MS06-040 and Related Malware

Monday, August 14. 2006
The Internet Storm Center has a nice write-up with links regarding MS06-040 and the malware related to exploits of this vulnerability. Currently, there are mainly two bots that take advantage of this vulnerability:

MD5 FILENAME
9928a1e6601cf00d0b7826d13fb556f0 wgareg.exe
2bf2a4f0bdac42f4d6f8a062a7206797 wgavm.exe

With the help of our sandbox, it is possible to get a quick analysis of both of them. You can find this analysis at wgareg.exe-cwsandbox.html (or for the XML output: wgareg.exe-cwsandbox.xml) and wgavm.exe-cwsandbox.html (XML: wgavm.exe-cwsandbox.xml). CWSandbox is able to extract enough information to get a first insight into what the binaries do. The main IRC server used for Command & Control is revealed (bniu.househot.com), together with the nickname and username the bots use.

In addition, we now also have a system to keep track of AV signatures across different AV engines (thanks to Jan Göbel for implementing most of it during his thesis!). This allows us to track when a given AV engine added a signature that detects a new binary. Below you can find a sample output for wgareg.exe:

Virus scanner analysis for MD5 9928a1e6601cf00d0b7826d13fb556f0:
AntiVir
--------
Signature Update: 2006-08-12 14:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.84
Result: OK

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Worm/IRCBot.9609

BitDefender
---------------
Signature Update: 2006-08-12 22:40:05
Product Version: 7.0.2492
Signature Version: 444351
Result: Generic.Malware.IXdld.658BDD6B

Signature Update: 2006-08-13 12:40:05
Product Version: 7.0.2492
Signature Version: 444407
Result: Backdoor.IRCBot.ST

ClamAV
---------
Signature Update: 2006-08-12 17:40:05
Product Version: 0.88.2
Signature Version: 1650
Result: OK

Signature Update: 2006-08-13 14:40:05
Product Version: 0.88.2
Signature Version: 1654
Result: Trojan.IRCBot-689
The signatures for the binary with MD5 2bf2a4f0bdac42f4d6f8a062a7206797 look similar.
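To turn a report in the layout shown above into a per-engine "first detected at" timestamp, here is an added example (not the tracking system's own code); the embedded report is a constructed, shortened version of the sample with the version lines omitted, and the parser treats an engine name as any line underlined with dashes and a Result: line as the end of one scan record.

```python
import re
from datetime import datetime

# Constructed, shortened sample in the report layout shown above (version lines omitted).
SAMPLE = """\
Virus scanner analysis for MD5 9928a1e6601cf00d0b7826d13fb556f0:
AntiVir
--------
Signature Update: 2006-08-12 14:40:06
Result: OK

Signature Update: 2006-08-13 15:40:06
Result: Worm/IRCBot.9609

ClamAV
---------
Signature Update: 2006-08-12 17:40:05
Result: OK

Signature Update: 2006-08-13 14:40:05
Result: Trojan.IRCBot-689
"""

def parse_report(text):
    """Return (md5, {engine: [record, ...]}); a 'Result:' line closes a record."""
    md5, engines, engine, rec = None, {}, None, {}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"Virus scanner analysis for MD5 ([0-9a-f]{32}):", line)
        if m:
            md5 = m.group(1)
        elif i + 1 < len(lines) and re.fullmatch(r"-{3,}", lines[i + 1]):
            engine = line                  # an engine name is underlined with dashes
            engines[engine] = []
        elif ":" in line and engine:
            key, val = line.split(":", 1)  # "Signature Update: 2006-..." keeps its time
            rec[key] = val.strip()
            if key == "Result":            # Result is the last field of a record
                engines[engine].append(rec)
                rec = {}
    return md5, engines

def first_detection(engines):
    """Per engine: (signature update, verdict) of the earliest non-OK result, else None."""
    out = {}
    for name, recs in engines.items():
        hits = sorted((r for r in recs if r.get("Result", "OK") != "OK"),
                      key=lambda r: datetime.strptime(r["Signature Update"], "%Y-%m-%d %H:%M:%S"))
        out[name] = (hits[0]["Signature Update"], hits[0]["Result"]) if hits else None
    return out
```

Running `first_detection(parse_report(SAMPLE)[1])` gives the signature update at which each engine started flagging the binary, which is the number you want when comparing engines' reaction time to a new sample.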