
SANS ISC InfoSec Handlers Diary Blog



botnet submitted

Published: 2006-08-31
Last Updated: 2006-08-31 21:47:24 UTC
by Swa Frantzen (Version: 4)
Please note: this was submitted as an NT worm/botnet; it does not, however, seem to affect NT only.

We received copies of malware found by Geo on an NT system; the samples are being discussed in public forums and appear to be (variants of) known botnets. Here's what the Norman sandbox and virustotal.com had to say about them [sanitized]:

[Updated: Thorsten pointed out that 2 files were the same (they are indeed), yet the differing results from the sandbox set us on the wrong foot. Fixed.]

eraseme & csrsc:

Norman:

[ General information ]
   * Anti debug/emulation code present.
   * Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.

[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
   * Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
   * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "restrictanonymous"="^A" in key "HKLM\System\CurrentControlSet\Control\Lsa".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Creates key "HKLM\Software\Microsoft\OLE".
   * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
   * Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".

[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[DELETED]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
   * Connects to IRC Server.
   * IRC: Uses nickname [XP||N|677795].
   * IRC: Uses username XP88038.
   * Opens URL: http://[DELETED]/prxjdg.cgi.
   * Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
   * Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
   * Opens URL: http://[DELETED]/tomocrus/cgi-bin/check/prxjdg.cgi.
   * Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
   * Opens URL: http://[DELETED]/little_w/prxjdg.cgi.
   * IRC: Sets the usermode for user [XP||N|677795] to .
   * IRC: Joins channel #NGEN with password [DELETED].

[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
   * Attempts to access service "Tlntsvr".
   * Attempts to access service "RemoteRegistry".
   * Attempts to access service "Messenger".
   * Attempts to access service "SharedAccess".
   * Attempts to access service "wscsvc".

[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.


Virustotal:
Engine              Version         Date        Result
AntiVir             6.35.1.11       08.31.2006  Worm/Sdbot.86016.43
Authentium          4.93.8          08.30.2006  no virus found
Avast               4.7.844.0       08.31.2006  no virus found
AVG                 386             08.30.2006  IRC/BackDoor.SdBot2.HLZ
BitDefender         7.2             08.31.2006  GenPack: Generic.Sdbot.4F0C4C47
CAT-QuickHeal       8.00            08.30.2006  no virus found
ClamAV              devel-20060426  08.31.2006  no virus found
DrWeb               4.33            08.31.2006  Win32.HLLW.MyBot
eTrust-InoculateIT  23.72.111       08.31.2006  no virus found
eTrust-Vet          30.3.3052       08.31.2006  no virus found
Ewido               4.0             08.31.2006  Backdoor.SdBot.anp
Fortinet            2.77.0.0        08.31.2006  W32/SDBot.AKI!worm
F-Prot              3.16f           08.30.2006  no virus found
F-Prot4             4.2.1.29        08.31.2006  no virus found
Ikarus              0.2.65.0        08.31.2006  no virus found
Kaspersky           4.0.2.24        08.31.2006  Backdoor.Win32.SdBot.anp
McAfee              4841            08.30.2006  no virus found
Microsoft           1.1560          08.31.2006  no virus found
NOD32               v21.1733        08.31.2006  a variant of IRC/SdBot
Norman              5.90.23         08.31.2006  W32/Malware
Panda               9.0.0.4         08.30.2006  no virus found
Sophos              4.09.0          08.31.2006  no virus found
Symantec            8.0             08.31.2006  W32.Spybot.Worm
TheHacker           5.9.8.202       08.31.2006  no virus found
UNA                 1.83            08.31.2006  no virus found
VBA32               3.11.1          08.30.2006  Win32.HLLW.MyBot
VirusBuster         4.3.7:9         08.30.2006  no virus found

i.exe:

Virustotal:
Engine              Version         Date        Result
AntiVir             6.35.1.11       08.31.2006  Worm/Spybot.1093632
Authentium          4.93.8          08.30.2006  no virus found
Avast               4.7.844.0       08.31.2006  no virus found
AVG                 386             08.30.2006  IRC/BackDoor.SdBot2.HLY
BitDefender         7.2             08.31.2006  Win32.Worm.Tilebot.GM
CAT-QuickHeal       8.00            08.30.2006  no virus found
ClamAV              devel-20060426  08.31.2006  no virus found
DrWeb               4.33            08.31.2006  Win32.HLLW.MyBot
eTrust-InoculateIT  23.72.111       08.31.2006  Win32/SDBOT.AQJ!Worm
eTrust-Vet          30.3.3052       08.31.2006  Win32/Petribot.XM
Ewido               4.0             08.31.2006  Backdoor.SdBot.aqj
Fortinet            2.77.0.0        08.31.2006  W32/Tilebot.AQJ!worm
F-Prot              3.16f           08.30.2006  no virus found
F-Prot4             4.2.1.29        08.31.2006  no virus found
Ikarus              0.2.65.0        08.31.2006  Backdoor.Win32.SdBot.aqi
Kaspersky           4.0.2.24        08.31.2006  Backdoor.Win32.SdBot.aqj
McAfee              4841            08.30.2006  W32/Spybot.worm.gen.p
Microsoft           1.1560          08.31.2006  Backdoor:Win32/Rbot!02A6
NOD32               v21.1733        08.31.2006  IRC/SdBot
Norman              5.90.23         08.31.2006  W32/Spybot.AXGM
Panda               9.0.0.4         08.30.2006  W32/Sdbot.IAZ.worm
Sophos              4.09.0          08.31.2006  W32/Tilebot-GM
Symantec            8.0             08.31.2006  W32.Spybot.AKNO
TheHacker           5.9.8.202       08.31.2006  no virus found
UNA                 1.83            08.31.2006  Backdoor.SdBot.8
VBA32               3.11.1          08.30.2006  Win32.HLLW.MyBot
VirusBuster         4.3.7:9         08.30.2006  no virus found

Reading up on what the antivirus community has written about these, they seem to spread through so many vectors that it's likely they affect poorly patched systems.

Some observations

  • Joerg wrote in to agree with us that it's a bit sad to see how badly detected these slight variants on the theme are in real life. Of course the malware crafters make sure they evade the signatures they are interested in. But still it's sad to see that less than half of the products represented on Virustotal detect a sample that's running amok on the net.
  • Take a look at the [Changes to registry] section above and see the keys any such malware changes. Next, imagine how a clean-up program is going to guess what you had in those keys before. Right: you'll end up with sub-optimal settings no matter what.
  • Since this caused, unjustifiably so, somewhat of a stir in the "still using NT" community:
    • let's face it: upgrade, or isolate, or ... get hit eventually.
    • balance the cost of upgrading against the cost of premium support plus the cost of an outbreak times the chance of an outbreak.
  • It's not just targeting NT!
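As an added example (not code from this diary, from Norman or from VirusTotal), the following PowerShell audit reports whether a Windows host shows the registry changes listed in the sandbox output above. It assumes the "^A" and "^D" in that output are DWORD values 1 and 4, and it only reads, because, as noted above, nobody can know what the keys held before the infection.

```powershell
# Added host audit; not part of the ISC diary or of any vendor tool.
# Assumptions: "^A" in the Norman report means DWORD 1, "^D" means DWORD 4,
# and the "Bad" values below are exactly what the report shows the bot writing.
# Run in an elevated Windows PowerShell session. Read-only by design.
$BotChecks = @(
    # Path, value name, value the bot writes ($null = mere presence is suspect), meaning
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1; Why = 'AV-missing alerts suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Bad = 1; Why = 'firewall-off alerts suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Bad = 1; Why = 'update alerts suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride';      Bad = 1; Why = 'AV status overridden' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';       Bad = 1; Why = 'firewall status overridden' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions'; Bad = 1; Why = 'Automatic Updates turned off' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2'; Bad = 1; Why = 'XP SP2 install blocked by policy' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\OLE';                    Name = 'EnableDCOM'; Bad = 'N';   Why = 'DCOM disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start';      Bad = 4;     Why = 'Security Center service disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\npx';    Name = 'ImagePath';  Bad = $null; Why = 'bogus "Network Gateway Manager" service (csrsc.exe) installed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'; Name = 'Installed Time'; Bad = $null; Why = 'bot install marker present' }
)

function Test-SdbotRegistryTampering {
    param([hashtable[]] $Checks = $BotChecks)
    foreach ($c in $Checks) {
        # Missing key or missing value: nothing to report for this check.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $actual = $item.$($c.Name)
        # Presence-only checks fire on any value; the rest compare as strings so
        # DWORD 1 and REG_SZ "1" are treated alike.
        if ($null -eq $c.Bad -or "$actual" -eq "$($c.Bad)") {
            [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $actual; Finding = $c.Why }
        }
    }
}

$Findings = @(Test-SdbotRegistryTampering)
if ($Findings.Count -eq 0) { 'No Sdbot-style registry tampering found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A hit on several of these at once is a strong sign of this family; a single hit (for example AUOptions) can also be legitimate local policy, so confirm before treating the host as compromised.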

Many thanks to fellow handler Joel for the help.

--
Swa Frantzen -- Section66.com

Keywords: botnet malware NT