Analysis of new Sober variant

Discussion in 'malware problems & news' started by Rmus, Nov 24, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The new Sober variant retains many of the same characteristics as the earlier ones,
    and is easily prevented from 1) installing or 2) carrying out its payload.

    From the Symantec site:

    -----------------------------------
Name of attachment: Zip file name varies, but will contain the following file:
File-packed_dataInfo.exe
    -----------------------------------

    NOTE: Whitelist-protection will prevent inadvertent or unauthorized extracting (copying) of the file.

    inadvertent --> user clicks on file w/o thinking, sees alert, and says, "do I really want to do this"

unauthorized --> other user of the computer (e.g., other family member) w/o principal user's permission

    Example from a previous Sober variant (file name is different in this variant):

    http://www.rsjones.net/img/sober_1.gif

    --------------------------------------------
    Should the user be persuaded into authorizing the file to extract and run,
    anti-virus may or may not alert. If not, W32.Sober.X@mm performs the following actions:

    Displays a message with the following text:

    Error in packed Header
    --------------------------------------------

    http://www.rsjones.net/img/sober_2.gif

    ----------------------------------------
    Copies itself as the following files:

    %Windir%\WinSecurity\services.exe

    Checks the network connection of the compromised computer, and the current date,
    by connecting to one of the following NTP servers on TCP port 37:
    -----------------------------------------

NOTE: The directory created for services.exe and the NTP servers are different in this variant,
but the action is the same. Your firewall will alert on the outbound attempt to Port 37
if your Port rules are configured correctly:

    http://www.rsjones.net/img/sober_3.gif

    At this point, the alert user will

    1) notice that services.exe is not the correct Windows file,

    2) or at least ask, why is something trying to connect out to this site, anyway?

    3) and then realize that something is amiss and close the on-line connection.


    Now, the worm is prevented from carrying out the payload:

    ----------------------------------------
    Attempts to send a copy of itself to the email addresses gathered using one
    of the SMTP servers selected above.
    -------------------------------------------

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
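The two defender checkpoints the post above describes (a services.exe dropped outside %Windir%\System32, and an outbound TCP port 37 attempt that a correctly configured firewall should alert on) turned into log-review logic, as an added Python example that is not part of the original post. The firewall log format, the host's %Windir% and the IP addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample firewall log (not from the original post):
# "<date> <time> <direction> <proto> <src> -> <dst>:<dport> <process path>"
SAMPLE_LOG = """\
2005-11-24 10:01:02 OUT TCP 192.168.1.10:1045 -> 192.0.2.17:37 C:\\WINDOWS\\WinSecurity\\services.exe
2005-11-24 10:01:05 OUT TCP 192.168.1.10:1046 -> 192.0.2.30:80 C:\\Program Files\\Browser\\browser.exe
2005-11-24 10:01:09 OUT UDP 192.168.1.10:123 -> 192.0.2.44:123 C:\\WINDOWS\\System32\\svchost.exe
2005-11-24 10:01:12 OUT TCP 192.168.1.10:1047 -> 192.0.2.51:25 C:\\WINDOWS\\WinSecurity\\services.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) -> (?P<dst>[^:]+):(?P<dport>\d+) (?P<proc>.+)$"
)

WINDIR = r"C:\WINDOWS"  # assumed %Windir% of the sample host
TIME_PORT = 37          # TCP "time" service the worm uses for its date check
SMTP_PORT = 25          # the worm mails itself out directly once it is online


@dataclass
class Finding:
    ts: str
    proc: str
    reasons: list = field(default_factory=list)


def services_exe_is_genuine(path: str, windir: str = WINDIR) -> bool:
    """The real services.exe lives only in %Windir%\\System32."""
    return path.lower() == (windir + r"\System32\services.exe").lower()


def analyse(log: str) -> list:
    """Return one Finding per suspicious log line, with the reasons it was flagged."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in an unexpected format
        proc, dport = m["proc"], int(m["dport"])
        outbound_tcp = m["dir"] == "OUT" and m["proto"] == "TCP"
        reasons = []
        if proc.lower().endswith("\\services.exe") and not services_exe_is_genuine(proc):
            reasons.append("services.exe outside %Windir%\\System32")
        if outbound_tcp and dport == TIME_PORT:
            reasons.append("outbound TCP/37 time request")
        if reasons and outbound_tcp and dport == SMTP_PORT:
            reasons.append("direct SMTP from suspicious process")  # payload stage
        if reasons:
            findings.append(Finding(m["ts"], proc, reasons))
    return findings
```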
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Marcos,

    Thanks for posting that link.

I don't have the tools to do a complete analysis, for my interest is in learning how these worms can be prevented from installing, or in containing the damage locally.

    isc.sans.org reports today that mail servers monitored by a fellow handler caught over 46,000 instances of Sober.y in the last 24 hours.

There would really be no need for that amount of spreading of the worm if proper firewall protection were in place.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     