
mNW Alert: Iraq Worm propagating via tcp/445
This info is available here on DSLR FIRST!:
Time to learn about 'Null Sessions' boys and girls:
This worm utilizes Windows Null Sessions against Windows 2000 and XP systems to enumerate user account names and group memberships... then it launches a simple brute force dictionary attack against all discovered user names. We suspect the number of infected hosts is already in the thousands, and expect many more infections as there are many hosts poorly secured against this type of mechanized attack.
Full details are here: mNW Research Note: IraqiWorm
Many thanks to psloss and 'steve' for their tireless help in analyzing this one.
This was a very validating experience...using aggregated event data to identify abnormal trend, focus analysis on that specific target type, BAM auto-worm detection. -- Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
No modifications made to the contents of this post --WCB! [text was edited by moderator]
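What Lawrence describes above as using aggregated event data to spot an abnormal trend can be reduced to one rule from a firewall-log vantage point: a single source opening tcp/445 connections to many distinct hosts in a short window, which is what the null-session enumeration and the following dictionary attack look like from outside the hosts. The Python below is an added illustration of that rule, not code from myNetWatchman, from Steve's research page, or from anyone in this thread; the log line format, the IP addresses and the threshold values are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed key=value form (not real mNW data):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp action=<accept|drop>"
# 10.0.0.5 sweeps eight hosts on 445 in a few seconds (worm-like behaviour),
# 10.0.0.9 talks to one file server repeatedly (ordinary SMB use),
# 10.0.0.7 touches three hosts spread over forty minutes (below the default bar).
SAMPLE_LOG = """\
2002-12-16T18:00:01 src=10.0.0.5 dst=192.0.2.10 dport=445 proto=tcp action=drop
2002-12-16T18:00:02 src=10.0.0.5 dst=192.0.2.11 dport=445 proto=tcp action=drop
2002-12-16T18:00:02 src=10.0.0.5 dst=192.0.2.12 dport=445 proto=tcp action=accept
2002-12-16T18:00:03 src=10.0.0.5 dst=192.0.2.13 dport=445 proto=tcp action=drop
2002-12-16T18:00:04 src=10.0.0.5 dst=192.0.2.14 dport=445 proto=tcp action=drop
2002-12-16T18:00:05 src=10.0.0.5 dst=192.0.2.15 dport=445 proto=tcp action=drop
2002-12-16T18:00:06 src=10.0.0.5 dst=192.0.2.16 dport=445 proto=tcp action=drop
2002-12-16T18:00:07 src=10.0.0.5 dst=192.0.2.17 dport=445 proto=tcp action=drop
2002-12-16T18:00:08 src=10.0.0.5 dst=192.0.2.12 dport=445 proto=tcp action=accept
2002-12-16T18:00:10 src=10.0.0.9 dst=192.0.2.50 dport=445 proto=tcp action=accept
2002-12-16T18:01:10 src=10.0.0.9 dst=192.0.2.50 dport=445 proto=tcp action=accept
2002-12-16T18:02:10 src=10.0.0.9 dst=192.0.2.50 dport=445 proto=tcp action=accept
2002-12-16T18:00:30 src=10.0.0.7 dst=192.0.2.20 dport=445 proto=tcp action=accept
2002-12-16T18:20:30 src=10.0.0.7 dst=192.0.2.21 dport=445 proto=tcp action=accept
2002-12-16T18:40:30 src=10.0.0.7 dst=192.0.2.22 dport=445 proto=tcp action=accept
2002-12-16T18:00:40 src=10.0.0.5 dst=192.0.2.60 dport=80 proto=tcp action=accept
"""


def parse_line(line):
    """Parse one key=value log line into a dict with a datetime timestamp."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "action": fields.get("action", ""),
    }


def find_smb_sweepers(lines, window_minutes=5, min_targets=5):
    """Return {src: max distinct tcp/445 targets seen within any window}
    for every source that reaches min_targets distinct hosts in a window.

    Dropped and accepted connections both count: a worm probing for
    null-session access generates both, and the sweep pattern is the signal.
    """
    window = timedelta(minutes=window_minutes)
    events = [parse_line(l) for l in lines if l.strip()]
    smb = [e for e in events if e["proto"] == "tcp" and e["dport"] == 445]

    by_src = defaultdict(list)
    for e in smb:
        by_src[e["src"]].append((e["ts"], e["dst"]))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        # Sliding window over the time-sorted hits for this source.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in find_smb_sweepers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct tcp/445 targets in a 5-minute window")
```

With the defaults only 10.0.0.5 is reported; relaxing the rule to three targets in an hour also flags 10.0.0.7, which is the trade-off an operator tunes against the amount of legitimate SMB traffic crossing the monitored boundary. The same counting works on any source of aggregated connection records as long as `parse_line` is adapted to the format.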
Steve | Re: mNW Alert: 'IraqWorm' propagating via tcp/445
This has been a fun collaboration.
Lawrence's great myNetWatchman service detected this, and he's been able to see how it's spreading. Philip and Lawrence did dynamic analysis on a running system and are now probably sick of packet traces. I've been doing static analysis of the binary, reverse engineering it back to C++. I'm still working on the fine points of the code, but we're sure we know exactly what this worm does.
Steve -- Stephen J. Friedl, Security Consultant, Tustin, California USA
reply to NetWatchMan: I would have figured it would have a larger dictionary of possible passwords.
phriday613 | reply to NetWatchMan: Awesome collaboration, and excellent work to all 3 of you for a good catch!
Keep up the good work!
Krispy | reply to NetWatchMan: Yes, these guys rock like 12,000 men. I've already started warning infected subscribers thanks to the quick analysis (and lack of sleep) of these guys.
Steve | reply to NetWatchMan: NetWatchMan and psloss are the only ones to talk to about the dynamic/propagation/infection issues, but those who want to see the reverse engineered worm in progress (which is newer than the one linked in Lawrence's advisory) can find it on my research page:
www.unixwiz.net/iraqworm/
Steve
edit: moved the link -- Stephen J. Friedl, Security Consultant, Tustin, California USA [text was edited by author 2002-12-16 18:55:24]
pH1 | reply to Krispy
said by Krispy: Yes, these guys rock like 12,000 men. I've already started warning infected subscribers thanks to the quick analysis (and lack of sleep) of these guys.
I think you guys blocked port 445 a while back too, right?
Krispy | said by pH1: I think you guys blocked port 445 a while back too, right?
Nope
reply to NetWatchMan: Wow! What a great job. Thanks, guys, I am off to warn my buds. -- It takes a disaster to make a woman out of a female
reply to NetWatchMan: Can I please have the binary of this worm sent to virus@gladiator-antivirus.com?
I will include it in detection. -- GAV - Gladiator AntiVirus - www.gladiator-antivirus.com
Steve | It's on my web site: www.unixwiz.net/iraqworm/
Steve [text was edited by author 2002-12-16 18:57:48]
Steve | reply to NetWatchMan: Woo hoo! This thread made Front Page News
reply to NetWatchMan: OK, this worm is detected by GAV since pattern version 0.5.0.
The worm is UPX 1.23 compressed.
Gladiator -- GAV - Gladiator AntiVirus - www.gladiator-antivirus.com
Steve | Then this is a different worm: there is no UPX in the one we have analyzed. I did the disassembly myself.
Steve [text was edited by author 2002-12-16 19:45:24]
reply to NetWatchMan: It's UPX 1.23 compressed. And this worm does exactly what you describe... And it copies itself as "Iraq_Oil.exe" into system32. -- GAV - Gladiator AntiVirus - www.gladiator-antivirus.com
reply to NetWatchMan: The worm is 16896 bytes compressed and 40960 bytes expanded.
The worm was compressed on 13.12.2002 at 21:43. More questions? -- GAV - Gladiator AntiVirus - www.gladiator-antivirus.com
Steve | reply to Gladiator_AV: I've just been informed that the iraq_oil.exe I got was UPX packed but was uncompressed before it was given to me.
Sorry, Gladiator: you're right.
Steve -- Stephen J. Friedl, Security Consultant, Tustin, California USA
reply to NetWatchMan: You are welcome
psloss | said by Gladiator_AV: You are welcome
That's my bad... it's harder to figure out what these things do without unpacking them, and we gave Steve that version. The MD5 for the packed file is:
6FE6CE9373D784BCC5F65AB5CEE39010
Philip Sloss -- stuff@lupwa.org
reply to NetWatchMan: No problem at all. But I must look "into the files" before I make signatures. If GAV detects a UPX compressed file, it unpacks it before scanning; that's why I need to add a pattern for the uncompressed file.
Very good review/article anyway. Congrats -- GAV - Gladiator AntiVirus - www.gladiator-antivirus.com