MyMoon (Was: new threat)

[johnny]

Here is a sample:
[Spamfilter] fisherLycur!~[email protected] matches filter 'http://2': [PRIVMSG #jacuzzi: 'Shakira Dancing virual girl , visit my private server while im online... http://220.255.21.77:3322/'] [trojan]

What I did is:
/spamfilter add cnp block - trojan http://1
/spamfilter add cnp block - trojan http://2
/spamfilter add cnp block - trojan http://4
/spamfilter add cnp block - trojan http://6
/spamfilter add cnp block - trojan http://8

Fortunately this trojan can't tell a private IP from a public one so many advertise 192.168.x.x and 10.0.0.x IPs, if they are in a LAN.

[AngryWolf]

But unfortunately these spamfilters can sometimes be harmful. For example:

<User1> Where can I download UnrealIRCd?
<User2> http://64.84.10.70:81/?page=downloads

(In this example, I type http://www.unrealircd.com, but it changes to http://64.84.10.70:81/, you know.)

[codemastr]

Yes, that spamfilter is *VERY* broad.

[aquanight]

Solution:

private server .+ http://([0-9]{0,3}\.){3}[0-9]{0,3}:3322/

Adjust port number as necessary.

[codemastr]

Why not include all the "'Shakira Dancing virual girl , visit my private server while im online... " as well?

[johnny]

Yes, that spamfilter is *VERY* broad.

very true, but the spam message changes from spammer to spammer and the only pattern I could notice is "http://numericIP:someport"

blocking it seemed the lesser evil to me

[Guest]

Why not include all the "'Shakira Dancing virual girl , visit my private server while im online... " as well?

"Shakira Dancing virual girl , visit my private server while im online..." is just an example, they vary

[Syzop]

Guys, not everyone is good at regexes.. I'm already happy someone reports such spam here in the first place ;).

johnny: could you mail me at syzop AT unrealircd DOT com some more examples of recent blocked msgs? I want to see if I can connect at that host and grab the virus to analyze ;). [the http://220.255.21.77:3322/ one is already dead]

Thanks.

[Syzop]

Ok, I've received the virus and it does indeed what was described above...
It's 4am here so I'm gone now, but I'll certainly take a look again tomorrow.

Anyway, since I was curious, here some facts:
- It is not recognized by current F-Secure antivirus
- The executable that stays running and connects to IRC servers etc is 'sysconf32.exe' (stored in c:\winnt\sysconf32.exe), this is also added to runservices so it starts on boot (well, on login).
- Has a nice file c:\ReAd_ThiS_ShiT.txt:

Code: Select all

Microsoft, you can lick my discusting ass
Bill Gates, suck my hairy balls
All AV companies, suck my huge cock
You can arrest all of us, but there will always be someone to shit on your software.
-------------------------------
Hey Gates, even if you gave all your millions,
you couldn't stop virus coders, especially me! You should better fix
your own software than use the money to stop us
So suck my big d*ck :)
-------------------------------
Greets to:mOfo,MorphinE,e-man,e[a]x,pcmaniac
all Bihnet.org,DTM,ACIdPheaK,Dominus
-------------------------------
greets from ACIdCooKie (old/skool)
see ya next time bro hehehe.. / 1997-2004
VirusKrew of Serbia

(boring :P)
- Creates a nice c:\irclog.txt where it stores stuff
- Has a .vbs script which does some stuff with (collecting) email addresses.
- The following servers are found in the binary:

Code: Select all

irc.afternet.org
irc.accessirc.net
irc.ablenet.org
irc.afterx.net
irc.amcool.net
irc.angeleyez.net
irc.animeirc.de
irc.aniverse.com
irc.arabmirc.net
irc.astrolink.org
irc.asylum-net.org
irc.aurosoniq.net
irc.awesomechat.net
irc.axenet.org
irc.bdsm-net.com
irc2.beyondirc.net
irc.blabber.net
irc.blitzed.org
irc.bolchat.org
irc.bongster.org
irc.brokenirc.net
irc.chat4all.org
irc.chatnet.org
irc.chatsociety.net
irc.chatspike.net
irc.chung.li
irc.coolchat.net
irc.crazednet.co.uk
irc.dal.net
irc.dark-storm.net
irc.d-t-net.de
irc.deviantart.com
irc.rizon.net
irc.tsk.ru
irc.saltek.net
irc.scoobynet.org
irc.serbiancafe.ws
irc.sexnet.org
irc.shadowfire.org
irc.syrolnet.org
irc.thundercity.net
irc.unionlatina.org
irc.unreal-irc.net
irc.webchatting.com
irc.webchat.org
irc.whatnet.org
irc.msinternals.net
irc.xtasy-chat.net
irc.zurna.net
irc.unerror.com
irc.quicknet.nl
irc.overdriveirc.net
irc.rezosup.org
irc.sorcery.net
irc.spacetronix.net
irc.spidernet.org
irc.staff-chat.net
irc.starchat.net
irc.starfusion.org
irc.starlink.org
irc.stormdancing.net
irc.tevhid.net
topircnet.com
irc.uaap.net
irc.underz.org
irc.virtualife.com.br
irc.voila.fr
irc.zirc.org
irc.tehnicom.net

(might have missed a few)

It seems that per-network it has coded some specific channels to join/herass, but I don't have time to analyze that atm ;)... I can say it has a HUGE channellist however (roughly 400) :/.


- Some interresting detail:

Code: Select all

C:\WIN98\Desktop\Lucifer\mymoon\mymoon.vbp

is found in the binary ;) [yes, it's VB]
- It downloads the ms winsock .ocx from several sites if needed
- It kills antivirus software
- It seems it can spread via mail too
- It acts as a HTTP server for a site with a lot of cracks/keygens/etc... I'm not sure about the port number in the http://ip:port/ thing... It doesn't look consistent, but I don't know how random it is.
- There are several sentences, with a quick look I think there are like 40 or 50
- The nick seems to be composed of a list of 142 names of which 2 are concated together (eg: frostMenon, butlerLesbos), it seems to use 1 name in ident (eg: Lesbos) and there could be a pattern in here.

Anyway, this was my analysis after ~20m, but I'm really tired now... I haven't even looked at traffic analysis or pretty much anything...
I'll look more into it tomorrow and most likely I'll have a rule (or rules, or whatever) ready to catch this nasty thing :)

[Syzop]

I've been working on a mod that detects + gzline's them before they even join channels etc.
I've sent the mod to johnny to see if it also works on a real network (locally it did detect and kill them).

Still, I guess it's a good idea to also make some spamfilters available, I'll see if I can work on that a bit later.

I'll also post the url to the mod here (+some other places) once I know it actually works ;).

Oh, btw...
- F-Secure now detects the virus as 'Worm.Win32.VB.g'.
- Clam-AV detects it as ''Worm.Dica.A'
- TrendMicro did NOT detect it
- Others I haven't checked.

[Syzop]

Here are the spamfilters that seem to work:

Code: Select all

/*** MyMoon ***/
/* NOTE: MyMoon consists of 42 random sentences, I did my best
 * to reduce them to <42 spamfilters while still spending few
 * CPU time, having few false positives, and keeping some readability.
 * This was mainly done by using ^ for all regexes. -- Syzop
 */

spamfilter { /* matches 3 sentences */
        regex "^i have big list of (XXX passwords|URL porn Movies|URL porn Pics Gallerys).+at my private server\.\.you can see while im online.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches ~9 sentences */
        regex "^(want hot chix as ur screensaver|everyone interested in the newest cracks|download Britney Spears virual girl|Shakira Dancing|everyone interested to see new Ana Kurnikova hot|i have new version Microsoft Office XP|ppl new|hey see this|best virual girls and cracks on net).+private (web|warez ){0,1}server.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 3 sentences */
        regex "^(download hot virual girls|download new cracks and screensavers|HELLO PPL hehee i update my|I ADD NEW XXX password list|I ADD NEW p-o-r-n password list on).+private (web){0,1}server.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 4 sentences */
        regex "^(hey ppl new worm|the antivirus company Sophos released a remove-tool|ppl the anti-virus\.com company released a remove-tool).+i-worm\.mymoon.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 2 sentences */
        regex "^(i update my private server now|my private server is updated now).+crack.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 6 sentences */
        regex "^(download |hey ppl ){0,1}new version of.+(crack|Keygen|key generator).+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 3 sentences */
        regex "^J-LO Nude (\(REAL|2004 Virual).+visit (my ){0,1}page.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 3 sentences */
        regex "^hey (I found hot Britney|download FREE new 2004|dowload FREE nude).*screen.*saver.+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 2 sentences */
        regex "^(see funny video of naked Bush|ahhaa funny video of naked Bush|who need new cracks and cool p-o-r-n).+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

spamfilter { /* matches 7 sentences */
        regex "^(you can download new 2004 Alicia Silverstone Nude|ppl who need Nero Burning ROM v5.5.8.2|ppl download remove tool for new worm|new virual GIRLS is now on my server|Cracks and muck more programs and|Britney Spears virual girl screensaver|want hot chix as ur screensaver?).+http://([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{3,4}/$";
        target { channel; };
        action block;
        reason "MyMoon";
};

I worked on this for an hour or something so I did my very best, well.. you noticed the comment :).
I didn't use stuff like:
"(private server|private webserver|private warez server).+http[etc]"
because that could still have a few false positives (think: cable/*dsl user announcing his server to his friends).
I think what I have now is a good tradeoff between speed, false positives and readability.

Anyway, my mod is a better solution. I've put it online on <someurl>. It seems johnny is unable to test it right now, so hopefully some other net with this virus can ;). I'll ask around.

*update, 2004-09-21 01:21 GMT+2*
The module seems to work fine at another network, I've put it on my site and also in the modules section @ unrealircd.com.
*/update*

[Cheese]

Thank you very much, I am an oper on one of the affected servers in the list (irc.unerror.com) and the bot has been driving me up the wall
I first attempted to ban the bot by baning http://(inturnal ip ranges here),However this only banned bots which displayed inturnal IP's, so I had to resort to banning ALL http:// links until we found a better solution to this problem.

I got hold of the virus myself and like other users in this post, Tried to gather has much info about it has I could, Personally, I think its a rather pointless virus, Because the "Backdoor" part of it (accessed by adding /acookie to the links it spits out) doesn't really give the skiddie much power to do anything.

I then tried to locate a common pattern that all the bots have, The only thing I noticed was that all the bots always had a real name of blah3452 eg Letters/numbers, Whist I wasn't very keen on it, I added a regexp gline of (^\S+\s[A-z]+[0-9]+)! which auto glined users with letters/numbers, This generally didn't effect our userbase, and any legal users that were affected with this ban emailed the kline addy for our network.

I sent the virus to both mcafee and norton, Mcafee got back to me within an hour and sent me a dat file, that when added to a mcafee install, Will detect the virus up, Although mcafee have yet to give the virus a proper name, It will pick it up has Generic/A. You can get the .dat file athttp://www.unerror.com/viewtopic.php?p=48#48
Has of writing (23rd sep 2004) this has yet to be added to mcafee's standard .dat file

Also, I noticed that generally, ALL infected machines connect to irc.tehnicom.net and join the channel #myboom, where they spam the channel with infomation about the server that the bot is connected to, What channel its spamming, username and other info. the bots generally stay in here until they get disconnected(eg user switching off machine) However, removing this channel won't stop the bots, irc.tehnicom.net went' down for a peroid yesterday afternoon and yet the bots still came.

[MicroBurn]

I can confirm this module works on my network (irc.unerror.com) as well, running UnrealIRC3.2.1. Thanks.

microburn

[Syzop]

Thanks, glad to hear that :)

[Stealth]

Syzop, how exactly does the module detect them? It seems that there can be many fals posatives if it is detecting them when they connect.