August 2006 - Posts

botnet submitted

Published: 2006-08-31,
Last Updated: 2006-08-31 15:11:08 UTC by Swa Frantzen (Version: 2)

Please note: this was submitted as an NT worm/botnet; however, it does not seem to affect NT only.

We received copies of malware, found by Geo on an NT system, that are being discussed in public forums; they appear to be (variants of) known botnets. Here's what Norman and virustotal.com had to say about them [sanitized]:

eraseme:

[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.
[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[deleted]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[deleted]", port 1863.
   * Connects to IRC Server.
[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.

Virustotal:
 AntiVir              6.35.1.11       08.31.2006  Worm/Sdbot.86016.43
 Authentium           4.93.8          08.30.2006  no virus found
 Avast                4.7.844.0       08.31.2006  no virus found
 AVG                  386             08.30.2006  IRC/BackDoor.SdBot2.HLZ
 BitDefender          7.2             08.31.2006  GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal        8.00            08.30.2006  no virus found
 ClamAV               devel-20060426  08.31.2006  no virus found
 DrWeb                4.33            08.31.2006  Win32.HLLW.MyBot
 eTrust-InoculateIT   23.72.111       08.31.2006  no virus found
 eTrust-Vet           30.3.3052       08.31.2006  no virus found
 Ewido                4.0             08.31.2006  Backdoor.SdBot.anp
 Fortinet             2.77.0.0        08.31.2006  W32/SDBot.AKI!worm
 F-Prot               3.16f           08.30.2006  no virus found
 F-Prot4              4.2.1.29        08.31.2006  no virus found
 Ikarus               0.2.65.0        08.31.2006  no virus found
 Kaspersky            4.0.2.24        08.31.2006  Backdoor.Win32.SdBot.anp
 McAfee               4841            08.30.2006  no virus found
 Microsoft            1.1560          08.31.2006  no virus found
 NOD32                v21.1733        08.31.2006  a variant of IRC/SdBot
 Norman               5.90.23         08.31.2006  W32/Malware
 Panda                9.0.0.4         08.30.2006  no virus found
 Sophos               4.09.0          08.31.2006  no virus found
 Symantec             8.0             08.31.2006  W32.Spybot.Worm
... 

csrsc:

Norman:
[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.

[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
   * Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
   * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "restrictanonymous"="^A" in key "HKLM\System\CurrentControlSet\Control\Lsa".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Creates key "HKLM\Software\Microsoft\OLE".
   * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
   * Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".

[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[DELETED]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
   * Connects to IRC Server.
   * IRC: Uses nickname [XP||N|677795].
   * IRC: Uses username XP88038.
   * Opens URL: http://[DELETED]/prxjdg.cgi.
   * Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
   * Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
   * Opens URL: http://[DELETED]/tomocrus/cgi-bin/check/prxjdg.cgi.
   * Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
   * Opens URL: http://[DELETED]/little_w/prxjdg.cgi.
   * IRC: Sets the usermode for user [XP||N|677795] to .
   * IRC: Joins channel #NGEN with password [DELETED].

[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
   * Attempts to access service "Tlntsvr".
   * Attempts to access service "RemoteRegistry".
   * Attempts to access service "Messenger".
   * Attempts to access service "SharedAccess".
   * Attempts to access service "wscsvc".

[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.


Virustotal:
 Authentium           4.93.8          08.30.2006  no virus found
 Avast                4.7.844.0       08.31.2006  no virus found
 AVG                  386             08.30.2006  IRC/BackDoor.SdBot2.HLZ
 BitDefender          7.2             08.31.2006  GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal        8.00            08.30.2006  no virus found
 ClamAV               devel-20060426  08.31.2006  no virus found
 DrWeb                4.33            08.31.2006  Win32.HLLW.MyBot
 eTrust-InoculateIT   23.72.111       08.31.2006  no virus found
 eTrust-Vet           30.3.3052       08.31.2006  no virus found
 Ewido                4.0             08.31.2006  Backdoor.SdBot.anp
 Fortinet             2.77.0.0        08.31.2006  W32/SDBot.AKI!worm
 F-Prot               3.16f           08.30.2006  no virus found
 F-Prot4              4.2.1.29        08.31.2006  no virus found
 Ikarus               0.2.65.0        08.31.2006  no virus found
 Kaspersky            4.0.2.24        08.31.2006  Backdoor.Win32.SdBot.anp
 McAfee               4841            08.30.2006  no virus found
 Microsoft            1.1560          08.31.2006  no virus found
 NOD32                v21.1733        08.31.2006  a variant of IRC/SdBot
 Norman               5.90.23         08.31.2006  W32/Malware
 Panda                9.0.0.4         08.30.2006  no virus found
 Sophos               4.09.0          08.31.2006  no virus found
 Symantec             8.0             08.31.2006  W32.Spybot.Worm
 TheHacker            5.9.8.202       08.31.2006  no virus found
 UNA                  1.83            08.31.2006  no virus found
 VBA32                3.11.1          08.30.2006  Win32.HLLW.MyBot
 VirusBuster          4.3.7:9         08.30.2006  no virus found

i.exe:

Virustotal:
 AntiVir              6.35.1.11       08.31.2006  Worm/Spybot.1093632
 Authentium           4.93.8          08.30.2006  no virus found
 Avast                4.7.844.0       08.31.2006  no virus found
 AVG                  386             08.30.2006  IRC/BackDoor.SdBot2.HLY
 BitDefender          7.2             08.31.2006  Win32.Worm.Tilebot.GM
 CAT-QuickHeal        8.00            08.30.2006  no virus found
 ClamAV               devel-20060426  08.31.2006  no virus found
 DrWeb                4.33            08.31.2006  Win32.HLLW.MyBot
 eTrust-InoculateIT   23.72.111       08.31.2006  Win32/SDBOT.AQJ!Worm
 eTrust-Vet           30.3.3052       08.31.2006  Win32/Petribot.XM
 Ewido                4.0             08.31.2006  Backdoor.SdBot.aqj
 Fortinet             2.77.0.0        08.31.2006  W32/Tilebot.AQJ!worm
 F-Prot               3.16f           08.30.2006  no virus found
 F-Prot4              4.2.1.29        08.31.2006  no virus found
 Ikarus               0.2.65.0        08.31.2006  Backdoor.Win32.SdBot.aqi
 Kaspersky            4.0.2.24        08.31.2006  Backdoor.Win32.SdBot.aqj
 McAfee               4841            08.30.2006  W32/Spybot.worm.gen.p
 Microsoft            1.1560          08.31.2006  Backdoor:Win32/Rbot!02A6
 NOD32                v21.1733        08.31.2006  IRC/SdBot
 Norman               5.90.23         08.31.2006  W32/Spybot.AXGM
 Panda                9.0.0.4         08.30.2006  W32/Sdbot.IAZ.worm
 Sophos               4.09.0          08.31.2006  W32/Tilebot-GM
 Symantec             8.0             08.31.2006  W32.Spybot.AKNO
 TheHacker            5.9.8.202       08.31.2006  no virus found
 UNA                  1.83            08.31.2006  Backdoor.SdBot.8
 VBA32                3.11.1          08.30.2006  Win32.HLLW.MyBot
 VirusBuster          4.3.7:9         08.30.2006  no virus found

Reading up on what the antivirus community has written about these, they seem to attack through so many vectors that it's likely they affect poorly patched systems (and NT or any other legacy Windows version would make a prime target).

--
Swa Frantzen -- Section66.com

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Mass-mailers are dead! Long live mass-mailers!

Currently, exploits are the flavor of the month as far as malicious code authors are concerned. However, in recent days we have seen a few variants of a new mass-mailing worm called W32.Stration@mm successfully spreading on a moderate scale over the Internet. For some time now we have observed fewer and fewer new instances of mass-mailing worms, so it has now become a bit of a novelty to see that somebody is still willing to invest time and effort into creating a worm that uses this method as the primary means of propagation.

Mass-mailing worms have been around for a long time and people have, by and large, learnt to defend themselves more effectively against them. In the fight back, many administrators now block certain attachments on the gateway; some may apply email filtering such as Symantec Brightmail, provide user education, and use various other methods to help curtail the spread of mass-mailing worms. During the period from 2003 to 2005, it was not uncommon to see new variants of mass-mailing worms such as Netsky, Beagle and Mydoom appear nearly on a daily basis. The last truly effective mass-mailing worm we have seen was W32.Mydoom.AX@mm, which burst onto the scene back in February of 2005; in this case it managed to reach a category rating of 3. Since then, no other mass-mailing worm has achieved anywhere near the same level of success in propagation.

Despite all of the advances in technology and controls over the years, one of the soft spots in the defenses against mass-mailing threats is still the user. Most mass-mailing worms employ some form of social engineering to trick recipients into opening and running the attachments. As sure as the sun will rise every day, there will always be new, inexperienced users to take the bait. For this reason we can expect that the mass-mailing technique will continue to be used in the arsenal of the threat authors and will remain effective, but not spectacularly so; W32.Stration.C@mm is a case in point. For those of you affected by W32.Stration.C@mm, you'll be glad to know that a full system scan using the latest definitions will clean the threat from your computer, malicious files and registry keys included.

Symantec Security Response Weblog: Mass-mailers are dead! Long live mass-mailers!.

Wednesday, August 30, 2006

Jump Around Posted by MikaT @ 10:13 GMT

This week we've encountered a cross-platform worm that's capable (at least theoretically) of spreading from a PC to a mobile device and back. To be more specific, the "Mobler" worm moves between Symbian and Windows platforms. Although it's quite nasty on the Windows side, it doesn't cause much harm on the Symbian device. It just copies itself to the memory card and tries to trick the user into infecting his PC.


Technically there isn't any automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device's memory card. This executable is visible as a system folder in Windows Explorer - so it's possible for the user to accidentally open it and infect their PC while browsing the memory card's files.

Mobler poses no immediate risk to mobile device users in its present form. However, it's possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialise.

For more information, see the descriptions for Mobler and Cardtrap.AK.

F-Secure : News from the Lab - August of 2006.

Sendmail DoS Vulnerability

Published: 2006-08-29,
Last Updated: 2006-08-29 19:30:40 UTC by Scott Fendley (Version: 1)

For some of the Unix types out there, this may be old news by now.  However, we do have a couple of reports in the mailbag about the Sendmail Denial of Service issue. 

On August 9, 2006, Sendmail.org released version 8.13.8, which addressed a few bugs that were discovered in 8.13.7 and fixed a few other bugs. One particular bug fix addresses an issue where sendmail would crash due to referencing a variable that had been freed. This flaw can be exploited by crafting a message with very long header lines. I did not see much media attention to this when it was released (in fact I personally missed the note that it had been updated). However, in the past 24 hours a number of organizations have posted information about it. Oh well, looks like I wasn't the only one that missed it at the time.

As this appears to just be a DoS issue, it is our recommendation that if you are using Sendmail based products, please upgrade to 8.13.8 available at Sendmail.org, or contact your vendor for appropriate updates.  Also, make sure you are on the appropriate announcement list for any software vendors that you use.  Sometimes little security issues can get past even the best of us if we don't visit the local CVS repository, or website on a daily/weekly basis.

I am looking around for appropriate Snort rules that might detect this.


For More Information:
http://secunia.com/advisories/21637/
http://www.openbsd.org/errata.html (August 25 sendmail patch)
http://www.frsirt.com/english/advisories/2006/3393


---
Scott Fendley
ISC Handler On Duty
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
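
As an added example (not from the diary above or from sendmail itself), the following Python flags messages whose header lines exceed the RFC 2822 line limit of 998 octets, both per physical line and after unfolding, which is the kind of mail-side check a filter or milter could apply while waiting for IDS signatures. The sample messages are constructed, and the 998-octet threshold is an assumption about what counts as "very long", not a statement of the exact condition that crashes sendmail.

```python
from typing import List, Tuple

# RFC 2822 section 2.1.1: a line MUST be no more than 998 characters, excluding the CRLF.
# Used here as the "very long" threshold (an assumption; the diary gives no number).
RFC2822_MAX_LINE = 998

# Constructed sample messages (not real mail).
NORMAL = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
          b"Subject: status\r\n\r\nbody\r\n")
LONG_LINE = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
             b"Subject: " + b"A" * 1500 + b"\r\n\r\nbody\r\n")
# Twenty 70-byte fragments folded onto continuation lines: every physical line is short,
# but the unfolded Subject is not.
FOLDED = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
          b"Subject: " + b"\r\n ".join([b"B" * 70] * 20) + b"\r\n\r\nbody\r\n")


def header_lines(raw: bytes) -> List[bytes]:
    """Physical lines of the header block (everything before the first empty line),
    with line terminators removed so lengths follow the RFC's 'excluding CRLF' rule."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    return head.split(b"\n")


def overlong_physical_lines(raw: bytes, limit: int = RFC2822_MAX_LINE) -> List[Tuple[int, int]]:
    """(1-based line number, length) for each header line longer than limit."""
    return [(n, len(line)) for n, line in enumerate(header_lines(raw), 1) if len(line) > limit]


def unfolded_header_lengths(raw: bytes) -> List[Tuple[str, int]]:
    """Length of each logical header after unfolding (RFC 2822 section 2.2.3: a line
    starting with SP or HTAB continues the previous field), paired with its field name."""
    result: List[Tuple[str, int]] = []
    name, length = None, 0
    for line in header_lines(raw):
        if line[:1] in (b" ", b"\t") and name is not None:
            length += len(line)  # CRLF dropped, leading whitespace kept, as unfolding does
            continue
        if name is not None:
            result.append((name, length))
        field, sep, _ = line.partition(b":")
        name = field.strip().decode("latin-1") if sep else "<malformed>"
        length = len(line)
    if name is not None:
        result.append((name, length))
    return result


def suspicious_headers(raw: bytes, limit: int = RFC2822_MAX_LINE) -> dict:
    """Report both views: a filter that only checks physical lines would miss FOLDED."""
    physical = overlong_physical_lines(raw, limit)
    logical = [(n, l) for n, l in unfolded_header_lengths(raw) if l > limit]
    return {"overlong_lines": physical, "overlong_unfolded": logical,
            "flag": bool(physical or logical)}


if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("long_line", LONG_LINE), ("folded", FOLDED)):
        print(label, suspicious_headers(msg))
```
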

Google unveils 'Apps for Your Domain'

Adds online calendar, IM and web authoring tools
Clement James, vnunet.com 29 Aug 2006

Back in February, internet giant Google started making noises about a version of Gmail which website administrators could roll out for their own domain.

Over the past few days it has emerged that Google has been adding new functionality to the project, this week releasing Google Apps for Your Domain.

The new software suite, which is available free, includes customizable versions of Gmail, Google Talk and Google Calendar along with tools to brand them for a particular organization.

The service also includes Google Page Creator for designing and publishing a website.

"There is no hardware or software required, and you can customize the user interfaces with your branding and colour scheme so they look and feel like your own," Google said.

The company added that it is still working on the service: "If you are from a larger business or university with more advanced needs for communications and sharing, please get in touch regarding premium versions of the service due out later this year."

Google unveils 'Apps for Your Domain' - vnunet.com.

I just got news that my sister just delivered her second child this morning!

His name is Brandon and he is 21 inches long and weighed 8 lbs. Both Brandon and his mother are doing fine, and it has already been confirmed that Brandon has a good set of lungs on him. ;-)

I wish I could have been there, but we will be visiting at Christmas so I can spoil him then!

 

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 24, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (923762)

  - Title: Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit
  - http://www.microsoft.com/technet/security/advisory/923762.mspx
  - Revision Note: Advisory updated to direct customers to the revised version of Microsoft Security Bulletin MS06-042 that includes new updates for Internet Explorer 6 Service Pack 1.

********************************************************************

MS06-042 reissue

Published: 2006-08-24,
Last Updated: 2006-08-24 17:23:04 UTC by Jim Clausing (Version: 1)

The anxiously awaited reissue of the patch from bulletin MS06-042 is now live. Time to re-apply the patch on Internet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 (all versions) and Windows 2000 (all versions).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: August 22, 2006
********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS06-042

Bulletin Information:
=====================

* MS06-042

  - http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
  - Reason for Revision: Bulletin caveats updated with additional information regarding the release status of revised Internet Explorer 6 Service Pack 1 updates, as well as the release of Security Advisory 923762.
  - Originally posted: August 8, 2006
  - Updated: August 22, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.2

********************************************************************

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 22, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (923762)

  - Title: Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit
  - http://www.microsoft.com/technet/security/advisory/923762.mspx
  - Revision Note: Advisory Published

********************************************************************

More MS06-042 woes

Published: 2006-08-22,
Last Updated: 2006-08-22 21:22:31 UTC by Johannes Ullrich (Version: 1)

The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code.

At this point, we recommend:
  • Keep MS06-042 applied if you can. It fixes more bugs than it creates.
  • If you are having problems with internal web sites that can no longer be used: Restrict MSIE to be used internally only.
  • Use Firefox/Opera or other browsers for now.
  • "SandboxIE" can be used to protect your system from damage caused via MSIE.
  • If you establish a "No MSIE" policy, you can use the snort rule below to detect accidental policy violations.
Snort Rule:
# sid 1000001 is a placeholder from the local-rules range; adjust to your own numbering.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"Policy violation - MSIE 6.0 User-Agent"; \
content:"|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0"; \
sid:1000001; rev:1;)
Links:
http://isc.sans.org/diary.php?storyid=1611 (updated patch matrix)
http://research.eeye.com/html/alerts/AL20060822.html (EEye Alert regarding the code execution)
http://www.microsoft.com/technet/security/advisory/923762.mspx
http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx (latest MSRC blog article regarding this issue, dated Aug. 16th).
Sandboxie
 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
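
As an added example (not part of the diary above), the following Python reproduces the raw content match of the diary's Snort rule over constructed HTTP requests and contrasts it with a header-parsing check. It shows two practical caveats of the rule as written: the match is case-sensitive, and Opera's "identify as Internet Explorer" mode also sends an MSIE 6.0 User-Agent. The sample requests and the Opera exclusion are assumptions, not from the diary.

```python
from typing import List, Optional, Tuple

# Byte pattern from the diary's Snort rule:
#   content:"|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0"
SNORT_CONTENT = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0"

# Constructed sample requests (not captured traffic).
SAMPLES: List[Tuple[str, bytes]] = [
    ("msie6_xp", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"),
    ("firefox15", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) "
                  b"Gecko/20060728 Firefox/1.5.0.6\r\n\r\n"),
    # Opera 9 in its "identify as Internet Explorer" mode: MSIE 6.0 prefix plus an Opera token.
    ("opera_as_ie", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.00\r\n\r\n"),
    # Genuine MSIE 6.0 with the header name in lower case (HTTP header names are case-insensitive).
    ("msie6_lowercase", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                        b"user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
]


def snort_content_match(request: bytes) -> bool:
    """Plain substring search, which is what the rule's content keyword does
    (case-sensitive unless the nocase modifier is added)."""
    return SNORT_CONTENT in request


def user_agent(request: bytes) -> Optional[str]:
    """Return the User-Agent value from the request head, matching the header name
    case-insensitively."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def is_msie6_policy_violation(request: bytes) -> bool:
    """Header-aware check for a 'No MSIE' policy: flags a genuine MSIE 6.0 User-Agent and
    (assumption) does not flag Opera identifying itself as IE."""
    ua = user_agent(request)
    if ua is None:
        return False
    return ua.startswith("Mozilla/4.0 (compatible; MSIE 6.0") and "Opera" not in ua


def classify_samples() -> List[Tuple[str, bool, bool]]:
    """(label, raw Snort-style content match, header-aware check) for every sample."""
    return [(label, snort_content_match(req), is_msie6_policy_violation(req))
            for label, req in SAMPLES]


if __name__ == "__main__":
    for label, raw, parsed in classify_samples():
        print(f"{label:16} snort-content={raw} header-aware={parsed}")
```

Adding the nocase modifier to the content option closes the case-sensitivity gap in Snort itself; whether Opera in IE-compatibility mode counts as a policy violation is a local decision.
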

FAQ on PowerPoint 0-day

Published: 2006-08-20,
Last Updated: 2006-08-20 21:14:31 UTC by Marcus Sachs (Version: 1)

 

As was reported yesterday, there seems to be a new issue with PowerPoint.  Reader Juha-Matti has put together a comprehensive FAQ about the situation.  He is soliciting comments via his FAQ page, see the links at the bottom.  More details coming as this develops.

Marcus H. Sachs
Director, SANS Internet Storm Center

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Trojan dropper in Power Point - a new issue?

Published: 2006-08-19,
Last Updated: 2006-08-19 22:39:43 UTC by Brian Granier (Version: 1)

As pointed out by one of our readers, Juha-Matti, Trendmicro has recently released information about some Trojan droppers in Microsoft Power Point. The two links are TROJ_MDROPPER.BH and TROJ_SMALL.CMZ.

These articles are a little light in detail with respect to the inner mechanics of the vulnerability, but they sound very similar to issues reported last July, as you can see in our previous diary. It is possible that these issues are related to MS06-048 and are just a variant of the attack described by Microsoft here. The question remains whether this is truly a new vulnerability, whether Microsoft failed to fix the root cause with MS06-048, or whether MS06-048 addresses these issues. Trendmicro's claim is that there is no current patch for this issue.

--
T. Brian Granier

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 15, 2006
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS06-051
  * MS06-047
  * MS06-042
  * MS06-038

Bulletin Information:
=====================

* MS06-051

  - http://www.microsoft.com/technet/security/bulletin/ms06-051.mspx
  - Reason for Revision: File Information updated for Windows 2003 in the "Security Update Section".
  
  - Originally posted: August 8, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS06-047

  - http://www.microsoft.com/technet/security/bulletin/ms06-047.mspx
  - Reason for Revision: Bulletin updated the "Deployment Information" for "Microsoft Visual Basic for Applications"
    under "Security Update Information" Section.  
  - Originally posted: August 8, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS06-042

  - http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
  - Reason for Revision: Bulletin caveats updated with additional information affecting some Internet Explorer 6 Service Pack 1
    customers.  See Knowledge Base Article 923762 for more information.  
  - Originally posted: August 8, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS06-038

  - http://www.microsoft.com/technet/security/bulletin/ms06-038.mspx
  - Reason for Revision: Bulletin updated "Client Installation File Information" and "Administrative Installation File
    Information" for Office 2003 and Office XP in the "Security Update Section". Provided additional clarity around "What
    updates does this release replace?" regarding MS05-005 for Office XP.
  - Originally posted: July 11, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.3
        
********************************************************************

Analysis of Mocbot Goals

Published: 2006-08-15,
Last Updated: 2006-08-15 20:06:26 UTC by Kyle Haugsness (Version: 1)

The folks at LURHQ have done some excellent analysis of the latter stages of Mocbot. Exactly what is the final goal of this bot? Find out here: http://www.lurhq.com/mocbot-spam.html

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
