BKDR_HACKARMY.J Is TDS really the best?

Discussion in 'Trojan Defence Suite' started by jhietter, Jan 25, 2004.

Thread Status:
Not open for further replies.
  1. jhietter

    jhietter Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    4
    I guess I'm a bit of a novice re security, so maybe someone can set me straight. On 1/24/04, I was transferring files just fine, but my browsers wouldn’t work, so I took a look at my processes. I found svchhhost.exe running from my system32 folder & it obviously seemed suspect (svchhhost instead of svchost). As soon as I killed it, my browser worked again. So I put it in its own folder & scanned that folder with TDS, AVG, AdAware & Spybot and none of them found anything. When I ran it myself, I did a mutex memory scan & a process memory scan in TDS and it found nothing!! I searched all the major security software sites and only one has a record of it: Trend Micro, in an article about BKDR_HACKARMY.J. I tested it out & this thing runs exactly like they say it does. They found it on 1/21/04. I submitted the file to TDS, but I thought the scans in TDS would pick up on this type of process, even if it was a new one. It's been 4 days since Trend Micro discovered it & still no one has any record of it. I know what TDS is, and yes, I also always have a virus scanner & 2 firewalls (soft/hard) running, but I'm losing my faith in TDS a bit. Can someone set me straight?
    Thanks,
    John
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi John, Welcome!
    You zipped and sent it to submit@diamondcs.com.au and/or gavindcs@iinet.net.au and no reply yet?
    Do you mind zipping and sending it again to both addresses to make sure they have it?
    Thanks in advance!

    There have been several variants in the primaries list for some time; this might be another variant.
    I'm going to dig for the info now.

    You might also like to go to the www.avp.ru site, at the top get the English site, at the bottom get the "online virus check", and have the KAV analysis of the file in a few seconds too.
     
  3. jhietter

    jhietter Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    4
    Actually, I submitted to support@diamondcs.com.au because I didn't know the other address. I just sent it to both just now though. My original email was only just yesterday. Thanks for the advice.
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    For adding malware to the database, DiamondCS is dependent on users submitting suspicious files, as they cannot find them all by themselves.
    So you have done the right thing by submitting it to DiamondCS.
    However, there are no updates during the weekend, so the process will not be detected till Monday. Why the program isn't detected by the other detection features of TDS I don't know. Only DiamondCS can answer that question, if you have configured TDS the right way. ;)
    Dolf
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you sure you had a svchhhost.exe with 3 hhh and not 2 hh in the middle? That could indicate another variety.

    As I see in the descriptions, several have another file included, wuaumg.exe, which I know as part of various Spybots (detection of which is also included in TDS); you might like to have an additional scan with Spybot S&D and see if anything shows up, or with JavaCool's software (in another part of the Wilders forum).


    You might also like to install Port Explorer (the eval is free) to keep an eye on all your connections and what they use, as this Hackarmy tries to connect to mIRC via ports 6666 and 6667, and more unwanted stuff might happen, which you can discover immediately and kill instantly.

    Looking forward to next developments here, so keep us updated, so that we can keep you clean and safe!
     
  6. jhietter

    jhietter Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    4
    I did check the ports, but as suspected, my firewalls weren't letting any traffic to any ports that I hadn't specified (I don't use IRC). I used to have TDS default sockets initialized, but now I just let the FW handle that. I mainly use TDS to scan hidden processes & hopefully detect infected files that are brand new to the streets & not in anyone's definitions yet. This file creates a mutex - well, here's the whole description:

    Installation

    Upon execution, this backdoor drops and executes the following copy of itself in the Windows system folder:

    SVCHHHOST.EXE
    The dropped copy, once it is executed, deletes the original malware file.

    It creates a mutex called "botsmutex" for checking and ensuring that only one copy of itself is running at a given time.

    Autostart Techniques

    This backdoor creates the following registry entry so that it executes every time Windows starts:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Winsock32driver = svchhhost.exe

    Backdoor Capabilities

    This backdoor operates as an Internet Relay Chat (IRC) bot. It connects to the server, updates.badpenguin.net, through port 6667. It then joins the channel, #updates, where it listens for commands coming in from remote users.

    It executes the commands locally on the infected machine, providing remote users virtual control over affected systems.

    This IRC backdoor allows remote users to do the following:

    Disconnect from the server
    Execute a file
    Delete a file
    List a process
    Kill a process
    Update the malware
    Read logs
    Obtain the following information:

    Uptime of the Windows OS
    CPU speed
    Online duration
    Current logged on user
    IP address
    Processor

    Other Details

    This backdoor is compressed under a modified UPX algorithm. Its icon resembles one commonly associated with media files.

    I'm probably just expecting way too much of any program.
     
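Jooske's advice above to watch for connections on ports 6666/6667, together with the Trend Micro description John quotes (a look-alike of svchost.exe in the system folder, the Winsock32driver Run value, the botsmutex mutex, an IRC session to updates.badpenguin.net:6667), gives enough to triage a host by hand. The script below is an added example, not code from any poster, from DiamondCS or from Trend Micro: it checks a constructed snapshot of processes, Run values and connections against those indicators, and on Windows can also probe for the named mutex. The list of legitimate image names, the snapshot contents and the "svchhost.exe" spelling for the 2-h variant Jooske asks about are assumptions made for the example.

```python
"""Host triage for the BKDR_HACKARMY.J indicators quoted in this thread.

Added example (not from any poster, DiamondCS or Trend Micro). It checks a
snapshot of running processes, HKLM Run values and TCP connections against
the indicators in the description: a look-alike of svchost.exe, a Run value
named Winsock32driver, and an IRC session on port 6666/6667. The snapshot
at the bottom is constructed by hand so the script runs offline.
"""
import re
from dataclasses import dataclass

# Legitimate Windows image names that malware commonly imitates (assumed list).
KNOWN_GOOD = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "explorer.exe", "spoolsv.exe"}
IRC_PORTS = {6666, 6667}                        # from Jooske's post
SUSPICIOUS_RUN_VALUES = {"winsock32driver"}     # from the Trend description
SUSPICIOUS_IMAGES = {"svchhhost.exe",           # from the Trend description
                     "svchhost.exe"}            # assumed spelling of the 2-h variant
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted system image names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(image: str, max_distance: int = 2):
    """Return the legitimate name `image` imitates, or None if exact or unrelated."""
    image = image.lower()
    if image in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if levenshtein(image, good) <= max_distance:
            return good
    return None


def mutex_exists(name: str = "botsmutex"):
    """On Windows, report whether a named mutex is present; None elsewhere."""
    try:
        import ctypes
        k32 = ctypes.windll.kernel32
    except AttributeError:          # not Windows
        return None
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


@dataclass
class Snapshot:
    processes: list      # (pid, image name, directory)
    run_values: dict     # value name -> command line
    connections: list    # (pid, remote host, remote port, state)


def triage(snap: Snapshot) -> list:
    """Return one human-readable finding per indicator hit."""
    findings = []
    for pid, image, path in snap.processes:
        if image.lower() in SUSPICIOUS_IMAGES:
            findings.append(f"pid {pid}: {image} in {path} is a known HackArmy image name")
        elif (good := lookalike_of(image)):
            findings.append(f"pid {pid}: {image} in {path} looks like {good}")
    for value, command in snap.run_values.items():
        m = EXE_NAME.search(command)
        exe = m.group(1) if m else command
        if value.lower() in SUSPICIOUS_RUN_VALUES or lookalike_of(exe):
            findings.append(f"Run value {value} = {command}")
    for pid, host, port, state in snap.connections:
        if port in IRC_PORTS and state == "ESTABLISHED":
            findings.append(f"pid {pid}: IRC connection to {host}:{port}")
    return findings


# Constructed snapshot mirroring John's machine as described in the thread.
SAMPLE = Snapshot(
    processes=[(4, "System", r"C:\WINDOWS"),
               (812, "svchost.exe", r"C:\WINDOWS\system32"),
               (1640, "svchhhost.exe", r"C:\WINDOWS\system32"),
               (1702, "explorer.exe", r"C:\WINDOWS")],
    run_values={"Winsock32driver": "svchhhost.exe",
                "CTFMON.EXE": r"C:\WINDOWS\system32\ctfmon.exe"},
    connections=[(1640, "updates.badpenguin.net", 6667, "ESTABLISHED"),
                 (1702, "www.example.org", 80, "ESTABLISHED")],
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
    print("botsmutex present:", mutex_exists())
```

A scanner's mutex or process-memory scan only knows the names and byte patterns in its definitions, which is why a variant with a new mutex name or repacked code slips past until a sample is submitted; the edit-distance check on image names is a heuristic that catches the svchhhost trick without depending on any definition.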
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does Port Explorer show any more processes and connections to be blocked or killed? Keep it up for a while.
    Did you check the locations from your description for files and registry keys?
    The nasty has been in the primaries for some time, so it should be detected if you check all scan options in the scan control.
     
  8. Caliban

    Caliban Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    42
    It sounds like a variant to me, there is no end to the Hackarmy/Spybot variants. They are easily manipulated by almost anyone to get past the signatures in the database. I have a trojan right now that is undetected by all AVs and ATs, when I find them I send them to DCS and others. The fact that KAV, NAV, RAV, TrendMicro, TDS, BOClean, etc. do not detect this nasty does not mean they are bad or don't function as advertised, it means that they are dependent on signatures made from the code in the malware. Heuristic detection is not yet capable of replacing signature based detection. My bet is it's a variant and do your computing comrades a public service and send it to your favorite AV and AT vendors. My two pence.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Caliban, did you check all the scan options in TDS, at the highest sensitivity, and do you get any alert like "suspicious" or are there other indications about your trojan?
    Is it trying to call outside or showing other behaviour? Does PE show hidden processes with it?
    Just to ask: how do you know if nothing is showing up?
    Love to hear, of course!
     
  10. Caliban

    Caliban Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    42
    Hi Jooske,
    It's my hobby to find the stuff. I can tell by file name, size, place found, looking for the winsock32 dll with PEView and finally hearing back from the vendor, BOClean and KAV in this instance, that yes, it is a new nasty. I know everyone goes home on the weekend at DCS, but Gavin always adds the stuff I send the next day. I believe Monday is a holiday in Oz?
    I forgot to add that I also cautiously execute the real undetecteds to see what they do; that is the real clincher. Application control with Kerio and registry control with RegistryProt allow me to do this with relative impunity, but I do get nicked on occasion. That's how I know what a trojan shutting down my security software looks like. ;)
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds nice as a hobby, as you help the internet community a lot with keeping clean; hope you can locate the nasty you found now and see it being added soon.
    Yes, Monday is Australia Day, but we know ourselves to be rather well protected with Gavin covering detection and protection in advance, as long as we do check all scan options :)

    Let's see what your new nasty ends up being.
    Knowing your system so well, finding all kinds of suspicious stuff in time and computing safely, you must be rather secure by the sound of it.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Caliban, Have you played with Process Guard & rootkits yet? You may find that quite interesting ;)
     
  13. Caliban

    Caliban Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    42
    Hi Pilli,
    Not with rootkits, but I did try all the firewall test programs and was suitably impressed by PG's performance. Since I found Process Guard I would never be without it.
     
  14. Caliban

    Caliban Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    42
    KAV was the first in with signature and name, Backdoor.Thredsys.51.
     
  15. Longthing

    Longthing Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    40
    I already forgot about that one. Almost a month ago I submitted a file called britney_spears.scr which KAV detected as Backdoor.Hackarmy.I, and Norton as Backdoor.IRC.Bot (after I submitted it to Symantec).

    TDS-3 still doesn't detect this one.
     
  16. jhietter

    jhietter Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    4
    Like I said, I'm probably just expecting way too much of any program. I know TDS is a great thing. I guess I just had a tiny bit of a false sense of protection & I wanted to get rid of that. I'm glad this thread started an even more interesting conversation because I've learned a lot today. That inspires me to start learning some more & you guys have provided some great ideas (programs) to start with.
    - John
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    How do you evaluate a degree of protection from a single missed threat?

    Every AV misses viruses, every AT misses viruses.

    Even if in my opinion TDS is one of the best, the fact that it has missed one won't decrease my faith in it :)
    I know TDS can detect trojans undetectable by many other ATs/AVs, like polymorphic trojans, so I don't worry about a single missed threat.
    BTW, if you are sure about it, just send it to DCS and all will be fine.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Longthing,
    Hackarmy.I has been in the primaries for some time.
    Maybe another variant? Did you never get a confirmation?
    In your scanning, do you check all possible scan options?

    To make you guys happy: a few months ago I found a Spybot which was itself infected by a virus, and the whole package was again infected by another virus, where the whole online virus check at KAV said it was all clean and safe, while in the incoming packet in PE I had already seen specific malicious code.
    Gavin confirmed the determination, with the three nasties in one at a time.
    I've tried more samples in that online scanner for which only TDS gives positive identifications with a name, so they are in the primaries list.
    One can expect some code parts to be included in more trojans, call it recycling :) e.g. one thinks one has a Spybot, Weird or Kuang thing, sees wuaumg.exe and the like, and afterwards it might be a Hackarmy variety; anyway the detection code can cover more, while the exact name will show up for that sample.
    So keep sending them in.
     
  19. Longthing

    Longthing Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    40
    I performed a right-click scan. But you are right. TDS-3 does detect it. When I scanned the file last night it was still packed in a zip file.

    When I unpack the file and perform a right-click scan, TDS-3 does detect it as hackarmy.i
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again, if you check the "scan inside archives and compressed files" option it should be detected in the normal way too, without unzipping it ourselves!
    Glad you found out the detection, so you can be sure there are no other copies on your system!
     
  21. Longthing

    Longthing Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    40
    That option is checked. I received a couple of e-mails infected with W32.Dumaru.Y yesterday. This virus comes in a file called myphote.jpg .exe which is packed in a zip file. When scanning the zip file with TDS, TDS gave a warning for a possible keylogger.

    I was not afraid that my PC was infected with hackarmy.i. Found it in a couple of newsgroups but did not execute it.
     
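Longthing's right-click scan missed hackarmy.i while the file was still zipped and caught it once unpacked, and the Dumaru mails arrive as "myphote.jpg .exe" inside a zip. The script below is an added example, not TDS-3 code or any poster's: it matches a byte signature against a file directly and, when archive scanning is on, recursively inside zip members, and separately flags names with a space-padded double extension. The signature (a stand-in built from the botsmutex string in the Trend description), the depth and size caps, and the sample archive are all constructed for the example.

```python
"""Archive-aware signature scan, plus a check for padded double extensions.

Added example (not TDS-3 code or any poster's). A signature matched against
the raw bytes of a zip cannot see a member's content, because DEFLATE
rewrites it; the scanner has to open the archive and scan each member,
recursing into nested archives with a depth and size cap. The signature,
the caps and the sample archive are constructed for this example.
"""
import io
import re
import zipfile

# Constructed stand-in for a real definition: the mutex string from the
# Trend Micro description of BKDR_HACKARMY.J.
SIGNATURES = {b"botsmutex": "BKDR_HACKARMY-like (mutex string)"}
MAX_DEPTH = 3                        # nested archives deeper than this are not opened
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate oversized members (zip bombs)
# 'myphote.jpg .exe': a harmless-looking extension, spaces, then the real one.
DECEPTIVE_NAME = re.compile(r"\.(jpe?g|gif|png|txt|doc|pdf)\s+\.(exe|scr|pif|com|bat)$", re.I)


def deceptive_name(name: str) -> bool:
    return bool(DECEPTIVE_NAME.search(name))


def scan_bytes(name: str, data: bytes, scan_archives: bool = True, depth: int = 0) -> list:
    """Return (name, finding) pairs for `data`; with scan_archives, descend into zips."""
    findings = []
    if deceptive_name(name):
        findings.append((name, "deceptive double extension"))
    for sig, label in SIGNATURES.items():
        if sig in data:
            findings.append((name, label))
    if scan_archives and depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member_name = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member_name, "member too large, not scanned"))
                    continue
                findings.extend(scan_bytes(member_name, zf.read(info), scan_archives, depth + 1))
    return findings


def scan_file(path: str, scan_archives: bool = True) -> list:
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read(), scan_archives)


def build_sample() -> bytes:
    """Constructed outer zip: a deceptively named stub plus a nested zip with the signature."""
    payload = (b"MZ" + b"\x00" * 512 + b"botsmutex\x00"
               + b"updates.badpenguin.net\x00#updates\x00" + b"\x00" * 512)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("britney_spears.scr", payload)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("myphote.jpg .exe", b"MZ" + b"\x00" * 64)
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("zip scanned as a plain file:", scan_bytes("outer.zip", sample, scan_archives=False))
    print("zip scanned inside archives:", scan_bytes("outer.zip", sample, scan_archives=True))
```

Run as a script, the first line shows the same empty result a plain scan of the zip gives, and the second shows both the padded double extension and the signature found two archive levels down; the size cap is what keeps "scan inside archives" from being turned into a denial of service by a nested archive that inflates to gigabytes.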
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Glad the Dumaru.Y was detected; it is new since this weekend I think, and is a keylogger indeed, while it opens a few backdoors for attackers on ports 10000 and 2223 (?), password stealing, especially from e-gold accounts etc. etc.
    I'm not sure if it uses harvested sender names or those of the real computers, so that you could alert the people who sent it to you.
     