> Note that only a VERY small portion of the code is based on open-source software.
Actually, most of the code *is* GPL. It is mainly composed of Agobot, ftplib and WASTE. All three are GNU GPL licensed. The only source not available is the mods made by the Phatbot developers.
There's no need to make this stuff up - there is already more malware out there than is being analyzed. I often find trojans that are undetected by AV but were compiled 2 or 3 months before.
Some AV companies consider this a variant of Agobot/Gaobot, since it shares a lot of the same code base. Which is funny, because when I analyzed Doomjuice and called it "MyDoom.C", they all said it was too different to be called a MyDoom variant (even though it was the same code with functionality removed).
I consider the addition of the WASTE code and removal of the IRC code to be significant enough to call this by a new name. Not to mention all the other added features that are not part of the Agobot code.
In the past two days, my honeypot listening on port 3127 has captured 56 copies of Doomjuice.A, 10 copies of Doomjuice.B and 1 copy of Mitglieder. It's really not a lot if you think about how big the Mydoom.A outbreak appeared to be. Here's an extra credit math problem - take those numbers and the time it takes to scan a subnet and get a rough estimate of infected machines. Each Doomjuice-infected system starts 64 threads, each one picks a class C at random and attempts to connect to hosts 1-254 in sequence (the 127.x.x.x class A subnet is the only one skipped).
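A quick model of that extra-credit problem, added here as an example and not part of the original comment. The time a thread spends per host, the uniform choice of class C networks and the rule that every probe reaching the honeypot counts as one captured copy are my assumptions, not figures from the thread.

```python
# Added example: back-of-the-envelope estimate of the Doomjuice population
# from honeypot hits. Model assumptions (mine, not from the comment):
#   - each of the 64 threads probes one host every SECONDS_PER_PROBE seconds
#   - target class C networks are uniform over everything except 127.0.0.0/8
#   - each probe that lands on the honeypot yields exactly one captured copy
THREADS_PER_HOST = 64
HOSTS_PER_CLASS_C = 254          # hosts 1-254 are tried in sequence
CLASS_A_NETWORKS_SKIPPED = 1     # 127.x.x.x is the only one skipped
SECONDS_PER_DAY = 86400


def scannable_addresses() -> int:
    """Number of distinct hosts a thread can ever pick: 255 class A's,
    65536 class C's in each, 254 hosts per class C."""
    class_c_networks = (256 - CLASS_A_NETWORKS_SKIPPED) * 256 * 256
    return class_c_networks * HOSTS_PER_CLASS_C


def expected_hits_per_infected(days: float, seconds_per_probe: float) -> float:
    """Expected number of probes one fixed IP receives from a single
    infected host over `days`, given the per-host probe time."""
    probes_per_second = THREADS_PER_HOST / seconds_per_probe
    total_probes = probes_per_second * days * SECONDS_PER_DAY
    return total_probes / scannable_addresses()


def estimate_infected(hits: int, days: float, seconds_per_probe: float) -> int:
    """Invert the model: how many infected hosts would explain `hits`
    copies arriving at one honeypot IP in `days` days."""
    return round(hits / expected_hits_per_infected(days, seconds_per_probe))


if __name__ == "__main__":
    # 56 copies of Doomjuice.A in two days, for a few assumed probe times
    for t in (0.5, 1.0, 3.0):
        print(f"{t:>4}s per probe -> ~{estimate_infected(56, 2, t):,} infected hosts")
```

The estimate scales linearly with the assumed probe time, so a slow connect timeout on unreachable hosts pushes the number up considerably.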
Vesser was discovered before Doomjuice, but if you look at the PE timestamp header, you see that Deadhat/Vesser was compiled on Tue Feb 4 06:23:59 2003, while Doomjuice was compiled on Tue Jan 27 06:22:58 2004. While the PE timestamp field can be easily edited, these dates are probably accurate in my opinion. So, Doomjuice can't be considered a copycat of Vesser.
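Reading that PE timestamp field yourself, as an added example that is not from the comment or either sample: the header bytes are constructed by hand from the two dates quoted above (interpreted as UTC, which is an assumption), so the code shows only how the field is located and decoded.

```python
# Added example: locate and decode the COFF TimeDateStamp of a PE image.
# The fake_pe() input is constructed for the demo; it is not a real binary.
import calendar
import struct
import time
from datetime import datetime


def pe_link_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since 1970 UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def pe_link_time_text(data: bytes) -> str:
    """Format the stamp the way the comment quotes it (asctime style, UTC)."""
    return time.asctime(time.gmtime(pe_link_timestamp(data)))


def fake_pe(stamp: int, e_lfanew: int = 0x40) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header for testing."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, the stamp, then zeroed remaining COFF fields
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def stamp_for(text: str) -> int:
    """'Tue Jan 27 06:22:58 2004' -> epoch seconds, treating the text as UTC."""
    return calendar.timegm(datetime.strptime(text, "%a %b %d %H:%M:%S %Y").timetuple())


# The two dates quoted in the comment, baked into constructed headers
DOOMJUICE = fake_pe(stamp_for("Tue Jan 27 06:22:58 2004"))
VESSER = fake_pe(stamp_for("Tue Feb 4 06:23:59 2003"))

if __name__ == "__main__":
    for name, image in (("Doomjuice", DOOMJUICE), ("Vesser", VESSER)):
        print(f"{name}: {pe_link_time_text(image)}")
```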
Regardless of how many functions changed, it is a variant in the sense that it came from the same source tree, as opposed to DeadHat, which is from completely separate source, yet similar in spreading functionality.
The AV companies decided to rename it because it isn't a variant by their strict definition. Apparently in the AV world, a variant doesn't even have to be by the same author, as long as it is very similar.
> Firewall denies their check, they consider that a failure, the switch in the closet is told to forget about the port to which your wire is connected, you're off the network, buh-bye.
iptables -j REJECT --reject-with tcp-reset
Icarus sees port as being closed instead of filtered. Problem solved.
> Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.
Actually only the download function was synchronized using NTP. The function to determine "expiration" is based off of the machine's localtime. However, setting the clock forward wouldn't remove the worm, it would just cause it to exit. It would be back after the system time was set back and a reboot occurred.
> I'm interested to see if is updated to include info on -f. the -e article was a good eye-opener.
Thanks.
Before I update the paper I'm waiting to see if there are any substantial changes in the second and third stages - these won't be known for a couple of days probably, depending on the worm author's schedule, but it could be as early as tonight. So far though, the functionality is almost the same as described in the Sobig.e paper.
It's not FUD. You have to realize the concept of a reverse-proxy is not something most NY Times readers are going to understand, so those details get left out a lot. But this really is what's happening. More technical details are here:
It's not just another open proxy story. This trojan also has a reverse HTTP proxy, which means the trojaned machines appear to be hosting the porn site. The DNS for the porn site cycles through all the trojaned machines minute-by-minute.
Hadn't seen this mentioned in the book or in any comments so far: If you are wanting to get started reverse-engineering on Windows, you don't need to shell out big bucks (or pirate) softice unless you plan to do hard-core driver/kernel debugging. Seriously, check out Ollydbg. It's freeware AND it kicks ass. I'm using it to do almost all my reverse engineering now.
> JUST RUN A DAMN VIRUS SCANNER ON THE FREAKING EMAIL SERVER!
It's a big part of the solution, but it will not stop certain viruses. For sobig, there is a high possibility that the initial "seeding" of the virus is done by spamming it out to hundreds of thousands of users. This is very likely because it is suspected that a spammer is behind the spread of sobig.
This would infect a great number of people before AV vendors have a chance to push out signatures. The only way it could be thwarted is by heuristic scanning, which can never be 100% effective. (But can be quite good - messagelabs is catching these before signatures are available)
Just this week there was a phony "apply this critical patch" mass-spammed to countless users, with the URL "windows-update.com" (as opposed to the genuine windowsupdate.com). This fooled a lot of people into clicking through to the site, where they were immediately exploited if they were using IE without the June 4 hotfix. At this point they became part of an IRC trojan botnet. Even heuristic email virus scans would not have caught this.
There is a payload, but it is not immediately obvious. Like every sobig variant, its job is to download a second stage trojan. Check out the whole story of what sobig.a (and likely all the rest) are supposed to do after infecting you: http://www.lurhq.com/sobig.html
If it is mapping, it's doing a very poor job of it. What many analysts have seen (including myself) is that once it sends a packet to a particular IP address, it will repeat that packet over and over again. 81% of the "odd" traffic I am seeing on a particular class C is the same spoofed source to the same non-existent host on the class C, from the same source port to the same destination port. Over 900 packets since May 18, with that same signature. I don't think it's a mapper.
The windows-based code is _not_ the trojan that Intrusec and ISS analyzed. It was an IRC bot that I analyzed and sent to the AV companies, pointing out that it also used a window size of 55808 when synflooding victims, so you couldn't just take seeing that size option as evidence that you were seeing the "odd" traffic; the packet-building code could have been re-used elsewhere for other purposes as well.
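A tally of the kind that produces the 81% figure in the "If it is mapping" comment above, using the 55808 window size from the following comment only as a pre-filter. This is an added example, not code from the thread; the packet records are constructed sample data and the field names are mine.

```python
# Added example: is the "odd" traffic mapping a network, or just repeating itself?
# Groups packets by (src, sport, dst, dport) and measures how much of the
# traffic the single most-repeated tuple accounts for.
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple

ODD_WINDOW = 55808   # TCP window size the thread associates with the odd traffic


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    window: int


def flow_key(p: Pkt) -> Tuple[str, int, str, int]:
    return (p.src, p.sport, p.dst, p.dport)


def dominant_flow(packets: Iterable[Pkt]) -> Tuple[Tuple[str, int, str, int], int, float]:
    """Most-repeated 4-tuple, its packet count, and its share of all packets."""
    counts = Counter(flow_key(p) for p in packets)
    total = sum(counts.values())
    key, n = counts.most_common(1)[0]
    return key, n, n / total


def looks_like_mapping(packets: Iterable[Pkt], max_repeat_share: float = 0.5) -> bool:
    """A mapper spreads probes over many hosts and ports. If one identical
    tuple makes up most of the odd-window packets, it is repeating, not mapping."""
    odd = [p for p in packets if p.window == ODD_WINDOW]
    if not odd:
        return False
    return dominant_flow(odd)[2] < max_repeat_share


# Constructed sample (documentation address ranges): 81 copies of one spoofed
# tuple aimed at a non-existent host, plus 19 scattered single probes.
SAMPLE: List[Pkt] = [Pkt("198.51.100.23", 5040, "192.0.2.250", 80, ODD_WINDOW)] * 81 + [
    Pkt(f"203.0.113.{i}", 6000 + i, f"192.0.2.{i}", 80, ODD_WINDOW) for i in range(1, 20)
]

if __name__ == "__main__":
    key, n, share = dominant_flow(SAMPLE)
    print(f"{key}: {n} packets, {share:.0%} of the traffic")
    print("mapping?", looks_like_mapping(SAMPLE))
```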
> This new "odd data" is mimicking the attack parameters of the previous bugbear variant, because it's appearing to target more banks and government institutions rather than random internet addresses.
I don't know where you got that from, but it's not true. We are seeing this to and from random internet addresses.
> This is why the lack of detail in the published articles; it's a serious national security thing.
The lack of detail is due to the fact that the traffic itself has no clear purpose, but some security companies have tried to speculate that it is a trojan/distributed portscanner, even though the traffic pattern doesn't fit. "Third-gen trojan" sounds much more newsworthy than "We're seeing some weird nonsense-type traffic and don't know what it is".
If things weren't already confusing enough, someone wrote a copycat trojan to simulate aspects of the traffic. However, they didn't quite get it right. Hopefully this was someone's idea of a joke; not a security company trying to produce some "evidence".
On top of it all, the nature of TCP/IP escapes most journalists, which muddies the issue even further.
> Idle scanning doesn't require a valid source IP address.
Yes, it does. It merely hides your true IP address from the system you are attacking by utilizing an "idle host" as a man-in-the-middle. You find out what ports are open by counting the sequence of IP ID numbers on the idle host. The traffic between the idle host and your target will have valid and routable source and destination IP addresses.
There is an excellent freeware program for Windows called Game Maker which allows you to create simple to sophisticated 2-D arcade/rpg style games through a drag-and-drop interface. My 9 year old enjoys creating the games this way, but the beauty is in the built-in scripting language. When he can't accomplish what he wants using drag-and-drop, I teach him how to insert a snippet of code into the game objects to get the results he wants. Little by little, he learns to program this way.
> Not that I posted this story two hours before, only to have it rejected... *sigh*
There's often a delay of a few hours between a submission's approval and its posting, so you probably were just not the first submission. I posted a story and had it almost immediately rejected, then saw the same story posted the next day. Turns out the submitter had sent it in an hour and a half ahead of me, but it wasn't posted for 18 hours. So don't be too bummed out about it.
That's because it's not Phatbot. The Gaobot.RF is Agobot. Phatbot is based on the Agobot code but has additional features and uses P2P instead of IRC.
-Joe
The Gnutella cache servers for Phatbot are:
Look for hosts using port 4387, pretending to be GNUT clients.
-Joe
http://www.f-secure.com/v-descs/agobot_fo.shtml
NAME: Agobot.FO
ALIAS: Backdoor.Agobot.fo, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
ALIAS: Phatbot, Phat
http://www.joestewart.org/phatbot.html
-Joe
There is now - it's called DoomHunter.A.
My writeup of Doomjuice: http://www.lurhq.com/mydoom-c.html
The name MyDoom.C came from me, since I was the first to post an analysis of it at http://www.lurhq.com/mydoom-c.html
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
http://www.lurhq.com/migmaf.html
Also search Google Groups for "onlycoredomains.com"
There is a technical writeup here:
http://www.lurhq.com/migmaf.html
Mirror: http://www.joestewart.org/migmaf.html
Here are a couple of beginner-level articles I've written on reverse-engineering malicious code:
Reverse Engineering Hostile Code
Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
Game Maker URL: http://www.cs.uu.nl/people/markov/gmaker/