Educause Security Discussion mailing list archives

[Fwd: [unisog] Info on Gaobot.AFJ]


From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Fri, 30 Apr 2004 07:34:21 +0200

This is an excellent summary of current activity by Brian Eckman of the
University of Minnesota, a poster to this list.  He sums up what many of
us have been trying to get across:

"If you don't think you have or have had a gaobot problem, I fear you
might be dead wrong."

I am re-posting this here at the risk of being annoying.  If you are a
CISO or CITO and have not heard anything from your staff about their
efforts against this type of exploit, share this email with them.

-------- Original Message --------
Subject: [unisog] Info on Gaobot.AFJ
Date: Thu, 29 Apr 2004 16:14:24 -0500
From: Brian Eckman <eckman () umn edu>
Reply-To: UNIversity Security Operations Group <unisog () lists sans org>
To: unisog () lists sans org

I know some Universities are seeing hosts infected with Gaobot.AFJ, and
more with variants just like it. I have analyzed what Symantec detects
as Gaobot.AFJ, and have some details that people might find helpful.

First off, it really should be called Polybot/Phatbot and not
Gaobot/Agobot. Second, it is mostly like what McAfee is calling
W32/Gaobot.worm.ali. I'll outline differences below:

McAfee URL (I've posted it here before, recently :)
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006

I've seen it as
%SystemRoot%\System32\WMIPSVSC.EXE
and
%SystemRoot%\System32\WMIPRVSC.EXE

Both files are essentially the same, but the MD5s are different. This is
probably because Polybot is polymorphic. The registry keys are just like
McAfee's writeup, except they will be like:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Update" = wmipsvsc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update" = wmipsvsc.exe

It tries to connect to three different DNS names to find its DNS
controller. It tries:

ph4tbackupz4.alt-bin.com:7000/tcp   (131.96.173.146, status: host down)
ph4tbitch4.no-ip.info:7000/tcp      (10.10.10.10)
ph4tbackupz4.no-ip.info:7000/tcp    (63.215.241.236, status: host up, no IRC server present)

It is possible that 7000/tcp will actually be stunnel, pointing to
6667/tcp on the same host. This is presumably to encrypt the IRC traffic
to make the botnet harder to find. Variants of Gaobot/Polybot have been
doing this for some time, often using 1331/tcp for stunnel.

If Gaobot.AFJ can connect to its IRC server, it will be fully active.
It will look for a huge list of running processes, and terminate them if
they are running. Processes include AntiVirus software, Ethereal,
MSconfig, Regedit, etc. (some or all of these processes might be
terminated even before it connects to the IRC server). However, it
searches for active processes by name, so if you make a copy of
regedit.exe and call it something different, it should run. You can then
remove the keys for wmipsvsc.exe and reboot. Then, the file will no
longer be hidden from Windows (it hides itself, but cannot do that if it
is not running), and you can delete it from a command prompt, Explorer,
et al.

Note that the above paragraph is likely relevant for any modern variant
of Polybot. Replace wmipsvsc.exe with whatever name your variant is
using, and it will often work.

Note that all variants of Gaobot/Polybot allow the IRC channel op to
download and install additional software on infected computers, so the
above might not be all that is needed to make a computer "clean".
Remember also that these newer variants are sniffing and sending screen
captures back to the IRC channel op, so users should change passwords on
a clean computer ASAP after infection is noticed.

There are several variants of this same type of worm out there, and they
are successfully exploiting the LSASS flaw in MS04-011 as one method of
spreading. We all likely have hundreds or even thousands of unpatched
hosts on our network, so prevention is ideal, but early detection of
infected hosts on your network is an absolute *must* if you want to
contain this. Polybot variants may try to spread via various exploits
over TCP ports 80, 135, 139, 445, 1434, 2745, 3127, 3410, 5000, 6129,
and others I've forgotten or just missed. Note it is almost always a
subset of those ports/vulnerabilities, and not every single one. Fully
patched machines are not necessarily safe, as it throws a laundry list
of username/password combos at hosts trying to get in via "weak"
passwords. Some of the passwords it tries are not ones some admins would
call "weak".

You absolutely cannot count on antivirus software to protect you from
gaobot/polybot. New variants are coming out daily. McAfee reports that
there have been over 900 variants so far, most of which have likely
come in the last six months.

If you don't think you have or have had a gaobot problem, I fear you
might be dead wrong. This is one of the most successful worms in history
that nobody has heard of. Check for flows to bogon hosts such as
1.3.3.7, 10.0.1.128 and 31.3.3.7. Common TCP ports used for the IRC
communication have been 1331, 6667 and 7000, but each variant can use
whatever it chooses.

If you suspect a host has Gaobot/Polybot, you might want to nMap it (use
-p 1-65535 of course). It most likely has two or more "odd" ports open.
If you telnet to those odd ports, and one of the following happens,
chances are good that you have 'bot:

1. If it replies "220 Welcome to Bot FTP Service", you have Gaobot
2. If it replies "220 Bot Server (Win32)", you have Polybot
3. If it throws a ton of garbage at you, you probably have Gaobot. Try
other ports to see if any match #1 or #2 above.

If you use netcat to connect to the port that causes #3 to happen, and
pipe the output to a file, you will have a copy of the binary with four
extra bytes at the front of it. If you delete the first four bytes in a
hex editor and save it, you should have an actual copy of the virus
binary. However, modern Polybot variants no longer send themselves
automatically upon connection, so this won't always work for you.

Good luck out there,
Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

_______________________________________________
unisog mailing list
unisog () lists sans org
http://www.dshield.org/mailman/listinfo/unisog
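The two detection checks Brian describes (flows to the listed bogon hosts or to the usual IRC control ports, and the banner seen when connecting to an "odd" open port) can be scripted. This is an added example, not code from the post or from either university; the flow records are constructed, the flow-line format (src dst dport proto) is an assumption, and the "garbage" heuristic for case #3 is a simple non-printable-byte ratio of my own choosing.

```python
import re

# Indicators quoted in the post: bogon hosts seen as controllers, and the
# TCP ports commonly used for the IRC command channel.
BOGON_HOSTS = {"1.3.3.7", "10.0.1.128", "31.3.3.7"}
IRC_PORTS = {1331, 6667, 7000}

# Constructed sample flow records (src dst dport proto); not real captures.
SAMPLE_FLOWS = """\
192.0.2.15 1.3.3.7 7000 tcp
192.0.2.15 192.0.2.1 53 udp
192.0.2.77 31.3.3.7 1331 tcp
192.0.2.22 203.0.113.9 6667 tcp
192.0.2.22 203.0.113.9 443 tcp
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")

def classify_flow(line):
    """Return a reason string if the flow matches a Gaobot/Polybot indicator, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    if proto.lower() != "tcp":
        return None
    if dst in BOGON_HOSTS:
        return f"{src} -> bogon host {dst}:{dport}"
    if dport in IRC_PORTS:
        return f"{src} -> IRC-style port {dst}:{dport}"
    return None

def suspicious_hosts(flow_text):
    """Map each internal source address to the indicator hits it produced."""
    hits = {}
    for line in flow_text.splitlines():
        reason = classify_flow(line)
        if reason:
            hits.setdefault(line.split()[0], []).append(reason)
    return hits

# Banners from cases #1 and #2 in the post.
BANNER_RULES = [
    ("220 Welcome to Bot FTP Service", "Gaobot (FTP-style bot server)"),
    ("220 Bot Server (Win32)", "Polybot"),
]

def classify_banner(banner):
    """Interpret bytes read from an odd open port, following the post's three cases."""
    text = banner.decode("latin-1", errors="replace")
    for prefix, verdict in BANNER_RULES:
        if text.startswith(prefix):
            return verdict
    # Case #3: a long run of mostly non-printable bytes (the bot pushing its binary).
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in banner)
    if len(banner) > 64 and printable / len(banner) < 0.6:
        return "probable Gaobot (binary pushed on connect)"
    return "unknown"
```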
