DeLoder Worm/Trojan Analysis (DeLoder-A)

URL of this article: http://www.klcconsulting.net/deloder_worm.htm

version 1.5 --- (Initial Release 1.0 - March 11, 2003)

Author: 

Kyle Lai, CISSP, CISA

KLC Consulting, Inc.

klai@klcconsulting.net 

www.klcconsulting.net 

************

The analysis of the follow-up experiment was released on 3/27/2003.  The full analysis is available at http://www.klcconsulting.net/articles/deloder/deloder_loads_vnc_password.pdf

Quick info on the follow-up experiment:

Let's get right to the point:  Deloder worm has resurfaced again during the past few days.  Deloder worms loads VNC remote control software and a password during infection.  Anyone can take over the infected systems with the right password, and it's easy to crack!

************

Table of Contents

• Introduction

• System configuration

• UserID configurations

• System Folders

• Analysis

• Files involved

• Removal Instructions

• Recommendations for Protections

• Passwords Used to Compromise Systems

• Worm/Trojan Alias

• References

• About the Author

• About KLC Consulting

• Additional virus/worm/Trojan resources

Introduction   Back to the top

A computer running Windows 2000 Professional was put online via a cable modem for ONLY 5 hours, from 4PM to 9PM, March 8, 2003.  The purpose of this experiment was to verify if the recent outbreak of port 445 activities are related to IRC type of worms, Trojans, or viruses.   

The IRC type of worms and Trojans usually target home and small business users where there is less security around the network or computers.  High Speed connections are getting more and more popular.  Many home and business users who sign up for Cable Modem or DSL simply plug in their PC's without any security and protection.  These PC’s are therefore extremely vulnerable to these types of attacks.

What is the big deal about home users getting hit by these types of worms/Trojans?  Answer:  There could be huge ripple effects.

1.     Compromised systems will connect to IRC Servers as DDoS zombies and might be waiting for a command to start DDoS attacks.

2.     Compromised systems might be used as VPN or dial-up clients to a corporate network, resulting in security vulnerabilities since VPNs and dial-up connections are the weakest link in secure computer networks.

This experiment simulates a typical setup of home users who use either Windows 2000 or XP systems.  Most of the home users do not secure their PC’s while they are on the high-speed Internet, and this experiment will show how fast a system can be compromised, and what damages these worm/Trojans can do to this system and to other systems around the world.

Within the beginning of March, 2003, there were many discussions on the incidents discussion on Security Focus regarding “Port 445 Scans,” with people concluding that it’s the “Randon” worm; however, the author of this article was not convinced because there are several variants of IRC related worms/Trojans out there, with some more malicious than the others.

With a brand new installation of Windows 2000 Professional and a configuration designed to be attacked by mIRC related viruses, we have put it to the test.  Within 10 minutes of this box being put online, port 445 was probed.  Within a 1-1/2 hours of this box being put online, it was infected with an IRC Trojan, now identified as "DeLoder."  At the 4^th hour, it was infected with a mIRC Trojan, which was identified as IRC_SCREWS by some virus vendors.

This analysis focuses on the DeLoder worm/Trojan.  Some interesting discoveries were found, including some that have yet to have been been reported by the virus vendors and other researchers. 

System configuration   Back to the top

• Windows 2000 Professional (Build 5.0.2195) with SP3
• Default Windows installation
• Set to disable Netbios over TCP/IP to filter out port 139 activities
• Open Ports
  • epmap           135/tcp    DCE endpoint resolution
  • epmap           135/udp    DCE endpoint resolution
  • microsoft-ds    445/tcp    Microsoft-DS
  • microsoft-ds    445/udp    Microsoft-DS

UserID configurations   Back to the top

This experiment was designed to have the test computer (honeypot) get infected with the IRC type of worms/Trojans, so the computer was set up with minimum security.  The default Windows 2000 professional settings were used, and no password for the Administrator user account was set.

Default Windows 2000 Professional users:

Guest user account is disabled. (by default)

System Folders   Back to the top

For simplicity, the following environment variables for this report were used:

• %windir% = C:\WINNT\
• %SystemRoot% = C:\WINNT

Analysis   Back to the top

Infections

• IRC Trojan (not mIRC)

• Remote Control tool – VNC

• Trojan files were placed in winnt\fonts\ folder.

• Cygwin1.dll was placed at winnt\system32\ folder.

Detailed Technical Analysis

• This worm/Trojan spread by scanning random IP's, and attempted to connect to the Windows 2000/XP shares, which is TCP port 445 (SMB over TCP).  Once it discovered a Windows 2000/XP systems share \\[system]\IPC$, it then started using its built-in password dictionary to connect to it.  A list of these passwords has been included in the Password section of this report.  Once it successfully connected to a Windows 2000/XP system, it started to scan for other systems so that it may spread itself again.

• Once a worm/Trojan connects to a system through \\[system]\IPC$ as an administrator of the system, it can launch (execute) and kill processes as it wishes.  It uses PSEXEC.EXE (from SysInternals) to copy the worm/Trojan to vulnerable systems it successfully scanned and identified, then it execute them.

• This IRC Trojan consists of an IRC client and VNC.

• The IRC client requires cygwin1.dll to run, which indicated that this file was originally a Unix/Linux IRC source code, and was re-compiled via Cygwin for the Windows environment.  Cygwin1.dll was placed to the system as one of the Trojan files.

• All Trojan files besides Cygwin1.dll were placed in the winnt\fonts\ folder (assuming “\winnt” as the Windows folder.)  winnt\fonts\ folder was the choice for some Trojan authors because this folder only shows the fonts when viewed through Windows Explorer, and not the executable or Trojan files, even though those were in the folder as well.  The only ways to see non-font files are to:
       (1) use Find/Search Files feature; 
       (2) use “DIR” command in the Command Prompt.
  
  The easiest way to try this is to right click on the c:\winnt\fonts folder, then select Search, and search for *.*.  You will be able to see all the files not visible through Windows Explorer.

• VNC server (v. 3.3.3.9) filename was renamed to “Explorer.exe,” and registry values for VNC were applied to the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3.”  Within the VNC registry values, you would see that the encrypted VNC password was “F3 40 BB C8 07 36 DE 47."  After running the encrypted password through VNCrack by Phenoelit, the password was cracked successfully and it was "strict".  

  The VNC server executable "explorer.exe" was the same as the original VNC server executable from the VNC official website.

  Here was the list of registry values Deloder added:

  [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
  "SocketConnect"=dword:00000001
  "AutoPortSelect"=dword:00000001
  "InputsEnabled"=dword:00000001
  "LocalInputsDisabled"=dword:00000000
  "IdleTimeout"=dword:00000000
  "QuerySetting"=dword:00000002
  "QueryTimeout"=dword:0000000a
  "Password"=hex:f3,40,bb,c8,07,36,de,47
  "PollUnderCursor"=dword:00000001
  "PollForeground"=dword:00000001
  "PollFullScreen"=dword:00000001
  "OnlyPollConsole"=dword:00000001
  "OnlyPollOnEvent"=dword:00000001

• Deloder worm launched "explorer.exe", which is an VNC server.  It opens TCP port 5800 and 5900 and started listen for VNC requests.  If a VNC clients requested a connection to the compromised system, and also provided the correct password, the user of the VNC client can remote control the compromised system, or simply spy on every single keystroke and mouse move there.

• 2 Registry values were added to automatically run the Trojan at the system startup:

Registry key = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• The worm/Trojan attempts to drop the trojan installer on the compromised system in the following share folders.  This is just a way for the worm/Trojan author to add multiple ways to start the worm/Trojan during the user logon if the Trojan doesn't start during the system startup:
  

• C$\WINNT\All Users\Start Menu\Programs\Startup\inst.exe

• C$\WINDOWS\Start Menu\Programs\Startup\inst.exe

• C$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe

• dvldr32.exe and inst.exe are the worm/Trojan package files, and were deleted after this Trojan was run from the "Startup" directories.  The original inst.exe in the c:\winnt\system32 was still intact.

• When this worm/Trojan runs, it attempts to remove the following network shares:

• ADMIN$
• IPC$
• C$
• D$
• E$

• F$

• This worm/Trojan attempts to connect to many different IRC Servers.  During the investigation, several IRC servers were connected manually.  6 out of 7 IRC servers that were tried (manually) returned an error "All connections in use."  One IRC server "h13-2-4-00-0396.beready.communitech.net" was connected successfully (luckily, only 3 spots left before reaching the maximum users limit at that time.)  Once connected, I noticed that this IRC server disguised itself as an AOL.COM IRC server.  On this server there were close to 3,000 connections (possibly DDoS zombies(?)).  Base on the information displayed during initial connection, there were close to 15,000 connections throughout 7 IRC servers this IRC server connected to.

Here are the IRC servers (there may be more):

• h13-2-4-00-0396.beready.communitech.net (6667)
• 64.23.55.21 (6667)
• dedicated1.airwire.net (6667)
• sowqube.ten6.com (6667)
• j1.mediag3.com (6667)
• boom.sh3ll.la (6667)
• 198.65.147.245 (6667)

Files involved   Back to the top

• WINNT\fonts\ folder

  • VNCHooks.dll – VNC Server component

  • omnithread_rt.dll – VNC Server component

  • explorer.exe – VNC server

  • ~GLH0003.TMP – IRC client

  • rundll32.exe – IRC client (There is a legit rundll32.exe which is a legitimate Windows system file, but it resides in the Winnt\system32 folder.)

  • dvldr32.exe – Worm/Trojan package file (deleted after the Trojan is executed.

• WINNT\SYSTEM32\ folder

  • Cygwin1.dll – a component required by rundll32.exe

  • psexec.exe - Remote process execution utility by SysInternals.

  • inst.exe – Trojan file

Removal Instructions   Back to the top

1.     (Optional) Download TCPViewer from SysInternals and run it on the compromised systems.  This is a utility that will show you the process running, as well as the ports it connects in real time.  It will also show you the status.  This is a more powerful version of "NetStat."  

A.    If you see Explorer.exe running, 

a.     doubleclick on the Explorer.exe to check the actual file location in the properties window.  If it shows "c:\winnt\fonts\explorer.exe" instead of "c:\winnt\explorer.exe," then 

                                                                   i.          close the properties window

                                                                  ii.          right click on the "explorer.exe" process and click "End Process."

B.    If you see rundll32.exe running, 

a.     doubleclick on the rundll32.exe to check the actual file location in the properties window.  If it shows "c:\winnt\fonts\rundll32.exe" instead of "c:\winnt\system32\rundll32.exe," then 

                                                                   i.          close the properties window

                                                                  ii.          right click on the "rundll32.exe" process and click "End Process."

2.     Get Anti-Virus software with the latest definitions and run it against your compromised and/or suspected Windows systems.  If you don't have one, I recommend using the AVG Anti-Virus Free Edition.  This free version also has definition update capability.  Please check the license agreement to make sure you comply with the agreement.  Symantec, McAfee, TrendMicro, AVG and other paid versions of Anti-Virus software have more comprehensive capabilities, but the free version is sufficient for home use.

3.     Get Anti-Trojan software.  This type of software usually detects and removes Trojans/worms and "security tools" that are missed or have been intentionally left off by the Anti-Virus software.  If you don't have one, I recommend swat-it by Lockdowncorp.com, a FREE Trojan Scanner.  This scanner also comes with definition update capability.

4.     Verify that the following start-up files have been removed:

A.    C$\WINNT\All Users\Start Menu\Programs\Startup\inst.exe

B.    C$\WINDOWS\Start Menu\Programs\Startup\inst.exe

C.   C$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe

5.      Verify that the following files have been removed:

• WINNT\fonts\ folder

  • VNCHooks.dll – VNC Server component

  • omnithread_rt.dll – VNC Server component

  • explorer.exe – VNC server

  • ~GLH0003.TMP – IRC client

  • rundll32.exe – IRC client (There is a legit rundll32.exe which is a legitimate Windows system file, but it resides in the Winnt\system32 folder.)

  • dvldr32.exe – Worm/Trojan package file (deleted after the Trojan is executed.

• WINNT\SYSTEM32\ folder

  • Cygwin1.dll – a component required by rundll32.exe

  • psexec.exe - Remote process execution utility by SysInternals.

  • inst.exe – Trojan file

6.     Make sure all user passwords are changed; strong (complex) passwords are recommended.  There is a good chance that the Trojan author(s) already owns a copy of your user IDs and passwords (SAM database.)

Recommendations for Protections   Back to the top

1.     Install Anti-virus software with the latest virus definitions and make sure you check the virus definition files at least once a day.  Some organizations are set up to update their virus definition file at least once an hour in a more proactive approach on their virus protection efforts.

2.     Run the Anti-Virus Scan at least once a day.

3.     Install an Anti-Trojan software and make sure you scan your systems regularly.  Make sure you get the latest Trojan definition files.

4.     Make sure you have a firewall on your network.  On this firewall, make sure you 

A.    have the latest patches

B.    turn firewall logging function ON so you can use it for investigation if necessary

C.   only allow the necessary port to go out and come in

D.   explicitly deny all unnecessary ports (Deny Any Any)

5.     On Critical systems, you may want to put them into a different subnet.  In addition, you may want to install another layer of firewall for this subnet for extra protection.  As always, only allow necessary ports to open and explicit deny all other traffics.

6.     If you have remote users connecting to corporate networks via VPN or Dial-up connections, you should seriously consider installing "Personal Firewall" on each remote clients.  There will be more management efforts so do this if benefits outweigh the costs.  Like regular firewalls, you should only allow necessary ports to go out and come in and deny all unnecessary ports.

Passwords Used to Compromise Systems   Back to the top

This virus took advantage of the Microsoft SMB over TCP (Port 445), which uses NetBios names to connect to remote systems.  
It attempted to spread to Windows 2000 Professional, Windows 2000 and XP with weak and guessable administrator account and passwords:

Worm/Trojan Alias   Back to the top

References   Back to the top

• Incidents.org received 15,776,173 reported port 445 activities on March 9, 2003.

About the Author   Back to the top

Kyle Lai, CISSP, CISA has worked in the Information Security Industry for over 8 years.  He is currently the CEO of KLC Consulting, Inc., where he helps clients with their specific security concerns.  Mr. Lai's main areas of expertise include security architecture, risk assessments, vulnerability and penetration testing, virus analysis, security tools development, and security product analysis and research.  Prior to KLC Consulting, he provided consulting services for several large and medium size  companies in the area of Government, Financial, Healthcare, Utility, Manufacturing, and Higher Education that include HP (formerly Compaq/Digital), Polaroid, MIT.

Mr. Lai has published several analysis and articles on the virus, worms and Trojans, which included the analysis on the first widely spread worm targeting Windows shares, Trojan.IrcBounce, Deloder Worm and the serious Windows 2000 WebDAV vulnerability.

Mr. Lai is also the co-author of the network security utility SMAC, a Windows MAC Address Modifying tool.  It has been widely used in network troubleshooting and wireless penetration testing and various areas.

About KLC Consulting   Back to the top

KLC's mission is to provide a continuous effort to protect the confidentiality, integrity and availability of your corporate resources and data. Through each stage of the information security lifecycle, we help you prevent, detect, respond to, and resolve your enterprise security issues.

KLC encompasses security expertise in the MAC Address (Network Address) based Security, Networking and Application Security, Financial Institutions (GLBA), Healthcare (HIPAA) and Pharmaceutical (21 CFR Part 11), Vulnerability Management and Protection, Security Technologies Design and Implementation, and a full range of Professional Security Services.