
  • Pipeline Worm Floods AIM with Botnet Drones

Proactive research on security threats is the key to catching hidden threats before they can collect confidential data, deliver adware, or take down a network. By the time researchers grab a threat, it has usually been doing the rounds for some time. Here, we've caught them early in the act of assembling what looks like a very sophisticated operation - in fact, we've caught it so early that many of the domains called by the first infection file aren't hosting infectious files yet.

How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad.

[Screenshot: http://blog.spywareguide.com/upload/2006/09/image23wrm3-thumb.jpg]

At this point, the downloaded .com file pulls down a file called csts.exe - and this is where things get interesting.

The file starts making calls to many, many domains - one of which is related to the Cuebot Worm that posed as the Windows Genuine Advantage Validation Notification.

The final port of call is a number of servers located in Korea, which the infection connects to repeatedly:

[Screenshot: image23wrm1.jpg]

One of these servers has a single mention in Google. As it turns out (and we aren't surprised), this server seems to have something of a spam-related link farm going on:

[Screenshot: http://blog.spywareguide.com/upload/2006/09/image23wrm4-thumb.jpg]

...as you might have guessed, all of those blue links lead to what are effectively spam pages. It's worth mentioning that some of the Korean servers pinged by the various infection files have been blacklisted due to spam. Is there a financial motive at work here? Hard to say, though hopefully they won't be able to get very far as they've been caught out before they could really get things moving.

Eventually, a randomly named executable is created in the System32 folder. At this point, if the user is running AIM, the infected machine fires the following message at their contacts, with the hackers issuing the command over IRC channels:

[Screenshot: http://blog.spywareguide.com/upload/2006/09/image23wrm2-thumb.jpg]

Anyone who clicks the link and runs the file will end up continuing the cycle of infection. This attack is very well structured and "modular" in concept, so the people behind it can shuffle their executables around, download new infections to target PCs and do pretty much anything else they feel like doing.
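The delivery method described above is something an IM gateway can screen for, in the spirit of the URL blocking AOL mentions in the comments but generalised from a fixed URL to the pattern of the lure. The check below is an added example, not code from the original post or from FaceTime Security Labs: it pulls links out of a message, flags a link whose filename is dressed up as an image but ends in an executable extension (the image18.com / image22.com style quoted in the scenarios, and the `.JPG.pif` double-extension style a commenter describes), and notes when the surrounding text matches one of the quoted lure phrases. The sample messages, the `example.invalid` hostnames and the extension sets are constructed for the example, and `inspect_message` / `classify_link` are names chosen here.

```python
import re
from urllib.parse import urlparse
from typing import List, Tuple

# Constructed sample IM traffic (not captured from the real attack): the lure
# phrases are the ones quoted in the post; hostnames are RFC 2606 reserved names.
SAMPLE_MESSAGES = [
    "hey would it be ok if i upload this picture of you to my blog? http://pics.example.invalid/image18.com",
    "hey is it alright if i put this picture of you on my egallery album? http://gallery.example.invalid/image22.com",
    "click here for our myspace pictures http://photos.example.invalid/asofjsoasjdf.JPG.pif",
    "lunch at 1? http://www.example.invalid/menu.html",
    "here is the real photo http://photos.example.invalid/beach.jpg",
]

# Phrases lifted from the infection messages quoted in the write-up.
LURE_PHRASES = [
    re.compile(r"\bpicture of you\b", re.IGNORECASE),
    re.compile(r"\bmyspace pictures\b", re.IGNORECASE),
]
# Extensions that execute when opened but arrive dressed up as pictures (assumed set).
EXEC_EXTENSIONS = {"com", "pif", "exe", "scr", "bat"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
URL_RE = re.compile(r"https?://\S+")


def classify_link(url: str) -> List[str]:
    """Return the reasons a link looks like a disguised executable (empty list if none)."""
    reasons: List[str] = []
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons
    final_ext = parts[-1]
    if final_ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
        # photo.JPG.pif style: an image extension buried before the real one
        if any(p in IMAGE_EXTENSIONS for p in parts[1:-1]):
            reasons.append("image extension used as decoy before the real extension")
        # image18.com style: the name suggests a picture, the extension does not
        if re.match(r"^(image|img|pic|photo)\d*$", parts[0]):
            reasons.append("image-like filename with non-image extension")
    return reasons


def inspect_message(msg: str) -> Tuple[bool, List[str]]:
    """Flag a message that carries a disguised executable link; a known lure
    phrase is recorded as supporting evidence but is not required on its own,
    since ordinary chat can mention pictures too."""
    reasons: List[str] = []
    for url in URL_RE.findall(msg):
        reasons += classify_link(url)
    if reasons and any(p.search(msg) for p in LURE_PHRASES):
        reasons.append("matches a known lure phrase")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flagged, why = inspect_message(msg)
        print("BLOCK " if flagged else "ALLOW ", msg[:60], why)
```

Only messages 1 to 3 are blocked; the plain link to `menu.html` and the genuine `.jpg` pass, which is the point of keying on the executable extension rather than on the word "picture".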

As an example of the modular behaviour of this attack, here are just three of the many scenarios we encountered during analysis.

Scenario One

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 Folder. At this point, you may well be part of a Botnet (though not in all cases) and the infection has the potential to call down new files onto your PC, which are randomly selected from the numerous files waiting in "storage" that have been spread around the Net.

Scenario Two

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 Folder.

2) The infection has the potential to call numerous other files, such as files with fixed, unchanging names and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams).

Scenario Three

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 Folder.

2) The infection has the potential to call numerous other files, such as d227_seven2.exe and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). You will also potentially end up with a rootkit on your PC as a result of this particular scenario.

3) At this point, the infected PC is a Botnet drone and can be commanded to send new infection messages via AIM such as:

"hey is it alright if i put this picture of you on my egallery album? ", which will download the image22.com file (again, disguised as a jpeg).

4) At this point, the cycle begins again and they can look to infect fresh victims with this exploit.
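The three scenarios share a small set of host-side indicators that a defender can look for regardless of which link started the chain: an executable written into System32 (the fixed csts.exe as well as the randomly named ones), a service called RPCDB being registered, and a process that is not a mail client opening SMTP port 25. The triage routine below is an added example, not code from the original post or from FaceTime Security Labs. It runs those three rules over a constructed sample of key=value host telemetry (the event format, the `203.0.113.x` addresses, the random-name heuristic and the mail-client allowlist are all assumptions made for the example); the ADS and rootkit behaviour from scenarios two and three is not modelled here because the post gives no detail to build a rule on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry (not from the original post): one event per line,
# "EVENT_TYPE key=value key=value", in the style of an EDR / Sysmon export.
SAMPLE_EVENTS = """\
FILE_CREATE proc=image18.com path=C:\\Windows\\System32\\csts.exe
NET_CONNECT proc=csts.exe dport=80 dst=203.0.113.10
SERVICE_CREATE proc=csts.exe name=RPCDB image=C:\\Windows\\System32\\qzkxpw.exe
FILE_CREATE proc=csts.exe path=C:\\Windows\\System32\\qzkxpw.exe
NET_CONNECT proc=qzkxpw.exe dport=25 dst=203.0.113.20
NET_CONNECT proc=outlook.exe dport=25 dst=203.0.113.30
FILE_CREATE proc=explorer.exe path=C:\\Users\\alice\\Pictures\\holiday.jpg
"""

# Indicators named in the write-up: the RPCDB service, executables dropped into
# System32, and outbound SMTP on port 25.
KNOWN_BAD_SERVICES = {"rpcdb"}
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr"}
# Processes expected to speak SMTP from a workstation (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'TYPE k=v k=v' into a dict; the event type lands under 'type'."""
    parts = line.strip().split()
    fields = {"type": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key.lower()] = value
    return fields


def looks_random(basename: str) -> bool:
    """Heuristic for generated names: letters/digits only and almost no vowels."""
    stem = basename.rsplit(".", 1)[0].lower()
    if not stem.isalnum() or len(stem) < 4:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2


def triage(events_text: str) -> List[Finding]:
    """Apply the three Pipeline-style rules to every event and collect hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(events_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev["type"]
        if kind == "SERVICE_CREATE" and ev.get("name", "").lower() in KNOWN_BAD_SERVICES:
            findings.append(Finding(line_no, "known_bad_service",
                                    f"service {ev['name']} registered by {ev.get('proc')}"))
        elif kind == "FILE_CREATE":
            path = ev.get("path", "")
            base = path.rsplit("\\", 1)[-1]
            ext = ("." + base.rsplit(".", 1)[-1]).lower() if "." in base else ""
            if SYSTEM32_RE.match(path) and ext in EXEC_EXTENSIONS:
                tag = "random-looking name" if looks_random(base) else "fixed name"
                findings.append(Finding(line_no, "system32_drop",
                                        f"{base} ({tag}) written by {ev.get('proc')}"))
        elif kind == "NET_CONNECT" and ev.get("dport") == "25":
            proc = ev.get("proc", "").lower()
            if proc not in MAIL_CLIENTS:
                findings.append(Finding(line_no, "smtp_from_non_mailer",
                                        f"{proc} -> {ev.get('dst')}:25"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

On the sample, lines 1, 3, 4 and 5 fire while Outlook's own port 25 connection and the user's photo do not; the "fixed name" versus "random-looking name" tag on the System32 drops is what lets an analyst tell the csts.exe stage apart from the later randomly named payloads the post describes.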

As you can see, the emphasis here is not so much on the files themselves, but on the way these files are deposited onto the system. Previous Instant Messaging attacks have tended to focus on the damage done by the files, with little thought given to the method of delivery beyond the quickest way to get those files onto a PC. Here, the thrill for the bad guys seems to be in lining up as many of these "install chains" as possible - I keep thinking of a ten-move combo in a fighting game such as Tekken...not a bad way to describe it, actually. What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files! The amount of effort that's gone into this kind of attack hints at a level of planning we've previously only seen here. And we're not done yet...

The Botnet Connection

Some things to note - along with their inventive use of positioning numerous downloads to hit infected machines, they also have a better-than-most idea of how to lock down their Botnet. For one thing, they won't allow you to enter the channel using a "standard" IRC client. This prevents people from snooping around. Nice idea, though there are numerous ways around this if you have an ace or two up your sleeve.

They also have various aspects password protected, though these can still be obtained by the usual method - simply running the executables and sniffing the traffic. They also force infected machines into various channels on a regular basis - effectively herding them into new channels where they can push new installers, send out new infection messages...pretty much whatever the Botnet owners feel like doing. As always, the only limits are greed and imagination.

Though it's always exciting to catch somebody in the final stages of putting their "Masterplan" together, it's also a touch worrying, as you know that they're not quite done yet. Will we see more developments from this case, much like we did with the drawn-out saga of the AIM Rootkit from the tail end of 2005? That particular story started with Instant Messaging rootkits, diverted down the path of a group of hackers based in the Middle East and finished up with fake BitTorrent clients and Mr Bean movies. We think this particular group has many more executable files ready and waiting to go live, so where this one will end up is anyone's guess.

...did I mention this infection would give you a very bad day?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, Manoj V Nair, FSL Threat Researchers
Technical Research: Chris Mannon, FSL Senior Threat Researcher
E-commerce Evaluation: Wayne Porter, Senior Director Special Research
Technical Research: Tyler Wells, Development Director

  • TrackBack

Listed below are links to weblogs that reference Pipeline Worm Floods AIM with Botnet Drones:

» Twisted Pair at Network World Talk Pipeline Worm from The SpywareGuide Greynets Blog
Remember the modular Pipeline Worm the Facetime Security Labs Team uncovered recently? The W32.Pipeline Worm, which hit right before the really strange MSN HeartWorm.a...Thanks to the guys Twisted Pair at Network for the mention of the menace. They als... [Read More]


  • Comments

The tech folks here at AOL tell me that we've been blocking IMs containing the URL used in that attack since last Tuesday (9/12), so it should no longer be able to spread through the AIM network.

Andrew Weinstein
Spokesperson, AOL


This has been around for months. I'm amazed I only saw a post about it now...


Hi,

What exactly do you mean by disguised as a jpeg in your description?

Thanks


you forgot to mention that some of them actually say "click here for our myspace pictures http://myspace.com/asofjsoasjdf.JPG" or something and it links to a .com or a .pif file.


Wondering how I get the FIRST message on AIM... wouldn't the hacker have to be accepted into my AIM contacts first???

thanks



© Copyright 2006, FaceTime Communications, Inc. All rights reserved.