
Zafi Alert

infectionvectors.com

December 2004

Vector: Email

Impact: Medium (backdoor is opened, network traffic from mass mail)

Zafi (also called Erkez) has found great success in the mass mailing game. Originally released in April of 2004, the worm appeared to be politically motivated, displaying a message calling for change in Hungary (the worm displayed the message on May 1, 2004 – the date Hungary joined the EU). The original version of the worm attempted to target only Hungarian domains.

 

In early June of 2004 another version of Zafi was released, this time with a “demand” for the death penalty in Hungary. The success of the first worm was replicated: again the worm found its way into the Inboxes of thousands of users around the world. During the last week of October 2004 another variant surfaced, this time aiming at the Hungarian Prime Minister; Zafi.C also launched a denial of service attack against the Prime Minister’s website. The email associated with this variant, however, did not carry a political message.

 

Zafi.D surfaced in December of 2004, posing as a Christmas greeting. Sophos reported that this variant accounted for 10% of all email traffic during one point on December 15.

http://www.sophos.com/virusinfo/articles/zafid2.html

 

Zafi.D carries no DoS routine or other destructive payload (although it does appear to attempt a connection to www.microsoft.com). The worm does open a backdoor on the infected machine (TCP 8181) through which it downloads additional code. Zafi propagates via a fairly standard mass-mailing routine: it hooks the local machine’s Registry to start up automatically, scans the local hard disk for email addresses, and uses its own SMTP engine to deliver new copies of itself to other users.

 

Zafi’s attachments arrive with BAT, CMD, COM, PIF, or ZIP extensions. Each email is assembled from the possible attachment extensions, 14 subject lines, 14 message bodies, a spoofed From address, and a small picture file of two smiley-face characters. The messages have the following characteristics:

 

Subject:

 

boldog karacsony...

Buon Natale!

Christmas - Kartki!

Christmas Kort!

Christmas pohlednice

Christmas postikorti!

Christmas Postkort!

Christmas Vykort!

ecard.ru

Feliz Navidad!

Joyeux Noel!

Merry Christmas!

Prettige Kerstdagen!

Weihnachten card.

 

Message body:

 

Buon Natale!

Feliz Navidad!

Fröhliche Weihnachten!

Glaedelig Jul!

God Jul!

Happy HollyDays!

Iloista Joulua!

Joyeux Noel!

Kellemes Unnepeket!

Naujieji Metai!

Prettige Kerstdagen!

Veselé Vánoce!

Wesolych Swiat!

 

(Note: each of these has a common second line, “:) [sender’s address]”.)

 

Mitigation

 

Zafi does not present any unique challenges to security administrators: it is widely distributed and carries a relatively well-crafted message, like Beagle, and it relies upon an attachment to reach a user's Inbox, like most mass mailers. Stripping attachments with the extensions listed above at the mail gateway is the easiest way to defend against Zafi. It does have a static set of subject lines, but filtering on subject lines does not scale well as a defense.
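As an added illustration of the gateway defense described here (not code from infectionvectors.com), the following Python checks a raw message against the Zafi.D characteristics listed above: the blocked attachment extensions, the fixed subject lines, and the “:) [sender’s address]” second body line. The sample message, addresses and filenames are constructed for the demonstration.

```python
import email
import posixpath
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert text above.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".com", ".pif", ".zip"}
ZAFI_SUBJECTS = {
    "boldog karacsony...", "buon natale!", "christmas - kartki!", "christmas kort!",
    "christmas pohlednice", "christmas postikorti!", "christmas postkort!",
    "christmas vykort!", "ecard.ru", "feliz navidad!", "joyeux noel!",
    "merry christmas!", "prettige kerstdagen!", "weihnachten card.",
}
# The common second body line: a smiley followed by the (spoofed) sender address.
BODY_SECOND_LINE = re.compile(r"^:\)\s+\S+@\S+$")


def classify_message(raw: bytes) -> dict:
    """Report which Zafi.D indicators a raw RFC 822 message matches.

    'strip' is the gateway decision from the alert: drop any attachment whose
    extension is in the blocked set, regardless of subject or body.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"blocked_attachments": [], "subject_match": False, "body_match": False}
    for part in msg.walk():
        name = part.get_filename()
        if name and posixpath.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            findings["blocked_attachments"].append(name)
    subject = (msg.get("Subject") or "").strip().lower()
    findings["subject_match"] = subject in ZAFI_SUBJECTS
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        lines = body.get_content().splitlines()
        findings["body_match"] = len(lines) >= 2 and bool(BODY_SECOND_LINE.match(lines[1].strip()))
    findings["strip"] = bool(findings["blocked_attachments"])
    return findings


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed sample message in the shape the alert describes (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.net"  # placeholder spoofed sender
    msg["To"] = "recipient@example.org"  # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 16, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("Merry Christmas!", "Feliz Navidad!\n:) spoofed@example.net\n", "postcard.zip")))
```

The attachment-extension check alone drives the strip decision; the subject and body matches are reported only as supporting indicators, since the alert notes that subject-line filtering does not scale.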

 

Copyright © 2004 infectionvectors.com. All rights reserved.