We saw a flurry of new viruses last Friday which gave us further insight into the methods of virus writers (VXers) and exposed the staging ground for a new series of Brepibot (also written Breplibot) variants.
It all started on Friday morning, when we received an email with “photo+article.zip” attached. We recognised it as a Brepibot sample and began investigating whether it was an unknown variant. On extracting the attachment we found that it was corrupt: the archive would not unpack. Looking inside the file we noticed something quite odd. Instead of the usual zip footer (the end-of-central-directory record) it ended with the following HTTP response and HTML:
HTTP/1.0 403 Forbidden
Server: http_scan/1.1.2.5.10
Mime-Version: 1.0
Date: Fri, 16 Jun 2006 06:14:45 GMT
Content-Type: text/html
Content-Length: 768
Expires: Fri, 16 Jun 2006 06:14:45 GMT
X-Squid-Error: ERR_BARRACUDA_FOUND_VIRUS 0
<html><head><meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<title>VIRUS BLOCKED ERROR: The requested URL is blocked</title>
<style type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></style>
</meta></head><body>
<table width=100% bgcolor=#cccccc border=0><tr><td><b>Access Blocked - Virus Alert</b></td></tr></table>
The URL:
<a HREF="http://[REMOVED]/y.zip">http://[REMOVED]/y.zip</a> was blocked
<ul>
<li>
The link you are accessing has been blocked by the Barracuda Spyware Firewall because it contains VIRUS, the name of the virus is: "Trojan.IRCBot-635"
<br />
</li><li>
If you believe this is an error or need to access this link please contact your administrator.
</li></ul></body></html>
Some form of rewriting had clearly taken place. The email, or the archive originally attached to it, had passed through someone’s Barracuda Spyware Firewall, which had replaced the tail of the zip with its Squid proxy virus error page (the same approach as our own ICAP-based web filtering).
We were particularly amused by the fact that the virus it caught, “Trojan.IRCBot-635”, was one we had found a week earlier.
Looking at the URL embedded in the zip, we set out to enumerate other variants of the virus hosted on the same site.
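To make the footer check concrete, here is an added example (ours, not tooling from the original post) that builds a harmless zip in memory, grafts a constructed copy of the 403 page onto it in place of the end-of-central-directory record, and then reports what a quick triage of such an attachment should find: no EOCD signature, zipfile refusing to open the file, and the proxy status, X-Squid-Error value, blocked URL and detection name pulled out of the appended page. The host staging.invalid and the error page bytes are placeholders constructed for the demo.

```python
import io
import re
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature; an intact zip ends with this record


def make_sample_zip() -> bytes:
    """Build a small, harmless zip in memory (constructed sample, not a malware file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo+article.txt", "placeholder text\n" * 20)
    return buf.getvalue()


# Constructed stand-in for the proxy error page quoted above. The host is a placeholder.
PROXY_ERROR = (
    b"HTTP/1.0 403 Forbidden\r\n"
    b"Server: http_scan/1.1.2.5.10\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Squid-Error: ERR_BARRACUDA_FOUND_VIRUS 0\r\n"
    b"\r\n"
    b'<html><body>The URL: <a HREF="http://staging.invalid/y.zip">'
    b"http://staging.invalid/y.zip</a> was blocked<br />"
    b'the name of the virus is: "Trojan.IRCBot-635"</body></html>'
)


def make_damaged_zip() -> bytes:
    """Simulate the damage seen in the mail: the archive tail (EOCD included) replaced by the error page."""
    good = make_sample_zip()
    cut = good.rfind(EOCD_SIG)
    return good[:cut] + PROXY_ERROR


def inspect_attachment(data: bytes) -> dict:
    """Report whether the archive is intact and pull out any proxy error page grafted onto it."""
    report = {"eocd_found": False, "opens_cleanly": False, "entries": [], "proxy_error": None}

    # 1. Structural check: the EOCD record (22 bytes plus an optional comment) must be present.
    idx = data.rfind(EOCD_SIG)
    if idx != -1 and len(data) - idx >= 22:
        report["eocd_found"] = True

    # 2. Let zipfile try; it raises BadZipFile when the central directory cannot be located.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["entries"] = zf.namelist()
            report["opens_cleanly"] = zf.testzip() is None
    except zipfile.BadZipFile:
        pass

    # 3. Look for an HTTP status line anywhere in the blob (it need not start on a line boundary).
    m = re.search(rb"HTTP/1\.[01] (\d{3}) [^\r\n]*", data)
    if m:
        head_end = data.find(b"\r\n\r\n", m.end())
        header_blob = data[m.end():head_end if head_end != -1 else len(data)]
        headers = {}
        for line in header_blob.split(b"\n"):
            line = line.strip(b"\r")
            if b":" in line:
                key, value = line.split(b":", 1)
                headers[key.strip().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
        url = re.search(rb'HREF="([^"]+)"', data)
        # \W* skips the opening quote whether it is a straight or a curly one
        name = re.search(rb"the name of the virus is:\W*([A-Za-z0-9._-]+)", data)
        report["proxy_error"] = {
            "status": int(m.group(1)),
            "squid_error": headers.get("X-Squid-Error"),
            "blocked_url": url.group(1).decode("ascii", "replace") if url else None,
            "virus_name": name.group(1).decode("ascii") if name else None,
        }
    return report


if __name__ == "__main__":
    print(inspect_attachment(make_sample_zip()))
    print(inspect_attachment(make_damaged_zip()))
```

The blocked URL is the useful output: it is the location the sample was fetched from, and it is the starting point for the enumeration described in the next section.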
Painting with Numbers
In a previous post on the ‘Suhoy’ virus, we found that VXers use version numbers on their viruses (something normally associated with software developers). During our follow-up on Suhoy we found three further variants purely by incrementing and decrementing the version number. Originally, suhoy316.exe and suhoy320.exe were listed in the site’s directory index. Later, once directory indexing had been switched off, we requested every number between 100 and 400 and discovered three more variants of Suhoy on the site.
Using the same technique on the site hosting this new IRCBot sample, we requested every single-letter name from ‘a’ to ‘z’ and found zip files for a, t, u, v, w, y and z. We submitted ‘z.zip’ to Clamav.org and it was detected as ‘Trojan.IRCBot-637’ within an hour.
Later in the day, we saw v, u and t being recognised as variants 636 and 638.
Applying the same reasoning to numeric names, we also found a ‘2.zip’, which was an unknown variant at the time, so this was submitted as well.
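The ‘reverse versioning’ probe above is simple enough to script. The following is an added example (ours, not the original post’s tooling) that generates the naming schemes the text describes (single letters, a numeric range, two-letter names), probes each candidate URL, and returns the names that answered. The live probe uses a HEAD request; the demo swaps in a constructed stand-in for the staging site so it runs offline. The host staging.invalid and the 0 to 9 numeric range used in the demo are assumptions.

```python
import itertools
import string
import urllib.error
import urllib.request
from typing import Callable, Iterable, List


def letter_names(width: int = 1) -> Iterable[str]:
    """'a'..'z' for width 1, 'aa'..'zz' for width 2, and so on."""
    for combo in itertools.product(string.ascii_lowercase, repeat=width):
        yield "".join(combo)


def number_names(lo: int, hi: int) -> Iterable[str]:
    """Numeric names from lo to hi inclusive, e.g. 100..400 as used for Suhoy."""
    for n in range(lo, hi + 1):
        yield str(n)


def candidate_urls(base: str, names: Iterable[str], ext: str = ".zip") -> Iterable[str]:
    """Join a base URL with each candidate name and extension."""
    base = base.rstrip("/") + "/"
    for name in names:
        yield base + name + ext


def http_exists(url: str, timeout: float = 10.0) -> bool:
    """HEAD the URL and treat any 2xx as 'file present'. Only used when probing a live site."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # 403/404 and friends: not there, or not for us


def enumerate_site(base: str, schemes: Iterable[Iterable[str]],
                   exists: Callable[[str], bool] = http_exists) -> List[str]:
    """Walk each naming scheme in turn and return the URLs that answered as present, in probe order."""
    found = []
    for names in schemes:
        for url in candidate_urls(base, names):
            if exists(url):
                found.append(url)
    return found


# Constructed stand-in for the staging site (hypothetical host, names taken from the listing in this post).
FAKE_SITE = {f"http://staging.invalid/{n}.zip" for n in ["2", "a", "t", "u", "v", "w", "y", "z", "dm"]}


def fake_exists(url: str) -> bool:
    return url in FAKE_SITE


def demo() -> List[str]:
    """Offline run of three passes: a-z, then 0-9 (assumed range), then aa-zz. Returns bare file names."""
    schemes = [letter_names(1), number_names(0, 9), letter_names(2)]
    hits = enumerate_site("http://staging.invalid", schemes, exists=fake_exists)
    return [u.rsplit("/", 1)[1] for u in hits]


if __name__ == "__main__":
    print(demo())
```

Two practical caveats when pointing this at a real host: urllib follows redirects by default, so a site that answers every path with a redirect or a 200 “soft 404” makes everything look present (compare the final URL, Content-Length or Content-Type against a name you know does not exist first), and some servers refuse HEAD, in which case swap in a GET and discard the body.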
Complete Coverage
All of these viruses are now detected by ClamAV (as of 6pm Fri 16th June). See our breakdown of the AV coverage of IRCBot-639.
2.zip: Trojan.IRCBot-639 FOUND
a.zip: Trojan.Small-237 FOUND
t.zip: Trojan.IRCBot-638 FOUND
u.zip: Trojan.IRCBot-638 FOUND
v.zip: Trojan.IRCBot-636 FOUND
w.zip: Trojan.Brepibot.V FOUND
y.zip: Trojan.IRCBot-635 FOUND
z.zip: Trojan.IRCBot-637 FOUND
The Development Cycle
Listing the files in order of creation (below), we can see the author started with numeric names; his earliest file is dated 31st May, and several variants and a few different viruses have appeared since then.
5246 May 31 09:58 2.zip
Jun 7 12:09 a.zip
Jun 15 19:41 z.zip
Jun 15 20:32 y.zip
Jun 16 09:30 w.zip
Jun 16 10:55 v.zip
Jun 16 11:27 u.zip
Jun 16 12:18 t.zip
Exactly seven days after the first file, the author switched to a different virus and to alphabetic versioning, starting with version ‘a’ (variant 237 of the ‘Trojan.Small’ family).
Another week later, the author switched back to Brepibot and began with version ‘z’ (later identified as variant 637), quickly followed by version ‘y’ (variant 635). The next morning came versions ‘w’ and ‘v’ (Brepibot.V and variant 636 respectively), and later the same day (Friday 16th June) versions ‘u’ and ‘t’, which are both variant 638 but carry different timestamps.
From these observations we can note that the first virus we saw (y.zip) was the third file the author had created (he was seemingly testing his earlier creations on a smaller scale), and from the order in which these samples appeared, the site is being used as a staging ground for his creations. The relatively rapid increase in variants from 15th June onwards suggests bugfixes or modifications to evade virus scanners. The ‘y’ variant was the first widespread release we saw, and a further four variants were released within 24 hours.
It was only through our ‘reverse versioning’ technique that the earlier variants, ‘z’ and ‘2’, were discovered (which accounts for the difference between the ordering of the variant numbers and the release dates).
Seeding Exposed
Following up this sequence of viruses, we also checked two-character names (aa, ab … zz) and found a single file, ‘dm.zip’, which turned out not to be a virus but the ‘Dark Mailer’ spamming software.
With it, we found the template message used when sending this particular virus to email addresses as an attachment (seen below).
We now know that VXers use software like Dark Mailer to seed the virus to its first hosts. The link between spammers and VXers grows ever closer, as PCs turned into zombies by VXers become tools for spammers and scammers to send their wares to unsuspecting users.
The site from which our original ‘y.zip’ was downloaded is a staging ground from which this VXer publishes his trojans, viruses and worms. Had we not checked back for previous versions, it is likely these viruses would never have been found. As we have done before, we can use this technique to find new viruses before the author ‘officially’ publishes them, helping everyone stay one step ahead of the VXers.