Mal...where?

Fighting the Global War on Malicious Code

Worms, Part 3

So...looks like Mr. Rinbot has decided to release a new version of the beastie through computers already infected with the recent Rinbot.BC variant. Symantec is supposedly detecting this one as Rinbot.BF, though the variant mentioned in the write-up is NOT the same as the recent nasty, which runs from a file named "norantivirus.exe" in the Windows\System32 directory.

File name: norantivirus.exe
File size: 252416 bytes
MD5: e0fd62d3d4c0258547690524563d8419
SHA1: a63f017a3ab3405465ba90ba5377f30674aedbd3
Packer: EXECryptor

Scan results (engine, version, signature date, result):

Engine             Version         Date        Result
AhnLab-V3          2007.4.21.0     04.20.2007  no virus found
AntiVir            7.3.1.53        04.22.2007  BDS/VanBot.CN
Authentium         4.93.8          04.20.2007  no virus found
Avast              4.7.981.0       04.21.2007  no virus found
AVG                7.5.0.464       04.22.2007  Win32/CryptExe
BitDefender        7.2             04.22.2007  no virus found
CAT-QuickHeal      9.00            04.21.2007  Backdoor.VanBot.cn
ClamAV             devel-20070416  04.23.2007  no virus found
DrWeb              4.33            04.22.2007  BackDoor.IRC.Sdbot.1323
eSafe              7.0.15.0        04.22.2007  Win32.VanBot.cn
eTrust-Vet         30.7.3585       04.21.2007  Win32/Nirbot.AZ
Ewido              4.0             04.22.2007  Backdoor.VanBot.cn
FileAdvisor        1               04.23.2007  no virus found
Fortinet           2.85.0.0        04.23.2007  W32/VanBot.BX!worm
F-Prot             4.3.2.48        04.20.2007  no virus found
F-Secure           6.70.13030.0    04.23.2007  Backdoor.Win32.VanBot.cn
Ikarus             T3.1.1.5        04.23.2007  Backdoor.Win32.VanBot.cn
Kaspersky          4.0.2.24        04.23.2007  Backdoor.Win32.VanBot.cn
McAfee             5014            04.20.2007  W32/Nirbot.worm.gen
Microsoft          1.2405          04.23.2007  no virus found
NOD32v2            2210            04.22.2007  no virus found
Norman             5.80.02         04.21.2007  W32/Malware.PXQ
Panda              9.0.0.4         04.22.2007  no virus found
Prevx1             V2              04.23.2007  Malware.Trojan.Backdoor.Gen
Sophos             4.16.0          04.20.2007  W32/ExDns-Fam
Sunbelt            2.2.907.0       04.19.2007  no virus found
Symantec           10              04.23.2007  W32.Rinbot.BF
TheHacker          6.1.6.095       04.15.2007  no virus found
VBA32              3.11.4          04.21.2007  no virus found
VirusBuster        4.3.7:9         04.22.2007  no virus found
Webwasher-Gateway  6.0.1           04.23.2007  Trojan.VanBot.CN

In addition, it was found active on a system running a vulnerable version of Symantec Client Security, but with NEW definitions loaded -- it was not detected upon a manual scan, either. Strange. Many of the vulnerable systems have already been exploited, cleaned, and patched with the BC run, though, so this one may have a harder time of things. Until there's a new 0-day to target, and there remains one dormant backdoored system on the network...

If nothing else, this is a reminder that a backdoor on a system is not just a risk for the user -- it's a backdoor into an entire network, and, conceivably, any and every computer on it.

- David

posted by David @ 7:23 PM

Worm Update #2

Symantec has added a new designation for the Rinbot described earlier, W32.Rinbot.BC. They also say that, "Virus definitions dated April 16, 2007 or earlier may detect this threat as W32.Rinbot.A", which is utter crap -- as of the outbreak yesterday, their signatures didn't detect it as anything. After some newer releases arrived in the afternoon, suddenly it was recognized as Rinbot.A, and only now as the new variant.

The bottom line? Signature-based scanners are losing their effectiveness, and fast.

- David

posted by David @ 11:30 AM

Worms Update

Looks like I got my however many bits of fame, as this Bot is actively exploiting the Windows DNS Server RPC Vulnerability, and my submission got a mention over at the SANS ISC Handler's Diary:

http://isc.sans.org/diary.html?storyid=2643

You saw it here first, folks. ;) The benefits of doing this stuff on the front lines...

- David

posted by David @ 3:23 PM

When Worms Attack...

We're experiencing what can only be described as a Red-Alert day on the University network. We are seeing:

1) A Friday outbreak of the Peacomm / Nuwar / Storm Worm, which was contained and cleaned with some groans but not too much trouble.

2) A new outbreak of RinBot / DelBot, exploiting the Remote Buffer Overrun in outdated versions of Symantec AV. Though Symantec is responding to submissions with a link to Rinbot.A, this NEW variant (and believe me, it is a new variant) is not currently flagged by Symantec, and the associated files have little to no detection on VirusTotal / Jotti. In fact, the main Bot EXE is currently detected by NO ONE on Jotti, even using heuristics.

Files associated with the new RinBot outbreak:

mdnex.exe / U.exe
MD5: C1A6A22B2415BA608FB894B4E036E19C
199,680 bytes

AntiVir: Found HEUR/Crypted
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Win32/CryptExe
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found BackDoor.IRC.Sdbot.1299
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

radi.exe
MD5: 06A57B1BB9DEFC0405B5E475F03FE99A
1,035 bytes / 4,096 on disk

AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

This is nasty, folks...RinBot is nothing to sneeze at. Anyone in a government / academic setting who runs Symantec Client Security or Corporate Edition, check your versions!

- David

posted by David @ 11:30 AM

Worms making the Rounds

Well, looks like the latest spamming of the Storm Worm / Nuwar / Peacomm worm managed to trick quite a few folks -- our University has been experiencing a minor outbreak among computer users who just can't remember that unsolicited EXEs, even in password-protected ZIP files, are a bad, bad thing...

Add to that another computer I'm working on that was hit with a fresh copy of Delbot / Rinbot today, and we're having fun in IT...I can't imagine what a day like today would be like, should someone release something with as much staying power as Storm Worm (and old favorites like Bagle and Mydoom before it) and, say, a 0-Day 'sploit. Swell.

(To be honest, I get excited in a nerdy sort of way during worm outbreaks. I'm hard-coded to go into Network Security, I swear...)

- David

posted by David @ 11:58 AM

ANI Patch Problems?

SANS ISC has a brief notice about some problems with the now-famous ANI patch. One, with Realtek drivers, is confirmed and has its own patch provided by Microsoft. Anyone with other problems is urged to call Microsoft Product Support Services at 1-866-PCSAFETY (which opens at 6am Pacific time).

I installed the patch on my XP lappy yesterday without a hitch. Updating my Vista Enterprise system this morning, however, managed to disassociate my account from its Users directory, creating a TEMP directory at each logon instead. Needless to say, that's a problem. Thankfully, a quick System Restore fixed it. The folks at the ISC said that they haven't received any other complaints with the same issue. Anyone?

- David

posted by David @ 4:34 AM

Silly Spammer...

Looks like someone needs to work on their l33t h4x0r skills...I received a spam e-mail to a class listserv with a link to a PNG file hosted at ImageShack. Assuming it to be malicious (as it probably is/was), I WGET'ed it, CURLed it, and did my best to try and get it, even sandboxing my browser and just visiting the link with NoScript denying globally (yes, I was that frustrated). Then I looked at the link:

hxxp://[REMOVED]imageshack.us/my.php?image=w7xp5.png

The guy didn't send the web address -- he spammed the link from his own logged-in session on the site. Meaning, sans cookie or hidden fields in the site's HTML, there's no session data, nothing to point to his file uniquely, and just a redirect to the main page. Oops.

(And I was all excited to dissect some malware, too...)

- David

posted by David @ 11:39 AM

Microsoft Releases Out-of-Cycle Patch

KB 925902 was just released to patch the previously-mentioned ANI exploit. Kudos to M$ for releasing this patch out-of-cycle before the crackers got a chance to exploit it further.

- David

UPDATE: As expected, the InfoCon is back to GREEN.

posted by David @ 11:31 AM

InfoCon: YELLOW


The SANS ISC InfoCon (if you aren't familiar with it, think of it as a "Terror Alert Status" for the web...oh, and it actually changes and relates to actual events, so they're not necessarily synonymous...), has been changed to YELLOW on account of exploitation of the new ANI vulnerability that entered the scene on Friday. Using a specially-crafted animated cursor, an attacker can use e-mail, web, or Windows Explorer to execute arbitrary code. In addition, a worm has been making the rounds that exploits the vulnerability (more here and here). You can find the original CERT advisory here, as well as a list of affected mail clients and their respective vulnerability levels from the ISC here. ISC's description of YELLOW status is:

We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.

Seems that this 'sploit is worrisome enough that Microsoft will be releasing an out-of-cycle patch for it come tomorrow (Tuesday). If that's the case, expect a return to Green soon thereafter, save for the poor sots who don't have Automatic Updates, or at least notification thereof, on and configured. However, until then, it's essential to continue with best practices, including NOT VISITING SPAMMED LINKS (c'mon, folks!), keeping your AV active and up-to-date, and, if you're that concerned, consider implementing the Zeroday Emergency Response Team's (ZERT) unofficial patch, with the caveat that it's just that: unofficial. Use at your own risk.

An interesting look at creating a 0-Day signature for the attack is available over at Errata Security.
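
As an added example (not from the post, nor from the ISC or Errata Security write-ups it links), the check below walks the RIFF chunk structure of an animated cursor and flags any anih chunk whose declared length is not the 36-byte ANIHEADER size, which is the malformed-input condition a file-level signature for this bug keys on. The sample files are constructed inline, and the function names are my own.

```python
import struct

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): the fixed header an anih chunk must carry


def iter_chunks(data, start, end):
    """Yield (fourcc, offset, declared_size, payload) for each RIFF chunk in
    data[start:end], descending into RIFF/LIST containers. Declared sizes are
    taken at face value so over-long chunks are reported, not silently clipped."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        if fourcc in (b"RIFF", b"LIST"):
            # container: 4-byte form type (e.g. ACON, fram) followed by nested chunks
            yield from iter_chunks(data, body + 4, min(body + size, end))
        else:
            yield fourcc, pos, size, data[body:body + size]
        pos = body + size + (size & 1)  # chunk bodies are padded to an even length


def suspicious_anih_chunks(data):
    """Return [(offset, declared_size), ...] for every anih chunk whose declared
    length is not 36 bytes. A well-formed cursor never has one; an oversized
    anih is the malformed input the ANI vulnerability depends on."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return []  # not an animated cursor at all
    return [
        (off, size)
        for fourcc, off, size, _ in iter_chunks(data, 0, len(data))
        if fourcc == b"anih" and size != ANIH_EXPECTED_SIZE
    ]


def build_ani(anih_size):
    """Constructed test input (not a real cursor): a minimal RIFF/ACON file whose
    single anih chunk declares anih_size bytes of zero-filled header."""
    anih = b"anih" + struct.pack("<I", anih_size) + bytes(anih_size)
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for label, sample in (("well-formed", build_ani(36)), ("malformed", build_ani(40))):
        print(label, suspicious_anih_chunks(sample))  # -> [] and [(12, 40)]
```

Run it over a directory of .ani files (or a mail gateway's extracted attachments) and treat any non-empty result as a file to quarantine rather than open.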

Hunker down for the day, take care while visiting your daily spams for deals on vIaGgr@ and C!@li$$, and turn back on and update your AV that's been gathering dust in the taskbar. You won't be sorry. (Though, if that was the case, you may already be in a world of hurt...)

- David

posted by David @ 11:45 AM


About me

I'm David from Atlanta, Georgia, United States -- I'm a Computer Science undergrad at Emory University seeking to go into Network Security after grad school. More than that, I am a follower of Christ and a Christian, living the Journey and learning from others who are doing the same. My family and home rest in Fredericksburg, VA.