Slashdot Mirror


New Worm Installs Sniffer

fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T : More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users. The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."

46 of 491 comments

  1. If only the worm installed a Swiffer by Anonymous Coward · · Score: 5, Funny

    Then dust free computers for all!

  2. More technical details by Lord+Grey · · Score: 5, Informative
    Here is propagation information on the worm WORM_SDBOT.UH from Trend Micro (link pulled from the article):

    Network Propagation and Exploits

    This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:

    Microsoft Security Bulletin MS03-026

    It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:

    Microsoft Security Bulletin MS02-061

    This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server. The following link offers more information from Microsoft about this vulnerability:

    Microsoft Security Bulletin MS03-007

    It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:

    Microsoft Security Bulletin MS04-011
    This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists down the following shared folders, where it drops a copy of itself using the gathered information:
    • Admin$\system32
    • C$\windows\system32
    • C$\winnt\system32
    • Ipc$
    Trend Micro reports that the worm runs on Windows 95, 98, ME, NT, 2000, and XP. But notice that they report that the worm is not in the wild. So... where is it? Did they get a prerelease?
    --
    // Beyond Here Lie Dragons
    1. Re:More technical details by baadfood · · Score: 4, Funny

      Duh! They made it themselves of course!

  3. How much longer? by cbrocious · · Score: 5, Interesting

    How much longer before worms use their own TCP/IP stack? Wouldn't much surprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.

    --
    Disconnect and self-destruct, one bullet at a time.
  4. New worms... by Nos. · · Score: 5, Interesting

    The newest MyDoom variant has the author asking for a job...
    http://www.vnunet.com/news/1158043
    The Amus worm speaks to infected users.
    I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".

  5. Encrypt! by WD_40 · · Score: 5, Informative

    As demonstrated at DEFCON with "The Wall of Sheep" (stupid name, cool idea) it seems that a lot of people who should know better still don't encrypt their password transmissions.

    If you haven't already, it's time to get serious about encryption.

    --

    "With sufficient thrust, pigs fly just fine." -- RFC 1925

    1. Re:Encrypt! by koreth · · Score: 4, Interesting
      That won't help you if you're infected by this worm, which does keystroke logging. You can encrypt your password six ways from Sunday and it will still have been intercepted before it ever reaches your encryption software.

      Not that I'm against encryption or anything. But it won't necessarily stop your passwords from being stolen.

    2. Re:Encrypt! by dasmegabyte · · Score: 4, Interesting

      I used to use an encryption program that attempted to get around keystroke loggers...by remapping your keyboard when you were in the password box. A keystroke logger would see gobbledygook...granted, it was a simple cipher, but since there isn't enough information in a single 16 character password to generate a key for such a cipher, it was still pretty secure.

      I stopped using it when I got my mac, because built in AES-128 is just easier than mucking about with encrypted disk drivers and suchlike. I don't have that much to keep secure anyway...just some receipts, beer recipes and incriminating photos.

      --
      Hey freaks: now you're ju
    3. Re:Encrypt! by rainer_d · · Score: 4, Informative

      > You can encrypt your password six ways from
      > Sunday and it will still have been intercepted
      > before it ever reaches your encryption software.

      Indeed. But there's that nice Squirrelmail plugin that lets you use a virtual keyboard to enter your password ;-)

      Rainer

      --
      Windows 2000 - from the guys who brought us edlin
  6. A few points by Meostro · · Score: 5, Interesting
    1. A Link to Trend Micro's SDBot.UH analysis

    2. I love the fact that this worm drops itself as BLING.EXE

    3. This worm uses carnivore network sniffer and checks for the following strings
    As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.

    4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
    • It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
    • It attempts to steal CD keys for some games.
    • It installs a network sniffer
    • It has an interface with 26 commands that the bad guys can use on an 0wned box
    • It can log keystrokes
    It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?) It still sucks, but it's just an expected evolution.

    I'm still waiting for the really bad one...
    1. Re:A few points by savagedome · · Score: 4, Interesting

      I'm still waiting for the really bad one...

      A really bad one would look for Excel/Word files and modify a couple of data entries in a huge list of numbers.

      Kind of like someone breaking into the house, leaving something obnoxious under the fridge that starts smelling bad really gradually over a period of few months.

      Imagine the look on the PHB's face when 6 months down the line he realizes while doing some entries in the sheet that the p/e ratio is negative!

    2. Re:A few points by ricotest · · Score: 5, Funny

      As soon as your comment was posted, a dozen hackers got to work on a virus that does exactly what you describe. Thanks for helping fuck up my reports, asshole.

    3. Re:A few points by randomiam · · Score: 4, Funny
      "inusable"?

      That's unpossible, isn't it?

    4. Re:A few points by Elwood+P+Dowd · · Score: 5, Interesting

      The really bad ones are already out in the wild, and they do not damage your data.

      They wait 'till you go to an HTTPS site and then they log your keystrokes. It's about cash money for the villains, and not doing anything to get caught.

      --

      There are no trails. There are no trees out here.
    5. Re:A few points by EngMedic · · Score: 4, Funny

      I still think the best (worst?) virus would delete one card at random from solitaire....

      --
      filter: +3. Hey, look! all the trolls went away!
  7. Squawker by swordboy · · Score: 4, Interesting
    --

    Life is the leading cause of death in America.
  8. Proper switches will defeat the sniffer by Jailbrekr · · Score: 5, Informative

    If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer (unless it is also a server). Sadly, I fear that a lot of the consumer "switches" on the market do not do proper routing, and have insufficient mac routing tables.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Proper switches will defeat the sniffer by Anonymous Coward · · Score: 5, Informative

      Hubs, switches and routers are three different pieces of network equipment.

      Hubs are collapsed ethernet busses: Every attached device can see every ethernet frame sent by any other attached device.

      Switches work on a higher layer: They inspect the frames and send only broadcast frames to all devices. For the rest of the frames, they maintain a table of MAC-layer addresses of all devices attached to the switch ports. Targeted frames only get sent to the port to which the target device is connected.

      Routers work on an even higher level: They inspect IP packets and do with them about the same as what switches do with ethernet frames. Routers are generally more flexible about the rules regarding the packet flow than switches. It is not uncommon for routers to have the ability to perform switch-like ethernet level functions as well, but conceptually routing and switching are two different beasts.

      At least cheap home switches can be tricked into passing frames to the "wrong" ports in several ways. One method is to flood the MAC-address-to-port table. Most switches then fall back into hub mode. Generally speaking, non-manageable switches and switches without clearly-defined reactions to MAC flooding are not security devices. You should assume that an attacker can read your packets on a switched network.
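The MAC-flooding behaviour the comment above describes, as an added example (not code from the original page or from any vendor): a toy learning switch with a bounded MAC-to-port table. Port numbers, MAC addresses and the table size are made up, and the eviction policy (drop the oldest entry when the table is full) is an assumption, since, as the comment says, real switches differ and often leave it undefined.

```python
# Added example for this thread (not code from the original page): a toy
# learning switch whose MAC table can be flooded. Port numbers, MAC addresses
# and the table size are made up; the eviction policy (drop the oldest entry
# when the table is full) is an assumption, since real switches differ.

from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, table_size):
        self.ports = list(ports)
        self.table_size = table_size
        # MAC -> port; insertion order lets us evict the oldest entry
        self.table = OrderedDict()

    def learn(self, mac, port):
        if mac in self.table:
            self.table.move_to_end(mac)
        elif len(self.table) >= self.table_size:
            # Table full: assumed policy is to evict the oldest entry, so a
            # stream of bogus source MACs pushes out the legitimate ones.
            self.table.popitem(last=False)
        self.table[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is delivered to."""
        self.learn(src_mac, in_port)
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # Unknown or broadcast destination: behave like a hub
            return {p for p in self.ports if p != in_port}
        return {self.table[dst_mac]}


def simulate_mac_flood(table_size=8, bogus_frames=20):
    """Return (ports reached before the flood, ports reached after it)
    for a frame from host A (port 1) to server B (port 2); the attacker
    sits on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=table_size)
    host_a, server_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(host_a, server_b, 1)           # A learned; B unknown, flooded once
    sw.forward(server_b, host_a, 2)           # B learned
    before = sw.forward(host_a, server_b, 1)  # unicast: only port 2
    for i in range(bogus_frames):
        # Attacker sends frames with made-up source MACs from port 3
        sw.forward(f"02:00:00:00:00:{i:02x}", BROADCAST, 3)
    after = sw.forward(host_a, server_b, 1)   # B evicted: flooded to 2 and 3
    return before, after


if __name__ == "__main__":
    before, after = simulate_mac_flood()
    print("before flood:", sorted(before))
    print("after flood: ", sorted(after))
```

With 20 bogus source addresses against an 8-entry table, the server's entry is evicted and the next frame to it is delivered to every port, including the attacker's; with too few bogus frames to fill the table, the unicast stays on port 2. Real switch behaviour under flooding varies (some stop learning instead of evicting), which is exactly why the comment's advice to treat an unmanaged switch as a non-security device holds.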

  9. Non-malicious worms by MisterP · · Score: 4, Insightful

    "When I read these things it kind of makes me wonder why it took this long."

    I often wonder the same thing. With all the different worms that infect unpatched Windows machines, why hasn't someone written one that effectively deletes everything on the machine just short of rendering itself unable to propagate?

    1. Re:Non-malicious worms by newend · · Score: 4, Informative

      If you delete everything on the machine, then the virus can't propagate. What would have to happen is the virus would have to have a delay, and then there is a risk that it will be discovered before the payload (deletion) takes place. Further, I think most of the virus writers think of it more as a game, and don't really want to destroy data so much as see what they can accomplish. Would you rather destroy Rome or own it?

  10. Is it just me.... by grolschie · · Score: 4, Funny

    ...or does the term "packet sniffer" remind anyone of someones pet dog?

    1. Re:Is it just me.... by Oxy+the+moron · · Score: 5, Funny

      I believe that would be "package sniffer" if I'm not mistaken. ;)

      --

      Proudly supporting the Libertarian Party.

  11. I don't know about you.... by soulsteal · · Score: 4, Funny

    ..but I, for one, don't care about our network-sniffing overlords.

  12. I dont even get the purpose.... by stickystyle · · Score: 4, Interesting

    Most networks are switched these days, making this pointless. Why not install a keylogger???
    Then the evil person doesn't have to deal with all the encryption mumbo-jumbo.

    --
    Pluralitas non est ponenda sine neccesitate
  13. What if someone made a worm that just........ by ARRRLovin · · Score: 5, Interesting

    ......ran windows update on all infected machines? Would people get pissed?

    --
    -Randy
    1. Re:What if someone made a worm that just........ by still_sick · · Score: 4, Insightful

      ......ran windows update on all infected machines? Would people get pissed?

      Would people get pissed? HELL YES.

      I recall one particularly annoying weekend when my computer DVD player stopped working. Something screwed up or something - whatever it was, the damn video was not being decoded properly.

      Tried everything I could think of. New Drive, New Drivers, endless newsgroup searching, blah blah blah to no avail.

      Then it occured to me that between the time that my DVD player last worked and then did not, I had installed Win2k SP4.

      So just as a test I went and uninstalled the bastard, everything worked FINE after that - with the original HW/SW configuration.

      So now I'm not installing SP4 because it BREAKS MY SYSTEM - not because I'm unaware of it, or too stupid to install it.

      I don't need nor want some dumbass "I'm smarter than you, and doing this for your own good" 1337 prick trying to install SP4 for me.

      --
      ...Also, I didn't know Buggalo could fly.
  14. I installed my sniffer on a computer once... by rwven · · Score: 4, Funny

    ...Afterwards it took me over an hour to unscrew the side of my case to get my nose out...

  15. uIP already exists... by Anonymous Coward · · Score: 5, Informative

    Seems like the uIP embedded TCP/IP stack would be ideal for this, as it is very small and portable. Also, it apparently already has been ported to and run on laptop keyboard microcontrollers. How about that kind of sniffer virus!

  16. SSL for everything by Matt+Perry · · Score: 4, Interesting
    from the hope-you're-using-ssl-for-everything dept.
    Why aren't we using SSL for everything? Why aren't we building strong encryption into everything? I started wondering this several months ago when I had to run VNC on a windows box and had no way to secure it. Sure, under linux you can tunnel it over SSH, but that wasn't an option on a windows machine.

    And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  17. A machine on one of our networks.... by caluml · · Score: 4, Interesting

    This is strange - I found a bling.exe on a Windows machine at work a while ago, as it was spewing out 445 if I remember rightly - several weeks. I searched for info on it, and I didn't find anything, which I thought was strange.
    I think I must have got hit by an early-adopter version.

  18. Worms are just like any other software by ChiralSoftware · · Score: 4, Interesting
    Remember back to the days of MS-DOS? Everything was very minimal and non-bloated, but still, things were slow. As computers got faster, software didn't get faster. It just got more bloated to take advantage of all that new speed and memory available. Today I have dozens of windows open, a media player, an IDE, mail reader, etc, and you need 256mb to run Linux or Windows XP. That's bloat. But, they do a lot more than they used to. Much much more.

    And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.

    It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.

  19. Need one that does some damage by bdigit · · Score: 5, Funny

    Dear Worm Writers,

    Please create a worm that will actually destroy the user's hard drive. That way, at work, when they call up I can tell them it's a hardware problem and we do not support that. Also it will teach everyone a valuable lesson in running Windows Update and enabling their firewalls.

    Thank you
    Student worker @ University Helpdesk

  20. yep! by Zilfondel2 · · Score: 5, Informative

    Yea, actually, a lot of the time the virus writers DO email them to the different antivirus companies. Having your virus added to the weekly virus definition files is part of their bragging rights.

    Do you really think there are 55,000 viruses in the wild?

    Yea yea, I worked for symantec for a couple of years.

    1. Re:yep! by f8free · · Score: 5, Interesting

      I've always wondered about that kind of thing... most especially, what's to stop the antivirus companies from writing their own virii?

      Not that they'd need to do it at this point, but talk about your perpetual business model...

    2. Re:yep! by One+Louder · · Score: 5, Interesting
      ...what's to stop the antivirus companies from writing their own virii?
      The competition.

      Imagine the publicity if an anti-virus software vendor were able to prove that a virus was produced by one of its competitors.

  21. Re:Best AntiVirus? Help... by jcr · · Score: 5, Informative

    This reminds me, I'm in the process of building a new pc and want to get the opinion of the shack collective on what is the best antivirus software.

    Take your pick: *BSD, SuSE, Red Hat...

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  22. A sniffer would still be helpful... by raehl · · Score: 4, Funny

    Especially if it gives warning messages, like:

    "It is time to empty the litter box."

    or

    "Please do your laundry."

    or

    "Are you really sure you want to eat that leftover pizza?"

    or

    "For the love of god, please try deodorant. Any deodorant."

    Of course, there are also downsides, like your stash of coke always vanishing.

    1. Re:A sniffer would still be helpful... by YetAnotherDave · · Score: 4, Funny

      >> "For the love of god, please try deodorant. Any deodorant."

      we could use this one at my work... :(

  23. the bad one by Clover_Kicker · · Score: 5, Insightful

    I'm waiting for a virus that greps all your documents for each name in your address book.

    If a document contains a person's name, email it to them.

    I can see it now, salary spreadsheets and confidential memos flying around to the very people who are not allowed to see them...

  24. As usual these useless virus alerts lack info. by zaqattack911 · · Score: 5, Insightful

    How does it Normally spread?
    What windows vulnerabilities is it using?
    is it an email attachment? what is the attachement called .. or its variants??

    For christ sake...

    Love, Zaq

  25. Why did it take this long? by rjamestaylor · · Score: 5, Insightful

    Perhaps it took this long because the bad guys were busy installing keystroke recorders so that they could defeat encrypted network traffic. Also, switched networks help keep the impact of the sniffing to the infected computer -- unless the network terminates at an infected computer -- thus making this less of a threat to large organizations using 100% switched networks...

    --
    -- @rjamestaylor on Ello
  26. Proper switches cannot always defeat a sniffer by thanasakis · · Score: 4, Informative
  27. Re:HACKED BY CHINESE by Cheffo+Jeffo · · Score: 4, Informative

    Um ... I THINK that was an attempt at humour ... HACKED BY CHINESE was the tagline appearing on web servers infected with Code Red ... IIRC, that is.

  28. Beating keystroke loggers by JaredOfEuropa · · Score: 4, Informative

    You can beat keystroke loggers by entering your password a few letters at a time in random order, using the mouse to place the cursor at the correct location in the half-finished password. I don't think there's a keystroke logger that is able to work out where you clicked in the password entry box.

    Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Beating keystroke loggers by anti-trojan · · Score: 4, Insightful

      Once you know the characters that the password consists of, the possible combinations are very limited. You can try every combination in a few seconds.
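The arithmetic behind the reply above, as an added example (not code from the thread): if a logger captures the characters of a password but not their order, the attacker only has to try the distinct orderings of those characters, not the whole keyspace. The password, its hash and the scrambled typing order are constructed for illustration.

```python
# Added example for this thread (not code from the original page). Shows how
# few candidates remain once a keystroke logger has captured the characters
# of a password typed in scrambled order. Password and hash are constructed.

import hashlib
from collections import Counter
from itertools import permutations
from math import factorial


def distinct_orderings(chars):
    """Number of distinct permutations of a multiset of characters."""
    n = factorial(len(chars))
    for count in Counter(chars).values():
        n //= factorial(count)
    return n


def recover_order(logged_chars, check):
    """Try every distinct ordering of the logged characters against check(),
    a password verifier. Return (password, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in sorted(set(permutations(logged_chars))):
        attempts += 1
        pw = "".join(candidate)
        if check(pw):
            return pw, attempts
    return None, attempts


def demo():
    """Constructed scenario: the user types 'Tr0ub4d!' a few letters at a time
    in random order, so the logger records the characters as '!4br0uTd'."""
    password = "Tr0ub4d!"
    digest = hashlib.sha256(password.encode()).hexdigest()
    logged = list("!4br0uTd")

    def check(candidate):
        # Stand-in for whatever the attacker can test a guess against
        return hashlib.sha256(candidate.encode()).hexdigest() == digest

    pw, attempts = recover_order(logged, check)
    return pw, attempts, distinct_orderings(logged)


if __name__ == "__main__":
    pw, attempts, total = demo()
    print(f"recovered {pw!r} after {attempts} of {total} candidate orderings")
    print(f"full 8-character keyspace over 95 printable ASCII: {95 ** 8:,}")
```

Eight distinct characters give 8! = 40,320 orderings, against roughly 6.6 quadrillion for an arbitrary 8-character printable-ASCII password; the scrambled-entry trick costs the attacker milliseconds, not years. It only helps if the logger also fails to see where the mouse clicked, and a logger that records screen position or clipboard contents does not.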

  29. PromiscDetect by rsteele19 · · Score: 4, Informative
    The Netcraft article noted that checking to see if your network adapter is in promiscuous mode is a good way to tell if your machine has a sniffer running on it. Unfortunately, they did not mention how one can go about doing this.

    If you're using Linux, just run
    ifconfig -a
    and look for the string "PROMISC".

    If, however, you're using Windows, you need to get a utility called PromiscDetect. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.

    Source: Computerworld
    --

    This sig is umop apisdn.
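The Linux check rsteele19 describes, as an added example (not code from the thread, from Netcraft or from PromiscDetect): it parses `ifconfig -a` output for the PROMISC flag and, on systems where `ifconfig` is no longer installed, reads the IFF_PROMISC bit (0x100, from linux/if.h) out of /sys/class/net/<iface>/flags. The two ifconfig samples are constructed.

```python
# Added example for this thread (not code from the original page). Finds
# interfaces in promiscuous mode on Linux two ways: by parsing `ifconfig -a`
# output for PROMISC, and by reading the IFF_PROMISC bit from sysfs.
# The ifconfig samples below are constructed.

import os
import re
import subprocess

IFF_PROMISC = 0x100  # linux/if.h

# Old net-tools layout: flags on an indented line under the interface name
SAMPLE_IFCONFIG_OLD = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Newer net-tools layout: flags on the same line as the interface name
SAMPLE_IFCONFIG_NEW = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
wlan0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
"""


def promisc_from_ifconfig(text):
    """Return the interface names whose flags include PROMISC."""
    found = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+)", line)  # unindented line starts an interface
        if m:
            current = m.group(1).rstrip(":")
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def promisc_from_flags(flags_value):
    """flags_value is the hex string from /sys/class/net/<iface>/flags."""
    return bool(int(flags_value, 16) & IFF_PROMISC)


def promisc_interfaces_sysfs(root="/sys/class/net"):
    """Live check: interfaces with IFF_PROMISC set. Empty where sysfs is absent."""
    result = []
    if not os.path.isdir(root):
        return result
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as f:
                if promisc_from_flags(f.read().strip()):
                    result.append(iface)
        except OSError:
            continue  # interface vanished or flags unreadable; skip it
    return result


def promisc_interfaces_ifconfig():
    """Live check via `ifconfig -a`; returns None if ifconfig is not installed."""
    try:
        out = subprocess.run(["ifconfig", "-a"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return promisc_from_ifconfig(out.stdout)


if __name__ == "__main__":
    print("sample (old layout):", promisc_from_ifconfig(SAMPLE_IFCONFIG_OLD))
    print("sample (new layout):", promisc_from_ifconfig(SAMPLE_IFCONFIG_NEW))
    print("this host via sysfs:", promisc_interfaces_sysfs())
    print("this host via ifconfig:", promisc_interfaces_ifconfig())
```

`ip link` shows the same flag as PROMISC inside the angle brackets, so the same regex works on its output. Two caveats the thread touches on: a sniffer running with kernel privileges can hide the flag from user space, and a sniffer that only wants the host's own traffic (or a keystroke logger) never needs promiscuous mode at all, so a clean result is evidence, not proof.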