Worms, Part 3
Sunday, April 22, 2007
So...looks like Mr. Rinbot has decided to release a new version of the beastie through computers already infected with the recent Rinbot.BC variant. Symantec is supposedly detecting this one as Rinbot.BF, though the variant mentioned in the write-up is NOT the same as the recent nasty, which runs from a file named "norantivirus.exe" in the Windows\System32 directory.
File name: norantivirus.exe
File size: 252416 bytes
MD5: e0fd62d3d4c0258547690524563d8419
SHA1: a63f017a3ab3405465ba90ba5377f30674aedbd3
Packers: EXECryptor
Antivirus | Version | Last Update | Result
AhnLab-V3 | 2007.4.21.0 | 04.20.2007 | no virus found
AntiVir | 7.3.1.53 | 04.22.2007 | BDS/VanBot.CN
Authentium | 4.93.8 | 04.20.2007 | no virus found
Avast | 4.7.981.0 | 04.21.2007 | no virus found
AVG | 7.5.0.464 | 04.22.2007 | Win32/CryptExe
BitDefender | 7.2 | 04.22.2007 | no virus found
CAT-QuickHeal | 9.00 | 04.21.2007 | Backdoor.VanBot.cn
ClamAV | devel-20070416 | 04.23.2007 | no virus found
DrWeb | 4.33 | 04.22.2007 | BackDoor.IRC.Sdbot.1323
eSafe | 7.0.15.0 | 04.22.2007 | Win32.VanBot.cn
eTrust-Vet | 30.7.3585 | 04.21.2007 | Win32/Nirbot.AZ
Ewido | 4.0 | 04.22.2007 | Backdoor.VanBot.cn
FileAdvisor | 1 | 04.23.2007 | no virus found
Fortinet | 2.85.0.0 | 04.23.2007 | W32/VanBot.BX!worm
F-Prot | 4.3.2.48 | 04.20.2007 | no virus found
F-Secure | 6.70.13030.0 | 04.23.2007 | Backdoor.Win32.VanBot.cn
Ikarus | T3.1.1.5 | 04.23.2007 | Backdoor.Win32.VanBot.cn
Kaspersky | 4.0.2.24 | 04.23.2007 | Backdoor.Win32.VanBot.cn
McAfee | 5014 | 04.20.2007 | W32/Nirbot.worm.gen
Microsoft | 1.2405 | 04.23.2007 | no virus found
NOD32v2 | 2210 | 04.22.2007 | no virus found
Norman | 5.80.02 | 04.21.2007 | W32/Malware.PXQ
Panda | 9.0.0.4 | 04.22.2007 | no virus found
Prevx1 | V2 | 04.23.2007 | Malware.Trojan.Backdoor.Gen
Sophos | 4.16.0 | 04.20.2007 | W32/ExDns-Fam
Sunbelt | 2.2.907.0 | 04.19.2007 | no virus found
Symantec | 10 | 04.23.2007 | W32.Rinbot.BF
TheHacker | 6.1.6.095 | 04.15.2007 | no virus found
VBA32 | 3.11.4 | 04.21.2007 | no virus found
VirusBuster | 4.3.7:9 | 04.22.2007 | no virus found
Webwasher-Gateway | 6.0.1 | 04.23.2007 | Trojan.VanBot.CN
In addition, it was found active on a system running a vulnerable version of Symantec Client Security, but with NEW definitions loaded -- it was not detected upon a manual scan, either. Strange. Many of the vulnerable systems have already been exploited, cleaned, and patched with the BC run, though, so this one may have a harder time of things. Until there's a new 0-day to target, and there remains one dormant backdoored system on the network...
If nothing else, this is a reminder that a backdoor on a system is not just a risk for the user -- it's a backdoor into an entire network, and, conceivably, any and every computer on it.
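The scan tables above are the kind of thing worth summarizing rather than eyeballing. As an added example (not code from the original post), here is a small parser for the "Engine | Version | Update | Result" rows shown above; it reports the detection ratio and collapses the vendors' differing labels (VanBot, Nirbot, Rinbot, Sdbot) into rough family names so you can see which engines agree. The sample rows are an excerpt of the post's table plus one constructed row with sloppy spacing.

```python
"""Summarize a flattened VirusTotal-style scan table.
Added example, not code from the original post: parses 'Engine | Version
| Update | Result' rows, reports the detection ratio, and normalizes
vendor labels to a rough family name.
"""
import re
from collections import Counter
# Excerpt of rows from the post's norantivirus.exe scan, plus one
# constructed row with odd spacing to exercise the parser.
SAMPLE_ROWS = """\
AhnLab-V3 | 2007.4.21.0 | 04.20.2007 | no virus found |
AntiVir | 7.3.1.53 | 04.22.2007 | BDS/VanBot.CN |
AVG | 7.5.0.464 | 04.22.2007 | Win32/CryptExe |
DrWeb | 4.33 | 04.22.2007 | BackDoor.IRC.Sdbot.1323 |
Kaspersky | 4.0.2.24 | 04.23.2007 | Backdoor.Win32.VanBot.cn |
Symantec | 10 | 04.23.2007 | W32.Rinbot.BF |
  Microsoft |1.2405|  04.23.2007 |no virus found
"""

NO_DETECTION = {"no virus found", "found nothing", "", "-"}
# Platform/class/variant tokens that carry no family information.
GENERIC = {"w32", "win32", "bds", "backdoor", "trojan", "irc", "worm",
           "gen", "fam", "malware", "heur", "crypted"}

def parse_rows(text):
    """Return (engine, version, update, result) tuples; skip bad lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows

def family(label):
    """Best-effort family token from a vendor label, or None if generic."""
    for tok in re.split(r"[./!\-]", label):
        if (tok.lower() not in GENERIC and not tok.isdigit()
                and len(tok) > 3 and not tok.isupper()):
            return tok
    return None

def summarize(rows):
    """Detection count/total and a Counter of inferred family names."""
    hits = [r for r in rows if r[3].lower() not in NO_DETECTION]
    fams = Counter(f for f in (family(r[3]) for r in hits) if f)
    return {"detected": len(hits), "total": len(rows), "families": fams}

if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    print(f"{s['detected']}/{s['total']} engines flagged the file")
    print("family labels:", dict(s["families"]))
```

Run against the full table above it gives 17/31, which is the number to track from one variant to the next rather than any single vendor's verdict.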
- David
posted by David @ 7:23 PM
Worm Update #2
Tuesday, April 17, 2007
Symantec has added a new designation for the Rinbot described earlier, W32.Rinbot.BC. They also say that, "Virus definitions dated April 16, 2007 or earlier may detect this threat as W32.Rinbot.A", which is utter crap -- as of the outbreak yesterday, their signatures didn't detect it as anything. After some newer releases arrived in the afternoon, suddenly it was recognized as Rinbot.A, and only now as the new variant.
The bottom line? Signature-based scanners are losing their effectiveness, and fast.
- David
posted by David @ 11:30 AM
Worms Update
Monday, April 16, 2007
Looks like I got my however many bits of fame, as this Bot is actively exploiting the Windows DNS Server RPC Vulnerability, and my submission got a mention over at the SANS ISC Handler's Diary:
http://isc.sans.org/diary.html?storyid=2643
You saw it here first, folks. ;) The benefits of doing this stuff on the front lines...
- David
Labels: worm
posted by David @ 3:23 PM
When Worms Attack...
We're experiencing what can only be described as a Red-Alert day on the University network. We are seeing:
1) A Friday outbreak of the Peacomm / Nuwar / Storm Worm, which was contained and cleaned with some groans but not too much trouble.
2) A new outbreak of RinBot / DelBot, exploiting the Remote Buffer Overrun in outdated versions of Symantec AV. Though Symantec is responding to submissions with a link to Rinbot.A, this NEW variant (and believe me, it is a new variant) is not currently flagged by Symantec, and the associated files have little to no detection on VirusTotal / Jotti. In fact, the main Bot EXE is currently detected by NO ONE on Jotti, even using heuristics.
Files associated with the new RinBot outbreak:
mdnex.exe / U.exe
MD5: C1A6A22B2415BA608FB894B4E036E19C
199,680 bytes
Scanner | Result
AntiVir | Found HEUR/Crypted
ArcaVir | Found nothing
Avast | Found nothing
AVG Antivirus | Found Win32/CryptExe
BitDefender | Found nothing
ClamAV | Found nothing
Dr.Web | Found BackDoor.IRC.Sdbot.1299
F-Prot Antivirus | Found nothing
F-Secure Anti-Virus | Found nothing
Fortinet | Found nothing
Kaspersky Anti-Virus | Found nothing
NOD32 | Found nothing
Norman Virus Control | Found nothing
Panda Antivirus | Found nothing
Rising Antivirus | Found nothing
VirusBuster | Found nothing
VBA32 | Found nothing
radi.exe
MD5: 06A57B1BB9DEFC0405B5E475F03FE99A
1,035 bytes / 4,096 on disk
Scanner | Result
AntiVir | Found nothing
ArcaVir | Found nothing
Avast | Found nothing
AVG Antivirus | Found nothing
BitDefender | Found nothing
ClamAV | Found nothing
Dr.Web | Found nothing
F-Prot Antivirus | Found nothing
F-Secure Anti-Virus | Found nothing
Fortinet | Found nothing
Kaspersky Anti-Virus | Found nothing
NOD32 | Found nothing
Norman Virus Control | Found nothing
Panda Antivirus | Found nothing
Rising Antivirus | Found nothing
VirusBuster | Found nothing
VBA32 | Found nothing
This is nasty, folks...RinBot is nothing to sneeze at. Anyone in a government / academic setting who runs Symantec Client Security or Corporate Edition, check your versions!
- David
Labels: worm
posted by David @ 11:30 AM
Worms making the Rounds
Friday, April 13, 2007
Well, looks like the latest spamming of the Storm Worm / Nuwar / Peacomm worm managed to trick quite a few folks -- our University has been experiencing a minor outbreak among computer users who just can't remember that unsolicited EXEs, even in password-protected ZIP files, are a bad, bad thing...
Add to that another computer I'm working on that was hit with a fresh copy of Delbot / Rinbot today, and we're having fun in IT...I can't imagine what a day like today would be like, should someone release something with as much staying power as Storm Worm (and old favorites like Bagle and Mydoom before it) and, say, a 0-Day 'sploit. Swell.
(To be honest, I get excited in a nerdy sort of way during worm outbreaks. I'm hard-coded to go into Network Security, I swear...)
- David
Labels: worm
posted by David @ 11:58 AM
ANI Patch Problems?
Wednesday, April 04, 2007
SANS ISC has a brief notice about some problems with the now-famous ANI patch. One, with Realtek drivers, is confirmed and has its own patch provided by Microsoft. Anyone with other problems is urged to call Microsoft Product Support Services at 1-866-PCSAFETY (which opens at 6am Pacific time).
I installed the patch on my XP lappy yesterday without a hitch. Updating my Vista Enterprise system this morning, however, managed to disassociate my account from its Users directory, creating a TEMP directory at each logon instead. Needless to say, that's a problem. Thankfully, a quick System Restore fixed it. The folks at the ISC said that they haven't received any other complaints with the same issue. Anyone?
- David
Labels: patch, update issues
posted by David @ 4:34 AM
Silly Spammer...
Tuesday, April 03, 2007
Looks like someone needs to work on their l33t h4x0r skills...I received a spam e-mail to a class listserve with a link to a PNG file hosted at ImageShack. Assuming it to be malicious (as it probably is/was), I WGET'ed it, CURLed it, and did my best to try and get it, even Sandboxing my browser and just visiting the link with NoScript denying globally (yes, I was that frustrated). Then I looked at the link:
hxxp://[REMOVED]imageshack.us/my.php?image=w7xp5.png
The guy didn't send the web address -- he spammed the link from his own logged-in session on the site. Meaning, sans cookie or hidden fields in the site's HTML, there's no session data, nothing to point to his file uniquely, and just a redirect to the main page. Oops.
(And I was all excited to dissect some malware, too...)
- David
Labels: sheer stupidity, spam
posted by David @ 11:39 AM
Microsoft Releases Out-of-Cycle Patch
KB 925902 was just released to patch the previously-mentioned ANI exploit. Kudos to M$ for releasing this patch out-of-cycle before the crackers got a chance to exploit it further.
- David
UPDATE: As expected, the InfoCon is back to GREEN.
Labels: exploit, microsoft, patch
posted by David @ 11:31 AM
InfoCon: YELLOW
Monday, April 02, 2007
The SANS ISC InfoCon (if you aren't familiar with it, think of it as a "Terror Alert Status" for the web...oh, and it actually changes and relates to actual events, so they're not necessarily synonymous...), has been changed to YELLOW on account of exploitation of the new ANI vulnerability that entered the scene on Friday. Using a specially-crafted animated cursor, an attacker can use e-mail, web, or Windows Explorer to execute arbitrary code. In addition, a worm has been making the rounds that exploits the vulnerability (more here and here). You can find the original CERT advisory here, as well as a list of affected mail clients and their respective vulnerability levels from the ISC here. ISC's description of YELLOW status is:
We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.
Seems that this 'sploit is worrisome enough that Microsoft will be releasing an out-of-cycle patch for it come tomorrow (Tuesday). If that's the case, expect a return to Green soon thereafter, save for the poor sots who don't have Automatic Updates, or at least notification thereof, on and configured. However, until then, it's essential to continue with best practices, including NOT VISITING SPAMMED LINKS (c'mon, folks!), keeping your AV active and up-to-date, and, if you're that concerned, consider implementing the Zeroday Emergency Response Team's (ZERT) unofficial patch, with the caveat that it's just that: unofficial. Use at your own risk.
An interesting look at creating a 0-Day signature for the attack is available over at Errata Security.
Hunker down for the day, take care while visiting your daily spams for deals on vIaGgr@ and C!@li$$, and turn back on and update your AV that's been gathering dust in the taskbar. You won't be sorry. (Though, if that was the case, you may already be in a world of hurt...)
- David
posted by David @ 11:45 AM