Mytob Alert

infectionvectors.com

Updated: June 2005

Infection Vectors: Mass Mail, LSASS overflow

Impact: High (backdoor component, traffic generation)

Description:

February 2005

Mytob is a combination mass mailer/network worm whose routines closely resemble those found in popular "bot" kits such as SDbot. The bot component connects to an IRC channel (irc.blackcarder.net, TCP 6667) and carries the usual functionality: downloading and executing files. The worm can also report the system uptime to the controller.

Mytob's mass mailer includes the following subject line strings:

Error
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status

the following message bodies:

Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.

and uses generic-sounding attachment names such as "document," "readme," and "message" with single or double extensions. All of these characteristics make it very similar to MyDoom variants (especially early 2004 versions). The similarities don't end there: the composition of the worm is also very similar to MyDoom (at least the mass-mailing portions; the worm component is still under examination). In addition, the "do not send to" list, the way it may guess the SMTP server name of the target email address, and the way it builds "from" addresses are all MyDoom routines. This similarity is the reason for the name: F-Secure also noted these traits and named it "Mytob," an apparent takeoff on "My"Doom and SD"bot."

The worm also carries the ability to scan for and exploit machines that are vulnerable to the LSASS overflow from April 2004 (MS04-011). Unpatched machines should be shielded by filtering TCP 445. General mail defenses (scanning, blocking executable attachments) should be sufficient for perimeter defense. Monitoring connections to this worm's IRC server is also recommended. Expect future variants of this branch of MyDoom's family tree to change the IRC server as well as the email shell, the same way the original MyDoom and Beagle worms did.

Update: March 28, 2005

In the month since the original release of this hybrid code, Mytob has been tweaked and released over a dozen times. The malware displays the same traits as the original: a combination of MyDoom’s mass mailing components and the network worm/IRC bot pieces of Sdbot.

The worm’s email propagation uses the same 6 subject lines mentioned above, along with one addition: “Good day.” Other features, including the “From” fields and message bodies are the same as used in previous MyDoom variants.

The worm component continues to use the LSASS overflow (MS04-011).

IRC servers used in the current batch, for IDS signature or firewall rule use (using Symantec’s notation for easier lookup):

Mytob.F                bleh.darkacidonline.us
Mytob.E,G,H,I,J,R      blackcarder.net
Mytob.K                metalhead2005.info
Mytob.L,M,O,S          d66.myleftnut.info
Mytob.Q                m3t4lh34d.info

With the inclusion of the Sdbot code, there are a number of commands and functions available to the controller. Trend Micro reports seeing a variant that spreads via file shares here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2ER&VSect=T

Symantec notes that Mytob.R also employs the RPC DCOM overflow made famous in 2003 by Blaster:

http://www.symantec.com/avcenter/venc/data/w32.mytob.r@mm.html

So far, the alert level has remained low, indicating a small seeding of this worm. Standard email blocking rules will protect most users from the mass-mailed version, as it continues to use attachments with the following extensions: PIF, SCR, EXE, ZIP.

As for the two network propagation vectors, most corporate firewalls already block inbound access to TCP 135, 445, and other possible DCOM RPC-binding ports. Once an infection occurs on the inside, however, machines that are still unpatched for MS03-026/39 and MS04-011 may be compromised quickly if internal port filtering is not in place. Egress monitoring/blocking of IRC traffic (which virtually no business environment needs) will help detect these boxes if they exist.
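As an added example (not part of the original alert), the following Python script applies the two network recommendations above to constructed firewall log lines: it flags outbound connections to the IRC controllers listed in the March update (and any other outbound TCP 6667 session), and it flags an internal host that fans out to many peers on TCP 445 or 135, the ports used by the MS04-011 and MS03-026/39 exploits. The log line format, the IP addresses, the unlisted IRC host and the fan-out threshold are assumptions made for the example.

```python
"""Flag Mytob-style IRC egress and internal scanning in firewall logs (added example)."""
import re
from collections import defaultdict

# IRC controllers from the March 2005 table (Symantec variant letters).
# Matching includes subdomains, so irc.blackcarder.net from the February
# sample is covered by the blackcarder.net entry.
MYTOB_IRC_HOSTS = {
    "bleh.darkacidonline.us": "Mytob.F",
    "blackcarder.net": "Mytob.E,G,H,I,J,R",
    "metalhead2005.info": "Mytob.K",
    "d66.myleftnut.info": "Mytob.L,M,O,S",
    "m3t4lh34d.info": "Mytob.Q",
}
IRC_PORTS = {6667}                      # TCP 6667 per the February description
EXPLOIT_PORTS = {135: "MS03-026/39 (RPC DCOM)", 445: "MS04-011 (LSASS)"}
SCAN_THRESHOLD = 5                      # assumed: distinct internal targets on one port

# Assumed log format for the example (not a real product's format):
# <timestamp> <src_ip> -> <dst_host_or_ip>:<dst_port> <proto> <in|out|internal>
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp) (in|out|internal)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, direction = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "direction": direction}


def matches_irc_host(dst):
    """Return the variant label if dst is a listed controller or a subdomain of one."""
    for host, label in MYTOB_IRC_HOSTS.items():
        if dst == host or dst.endswith("." + host):
            return label
    return None


def analyze(lines):
    """Return a list of (source_ip, reason) alerts for the given log lines."""
    alerts = []
    fanout = defaultdict(set)   # (src, exploit port) -> internal hosts contacted
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["direction"] == "out" and rec["proto"] == "tcp":
            label = matches_irc_host(rec["dst"])
            if label:
                alerts.append((rec["src"], f"known Mytob IRC controller {rec['dst']} ({label})"))
            elif rec["port"] in IRC_PORTS:
                alerts.append((rec["src"], f"outbound IRC port {rec['port']} to {rec['dst']}"))
        if rec["direction"] == "internal" and rec["port"] in EXPLOIT_PORTS:
            fanout[(rec["src"], rec["port"])].add(rec["dst"])
    for (src, port), targets in fanout.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append((src, f"{len(targets)} internal hosts probed on TCP {port} "
                                f"({EXPLOIT_PORTS[port]})"))
    return alerts


SAMPLE_LOG = [  # constructed for the example; not captured traffic
    "2005-03-28T10:00:01 10.0.0.5 -> blackcarder.net:6667 tcp out",
    "2005-03-28T10:00:02 10.0.0.5 -> 10.0.0.11:445 tcp internal",
    "2005-03-28T10:00:02 10.0.0.5 -> 10.0.0.12:445 tcp internal",
    "2005-03-28T10:00:02 10.0.0.5 -> 10.0.0.13:445 tcp internal",
    "2005-03-28T10:00:03 10.0.0.5 -> 10.0.0.14:445 tcp internal",
    "2005-03-28T10:00:03 10.0.0.5 -> 10.0.0.15:445 tcp internal",
    "2005-03-28T10:00:04 10.0.0.9 -> 10.0.0.20:445 tcp internal",     # one file-share session
    "2005-03-28T10:00:05 10.0.0.7 -> smtp.example.com:25 tcp out",     # ordinary mail
    "2005-03-28T10:00:06 10.0.0.5 -> irc.example-chat.net:6667 tcp out",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

The single file-share session from 10.0.0.9 stays below the fan-out threshold, so only the host that both talks to a listed controller and sweeps five peers on TCP 445 is reported; tune `SCAN_THRESHOLD` to the normal SMB behaviour of the network before relying on it.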

 

Update: June 2005

In mid-June 2005, a new blast of Mytob variants hit the Internet. With slightly modified email messages and subject lines, the latest wave of code continues the tactic of changing code-packing methods to fool antivirus scanners. The use of "familiar" names in the "From:" fields (recall MyDoom's function that creates usernames from a pre-configured list as well as from harvested addresses) has been a source of some confusion for users who recognize one of the many common names and assume the mail is from a friend.

The current batch of Mytob variants is using the following set of Subject lines:

*DETECTED* Online User Violation
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed
You have successfully updated your password
Your Account is Suspended
Your Account is Suspended For Security Reasons
Your new account password is approved
Your password has been successfully updated
Your password has been updated

The messages warn of account suspension or password changes, hoping to entice the user into opening the attachment.
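As an added example, not code from the original alert, this Python script scores incoming mail against the indicators the page gives: the subject lines from the February/March and June waves, the blocked attachment extensions (PIF, SCR, EXE, ZIP) from the March update, and the generic attachment names with single or double extensions from the February description. It builds constructed sample messages with the standard library's email package; the sender and recipient addresses and the quarantine/review/deliver policy are assumptions for the example.

```python
"""Score mail against the Mytob indicators listed in the alert (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines from the February and March 2005 waves (page text)
SUBJECTS_EARLY_2005 = {
    "Error", "hello", "Mail Delivery System", "Mail Transaction Failed",
    "Server Report", "Status", "Good day",
}
# Subject lines from the June 2005 wave (page text)
SUBJECTS_JUNE_2005 = {
    "*DETECTED* Online User Violation", "Email Account Suspension",
    "Important Notification", "Members Support", "Notice of account limitation",
    "Security measures", "Warning Message: Your services near to be closed",
    "You have successfully updated your password", "Your Account is Suspended",
    "Your Account is Suspended For Security Reasons",
    "Your new account password is approved",
    "Your password has been successfully updated", "Your password has been updated",
}
KNOWN_SUBJECTS = {s.casefold() for s in SUBJECTS_EARLY_2005 | SUBJECTS_JUNE_2005}
BLOCKED_EXTENSIONS = {"pif", "scr", "exe", "zip"}   # March 2005 update
GENERIC_NAMES = {"document", "readme", "message"}    # February 2005 description


def attachment_findings(filename):
    """Return the indicator hits for one attachment file name."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    base, exts = parts[0], parts[1:]
    findings = []
    if exts[-1] in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension .{exts[-1]}")
    if len(exts) >= 2:                      # e.g. document.txt.pif
        findings.append("double extension " + ".".join(exts))
    if base in GENERIC_NAMES:
        findings.append(f"generic attachment name '{base}'")
    return findings


def scan_message(raw):
    """Parse an RFC 822 message and return (verdict, findings)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject.casefold() in KNOWN_SUBJECTS:
        findings.append(f"known Mytob subject line '{subject}'")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            findings.extend(attachment_findings(name))
    # Assumed policy: a blocked or double extension is quarantined outright;
    # a subject-line hit on its own is only routed for review.
    if any(f.startswith(("blocked extension", "double extension")) for f in findings):
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, findings


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message; addresses and payload are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "john@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("Your Account is Suspended", "See the attached document.", "document.txt.pif"),
        build_sample("Mail Delivery System", "Mail transaction failed. Partial message is available."),
        build_sample("Lunch?", "Noon at the usual place?"),
    ]
    for raw in samples:
        print(scan_message(raw))
```

A subject match alone is deliberately not a quarantine condition, since phrases such as "Status" or "Mail Delivery System" also occur in legitimate mail; the attachment rules carry the decision, which is the same ordering the alert's own advice follows.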

 

For additional Mytob information, please see the feature report, Mytob Infantry.

Copyright © 2005 infectionvectors.com. All rights reserved.