice, open the closet no dice. What was happening with his machine was his connection would come up, then go down the second it came up, then come right back up the second it went down. Same happened with a colleague Bizarre, bizarre. Another student "I can't get my Interweb" . Same thing repunch her, repatch her machine with the latest "Microsoft Fixitall Service Pack 7354738245" still no dice. Run through reinstalling drivers, swapping Ethernet cards, nothing. Redid some tweaks and she gets connected. Second she did get connected. "IP ADDRESS CONFLICT WITH FOO MAC" Only thing was after searching the network no MAC addresses with the number it was posting existed. This particular issue with the MAC "spoofing" if you want to call it that, I prefer random MAC generation, was being flooded out through ports 80, and 82. So what will happen if some worm has the characteristics built in to generate MAC's when it tries to send out your router's or servers MAC address? You do the math. (NOTE: Still looking into this port 80 82 issue so could be a false alarm but nevertheless I've come across some odd things this past week which I'd never seen.) Most of the worms that open the port 445 connections, tend to open up hundreds if not thousands of requests more than likely to infected machines. After the first few occurrences I came across, I would see a machine pop open a few hundred connections after seconds of their machine obtaining an address. The first thing I would notice via netstats would be some form of IRC connection going out, so the possibilities would be either a DdoS slave, or it's sending information somewhere. Bling is supposedly set to send "ALL_THINGS_RELATED_TO_LOGINS" as well as Paypal information to some server, if it is sending information I can't find where it would be storing it. Keep in mind the prior code I was able to find regarding this annoyance where it modified antivirus software to either kill it, or to avoid detection, as well as kill your ability to use regedit, taskmgr, and other tools. There is the possibility it is storing something somewhere, I haven't come across it yet. Finally (I think) the ftpd.exe which always seems to piggyback with the others, this little piggie more than likely may be the one turning the infected machine to a TFTP server whereby other infected machines ensure they stay infected. This seems to create a file called bla.txt This text file lists the following: Open 10.192.41.87 13501 User blah Pass blah Binary Get bot.exe Quit Bot.exe I'm gonna assume is probably an ircbot of sorts, unfortunately I cannot find this program anywhere, but the infected machine does connect to irc, it does open a TFTP server, and will attempt to connect to hundreds if not thousands of ports via 445. Most machines may have gotten infected via file sharing, Limewire, Kazaa, KazaaLite, BitTorrent, etc., along with probably viewing some porn related page since I've also come across dialer.exe's here and there. Sorry for the long mail, and apologies if it seems offtopic to some but remember, someone down the line is paying for this traffic. Let's hope it doesn't becomes an epidemic like Microsoft itself. At least you'd of been forewarned of some of the characteristics you're likely to see. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x51F9D78D Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D sil @ politrix . org http://www.politrix.org sil @ infiltrated . net http://www.infiltrated.net "How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"