SoundBot Exploits Network Vulnerabilities

Hey there.  It is time for another thrilling adventure into the world of security threats.  This time I'll be going over a worm we like to call SoundBot.  This worm has the potential to leak sensitive information about the victim's network infrastructure to the attacker.  It manages to do this by not only blocking many of the security applications designed to detect it, but also by hiding behind legitimate process names that make removal difficult.

The main culprit in this infection is a file called Soundman.exe.  If you see this file on your computer, don't panic just yet.  It's also the name of a legitimate process.  Here are some things you should watch for:

One of the first things SoundBot does is disable any program that would detect or remove it.  It uses two separate methods to do this.  When installed, it disables several legitimate processes belonging to security applications, such as:
kmailmon.exe
kavstart.exe
shstat.exe
runiep.exe
360safe.exe
360tray.exe
cacls.exe
ccenter.exe
rav.exe
iris.exe
vpcmap.exe
vmsrvc.exe
vmusrvc.exe

It also sets up Image File Execution Options entries to make sure that if those processes are restarted they are ineffective.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe       
...360safe.exe       
...360safebox.exe       
...360tray.exe       
...CCenter.exe          
...KPPMain.exe       
...KWatch.exe       
...QQDoctor.exe       
...QQKav.exe       
...RavMon.exe       
...RavMonD.exe       
...safeboxTray.exe
And finally,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe    Debugger    "SoundMan.exe"

This shows us that Soundman.exe is run instead of ctfmon.exe whenever ctfmon.exe is executed.  This is an effective way of making sure the worm file is run.  It also removes the need for an autostart value (checking autostart entries is a common investigative technique used when attempting to pinpoint the actual infection in a forum environment).


[Image: soundman.PNG]

This is a closer look at the actual worm file.  Upon closer inspection of Soundman.exe we see that it is iterating through a common network structure looking for open ports.  This gives the attacker certain advantages when, or if, he ever decides to infiltrate the victim's network.

[Image: endpoint.PNG]

The above picture depicts exactly what is going on while Soundman.exe is running.  It makes ARP requests and epmap requests throughout the entire network looking for potential holes.
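The fan-out to the RPC endpoint mapper (epmap, TCP port 135) that the screenshot shows is something a network administrator can pick out of ordinary connection logs.  The following script is an added example for this post, not something from the original write-up or from any vendor tool.  The log lines are constructed and loosely follow the field order of the Windows Firewall log (date, time, action, protocol, source IP, destination IP, source port, destination port); the threshold of five distinct targets is an assumption to tune for your own network.

```powershell
# Added example, not part of the original post: flag hosts that contact many different
# machines on TCP/135 (epmap), the scanning pattern attributed to SoundMan.exe above.
# The sample lines are constructed; 10.0.0.15 plays the infected host.
$SampleLog = @'
# Constructed sample, fields: date time action protocol src-ip dst-ip src-port dst-port
2008-06-06 09:10:01 ALLOW TCP 10.0.0.15 10.0.0.1  1041 135
2008-06-06 09:10:01 ALLOW TCP 10.0.0.15 10.0.0.2  1042 135
2008-06-06 09:10:02 ALLOW TCP 10.0.0.15 10.0.0.3  1043 135
2008-06-06 09:10:02 DROP  TCP 10.0.0.15 10.0.0.4  1044 135
2008-06-06 09:10:02 DROP  TCP 10.0.0.15 10.0.0.5  1045 135
2008-06-06 09:10:03 ALLOW TCP 10.0.0.15 10.0.0.6  1046 135
2008-06-06 09:10:03 ALLOW TCP 10.0.0.15 10.0.0.6  1047 135
2008-06-06 09:10:05 ALLOW TCP 10.0.0.20 10.0.0.9  1200 135
2008-06-06 09:10:06 ALLOW TCP 10.0.0.20 10.0.0.50 1201 80
'@

function Get-EpmapFanout {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,   # assumption: distinct targets before a source is flagged
        [string]$Port = '135'
    )
    # Map each source IP to the set of distinct destinations it touched on the port.
    $byHost = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.TrimStart().StartsWith('#')) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8) { continue }
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dport = $f[7]
        if ($proto -ne 'TCP' -or $dport -ne $Port) { continue }
        if (-not $byHost.ContainsKey($src)) {
            $byHost[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$byHost[$src].Add($dst)
    }
    # Both ALLOW and DROP lines count: a blocked probe is still evidence of scanning.
    foreach ($src in $byHost.Keys) {
        $n = $byHost[$src].Count
        [pscustomobject]@{
            Source          = $src
            DistinctTargets = $n
            Flag            = ($n -ge $Threshold)
        }
    }
}

$results = Get-EpmapFanout -Lines ($SampleLog -split "`r?`n")
$results | Sort-Object DistinctTargets -Descending | Format-Table -AutoSize
# With the constructed sample, 10.0.0.15 reaches 6 distinct targets and is flagged;
# 10.0.0.20 reaches 1 and is not.
```

To use it on a real log, replace `$SampleLog` with `Get-Content` of the firewall log and keep the comment-skipping logic, since the real file begins with `#` header lines.  Counting distinct destinations rather than raw connection attempts keeps a single chatty client from being confused with a host sweeping the subnet.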

A malware infection just wouldn't be a malware infection unless it phoned home to install numerous other infections.  SoundBot is no different.  It contacts a site to download a .jpg file that is no mere picture file.  It is actually a collection of download links to more bad files.

[Image: jpg2.PNG]

The final blow to this worm is dealt by another file that poses as a legitimate process.  It creates a service called "helpsvc" tied to another file that initializes soundman.exe.

[Image: helpsvc.PNG]
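Both persistence tricks above, the Image File Execution Options Debugger redirections and the "helpsvc" service, can be checked on a suspect machine without waiting for a signature.  The script below is an added example written for this post; it is not code from the original entry or from any vendor tool.  It assumes an elevated Windows PowerShell session on the host being examined, and the list of debuggers treated as benign is my own assumption to adjust for your environment.

```powershell
# Added defender-side audit, not part of the original post.
# Assumptions: run elevated on the suspected host; $BenignDebuggers is a tunable guess.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Image names the post reports SoundBot redirecting through IFEO. ctfmon.exe is the one
# whose Debugger value launches SoundMan.exe; the rest are security tools it neutralises.
$ReportedImages = @(
    '360rpt.exe', '360safe.exe', '360safebox.exe', '360tray.exe', 'CCenter.exe', 'KPPMain.exe',
    'KWatch.exe', 'QQDoctor.exe', 'QQKav.exe', 'RavMon.exe', 'RavMonD.exe', 'safeboxTray.exe',
    'ctfmon.exe'
)

# Debugger executables that are normal on developer machines (assumption: tune for your fleet).
$BenignDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe')

function Get-IfeoDebuggerEntry {
    # Walk every IFEO subkey, keep those carrying a Debugger value, and classify each one.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $debugger = [string]$props.Debugger
            # The first token of the value (quotes stripped) is the executable that will
            # actually be started in place of the image.
            $exePath = if ($debugger -match '^\s*"?([^"]*?\.exe)') { $Matches[1] } else { $debugger }
            $exeName = Split-Path -Leaf $exePath
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $debugger
                Reported   = ($ReportedImages -contains $_.PSChildName)
                Suspicious = -not ($BenignDebuggers -contains $exeName)
            }
        }
    }
}

function Get-SuspectServiceBinary {
    param([string]$Name = 'helpsvc')
    # The post says the dropper registers a service named helpsvc. That is also the service
    # name of the legitimate Windows XP "Help and Support" service, which is hosted by
    # svchost.exe, so judge by the binary path and start mode rather than by the name.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            PathName  = $svc.PathName
        }
    }
}

$entries = @(Get-IfeoDebuggerEntry)
if ($entries.Count -eq 0) {
    'No IFEO Debugger values present.'
} else {
    $entries | Sort-Object Suspicious, Reported -Descending | Format-Table -AutoSize
}
Get-SuspectServiceBinary | Format-List
```

A Debugger value is a legitimate feature, so the script does not delete anything; it reports every redirection and marks the ones whose target is not a recognised debugger, which on a non-developer workstation should be an empty set.  Any row where `Image` is a security tool and `Debugger` points at something like SoundMan.exe is the pattern described above, and the `helpsvc` row should be compared against the service's expected svchost.exe path before anyone acts on it.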
Network administrators should look for any unnecessary or suspicious traffic happening on their network as explained above.  If you suspect your organization is under attack from this threat, then I suggest using our handy MicroScanner!


About this Entry

This page contains a single entry by Chris Mannon published on June 6, 2008 9:23 AM.
