Re: [Full-Disclosure] Which worm?



Hi,

I'm currently in the process of learning how to analyse worms ... here are some things I learned/guessed/newbied so far:

1) So far, the recent notorious port-scans/exploitation-attempts appear to come from AGOBOT variants. These are complex trojans acting as IRC bots. Look for descriptions of them at AV companies.

2) The easiest way to get a sample is to run netcat -l -p 3127 > sample. Port 3127 was the original MYDOOM backdoor port. You have to remove the first 5 bytes to get a working executable; I use vi for this. Many of the samples you get with netcat are broken - complete samples seem to have sizes > 99k, up to 150k, we're told. The largest one I got was 130k (may be a broken version of the 150k sample), many others are 104k. AV scanners will sometimes identify the broken samples, sometimes not. My heuristic is to look at the end of the file and see if there's a list of DLLs. If not, I consider it broken - does this make sense?

3) The samples are compressed using various EXE-compressing tools. You can learn about/download them at www.exetools.com. One sample I got (the 130k sample) has been compressed using exe32pack (writes this info into the executable), another one (99k) using UPX (has section names UPX0, UPX1 etc.). The next one (104k) is compressed using an unknown tool or a handwritten tool. The exe32pack-packed sample expands to over 400k, the UPX sample to roughly 300k of code. This is huge, for a worm.

These compressors often destroy information helpful for disassembling, with the notable exception of UPX. If you want an easy-to-disassemble sample I suggest you wait for the UPX version. You can recognise it by loading it into vi and looking for UPX0, or download upx.exe and run upx -t virussample. You decompress it using the -d switch.

Another question: Is there a quick way to find out which tool compressed an executable? A tool maybe?

4) When you have an unpacked version, you can go and look for the strings in the executable. The authors were helpful enough to include help texts. I have the theory that you should be able to get the host/channel/username/password for the relevant IRC-Channels from the executable or a network sniffer, log in using an IRC-Client and execute bot.die. Didn't try it, though.

=>>> Final question: Is there a forum for worm-disassembling wannabes? <<<=

Regards,
Wolfram

Maxime Ducharme wrote:

Same thing for me :)

Here are some dumps i got if someone would like
to study them :
http://maxon.homeip.net/3127dumps/
login : mydoom
pass : 3127

Archive pass : 3127dumps


If you do any analysis, please cc me, I'm interested.


Have a nice day

Maxime Ducharme, Programmer / Network security specialist

----- Original Message ----- From: "bob sagart" <bobsagart500@xxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Tuesday, April 13, 2004 10:22 PM
Subject: RE: [Full-Disclosure] Which worm?


Here's the capture file I got. I started sending this to individual people but I decided to send it to the whole list, so sorry if you're one of the ones that got it twice. The zip file password is: pass

From: "bob sagart" <bobsagart500@xxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Which worm?
Date: Tue, 13 Apr 2004 23:53:17 +1200
MIME-Version: 1.0

Hey everyone
The other night I decided to see what traffic I could capture on tcp port
3127 (MyDoom backdoor) since I have been getting a lot of connection
attempts showing up in my firewall logs.
I got several dumps of the traffic using
nc -l -p 3127 > out.dmp
most of them are around 10-20kB which I thought was about the right
size of most of the worms and backdoors using that port. But one of the
dumps I got was 150kB and I was just wondering if anyone could tell me
what it might be?
I cannot send it as an attachment as hotmail says it is a virus.
Thanks.

_________________________________________________________________
Check out news, entertainment and more @  http://xtra.co.nz/broadband

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

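Added worked example, not from any of the posters above: a Python script that does the triage Wolfram's reply describes on a dump captured with nc -l -p 3127. It strips the five-byte prefix, checks the MZ/PE signatures, reads the section table, applies the post's packer heuristics (UPX0/UPX1 section names, an exe32pack marker string) and the post's end-of-file DLL-name check, and additionally tests whether every section's raw data actually fits inside the dump, which is a more direct way to spot a capture that was cut short. Assumptions: the prefix is stripped blindly, as in the post; FAKE_PREFIX and the minimal PE images produced by build_pe() are constructed test data, not real MyDoom or Agobot samples; and matching the literal string "exe32pack" assumes the packer leaves its name in the file, as the post says.

```python
import struct

PREFIX_LEN = 5  # the reply says the first five bytes of a 3127 dump are not part of the PE

# Constructed placeholder for the five-byte backdoor prefix; NOT the real protocol bytes.
FAKE_PREFIX = b'\x00\x01\x02\x03\x04'


def parse_sections(data):
    """Return [(name, raw_ptr, raw_size), ...] from a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew, = struct.unpack_from('<I', data, 0x3c)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    nsec, = struct.unpack_from('<H', data, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from('<H', data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # section table follows the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError('section table truncated')
        name = data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace')
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from('<IIII', data, off + 8)
        out.append((name, raw_ptr, raw_size))
    return out


def guess_packer(data):
    """Heuristics from the post: UPX0/UPX1 section names, or an exe32pack marker in the file."""
    names = [n for n, _, _ in parse_sections(data)]
    if any(n.upper().startswith('UPX') for n in names):
        return 'UPX'
    if b'exe32pack' in data.lower():  # assumes the packer writes its name into the executable
        return 'exe32pack'
    return 'unknown'


def is_truncated(data):
    """True if any section claims raw data beyond the end of the dump (capture cut short)."""
    return any(ptr + size > len(data) for _, ptr, size in parse_sections(data))


def has_dll_list_at_end(data, tail=4096):
    """The post's own completeness heuristic: DLL names near the end of the file."""
    return b'.dll' in data[-tail:].lower()


def triage(dump):
    """Strip the prefix and report what the capture looks like."""
    exe = dump[PREFIX_LEN:]
    try:
        secs = parse_sections(exe)
    except ValueError as err:
        return {'valid_pe': False, 'error': str(err)}
    return {
        'valid_pe': True,
        'sections': [n for n, _, _ in secs],
        'packer': guess_packer(exe),
        'truncated': is_truncated(exe),
        'dll_list_at_end': has_dll_list_at_end(exe),
    }


def build_pe(section_names, bodies, align=512):
    """Constructed test data: a minimal PE32 image with the given sections (headers only, not runnable)."""
    n = len(section_names)
    opt_size = 224
    hdr_end = -(-(64 + 4 + 20 + opt_size + 40 * n) // align) * align
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 64)                       # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14c, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10b)                       # PE32 magic
    table, raw, ptr = b'', b'', hdr_end
    for name, body in zip(section_names, bodies):
        size = -(-len(body) // align) * align
        table += struct.pack('<8sIIIIIIHHI', name.encode(), len(body), ptr,
                             size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += body.ljust(size, b'\0')
        ptr += size
    image = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table
    return image.ljust(hdr_end, b'\0') + raw


# Constructed samples standing in for captured dumps.
SAMPLE_UPX = build_pe(['UPX0', 'UPX1', '.rsrc'],
                      [b'\0' * 600, b'\xcc' * 600,
                       b'\0' * 500 + b'KERNEL32.dll\0WSOCK32.dll\0'])
SAMPLE_EXE32PACK = build_pe(['.text', '.data'],
                            [b'\x90' * 600, b'Packed by exe32pack\0' + b'\0' * 500])

if __name__ == '__main__':
    for label, dump in [('upx', FAKE_PREFIX + SAMPLE_UPX),
                        ('exe32pack', FAKE_PREFIX + SAMPLE_EXE32PACK),
                        ('cut', FAKE_PREFIX + SAMPLE_UPX[:1800])]:
        print(label, triage(dump))
```

On a real capture, replace FAKE_PREFIX + SAMPLE_UPX with the bytes of the dump file; a result with valid_pe True but truncated True is the "broken sample" case from the reply, and the section list answers the "which packer" question for UPX without opening the file in vi.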