IRC Worm/Trojan Analysis
PO Box 395, Holden, MA,01520
|Trojan Analysis||Security Resources||Spoof MAC Address|
NEWS! SMAC Made Headlines!
DeLoder Worm/Trojan Analysis (DeLoder-A)
URL of this article: http://www.klcconsulting.net/deloder_worm.htm
version 1.5 --- (Initial
Release 1.0 - March 11, 2003)
The analysis of the follow-up experiment was released on 3/27/2003. The full analysis is available at http://www.klcconsulting.net/articles/deloder/deloder_loads_vnc_password.pdf
Quick info on the follow-up experiment:
Table of Contents
A computer running Windows 2000 Professional was put online via a cable modem for ONLY 5 hours, from 4PM to 9PM, March 8, 2003. The purpose of this experiment was to verify if the recent outbreak of port 445 activities are related to IRC type of worms, Trojans, or viruses.
The IRC type of worms and Trojans usually target home and small business users where there is less security around the network or computers. High Speed connections are getting more and more popular. Many home and business users who sign up for Cable Modem or DSL simply plug in their PC's without any security and protection. These PC’s are therefore extremely vulnerable to these types of attacks.
What is the big deal about home users getting hit by these types of worms/Trojans? Answer: There could be huge ripple effects.
1. Compromised systems will connect to IRC Servers as DDoS zombies and might be waiting for a command to start DDoS attacks.
2. Compromised systems might be used as VPN or dial-up clients to a corporate network, resulting in security vulnerabilities since VPNs and dial-up connections are the weakest link in secure computer networks.
This experiment simulates a typical setup of home users who use either Windows 2000 or XP systems. Most of the home users do not secure their PC’s while they are on the high-speed Internet, and this experiment will show how fast a system can be compromised, and what damages these worm/Trojans can do to this system and to other systems around the world.
Within the beginning of March, 2003, there were many discussions on the incidents discussion on Security Focus regarding “Port 445 Scans,” with people concluding that it’s the “Randon” worm; however, the author of this article was not convinced because there are several variants of IRC related worms/Trojans out there, with some more malicious than the others.
With a brand new installation of Windows 2000 Professional and a configuration designed to be attacked by mIRC related viruses, we have put it to the test. Within 10 minutes of this box being put online, port 445 was probed. Within a 1-1/2 hours of this box being put online, it was infected with an IRC Trojan, now identified as "DeLoder." At the 4th hour, it was infected with a mIRC Trojan, which was identified as IRC_SCREWS by some virus vendors.
This analysis focuses on the DeLoder worm/Trojan. Some interesting discoveries were found, including some that have yet to have been been reported by the virus vendors and other researchers.
This experiment was designed to have the test computer (honeypot) get infected with the IRC type of worms/Trojans, so the computer was set up with minimum security. The default Windows 2000 professional settings were used, and no password for the Administrator user account was set.
Default Windows 2000 Professional users:
Guest user account is disabled. (by default)
For simplicity, the following environment variables for this report were used:
Detailed Technical Analysis
key = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Here are the IRC servers (there may be more):
1. (Optional) Download TCPViewer from SysInternals and run it on the compromised systems. This is a utility that will show you the process running, as well as the ports it connects in real time. It will also show you the status. This is a more powerful version of "NetStat."
A. If you see Explorer.exe running,
a. doubleclick on the Explorer.exe to check the actual file location in the properties window. If it shows "c:\winnt\fonts\explorer.exe" instead of "c:\winnt\explorer.exe," then
i. close the properties window
ii. right click on the "explorer.exe" process and click "End Process."
B. If you see rundll32.exe running,
a. doubleclick on the rundll32.exe to check the actual file location in the properties window. If it shows "c:\winnt\fonts\rundll32.exe" instead of "c:\winnt\system32\rundll32.exe," then
i. close the properties window
ii. right click on the "rundll32.exe" process and click "End Process."
2. Get Anti-Virus software with the latest definitions and run it against your compromised and/or suspected Windows systems. If you don't have one, I recommend using the AVG Anti-Virus Free Edition. This free version also has definition update capability. Please check the license agreement to make sure you comply with the agreement. Symantec, McAfee, TrendMicro, AVG and other paid versions of Anti-Virus software have more comprehensive capabilities, but the free version is sufficient for home use.
3. Get Anti-Trojan software. This type of software usually detects and removes Trojans/worms and "security tools" that are missed or have been intentionally left off by the Anti-Virus software. If you don't have one, I recommend swat-it by Lockdowncorp.com, a FREE Trojan Scanner. This scanner also comes with definition update capability.
4. Verify that the following start-up files have been removed:
A. C$\WINNT\All Users\Start Menu\Programs\Startup\inst.exe
B. C$\WINDOWS\Start Menu\Programs\Startup\inst.exe
C. C$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe
5. Verify that the following files have been removed:
6. Make sure all user passwords are changed; strong (complex) passwords are recommended. There is a good chance that the Trojan author(s) already owns a copy of your user IDs and passwords (SAM database.)
Recommendations for Protections Back to the top
1. Install Anti-virus software with the latest virus definitions and make sure you check the virus definition files at least once a day. Some organizations are set up to update their virus definition file at least once an hour in a more proactive approach on their virus protection efforts.
2. Run the Anti-Virus Scan at least once a day.
3. Install an Anti-Trojan software and make sure you scan your systems regularly. Make sure you get the latest Trojan definition files.
4. Make sure you have a firewall on your network. On this firewall, make sure you
A. have the latest patches
B. turn firewall logging function ON so you can use it for investigation if necessary
C. only allow the necessary port to go out and come in
D. explicitly deny all unnecessary ports (Deny Any Any)
5. On Critical systems, you may want to put them into a different subnet. In addition, you may want to install another layer of firewall for this subnet for extra protection. As always, only allow necessary ports to open and explicit deny all other traffics.
6. If you have remote users connecting to corporate networks via VPN or Dial-up connections, you should seriously consider installing "Personal Firewall" on each remote clients. There will be more management efforts so do this if benefits outweigh the costs. Like regular firewalls, you should only allow necessary ports to go out and come in and deny all unnecessary ports.
Passwords Used to Compromise Systems Back to the top
This virus took advantage of
the Microsoft SMB over TCP (Port 445), which uses NetBios names to connect
to remote systems.
Kyle Lai, CISSP, CISA has worked in the Information Security Industry for over 8 years. He is currently the CEO of KLC Consulting, Inc., where he helps clients with their specific security concerns. Mr. Lai's main areas of expertise include security architecture, risk assessments, vulnerability and penetration testing, virus analysis, security tools development, and security product analysis and research. Prior to KLC Consulting, he provided consulting services for several large and medium size companies in the area of Government, Financial, Healthcare, Utility, Manufacturing, and Higher Education that include HP (formerly Compaq/Digital), Polaroid, MIT.
Mr. Lai has published several analysis and articles on the virus, worms and Trojans, which included the analysis on the first widely spread worm targeting Windows shares, Trojan.IrcBounce, Deloder Worm and the serious Windows 2000 WebDAV vulnerability.
Mr. Lai is also the co-author of the network security utility SMAC, a Windows MAC Address Modifying tool. It has been widely used in network troubleshooting and wireless penetration testing and various areas.
KLC's mission is to provide a continuous effort to protect the confidentiality, integrity and availability of your corporate resources and data. Through each stage of the information security lifecycle, we help you prevent, detect, respond to, and resolve your enterprise security issues.
KLC encompasses security expertise in the MAC Address (Network Address) based Security, Networking and Application Security, Financial Institutions (GLBA), Healthcare (HIPAA) and Pharmaceutical (21 CFR Part 11), Vulnerability Management and Protection, Security Technologies Design and Implementation, and a full range of Professional Security Services.
Additional resources on recovery:
Trojan Ports list:
Compromised Computer Identification and Fixing Guidelines by Allen Chang at UC Berkeley
Additional resources on Trojan Horse:
mIRC Trojan Variants:
IETF Assigned Ports:
Copyright © 2002-2011 KLC
All rights reserved.