Re: [Full-Disclosure] Which worm?
From: Wolfram Schroeder (wsinformatik.uni-bremen.de)
Date: Thu Apr 15 2004 - 15:29:14 CDT
I'm currently in the process of learning how to analyse worms ... here
are some things I learned/guessed/newbied so far:
1) So far, the recent notorious port-scans/exploitation-attempts appear
to come from AGOBOT-Variants. These are complex trojans acting as
IRC-Bots. Look for descriptions of them at AV-companies.
2) The easiest way to get a sample is to netcat -l -p 3127 > sample.
The port 3127 was the original MYDOOM-backdoor port. You have to remove
the first 5 bytes to get a working executable, I use vi for this. Many
of the samples you get with netcat are broken - complete samples seem to
have sizes > 99k, up to 150k, we're told. The largest one I got was 130k
(may be a broken version of the 150k sample), many others are 104k.
AV-scanners will sometimes identify the broken samples, sometimes not.
My heuristic is to look at the end of the file and see if there's a
list of dll's. If not, I consider it broken - does this make sense?
3) The samples are compressed using various EXE-compressing tools. You
can learn about/download them at www.exetools.com. One sample I got (the
130k sample) has been compressed using exe32pack (writes this info into
the executable), another one (99k) using UPX (has section names UPX0,
UPX1 etc). The next one (104k) is compressed using an unknown tool or by
a handwritten tool. The exe32pack-packed sample expands to over 400k,
the UPX-sample to roughly 300k code. This is huge, for a worm.
These compressors often destroy information helpful with disassembling,
with the notable exception of UPX. If you want to have an easy to
disassemble sample I suggest you wait for the UPX-Version. You can
discern it by loading it into vi and looking for UPX0, or download upx.exe
and run upx -t virussample. You decompress it using the -d switch.
Another question: Is there a quick way to find out which tool compressed
an executable? A tool maybe?
4) When you have an unpacked version, you can go and look for the
strings in the executable. The authors were helpful enough to include
help texts. I have the theory that you should be able to get the
host/channel/username/password for the relevant IRC-Channels from the
executable or a network sniffer, log in using an IRC-Client and execute
bot.die. Didn't try it, though.
=>>> Final question: Is there a forum for worm-disassembling wannabes? <<<=
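A small triage script for steps 2 and 3 above, written as an added example for this thread; it is not code from the original post or from any of the people quoted. It takes the raw dump produced by `nc -l -p 3127 > sample`, strips the 5-byte prefix the post describes, checks that what remains starts with a real MZ/PE header, reads the section names from the PE section table (UPX leaves UPX0/UPX1 as described), looks for the literal string exe32pack that the post says that packer writes into the file, and applies the "dll list at the end of the file" completeness heuristic. The 4 KB tail window and the `build_fake_pe` helper, which constructs a minimal PE image purely so the script can be run offline without a live sample, are assumptions of this example.

```python
"""Triage a worm sample captured with `nc -l -p 3127 > sample` (added example)."""
import struct

# The post says the first 5 bytes of a 3127 dump precede the executable.
BACKDOOR_PREFIX_LEN = 5


def strip_backdoor_prefix(raw: bytes, n: int = BACKDOOR_PREFIX_LEN) -> bytes:
    """Drop the protocol prefix so the rest can be treated as a PE file."""
    return raw[n:]


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_names(data: bytes) -> list:
    """Read the 8-byte names from the PE section table (call looks_like_pe first)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                                   # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # section table follows optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break                                         # truncated dump: table cut off
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def guess_packer(data: bytes, names: list) -> str:
    """UPX keeps its section names; exe32pack (per the post) writes its name into the file."""
    if any(n.startswith("UPX") for n in names):
        return "UPX"
    if b"exe32pack" in data:
        return "exe32pack"
    return "unknown"


def trailing_dll_count(data: bytes, window: int = 4096) -> int:
    """The post's completeness heuristic: a list of .dll names near the end of the file."""
    return data[-window:].lower().count(b".dll")


def triage(raw: bytes) -> dict:
    """Run the whole check on a raw 3127 dump and return a small report."""
    data = strip_backdoor_prefix(raw)
    report = {"size": len(data), "is_pe": looks_like_pe(data), "sections": [],
              "packer": "n/a", "trailing_dlls": 0, "probably_complete": False}
    if not report["is_pe"]:
        return report                                     # not even a PE header: broken dump
    report["sections"] = section_names(data)
    report["packer"] = guess_packer(data, report["sections"])
    report["trailing_dlls"] = trailing_dll_count(data)
    report["probably_complete"] = report["trailing_dlls"] > 0
    return report


def build_fake_pe(names, tail=b"", extra=b"") -> bytes:
    """Constructed test data: a minimal, non-runnable PE image with the given section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after the stub
    opt = bytes(224)                                      # PE32 optional header size (assumed)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + extra + tail


if __name__ == "__main__":
    # Constructed sample: 5-byte prefix, UPX section names, import-name list at the end.
    sample = b"\x00" * 5 + build_fake_pe(["UPX0", "UPX1", ".rsrc"],
                                         tail=b"KERNEL32.dll\0USER32.dll\0")
    print(triage(sample))
    print(triage(sample[:50]))                            # truncated dump
```

To use it on a real capture, read the dump with `open("sample", "rb").read()` and pass it to `triage`; a report with `is_pe` false or `probably_complete` false is the kind of sample the post says AV scanners may or may not recognise, and not worth unpacking.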
Maxime Ducharme wrote:
>Same thing for me :)
>Here are some dumps I got if someone would like
>to study them :
>login : mydoom
>pass : 3127
>Archive pass : 3127dumps
>If you do any analysis, please cc me, I'm interested.
>Have a nice day
>Maxime Ducharme Programmer / Network security specialist
>----- Original Message -----
>From: "bob sagart" <bobsagart500hotmail.com>
>Sent: Tuesday, April 13, 2004 10:22 PM
>Subject: RE: [Full-Disclosure] Which worm?
>>Here's the capture file I got, I started sending this to individual people
>>but I decided to send it to the whole list so sorry if you're one of those
>>that got it twice. The zip file password is: pass
>>>From: "bob sagart" <bobsagart500hotmail.com>
>>>Subject: [Full-Disclosure] Which worm?
>>>Date: Tue, 13 Apr 2004 23:53:17 +1200
>>>The other night I decided to see what traffic I could capture on tcp port
>>>3127 (MyDoom backdoor) since I have been getting a lot of connection
>>>attempts showing up in my firewall logs.
>>>I got several dumps of the traffic using
>>>nc -l -p 3127 > out.dmp
>>>most of them are around 10-20kB which I thought was about the right
>>>size of most of the worms and backdoors using that port. But one of the
>>>dumps I got was 150kB and I was just wondering if anyone could tell me
>>>what it might be?
>>>I cannot send it as an attachment as hotmail says it is a virus.
>>>Check out news, entertainment and more http://xtra.co.nz/broadband
>>>Full-Disclosure - We believe in it.