Re: New worm?

From: Gadi Evron (ge_at_linuxbox.org)
Date: 03/27/04

    Date: Sun, 28 Mar 2004 00:01:28 +0200
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    | I think it's a new worm spreading on undernet. The worm PRIVMSG user
    | with an ip address and port like this (ip and port never change) :
    | [07:53] <C96347981> http://69.157.174.169:2233/

    Although it might appear that way, this is not a worm.

    [See below as to what *is* downloaded from that page, as it *IS* a form
    of a Trojan horse (dropper).]

    That is what we call spam bots. Drones which are part of smaller or
    bigger drone armies work that way.

    Some infect a user by using another Trojan horse already installed on
    their system, or by some vulnerability. Both by port scanning. Then
    there are the kind which infect users through web pages, either by
    false pretense (social engineering) or by using some IE vulnerability to
    remotely install the Trojan horse.

    There are as many ways as there are Trojan horses, but they are not too
    innovative.

    Some spam themselves using, much like in this example, IRC.

    These drones you describe, as far as we can tell send a message (/MSG)
    to non +i (invisible) users on an IRC network, spamming them with that
    URL. They harvest the nicknames they spam by using the /WHO command.

    On that URL you will most likely find either a Trojan horse which will
    infect a user's system, or some other spam goal.

    Drone armies are mostly used for two major goals these days:
    1. DDoS attacks (kiddie/groups fights, blackmail, whatever).
    2. Bouncing off their IP addresses, much like with proxies.

    In any case - power.

    Then there are the rest of the uses you can make of a pwned machine,
    times hundreds of thousands.

    | Each user which sent me this address seems to have had the (almost) same pattern
    | for nick and fullname: 1 letter followed by a number. Some fullnames are
    | followed by 11 numbers, others by 12 numbers. None of them was on any
    | channels at all.

    These are not aware users. These are drones. I.e. zombies or bots.

    People make little of Trojan horses.

    Many AV products do not see it as important or bother with them unless
    they fall into their hands by chance, as they are "just Trojans". If
    they do bother with them, some of them might only add simple CRC
    signatures for detection.

    CRC signatures are useless as _many_ Trojan horses (which I wouldn't
    really like to call polymorphic) would use a well-known trick of dumping
    some pseudo-random bull at the EOF, for example. Effectively rendering the
    hash or checksum useless.

    Then there is the issue of some AV companies considering Trojan horses
    to be "garbage" which isn't really what an AV product should detect.

    Such drone armies number from a few dozen to tens and hundreds of
    thousands of drones.

    There are those (you mentioned the Undernet IRC network - prysm, who I
    mention below, is one of the major "fighters" there) who fight these
    drone armies. Finding every new echo channel (=where the drones announce
    themselves to the controllers/runners) and attempting to kill them.

    New drones always show up, and on many occasions - from the same IP's as
    the infected users were never aware of the situation to install or
    update their AV product of choice - if that product even detects the
    said Trojan horse which was used to "0wn" them.

    New IP's are always there to join them, regardless.

    As I have mentioned before a few years ago there was a paper which
    showed how a machine, which wasn't advertised, would get port-scanned
    within 36 hours of it showing up online.

    Those of us on broadband (mostly DSL/Cable IP ranges) know that this has
    long not been true, as we get port scanned for open Trojan ports and proxies
    (not to mention vulnerable machines) up to 16 times a minute.

    That fact would help explain the existence of such huge drone armies.

    | C14130657 is Guest18231@Toronto-HSE-ppp3970074.sympatico.ca * E63731312752
    | S66185921 is ~M93079924@pcp01044550pcs.villgs01.fl.comcast.net *
    | O12647092342
    | C96347981 is ~O98407918@host217-44-126-36.range217-44.btcentralplus.com *
    | Y710488319397
    | M84234958 is Guest92377@AOrleans-103-1-33-71.w81-250.abo.wanadoo.fr *
    | O58235883713
    | Z29553055 is Guest58875@nwc102-194.nwconx.net * E815603852272
    | O23413228 is Guest32361@062249161030.customer.alfanett.no * F729082226753
    | I65330976 is ~E89040321@adsl-216-103-54-205.dsl.lsan03.pacbell.net *
    | C527516603470

    You can see, as you noted yourself, the consistency of the nicknames and
    hosts. I am not familiar with these particular drones, as although in my
    teen years I started this crazy occupation of hunting drone armies I am
    no longer really involved with it now. Prysm however is the one who
    gives her life and soul to these online issues and who now leads the
    fight, among others.

    I'll ask her if she recognizes the drones, but we already know what
    installs them as I specify below.

    | The ISP (sympatico.ca) has been notified on March 27 at 10:00 am and this
    | computer is still up.

    Good luck getting them to help you. It is quite possible that despite
    what I wrote above (which is a regular modus operandi we see daily) that
    IP address serves no purpose but to notify the controllers of the pwned
    machine so that they can harvest IP addresses and check back in later. I
    didn't look into it, but it could be either.

    [I did not change the above paragraph as I believe I raise an
    interesting point, but discussing the URL in question with Daniel Otis
    Vigil (author of "The Cleaner" - www.moosoft.com - see below for other
    products such as "The Cleaner"), it appears that the CHM on the URL you
    mention is known as the vbs.psyme downloader, which downloads the Apher
    downloader, which in turn downloads IRC.Fylex (mIRC Scripts)]

    Now you might ask - mIRC script? So these *ARE* users after all?

    It is quite possible these are pwned users after all (which in my
    opinion are not that different from your regular drone), although some
    Trojan horses nowadays actually run mIRC in a hidden window, so that
    the user is completely unaware of being on IRC.

    Last week the media started making noise about a Trojan horse called
    Phatbot, which according to them infected 300K users.

    You can find more information on lurhq, by Joe Stewart:
    http://www.lurhq.com/phatbot.html.

    Truth is, Phatbot (at that time Phatbot.A) is just yet another Agobot.
    Latest Agobot I saw was Agobot.IU which came out 2 days ago. I am pretty
    sure I missed a couple since then as these come out daily.

    Agobots in turn are very similar/evolved from/are the same as/ hundreds
    of SDbots - an open source Trojan horse.

    Only half of the SDbots which I have tested in the past months are
    detected by most AV products.

    Although these Trojans "spread" and are infecting hundreds of thousands
    they are not worms. Their spread is slower, and although it appears like
    they are motivated in recent years by much the same as worms - criminal
    activity and spammers, rather than just bored kids and coders like in
    the past - they are not mass mailers and are usually introduced to a
    system by a kiddie (whether by an automated scan && infect process or
    manually) him or herself, rather than by a mass-spreading automatic
    mechanism of a worm.

    Definitions vary, but Phatbot was nothing new when the media started
    making noise about it. I do not know if the numbers associated with it
    are correct but there ARE drone armies. Companies ARE being blackmailed.

    As Paul Schmehl said.. real life "protection" by gangs would at least
    protect you from other gangs.

    On the net there is no guarantee that you won't still be attacked,
    whether by the same "gang" of kiddies or by yet some other "gang"
    looking to make some cash.

    The maximum any group of kiddies can do is launch an online war, if they
    will even bother, at whatever other group they want (if the attacking
    group is even identified), causing nothing more than bandwidth
    consumption. Then again kiddies never need too much of a reason to DDoS.

    To make this long email short - drone armies are real. They are mostly
    being ignored except by a few individuals, like prysm, who fight to
    destroy them on the IRC chat networks, to some success, against truly
    overwhelming odds.

    There is no real reason to start people going about any new "worm" here.
    These are just your average every-day Trojan horses who spam.

    I am sorry if this email message sounded like a rant, but the facts
    should be known to pretty much everybody who looks for them, by now.

    One final issue might be, how should users defend themselves against
    Trojan horses when a large majority of them are _not_ detected by AV
    products?

    There are two main options:

    1. Personal Firewalls.

            If they can't connect to you to infect you, or the Trojan horse
            installed on your system can't dial-home or be controlled
            remotely - you are safer than you would be without such a
            program.

    2. The less known factor of Anti Trojan companies.

            Anti Trojan (AT) companies are small, and rather successful.
            They manage to stay in business after quite a few years because
            they stay on top of these threats and eliminate them where AV
            products fail, or simply do not care. Some of these products are
            "The Cleaner", "BOclean" and "Trojan Remover".

            Many of these products are updated as often as AV's are, and
            they keep in touch with IRC people such as prysm in order to
            deal with threats such as you described above, wrongly, as a new
            worm.

    I hope this helped you. :)

    I am sorry if the above sounded like a rant, but it was my goal to
    explain the situation of what you encountered by chance, as in-depth as
    possible. We barely scratched the surface.

            Gadi Evron.

    -- 
    Email: ge@linuxbox.org. Backup: ge@warp.mx.dk.
    Phone: +972-50-428610 (Cell).
    PGP key for attachments: http://vapid.reprhensible.net/~ge/Gadi_Evron.asc
    ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
    GPG key for encrypted email:
    http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
    ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (MingW32)
    iD8DBQFAZfmZqH6NtwbH1FARApfRAJwIhCEZXcRMoZbnjPkX2i44gOruswCcDAi2
    d0BwLcL3Fw/WaeRbitwWPm8=
    =6274
    -----END PGP SIGNATURE-----
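The drone pattern the thread describes (a one-letter-plus-digits nick, a one-letter-plus-11-or-12-digit realname, a bare http://IP:port URL sent by /MSG, and no channel membership) can be turned into a simple triage check over a client log. This is an added example, not code from the original post; the log lines, hosts and WHOIS replies are constructed, and the IP used is a documentation address.

```python
import re

# Constructed sample: timestamped PRIVMSG lines as a client would log them.
SAMPLE_LINES = """\
[07:53] <C96347981> http://192.0.2.10:2233/
[07:54] <alice> hey, anyone seen the patch notes?
[07:55] <M84234958> http://192.0.2.10:2233/
[07:56] <Z29553055> http://192.0.2.10:2233/
"""

# Constructed /WHOIS results: nick -> (ident, host, realname, channels).
SAMPLE_WHOIS = {
    "C96347981": ("~O98407918", "host.example.net", "Y710488319397", []),
    "alice": ("~alice", "home.example.org", "Alice", ["#security"]),
    "M84234958": ("Guest92377", "dsl.example.com", "O58235883713", []),
    "Z29553055": ("Guest58875", "cable.example.net", "E815603852272", ["#help"]),
}

NICK_RE = re.compile(r"^[A-Z]\d{8}$")            # e.g. C96347981
REALNAME_RE = re.compile(r"^[A-Z]\d{11,12}$")    # e.g. Y710488319397
URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}:\d+/?")
MSG_RE = re.compile(r"^\[\d\d:\d\d\] <([^>]+)> (.*)$")


def drone_indicators(nick: str, text: str, whois: dict) -> list:
    """Return the list of drone indicators a single message matches."""
    hits = []
    if NICK_RE.match(nick):
        hits.append("nick is one letter followed by digits")
    if URL_RE.fullmatch(text.strip()):
        hits.append("message is a bare ip:port url")
    info = whois.get(nick)
    if info:
        _ident, _host, realname, channels = info
        if REALNAME_RE.match(realname):
            hits.append("realname is one letter followed by 11-12 digits")
        if not channels:
            hits.append("user is on no channels")
    return hits


def find_drones(log: str, whois: dict, threshold: int = 3) -> dict:
    """Scan a client log; return {nick: indicators} for likely spam drones."""
    result = {}
    for line in log.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # not a channel/private message line
        nick, text = m.groups()
        hits = drone_indicators(nick, text, whois)
        if len(hits) >= threshold:
            result[nick] = hits
    return result
```

Raising the threshold to four keeps only nicks that match every indicator, including the "on no channels" point the original poster noticed.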
    
