Here are links to two interesting virus-related papers released recently:
http://www.dtc.umn.edu/weis2004/weaver.pdf "A worst case worm", by Nicholas Weaver and Vern Paxson (and Stuart Staniford) - these are some of the most respected researchers on worm spreading theory.
In this paper they speculate that a worst-case worm could cause $50 billion or more in damage by attacking Microsoft Windows systems and carrying a destructive payload.
http://policy.gmu.edu/imp/research/Microsoft_Threat.pdf "Is Microsoft a threat to National Security? The effect of technology monocultures on critical infrastructure", by Gorman, Kulkarni, Schintler and Stough at George Mason University.
To balance the previous paper, this research shows that while Windows worms can be really expensive, they don't necessarily take down the world.
The Korgo network worm keeps spreading actively, and it's aggressively stealing user information from infected machines. It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords). It also logs everything the user types to any web form - this will collect lots of credit card numbers, passwords etc.
If you've been infected by Korgo, change your passwords and cancel your credit cards. Especially the ones you've used during the last week. This is not a joke.
One more bust. This time it's Mr. Wang An-ping, who was arrested in Kaohsiung, Taiwan.
Mr. Wang is being charged with writing and distributing the Peep backdoor. Peep is a remote access trojan, similar to Netbus and Back Orifice. It consists of client and server parts.
The client part is graphical, and operates in Chinese:
So over the last three weeks we have:
- Several arrests in Germany on Sasser
- Several arrests in Germany on Agobot
- One arrest in Canada on Randex
- One arrest in Taiwan, on Peep
...and we are aware of at least one virus investigation against an active virus group.
Heck, if things continue at this pace, we can soon retire.
According to the China Post Magazine, "Wang, a bachelor, said he spent most of his free time on designing software programs and surfing the Internet. He had intended to sell the 'Peep' system but couldn't find a buyer."
Wang, who is 30 years old, was arrested last week by CIB, The Taiwan Criminal Investigation Bureau.
Good news. In addition to the recent Sasser arrests and the Agobot arrest in Germany, the Royal Canadian Mounted Police yesterday arrested a 16-year-old Canadian, charging him with creating the Randex worm family.
The suspect's name is not released under the Canadian Youth Criminal Justice Act.
This should be interesting, as Randex-generated proxy networks have been known to be resold to spammers for spamming purposes. This was proved in February by two c't researchers who went underground and actually purchased such networks.
Microsoft has released a thorough public document titled Solutions for Security - The Antivirus Defense-in-Depth Guide. This is a 90-page document detailing the current threats and background, how to deploy antivirus protection for corporate use and how to control virus outbreaks. It's a pretty good document (yeah, we helped review it).
The file is available for download from Microsoft Technet. I just can't figure out why a PDF file has to be installed before it can be viewed.
F-Secure Anti-Virus detects both Korgo worm variants with the latest (2004-05-24_02) updates. The worm variants are detected as 'Worm.Win32.Padobot' and 'Worm.Win32.Padobot.b'.
Yet another new worm using the LSASS vulnerability has been found...but this one doesn't seem to be spreading much. Known as "Korgo", this one tries to connect all infected hosts to IRC channels for remote control.
There are now four different versions of the Bobax worm. All of them are used by spammers and controlled through a handful of websites. Some of the variants now even do bandwidth testing to find the most useful machines for spammers to send their spam from.
Also, later variants in the family spread through the RPC DCOM hole (135/TCP) in addition to the LSASS hole (445/TCP) - and they fingerprint target systems through UPnP (5000/TCP).
We've received some reports of a new password stealer being spammed around the world. This one doesn't spread further, so it's not a virus. Once the user opens the attachment, a password stealer and a backdoor are installed on the system.
The emails look like this:
From: [random email address]
Subject: Important news about our soldiers in IRAQ!!!
To: [random email address]
Seven officers was lost today, follow the link to get the full story.
http://www.iraqbodycount.net/bodycount.htm
Attachment: IMPORTANT INFORMATION.ZIP
The mail links to website iraqbodycount.net, which has nothing to do with the whole case.
Turns out the Bobax worm also generates port 5000 traffic.
Unlike the SdtBot aka Kibuv worm (which is based on the SdBot family), Bobax does not try to infect machines through this port. It just uses it to fingerprint the target system.
Bobax is yet another spammer-related worm, creating networks of proxy machines that spam gangs can use to send unsolicited bulk email.
Right now we can't determine which of these two worms is generating more of the 5000/TCP traffic. Nevertheless, more than 400,000 IP addresses have been seen scanning for this port over the last few days.
Port 5000 traffic has risen considerably over the past 24 hours. This port is used by the Universal Plug and Play (UPnP) service of Windows 98, Windows Me and Windows XP.
We're not sure if all of this traffic can be attributed to a new worm known as Kibuv or StdBot, but this new worm does scan for several known vulnerabilities, including the UPnP hole and the Sasser FTP server hole.
We have seen increased numbers of Sober.G worm during the weekend. It sends emails in both German and English with varying content. The attachment is an executable or a zip archive.
We got a few reports about Sober.G spreading in the wild. After comparing samples taken from the worm's messages with the sample we had originally received and described, we found that our conclusion that Sober.G was an "intended" (a worm that fails to replicate) was incorrect.
This happened because the sample we originally got was taken from an infected computer's Windows System folder and not from an e-mail message. The Sober worm has a "feature" of modifying the executable file that it drops to the hard drive: it changes the byte at offset 0xA0 to 0x60 when its file is installed on a system. The file that the worm sends out in e-mail messages has this byte zeroed. So the sample we originally received did not install itself properly and did not create the MIME-encoded files used for spreading, because the worm "thought" it was already installed.
The worm's failure to install itself properly and create the files necessary for spreading drove us to the conclusion that it was an intended. We are sorry for the confusion. The description of the worm will be updated shortly.
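The lesson of the Sober.G mix-up is that where a sample came from (disk vs. mail) can change a single byte and with it the worm's behaviour. The following is an added example, not F-Secure code: it diffs two samples byte by byte and reads the install marker at offset 0xA0 described above. The sample bytes in it are constructed placeholders with an MZ header, not Sober code, and the "installed"/"mailed" classification assumes the two marker values given in the entry are the only ones the worm uses.

```python
"""Compare two malware samples byte by byte and read the Sober install marker.

Added example. Offset and values come from the entry above; the sample
bytes below are constructed placeholders, not Sober code.
"""

SOBER_MARKER_OFFSET = 0xA0    # byte the worm patches when it installs itself
SOBER_INSTALLED_VALUE = 0x60  # value written on install; mailed copies have 0x00


def diff_samples(a: bytes, b: bytes) -> list:
    """Return every (offset, byte_in_a, byte_in_b) where the samples differ.

    Positions past the end of the shorter sample are reported with None,
    so a length difference shows up instead of being silently ignored.
    """
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    for i in range(min(len(a), len(b)), max(len(a), len(b))):
        diffs.append((i, a[i] if i < len(a) else None, b[i] if i < len(b) else None))
    return diffs


def sober_g_state(sample: bytes) -> str:
    """Classify a Sober.G sample by its install marker."""
    if len(sample) <= SOBER_MARKER_OFFSET:
        return "too short"
    marker = sample[SOBER_MARKER_OFFSET]
    if marker == SOBER_INSTALLED_VALUE:
        return "installed copy"
    if marker == 0x00:
        return "mailed copy"
    return "unknown"


def same_worm_different_state(disk_sample: bytes, mail_sample: bytes) -> bool:
    """True when the only difference is the install marker: one worm, two states.

    Any other difference means the samples are not simply the same file before
    and after installation and should be treated as possibly distinct variants.
    """
    return diff_samples(disk_sample, mail_sample) == [
        (SOBER_MARKER_OFFSET, SOBER_INSTALLED_VALUE, 0x00)
    ]


# Constructed stand-ins: a 512-byte "file" with an MZ header, and the same
# file after the worm has patched its install marker. Not real Sober bytes.
MAILED_SAMPLE = bytes(b"MZ" + bytes(0x1FE))
_installed = bytearray(MAILED_SAMPLE)
_installed[SOBER_MARKER_OFFSET] = SOBER_INSTALLED_VALUE
INSTALLED_SAMPLE = bytes(_installed)

if __name__ == "__main__":
    for name, sample in (("mailed", MAILED_SAMPLE), ("installed", INSTALLED_SAMPLE)):
        print(f"{name}: {sober_g_state(sample)}")
    print("differences:",
          [(hex(o), a, b) for o, a, b in diff_samples(INSTALLED_SAMPLE, MAILED_SAMPLE)])
    print("same worm, different install state:",
          same_worm_different_state(INSTALLED_SAMPLE, MAILED_SAMPLE))
```

Run against a real disk copy and a real mailed copy, `same_worm_different_state` answers the question that was missed the first time: is this one worm in two states, or two different files? If the diff contains anything beyond the marker, the samples need separate analysis.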
As we have posted earlier, a vulnerability has been found in the Sasser worm's FTP server. A new worm that exploits the vulnerability appeared shortly after. Dabber spreads to computers which are already infected by the Sasser worm.
As a payload Dabber disables several different worms and installs a backdoor to the infected computer.
It is quite a surprise to see that the latest SDBot.MD backdoor we received kills 3 Sasser variants and installs KB835732 security patches for Windows 2000 and XP. However it still remains a backdoor because it allows remote access to an infected computer.
New SdBot variants were found in the wild today. They use different exploits, including the LSASS exploit (MS04-011), to spread to vulnerable computers. One of the side effects is that the infected computer reboots.
We received several reports of Wallon worm this evening (mostly from Europe). Wallon sends HTML emails that contain a link to a web site. In order to spoof the real web location, it uses the Yahoo redirection service.
The FTP server in the Sasser worm family has an apparent buffer overflow vulnerability. A small program has appeared on the Internet that exploits this vulnerability and opens a remote shell on TCP port 530 (by default).
The idea behind the exploit is unknown, considering that computers infected with the Sasser worm are most likely still vulnerable to MS04-011 anyway. On the other hand, exploiting a vulnerability in a virus is quite unusual.
We reported earlier that the first known case of Sasser.E was reported roughly 10 hours after the arrest of the author. After this several users have contacted us and reported seeing the worm even before that.
The arrest was done in Germany on Friday the 7th of May 2004 at 13:00 GMT (14:00 German time).
The earliest report of spotting Sasser.E we now know of was 3 hours and 45 minutes later, on Friday the 7th of May 2004 at 16:45 GMT (this was in east coast USA, with infection coming from Sweden).
However, since Sasser spreads really fast, there must be even earlier spottings...or Sasser.E was not released by the apprehended virus writer (Mr. "SJ").
We here at F-Secure viruslab were surprised by the development where it appears that the group behind Netsky, "SkyNet antivirus Team from Russia", turned out to be one guy from Germany.
Lets go back and look at some of the texts embedded inside Netsky variants:
Netsky.J: We want to destroy malware writers business, including MyDoom & Bagle. This is the last version of our antivirus. The source code is available soon.
Netsky.N: Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode. We have rewritten *N*e*t*S*k*y.Our group will continue the war. We are greeting all russia people!
Netsky.Q: We are the only SkyNet, we don't have any criminal inspirations. and we aren't children. Best regeards, the SkyNet Antivirus Team, Russia 05:11 P.M
Netsky.R: Netsky is Skynet, a good software, Good guys behind it. Thanks To all people in cz and russia.
Netsky.S: Thanks to russia, and thanks to CCC for support. 09:34 A.M, Russia
etc, etc...
So, if all Netsky variants really were coming from a single source, all the discussion about a "team" and the references to Russia and the Czech Republic were just left there as misdirection. Which is nothing new. However, in this case there was also other circumstantial evidence pointing towards several different authors.
Apparently the caught teenager is co-operating with the German police. Hopefully we will hear the full story behind the whole saga eventually.
The Sasser arrest has been big news, of course. However, there was another important arrest in Germany on Friday too: a 21-year-old unemployed man linked to creating Phatbot / Agobot (or variants) was apprehended as well. This was in Loerrach, Germany.
There seems to be no link between this guy and the Sasser author. Regardless of that, both arrests were synchronised to happen on Friday at 14:00 local time.
As reported here before, the source code of Phatbot has been floating around in the underground, so this arrest probably won't directly stop the flow of new variants. Indirectly it might have an effect, though. Hopefully the pressures among the virus writers are growing.
New variant of Sasser has been found, even after the author has been apprehended. The first known case of Sasser.E was reported roughly 10 hours after the arrest.
We believe Mr. "SJ" (who has confessed to writing all the Sasser and Netsky variants) had distributed this version shortly before his arrest. He has been released on bail, but this was only after first reports of this new variant were in.
The E variant does not appear to be a hack done by someone else. For one, it tries to remove the Bagle worm, unlike earlier Sassers but just like many Netsky variants.
This may also be related to the creator/s of NetSky, as messages in the latest version of this worm claimed Sasser was created by the same group responsible for NetSky.
NetSky worms had launched DDoS attacks against German and Swiss educational and medical sites.
TV Crew shooting home of the Sasser worm author (AFP)
It is now possible to statically link to our weblog articles. All the article titles in the archives have been changed to links which can be copied for linking.
More and more news on organizations that have been hit by Sasser is coming out.
According to the sources quoted below, there have been Sasser-related problems in organizations and companies all over the world, including:
- County hospital in Lund, Sweden (5000 computers and X-ray equipment offline)
- European Commission in Brussels (1200 machines offline)
- Coastguard in UK (19 regional offices offline)
- British Airways in UK (flights delayed)
- Westpac Bank in Australia (offices and call centers closed)
- Post Office systems in Taiwan (1600 machines offline, 400 offices affected)
- Heathrow airport in UK (computers at one terminal offline)
- Public courts in Cantabria, Spain
- Hong Kong government systems
- State hospital of Hong Kong
- Suntrust Bank in USA
- American Express in USA
- Nova University in USA
Microsoft's update server was slowed down on Monday and was even briefly offline as massive amounts of users tried to get the latest patches to protect against the worm, reports Netcraft.
Microsoft itself reports that almost four times more users are downloading security patches now than in autumn 2003. Which is great.
In a previous entry we mentioned the claim by the NetSky.AC authors that they had also created Sasser. As proof they pointed to the similarity of some common code, specifically the FTP function, between NetSky.V and Sasser.D.
We took a look into it, and came up with the following visual example. The following graphs represent the code of functions (Control Flow Graphs) in the worms' code. The text within the graph's nodes represent calls to other functions and references to text strings.
The following image shows the Install function in both Sasser.D and Netsky.V.
The following image shows the FTP function in both Sasser.D and Netsky.V. The main difference is that in NetSky.V this function is called once, while in Sasser.D it runs as a thread. Therefore it is invoked differently and the initialisation is not the same. However, after this code, most of the function is basically identical. (It can be seen more clearly in the PDF files, Sasser.D FTP function and NetSky.V FTP function.)
The Sasser disinfection tool has been updated to remove Sasser.D. The tool is available from the description page.
If the tool finds an active infection it implements a workaround to prevent the constant reboots that make patching really difficult.
One side effect of the Sasser worm's spreading is that it crashes LSASS.EXE, which forces Windows to reboot. This makes it rather difficult to fetch and install the required security patch.
A simple workaround can be implemented to prevent LSASS.EXE from crashing. The following file must be created with Read-Only attribute set:
%SystemRoot%\Debug\dcpromo.log
where %SystemRoot% is the Windows Directory (typically C:\WINDOWS or C:\WINNT).
Since the MS04-011 vulnerability is in the debug logging code, the vulnerable code path is not executed if the debug log file cannot be opened.
As said, the F-Sasser tool now creates this file automatically when run.
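To show the workaround as a checkable procedure rather than two typed commands, here is an added example that is not the F-Sasser tool and not Microsoft code. It creates the empty dcpromo.log, applies the read-only attribute, and verifies the attribute afterwards; the scratch-directory helper stands in for %SystemRoot% so the steps can be exercised anywhere. It assumes that the read-only attribute alone is what keeps LSASS from opening the file, as the entry above states.

```python
"""Create the read-only %SystemRoot%\\Debug\\dcpromo.log workaround and verify it.

Added example, not the F-Sasser tool. On a real machine the same thing is
two commands at a prompt; this version also checks the result.
"""
import os
import stat
import tempfile


def create_lsass_workaround(system_root: str) -> str:
    """Ensure <system_root>\\Debug\\dcpromo.log exists and is read-only.

    Idempotent: an existing file is kept (its contents are irrelevant), only
    the read-only attribute is applied. Returns the file's path.
    """
    debug_dir = os.path.join(system_root, "Debug")
    os.makedirs(debug_dir, exist_ok=True)
    log_path = os.path.join(debug_dir, "dcpromo.log")
    if not os.path.exists(log_path):
        # An empty file is enough: the point is that LSASS cannot open it for writing.
        with open(log_path, "wb"):
            pass
    # On Windows os.chmod only sets or clears the read-only attribute, and
    # S_IREAD alone sets it. On POSIX this is mode 0400, same effect here.
    os.chmod(log_path, stat.S_IREAD)
    return log_path


def workaround_in_place(system_root: str) -> bool:
    """True if the file exists and carries no write permission bit."""
    log_path = os.path.join(system_root, "Debug", "dcpromo.log")
    if not os.path.isfile(log_path):
        return False
    mode = os.stat(log_path).st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def try_in_scratch_root() -> dict:
    """Apply and verify the workaround against a throwaway directory that
    stands in for %SystemRoot%, so the steps can be exercised on any system."""
    root = tempfile.mkdtemp(prefix="fake_systemroot_")
    before = workaround_in_place(root)
    path = create_lsass_workaround(root)
    after = workaround_in_place(root)
    # A second run must not fail on the now read-only file.
    create_lsass_workaround(root)
    return {"path": path, "before": before, "after": after,
            "still_ok": workaround_in_place(root)}


if __name__ == "__main__":
    root = os.environ.get("SystemRoot")
    if root:  # running on the affected Windows machine
        print(create_lsass_workaround(root), workaround_in_place(root))
    else:
        print(try_in_scratch_root())
```

Note that this only stops the crash loop; the machine is still unpatched and still exploitable through the same hole until MS04-011 is installed.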
Today it's been exactly four years since the outbreak of the Loveletter (aka ILOVEYOU) email worm. Together with the Melissa worm, Loveletter was among the first massive email virus outbreaks.
Back then email worms were a new concept and people were happily double-clicking on any attachments. In fact, many still are...anyway, this was way before any network worms (like Sasser) were found.
It's hard to figure out how much of the 445/TCP port traffic is created by the Sasser outbreak, as this is a pretty busy port always.
In any case, the number of computers scanning the net for this target port has risen over the last few days from half a million to over 1.2 million, according to this graph from www.incidents.org.
Another Sasser variant has been found, this one is known as Sasser.D. Main difference between Sasser.D and the earlier variants is that the main worm file is now named SKYNETAVE.EXE instead of AVSERVE.EXE or AVSERVE2.EXE.
Sasser.D is detected with our latest updates (2004-05-03_03), released two hours ago.
In August 2003, Blaster worm outbreak disrupted bank systems as well as air and train traffic.
This seems to be happening all over again. According to the sources quoted below, there have been Sasser-related problems in at least three large banks. RailCorp rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded - the CEO of the company is quoted as saying a virus might be the reason. Also, according to several sources, Delta Airlines had their planes grounded in the USA on Saturday for several hours because of a "computer glitch"...but this case has not been confirmed to be related to Sasser.
New variant of Netsky (Netsky.AC, the 29th variant) was found last night. Nothing new in there.
However, this variant contains this text embedded in the code, which we will be posting publicly although we normally don't do this:
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...
Contrary to what we said earlier in the weblog, there are functional differences between Sasser.C and the earlier Sasser variants: it starts up 1024 threads to scan for new vulnerable hosts instead of 128. This should make this variant spread faster. However, right now Sasser.B seems to be the biggest problem.
Also, Sasser.C was not based on the A variant but on the B variant, i.e. the filenames it uses are AVSERVE2.EXE and WIN2.LOG.
We've received some reports of large corporations being hit in their internal networks. Otherwise things are still relatively calm. The main assumption remains that Monday morning will decide how bad this is going to get. We've talked to several large companies, and most of them had successfully installed the needed Windows patches before this weekend. Good news.
In the meanwhile, a minor repacked variant of Sasser.A has been found. For now, we detect it as Sasser.A, but it will be renamed later to Sasser.C. There are no functional differences in this version.
Microsoft has posted an ActiveX scanning tool on their Sasser infopage, which you can use to easily check online if you're infected or not. Then again, if you are infected, you might not make it to that page before your machine is rebooted again.
If you find yourself infected, you can use our Free F-Sasser Tool to clean the worm from your machine. You also need to install the Windows patches to prevent you from getting reinfected.
Also, about the rebooting problem: Windows XP users with the constant rebooting problem might want to try the "shutdown -a" Command Prompt command to abort an active reboot countdown.
In other news, we've also sent out a public alert on the situation.
People will be starting their working day in Sydney in five hours from now...
The B variant was also found during yesterday. This is when we got the first reports of these variants:
- Sasser.A around 02:00 GMT on May 1st
- Sasser.B around 16:00 GMT on May 1st
Both are detected by current F-Secure Antivirus updates, but the most important thing right now is to get the latest patches from Microsoft.
Sasser.B is a minor variant of Sasser.A, with identical length and functionality. The binary image looks different and the dropped filename has been changed from AVSERVE.EXE to AVSERVE2.EXE. Also the logfile name is now WIN2.LOG instead of WIN.LOG.
You would expect a new automatic network worm like Sasser to hit even harder than it seems to be hitting right now. Of course, it's the weekend, but most infected machines would be home computers, many of which are always on and online.
Sasser could be compared to the Blaster/Lovsan outbreak last August in many ways. Both are automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to the newly infected host.
Also, both worms cause unpatched machines to start rebooting. With Sasser, users typically see something like this:
Blaster was a massive case, partly because the patch had been available for only 32 days before the outbreak started - and that was during the peak holiday season. With Sasser, the time between the patch and the worm was just 18 days.
But the bottom line is that although Sasser starts several threads which constantly scan random addresses with minimal time delay, we aren't seeing massive amounts of infections. Not yet anyway.
We now detect this worm with our latest updates (2004-05-01_01).
The vulnerability used by Sasser is a buffer overrun in the Windows Local Security Authority Subsystem Service (LSASS), and the worm will affect all machines that are:
- Running Windows XP or Windows 2000
- Not patched against this vulnerability
- Connected to the internet without a firewall
It scans random IP addresses, targeting TCP port 445.
After infection it opens a shell that listens on TCP port 9996.
The newly infected host then downloads the actual worm code through an FTP connection to TCP port 5554 on the attacking machine.
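The Sasser entries on this page give enough host-level indicators to script a quick triage: the shell listener on 9996/TCP, the worm's FTP server on 5554/TCP, a burst of half-open connections to 445/TCP from the scanning threads, and the dropped files AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE, WIN.LOG and WIN2.LOG. The following is an added example, not F-Secure's F-Sasser tool or any scanner from the page. It parses a `netstat -an` listing and a list of file paths; the listing and paths below are constructed for the demonstration (the page does not say where the worm drops its executable, so the %SystemRoot% location is an assumption), and the threshold of five simultaneous SYN_SENT connections to 445/TCP is a chosen heuristic, not a value from the page.

```python
"""Triage a Windows host for the Sasser indicators described on this page.

Added example. Indicators are the ones quoted in the entries above; the
netstat listing, file paths and the scan threshold are constructed here.
"""
import re
from collections import Counter

SASSER_EXES = {
    "avserve.exe": "Sasser.A",
    "avserve2.exe": "Sasser.B / Sasser.C",
    "skynetave.exe": "Sasser.D",
}
SASSER_LOGS = {"win.log", "win2.log"}
SASSER_PORTS = {9996: "command shell", 5554: "FTP server used to transfer the worm"}

# Matches the TCP lines of a Windows 'netstat -an' listing, e.g.
#   TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\w+)"
)


def parse_netstat(text):
    """Yield (local_port, remote_addr, remote_port, state) for each TCP line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        rport = m.group("rport")
        yield (int(m.group("lport")), m.group("raddr"),
               int(rport) if rport.isdigit() else None, m.group("state").upper())


def find_sasser_indicators(netstat_text, filenames, scan_threshold=5):
    """Return a list of human-readable findings; empty list means nothing matched."""
    findings = []
    listeners = {}
    scan_targets = Counter()
    for lport, raddr, rport, state in parse_netstat(netstat_text):
        if state == "LISTENING" and lport in SASSER_PORTS:
            listeners[lport] = SASSER_PORTS[lport]
        elif state == "SYN_SENT" and rport == 445:
            # Many half-open 445 connections to distinct hosts is the worm's
            # scanning threads at work; a normal workstation has few or none.
            scan_targets[raddr] += 1
    for port, role in sorted(listeners.items()):
        findings.append(f"listener on {port}/TCP: {role}")
    if len(scan_targets) >= scan_threshold:
        findings.append(f"{len(scan_targets)} half-open connections to 445/TCP: "
                        "scanning for LSASS targets")
    for name in filenames:
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SASSER_EXES:
            findings.append(f"{name}: dropped executable ({SASSER_EXES[base]})")
        elif base in SASSER_LOGS:
            findings.append(f"{name}: worm log file")
    return findings


# Constructed 'netstat -an' output from a hypothetical Sasser.B victim.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1041       10.7.3.19:445          SYN_SENT
  TCP    192.168.1.5:1042       81.20.55.2:445         SYN_SENT
  TCP    192.168.1.5:1043       203.11.9.77:445        SYN_SENT
  TCP    192.168.1.5:1044       61.9.140.3:445         SYN_SENT
  TCP    192.168.1.5:1045       172.16.44.8:445        SYN_SENT
  TCP    192.168.1.5:1046       10.0.0.9:445           SYN_SENT
  TCP    192.168.1.5:1080       192.168.1.1:80         ESTABLISHED
"""
# Constructed file list; the %SystemRoot% drop location is an assumption.
SAMPLE_FILES = [r"C:\WIN2.LOG", r"C:\WINDOWS\avserve2.exe", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for finding in find_sasser_indicators(SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

A host that only shows 445/TCP listening and no matching files comes back with an empty list; that is the expected result on a patched machine, and a reason to look at the firewall logs instead if it is still generating traffic.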
A new Internet worm, Sasser, is spreading through the LSASS vulnerability without user assistance. There is no detection yet, but one sign of infection seems to be the existence of a file named C:\WIN.LOG on the target system.
See the Microsoft Bulletin for more info on the vulnerability, and run Windows Update to patch your systems now.