
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-17 InfoSec Handlers Diary Blog



Possible MSIE Zero-Day; Analysis of Zotob versions; Why are we still Green;

Published: 2005-08-17
Last Updated: 2005-08-18 09:41:13 UTC
by Deborah Hale (Version: 1)

Possible MSIE Zero-Day



FrSIRT posted a possible zero-day exploit against Microsoft Internet Explorer (MSIE) 6. According to the notes posted with the exploit, it should open a remote shell by exploiting msdds.dll.

To be vulnerable, 'msdds.dll' has to be installed on your system. By default it is not installed on Windows XP or 2000. However, if you install Visual Studio .Net, msdds.dll will be installed. Some of the .Net SDKs may include the component as well, but we were not able to verify this (please let us know if you see msdds.dll without Visual Studio .Net).

Antivirus scanners are able to detect this exploit as "Iframebof Exploit" (Kaspersky) or "JS.Bofra.A" (Bitdefender). They may trigger on the shellcode, which is bound to change if shellcode with different functionality is used.


Analysis of Zotob Versions.





As promised earlier, here is my analysis as of 11:30 am CDT. Hopefully I have included enough information to help those who have been infected figure out exactly which version they are infected with.



Good Afternoon Internet Users


Yes, the fun does continue. The little fellows that wreaked havoc on CNN, ABC, NY Times and other "rumored" victims are still continuing. Symantec has identified two more versions of Zotob, so we are now up to version G.


Thought I would try to compile some info and see if we can determine the actual differences between these. It may help some of you to determine just exactly what version of these rascals you are dealing with. So here goes my perhaps feeble attempt at trying to make heads or tails out of this mess.


After having killed a couple of trees printing out the Symantec reports on each of these so that I could review off line (I don't comprehend very well if I don't hold the document in my hands while I read), here is what I have come up with.


CAUTION: We do observe a large variety of bots taking advantage of MS05-039. Not all of them are characterized as Zotob, and some may escape AV detection altogether. Do not assume that you are "safe" because you don't find Zotob if you are still vulnerable to the PNP exploit. Some of the other bots match generic SDBot or RBot signatures.

Zotob.A



Executable size: 22,528 bytes

Executable Name: botzor.exe

Ports: TCP - 445, 8080, 33333



Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend]


Other details - Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.


Zotob.B




Executable size: 27,648 bytes

Executable Name: csm.exe

Ports: TCP - 445, 8080, 33333



Aliases: Zotob.B [F-Secure], W32/Zotob.worm.b [McAfee], W32/Zotob-B [Sophos], WORM_ZOTOB.B [Trend Micro]


Other details - Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.


Zotob.C




Executable size: 41,984 bytes

Executable Name: per.exe

Ports: TCP - 445, 8080, 33333



Other details - Mass-mailing worm that uses a predefined list of recipient names, appending the domain names that it gathers from an infected computer. Contains its own SMTP engine to email the addresses that it finds. Opens FTP server on port 33333, adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.


Zotob.D




Executable size: 51,326 bytes

Executable name: windrg32.exe

Ports: TCP - 6667, 1117, 445



Other details - Opens FTP server on port 11173, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.


Zotob.E




Executable size: 10,366 bytes

Executable Name: wintbp.exe

Ports: TCP - 8594, 8080, 445; UDP - 69

Aliases: WORM_RBOT.CBQ [Trend Micro]


Other details - Opens TFTP server on UDP port 69, connects to IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, adds itself to the Run key in the registry.


Zotob.F




Executable size: 10,878 bytes

Executable name: wintbpx.exe
Ports: TCP 445


Other details - Opens multiple TCP ports. Connects to IRC server at 72.20.41.139 to listen for update instructions, adds itself to the Run key in the registry, creates a file named %Temp%\[NUMBER] which, if successful, contains TFTP scripts to download additional files.


Zotob.G




Executable size: 73,728 bytes

Executable name: windrg32.exe

Ports: TCP 445,6667,1171

Aliases: W32.Drudebot.A

Other details - Attempts to connect to IRC servers on port 6667, opens a TFTP server on port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, adds itself to the Run and RunServices keys in the registry, and creates a file named %Temp%\[NUMBER] which, if successful, contains TFTP scripts to download additional files. Modifies the hosts file to prevent antivirus and security programs from updating.


This is the information that I have as of this Diary update. We will keep you posted if anything changes.
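As an added example (not part of the original diary or of Symantec's reports), the Python below scores observed file names, file sizes and TCP ports against the per-variant values listed above, so that shared indicators such as windrg32.exe (D and G) or port 445 (every variant) do not produce a false single answer. The scoring weights, function names and the sample observation are assumptions constructed for illustration.

```python
# Signatures copied from the diary above (TCP ports only; Zotob.E's UDP 69 is not modelled).
VARIANTS = {
    "Zotob.A": {"exe": "botzor.exe",   "size": 22528, "ports": {445, 8080, 33333}},
    "Zotob.B": {"exe": "csm.exe",      "size": 27648, "ports": {445, 8080, 33333}},
    "Zotob.C": {"exe": "per.exe",      "size": 41984, "ports": {445, 8080, 33333}},
    "Zotob.D": {"exe": "windrg32.exe", "size": 51326, "ports": {6667, 1117, 445}},
    "Zotob.E": {"exe": "wintbp.exe",   "size": 10366, "ports": {8594, 8080, 445}},
    "Zotob.F": {"exe": "wintbpx.exe",  "size": 10878, "ports": {445}},
    "Zotob.G": {"exe": "windrg32.exe", "size": 73728, "ports": {445, 6667, 1171}},
}
COMMON_PORT = 445  # listed for every variant, so it cannot tell them apart

def score(sig, files, tcp_ports):
    """Return (points, reasons); the weights 2/3/1 are illustrative assumptions."""
    points, reasons = 0, []
    if sig["exe"] in files:
        points += 2
        reasons.append("name " + sig["exe"])
        if files[sig["exe"]] == sig["size"]:
            points += 3
            reasons.append("size %d" % sig["size"])
    hits = (sig["ports"] - {COMMON_PORT}) & tcp_ports
    if hits:
        points += len(hits)
        reasons.append("ports " + ",".join(map(str, sorted(hits))))
    return points, reasons

def triage(files, tcp_ports):
    """files: {file name: size in bytes}; returns matches, best first."""
    files = {name.lower(): size for name, size in files.items()}
    ranked = []
    for variant, sig in VARIANTS.items():
        points, reasons = score(sig, files, set(tcp_ports))
        if points:
            ranked.append((points, variant, reasons))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

def verdict(files, tcp_ports):
    ranked = triage(files, tcp_ports)
    if not ranked:
        # The diary's caution applies: other MS05-039 bots are not covered here.
        return "no Zotob match (not proof of a clean host)"
    top = [variant for points, variant, _ in ranked if points == ranked[0][0]]
    return top[0] if len(top) == 1 else "ambiguous: " + ", ".join(top)

# Constructed observation: one file from the system directory and two TCP ports in use.
SAMPLE_FILES = {"WINDRG32.EXE": 73728}
SAMPLE_PORTS = {445, 6667}
print(verdict(SAMPLE_FILES, SAMPLE_PORTS))
```

An "ambiguous" result means the evidence gathered so far fits more than one variant; the file size is the quickest tie-breaker in the table above.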




Update: Symantec has now updated its removal tool to include removal for all of the current versions of the Zotob virus. You can find it on Symantec's web site at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.removal.tool.html


Why our Infocon is green


(Jim Clausing for Deb who is in a meeting) We've gotten some e-mail asking why, with all the apparent outbreaks of worms, our Infocon remains at green. The answer is pretty simple. We first suggested in the diary that these exploits would probably turn into worms (and warned users/administrators to patch now) on Friday. We raised Infocon to yellow Saturday morning (UTC) because we thought it likely that the worms would show up over the weekend. We were right. They first showed up Sunday morning. Frankly, the Infocon was raised when there was still a chance to do something about the situation. We lowered it back to green Tuesday morning (UTC) when the scanning effectively became part of the normal background noise on the internet. Our stance has always been we raise Infocon to get the attention of the community and we leave it there the shortest time possible. Unfortunately, there have been some high profile cases of organizations that didn't or couldn't patch in a timely fashion so it suddenly became a big story in the mainstream media yesterday. While this is regrettable, as one of the other handlers stated in e-mail, "Close the barn door, that horse ran out last week."




Deb Hale


Handler on Duty