Educause Security Discussion mailing list archives
[Fwd: [unisog] Info on Gaobot.AFJ]
From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Fri, 30 Apr 2004 07:34:21 +0200
This is an excellent summary of current activity by Brian Eckman of the University of Minnesota, a poster to this list. He sums up what many of us have been trying to get across: "If you don't think you have or have had a gaobot problem, I fear you might be dead wrong." I am re-posting this here at the risk of being annoying. If you are a CISO or CITO and have not heard anything from your staff about their efforts against this type of exploit, share this email with them.

-------- Original Message --------
Subject: [unisog] Info on Gaobot.AFJ
Date: Thu, 29 Apr 2004 16:14:24 -0500
From: Brian Eckman <eckman () umn edu>
Reply-To: UNIversity Security Operations Group <unisog () lists sans org>
To: unisog () lists sans org

I know some Universities are seeing hosts infected with Gaobot.AFJ, and more with variants just like it. I have analyzed what Symantec detects as Gaobot.AFJ, and have some details that people might find helpful.

First off, it really should be called Polybot/Phatbot and not Gaobot/Agobot. Second, it is mostly like what McAfee is calling W32/Gaobot.worm.ali. I'll outline differences below:

McAfee URL (I've posted it here before, recently :)
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006

I've seen it as %SystemRoot%\System32\WMIPSVSC.EXE and %SystemRoot%\System32\WMIPRVSC.EXE

Both files are essentially the same, but the MD5s are different. This is probably because Polybot is polymorphic.

The registry keys are just like McAfee's writeup, except they will be like:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Microsoft Update" = wmipsvsc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  "Microsoft Update" = wmipsvsc.exe

It tries to connect to three different DNS names to find its DNS controller. It tries:

ph4tbackupz4.alt-bin.com:7000/tcp (131.96.173.146, status: host down)
ph4tbitch4.no-ip.info:7000/tcp (10.10.10.10)
ph4tbackupz4.no-ip.info:7000/tcp (63.215.241.236, status: host up, no IRC server present)

It is possible that 7000/tcp will actually be stunnel, pointing to 6667/tcp on the same host. This is presumably to encrypt the IRC traffic to make the botnet harder to find. Variants of Gaobot/Polybot have been doing this for some time, often using 1331/tcp for stunnel.

If Gaobot.AFJ can connect to its IRC server, it will be fully active. It will look for a huge list of running processes, and terminate them if they are running. Processes include AntiVirus software, Ethereal, MSconfig, Regedit, etc. (some or all of these processes might be terminated even before it connects to the IRC server). However, it searches for active processes by name, so if you make a copy of regedit.exe and call it something different, it should run. You can then remove the keys for wmipsvsc.exe and reboot. Then, the file will no longer be hidden from Windows (it hides itself, but cannot do that if it is not running), and you can delete it from a command prompt, Explorer, et al.

Note that the above paragraph is likely relevant for any modern variant of Polybot. Replace wmipsvsc.exe with whatever name your variant is using, and it will often work. Note that all variants of Gaobot/Polybot allow the IRC channel op to download and install additional software on infected computers, so the above might not be all that is needed to make a computer "clean". Remember also that these newer variants are sniffing and sending screen captures back to the IRC channel op, so users should change passwords on a clean computer ASAP after infection is noticed.

There are several variants of this same type of worm out there, and they are successfully exploiting the LSASS flaw in MS04-011 as one method of spreading. We all likely have hundreds or even thousands of unpatched hosts on our network, so prevention is ideal, but early detection of infected hosts on your network is an absolute *must* if you want to contain this.

Polybot variants may try to spread via various exploits over TCP ports 80, 135, 139, 445, 1434, 2745, 3127, 3410, 5000, 6129, and others I've forgotten or just missed. Note it is almost always a subset of those ports/vulnerabilities, and not every single one. Fully patched machines are not necessarily safe, as it throws a laundry list of username/password combos at hosts trying to get in via "weak" passwords. Some of the passwords it tries are not ones some admins would call "weak".

You absolutely cannot count on antivirus software to protect you from gaobot/polybot. New variants are coming out daily. McAfee reports that there have been over 900 variants so far, most of which have likely come in the last six months. If you don't think you have or have had a gaobot problem, I fear you might be dead wrong. This is one of the most successful worms in history that nobody has heard of.

Check for flows to bogon hosts such as 1.3.3.7, 10.0.1.128 and 31.3.3.7. Common TCP ports used for the IRC communication have been 1331, 6667 and 7000, but each variant can use whatever it chooses.

If you suspect a host has Gaobot/Polybot, you might want to nMap it (use -p 1-65535 of course). It most likely has two or more "odd" ports open. If you telnet to those odd ports, and one of the following happens, chances are good that you have a 'bot:

1. If it replies "220 Welcome to Bot FTP Service", you have Gaobot
2. If it replies "220 Bot Server (Win32)", you have Polybot
3. If it throws a ton of garbage at you, you probably have Gaobot. Try other ports to see if any match #1 or #2 above.

If you use netcat to connect to the port that causes #3 to happen, and pipe the output to a file, you will have a copy of the binary with four extra bytes at the front of it. If you delete the first four bytes in a hex editor and save it, you should have an actual copy of the virus binary. However, modern Polybot variants no longer send themselves automatically upon connection, so this won't always work for you.

Good luck out there,
Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
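As an added example (not part of Brian's post or of the EDUCAUSE archive), the following Python script turns the detection advice in the message above into something you can run against your own flow logs: it flags source hosts with flows to the bogon addresses 1.3.3.7, 10.0.1.128 and 31.3.3.7 or to the common IRC ports 1331, 6667 and 7000, and it maps the banner a suspect port returns to the family the post associates with it. The flow record format, the sample records (built from RFC 5737 documentation addresses, not real hosts) and the 20% non-printable threshold used to recognise the "ton of garbage" case are all assumptions of this example.

```python
"""Detection helpers for the Gaobot/Polybot indicators in Brian Eckman's post.

Added example, not part of the original message. Two pieces:
  1. suspicious_hosts(): scan netflow-style records for flows to the bogon
     hosts and the common IRC C2 ports the post names.
  2. classify_banner(): map the banner a suspect port returns to the family
     the post associates with it.
"""

# Indicators quoted from the post.
BOGON_HOSTS = {"1.3.3.7", "10.0.1.128", "31.3.3.7"}
IRC_PORTS = {1331, 6667, 7000}
BANNERS = {
    "220 Welcome to Bot FTP Service": "Gaobot",
    "220 Bot Server (Win32)": "Polybot",
}
# Assumption: a reply with more than this fraction of non-printable
# characters is treated as the "ton of garbage" (binary push) case.
BINARY_THRESHOLD = 0.2

# Constructed sample flows (RFC 5737 documentation addresses, not real
# hosts). Assumed record format:
#   "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>"
SAMPLE_FLOWS = [
    "2004-04-29T10:01:05 192.0.2.17:1042 -> 1.3.3.7:7000 tcp 312",
    "2004-04-29T10:01:09 192.0.2.17:1043 -> 203.0.113.5:7000 tcp 88",
    "2004-04-29T10:02:11 192.0.2.200:3421 -> 198.51.100.20:80 tcp 5120",
    "2004-04-29T10:03:40 192.0.2.33:1101 -> 31.3.3.7:6667 tcp 201",
    "2004-04-29T10:04:02 192.0.2.200:1900 -> 198.51.100.9:7000 udp 64",
    "garbled record",
]


def parse_flow(line):
    """Parse one record into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return {
            "ts": parts[0],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": parts[4].lower(), "bytes": int(parts[5]),
        }
    except ValueError:
        return None


def flag_flow(flow):
    """Return the list of indicators a single flow matches (empty if none)."""
    reasons = []
    if flow["dst_ip"] in BOGON_HOSTS:
        reasons.append("bogon-dst")
    # The post's IRC ports are TCP; a UDP hit on 7000 is not the same signal.
    if flow["proto"] == "tcp" and flow["dst_port"] in IRC_PORTS:
        reasons.append("irc-port")
    return reasons


def suspicious_hosts(lines):
    """Map each source IP that hit any indicator to its sorted reasons."""
    hits = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip unparseable records rather than abort the scan
        reasons = flag_flow(flow)
        if reasons:
            hits.setdefault(flow["src_ip"], set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}


def classify_banner(data):
    """Classify the raw bytes a suspect port returned on connect."""
    text = data.decode("latin-1").strip()
    if not text:
        return "unknown"
    for prefix, family in BANNERS.items():
        if text.startswith(prefix):
            return family
    garbage = sum(1 for ch in text if not ch.isprintable()) / len(text)
    if garbage > BINARY_THRESHOLD:
        return "Gaobot (binary push)"
    return "unknown"


if __name__ == "__main__":
    for ip, reasons in sorted(suspicious_hosts(SAMPLE_FLOWS).items()):
        print(f"{ip}: {', '.join(reasons)}")
    print(classify_banner(b"220 Bot Server (Win32)\r\n"))
```

Feed suspicious_hosts() the lines of a flow export in the assumed format (or adapt parse_flow() to your collector's layout); a host that shows up with "bogon-dst" is the strongest signal, since nothing legitimate on campus should be talking to 1.3.3.7. classify_banner() takes whatever bytes you captured from a suspect port; a banner that matches neither string but is mostly non-printable corresponds to case #3 in the post.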