MS06-040 Update

Tuesday, August 15. 2006
Yesterday I blogged about the recent MS06-040 vulnerability and the malware related to it. As noted by Tom Fischer, the bot-herders also install additional software on the infected machines. They issue a download for http://media.pixpond.com/l9rXXX.jpg (MD5 9bc2f9e15a4802fe5be55a0510f2f0e3 at the time of this writing), which is classified by the different AV engines as follows:

AntiVir:
---------

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Trojan/Dldr.Bary.FL.2

Signature Update: 2006-08-14 09:40:05
Product Version: 2.1.7-31
Signature Version: 6.35.1.87
Result: Trojan/Proxy.FV

BitDefender:
--------------

Signature Update: 2006-08-14 00:40:06
Product Version: 7.0.2492
Signature Version: 444432
Result: Backdoor.Proxy.Piky.B

ClamAV:
---------

Signature Update: 2006-08-13 21:40:05
Product Version: 0.88.2
Signature Version: 1655
Result: Trojan.Proxy.Ranky-29


There is also an analysis of this binary from our sandbox (and in XML).

Update: LURHQ has also an update on Mocbot Spam Analysis.

Honeypot Compromises I

Tuesday, August 15. 2006
Some time ago I blogged about several compromises at our honeypots deployed in Germany. Now it is time for an update and a closer look at what happened during these incidents. Today we will take a closer look at the compromise of a Suse 9.1 honeypot with a vulnerable Horde Framework. The attacker installed several scripts on the honeypot and also tried to set up a phishing web site.

Motivation:
On May 5th 2006 our Suse 9.1 based honeypot was attacked and successfully compromised by exploiting a vulnerable web application, the Horde Application Framework. The vulnerability could be exploited by a remote attacker to execute arbitrary commands with the privileges of the running Apache webserver process. The flaw is due to an input validation error in the help viewer of the application. The vulnerability was first discovered in March 2006 and affects all Horde Application Framework versions prior to 3.1.1.

The full analysis was written by Jan Göbel during his thesis work.

MS06-040 and Related Malware

Monday, August 14. 2006
The Internet Storm Center has a nice write-up with links regarding MS06-040 and the malware related to exploits of this vulnerability. Currently, there are mainly two bots that take advantage of this vulnerability:

MD5 FILENAME
9928a1e6601cf00d0b7826d13fb556f0 wgareg.exe
2bf2a4f0bdac42f4d6f8a062a7206797 wgavm.exe

With the help of our sandbox, it is possible to get a quick analysis of both of them. You can find this analysis at wgareg.exe-cwsandbox.html (or for the XML output: wgareg.exe-cwsandbox.xml) and wgavm.exe-cwsandbox.html (XML: wgavm.exe-cwsandbox.xml). CWSandbox is able to extract enough information to get a first insight into what the binaries do. The main IRC server used for Command & Control is revealed (bniu.househot.com), together with the nick and user name the bots use.

In addition, we now also have a system to keep track of AV signatures in different AV engines (thanks to Jan Göbel for implementing most parts of it during his thesis!). This allows us to track when a certain AV engine added a signature that detects a new binary. Below you can find a sample output for wgareg.exe:

Virus scanner analysis for MD5 9928a1e6601cf00d0b7826d13fb556f0:
AntiVir
--------
Signature Update: 2006-08-12 14:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.84
Result: OK

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Worm/IRCBot.9609

BitDefender
---------------
Signature Update: 2006-08-12 22:40:05
Product Version: 7.0.2492
Signature Version: 444351
Result: Generic.Malware.IXdld.658BDD6B

Signature Update: 2006-08-13 12:40:05
Product Version: 7.0.2492
Signature Version: 444407
Result: Backdoor.IRCBot.ST

ClamAV
---------
Signature Update: 2006-08-12 17:40:05
Product Version: 0.88.2
Signature Version: 1650
Result: OK

Signature Update: 2006-08-13 14:40:05
Product Version: 0.88.2
Signature Version: 1654
Result: Trojan.IRCBot-689


The signatures for the binary with MD5 2bf2a4f0bdac42f4d6f8a062a7206797 look similar.
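The scanner reports in this post and in the MS06-040 update above share one plain-text layout: an engine name over a rule of dashes, then one record per signature update. What a practitioner actually wants out of such a tracker is the answer to "how long after we first scanned the sample did each engine start detecting it, and under which names". The following Python is an added example of that computation, not the tracker Jan Göbel built; the report text it parses is a constructed copy of the AntiVir and BitDefender entries from the wgareg.exe output above, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample input in the layout of the scanner reports on this page
# (AntiVir and BitDefender entries copied from the wgareg.exe report).
SAMPLE_REPORT = """\
Virus scanner analysis for MD5 9928a1e6601cf00d0b7826d13fb556f0:
AntiVir
--------
Signature Update: 2006-08-12 14:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.84
Result: OK

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Worm/IRCBot.9609

BitDefender
---------------
Signature Update: 2006-08-12 22:40:05
Product Version: 7.0.2492
Signature Version: 444351
Result: Generic.Malware.IXdld.658BDD6B

Signature Update: 2006-08-13 12:40:05
Product Version: 7.0.2492
Signature Version: 444407
Result: Backdoor.IRCBot.ST
"""

HEADER_RE = re.compile(r"^Virus scanner analysis for MD5 ([0-9a-f]{32}):$")
RULE_RE = re.compile(r"^-{3,}$")
FIELDS = {"Signature Update": "update", "Product Version": "product",
          "Signature Version": "sigver", "Result": "result"}


def parse_report(text):
    """Return (md5, {engine: [scan, ...]}). An engine section is a name line
    followed by a rule of dashes; each scan is four "Key: value" lines and is
    closed by its "Result:" line. Unknown lines raise instead of being skipped."""
    md5, engines, engine, scan = None, {}, None, {}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if not line or RULE_RE.match(line):
            continue
        m = HEADER_RE.match(line)
        if m:
            md5 = m.group(1)
            continue
        if i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            engine = line                      # name line above a dash rule
            engines[engine] = []
            continue
        key, _, value = line.partition(":")
        if key not in FIELDS or engine is None:
            raise ValueError("unexpected line: %r" % line)
        field, value = FIELDS[key], value.strip()
        if field == "update":
            value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        scan[field] = value
        if field == "result":                  # "Result:" closes one record
            engines[engine].append(scan)
            scan = {}
    return md5, engines


def detection_timeline(engines):
    """Per engine: first scan time, first detecting update and its signature
    version, the lag in hours between the two, and every distinct label used.
    The lag is a lower bound: it counts from when the tracker first scanned the
    sample, not from when the sample appeared in the wild. Labels are kept as a
    list because engines rename detections between updates (BitDefender above
    goes from a generic label to a family name)."""
    out = {}
    for engine, scans in engines.items():
        scans = sorted(scans, key=lambda s: s["update"])
        hits = [s for s in scans if s["result"] != "OK"]   # "OK" = no detection
        row = {"first_scan": scans[0]["update"], "detected": None,
               "sigver": None, "lag_hours": None, "names": []}
        if hits:
            row["detected"] = hits[0]["update"]
            row["sigver"] = hits[0]["sigver"]
            delta = hits[0]["update"] - row["first_scan"]
            row["lag_hours"] = round(delta.total_seconds() / 3600, 2)
            row["names"] = list(dict.fromkeys(h["result"] for h in hits))
        out[engine] = row
    return out


def analyze(text):
    """Parse one report and return its detection timeline keyed by engine."""
    return detection_timeline(parse_report(text)[1])


if __name__ == "__main__":
    for engine, row in analyze(SAMPLE_REPORT).items():
        print("%-12s detected=%s sigver=%s lag=%sh names=%s" % (
            engine, row["detected"], row["sigver"], row["lag_hours"], row["names"]))
```

Run as a script it prints one line per engine; on the sample above AntiVir needs 25 hours from the first scan until signature version 6.35.1.85 fires, while BitDefender already flags the file on its first scan, though only with a generic name. Treating "OK" as the single non-detection value is deliberate: any other string counts as a hit, so an engine that switches names is still credited with its earliest detection rather than its latest label.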

Silence at the blog

Monday, August 14. 2006
Hi everyone,

after a long time, finally another blog post from me. I was quite busy in the last few weeks, mainly due to moving from Aachen to Mannheim. Most of the stuff has now settled down, so I am starting to blog again.

In case you wonder why you land at this site when you open up http://tracking-hackers.com: Lance was kind enough to donate this DNS entry to me. In the future, I will also post some basic documents regarding honeypots here, so that you find what you are looking for...

Cheers,
Thorsten