NEWS FROM THE LAB - Thursday, January 19, 2006

Feebs: perfect (anti)social engineering? Posted by Jarkko @ 11:25 GMT

We saw the first versions of the Feebs worm a couple of weeks ago. Feebs spreads itself in HTA (HTML application) scripts, which it regenerates every time it sends them out. The script itself contains the worm binary, or in some cases it downloads the worm from other locations. This way Feebs can send highly variable HTA scripts that may download new Feebs variants from the web. While this is quite a rare approach for a mass-mailing worm, Feebs also has, in addition to its built-in SMTP engine, another quite unusual e-mail spreading technique up its sleeve.

While we were checking the rootkit features of Feebs (yes, among other things, Feebs can also hide itself using rootkit techniques), we saw a weird hook in the Windows socket library.

When an application on an infected system sends data to the network, Feebs makes some extra checks. If it detects traffic to port 25 (the default SMTP port) that looks like an e-mail with a MIME attachment, it generates the HTA script and injects it into the e-mail as an extra attachment! This is not a very efficient spreading mechanism measured in volume, but in some cases it can produce quite legitimate-looking e-mails. Feebs doesn't have to use social engineering in its messages; it just sits in memory, waits for the user to send messages and silently inserts itself into them.
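Because the injected attachment rides on a message the user genuinely wrote, sender reputation and subject-line heuristics do not help; what a mail gateway or host agent can do is inspect every outbound MIME message for an HTA part before it leaves. The check below is an added illustration for this post, not code from the original article or from F-Secure. It assumes the gateway can hand over the raw bytes of each outbound message; the sample message, sender and recipient addresses and attachment contents are all constructed here for the demonstration.

```python
"""Flag outbound MIME messages that carry an HTA attachment.

Added illustration for the Feebs write-up; not code from the original post.
Assumes a mail gateway or host agent can hand us each outbound message as bytes.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment names and MIME types that a legitimate user mail almost never carries.
SUSPICIOUS_EXTENSIONS = (".hta",)
SUSPICIOUS_TYPES = {"application/hta"}
# Marker that an HTA body declares about itself, whatever the part is named.
HTA_MARKER = b"<HTA:APPLICATION"


def find_hta_attachments(raw_message: bytes) -> list:
    """Return (filename, content_type, reason) for every attachment that looks like an HTA."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    # iter_attachments() skips the message body parts and yields only the attachments,
    # which is exactly where Feebs plants its extra part.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type().lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(SUSPICIOUS_EXTENSIONS):
            findings.append((name, ctype, "hta extension"))
        elif ctype in SUSPICIOUS_TYPES:
            findings.append((name, ctype, "hta content type"))
        elif HTA_MARKER in payload.upper():
            findings.append((name, ctype, "hta marker in body"))
    return findings


def build_sample_message(inject_hta: bool) -> bytes:
    """Constructed sample: an ordinary report mail, optionally with extra HTA parts appended."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"      # constructed address
    msg["To"] = "bob@example.test"          # constructed address
    msg["Subject"] = "Q4 report"
    msg.set_content("Hi Bob, report attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    if inject_hta:
        # One part hides behind a harmless-looking name but still declares itself an HTA,
        # the other is plainly named .hta; the scanner must catch both.
        msg.add_attachment(b"<html><HEAD><HTA:APPLICATION ID='x'></HEAD></html>",
                           maintype="text", subtype="html", filename="photo.htm")
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename="greetings.hta")
    return bytes(msg)


if __name__ == "__main__":
    for injected in (False, True):
        hits = find_hta_attachments(build_sample_message(injected))
        print(f"injected={injected}: {hits}")
```

The three tests are deliberately independent: a renamed file fails the extension check but not the body-marker check, and a correctly labelled `application/hta` part is caught even if its name and body were mangled. In practice the cheapest place to run this is the outbound SMTP relay, since the infected host's own view of the message is exactly what the hook has already altered.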

[Screenshot: BlackLight detecting Feebs]

While it is rare, the spreading technique is not unique. The Ska worm used a similar spreading method as far back as 1999!