The wonderful world of worm traps

Document Sample
The wonderful world of worm traps Powered By Docstoc
					                 The wonderful world of worm traps

Antivirus products suffer the problem of lagging behind virus authors. While significant
improvements were made in order to provide proactive solutions, in certain cases it is
essential to grab a malware sample, for several reasons.
First proactive methods are not sufficient in all cases. Malware authors keep changing
their creations to avoid detection and they keep searching for new exepackers and
cryptors to obfuscate their code so that the antivirus scanners do not recognize it.
Another reason is that even if a sample is recognized by a generic detection, the actual
sample is necessary to provide proper removal and satisfying description for the users.
Normally, new samples are submitted by users. But it takes several hours if not days for
an average user to recognize that something unusual is happening on his computer
(unfortunately, contemporary operating systems trained users to tolerate system crashes
or unexpected network traffic).
It would be very beneficial to eliminate the user factor, and collect the samples directly.
This way AV labs can roll out detection and removal before the user population can even
notice the presence of a new worms. Thus the need for utilizing different malware traps
As the different types of malware use different propagation methods, many types of
worm traps are in use, each type has its advantages (and disadvantages), and can collect a
certain subset of malware.
A rather useful side effect of the worm traps is that it gives as a better understanding on
what is really spreading in the wild, what are the malware specimen that are really
threatening our users. Otherwise, we would be lured into the position that e-mail worms
are the single most important dangers nowadays.

Port listeners
These are the most simple traps, consisting of simple scripts or applications, that capture
the traffic of a single or multiple ports. These can be used in situation when the entire
malware code is sent out in a single TCP/UDP package and no interaction from the
receiver is required – like in the case of the CodeRed variants (port 80) or the Mydoom
backdoor traffic (port 3127).
Statistics coming from our Mydoom port trap are listed below:
   2004 – malware name        2004 - pctg       2005 – malware name       2005 - pctg
 Worm.Doomjuice.A                24.60%     Worm.Doomjuice.A                  42.57%
 Worm.Doomjuice.B                15.51%     Worm.Doomjuice.B                  25.74%
 Worm.Agobot.NI                   8.42%     Worm.Vesser.B                      6.93%
 Worm.Vesser.B                    4.81%     Worm.Agobot.ZT                     4.95%
 Worm.Agobot.LU                   3.88%     Worm.Gobot.H1                      3.96%
 Worm.Agobot.WA                   3.34%     Worm.Agobot.Gen.7                  1.98%
 Worm.Rbot.DP                     3.07%     Worm.Gobot.C                       1.98%
 Worm.Agobot.WY                   2.67%     Worm.Gobot.E                       0.99%
 Other:                          33.69%     Other:                            10.89%

Interesting to note, that while the 33.69% in 2004 was combined by 64 different malware
samples (mostly Agobot and Gobot variants), in 2005 only 11 other variants were
observed, which indicates that the Mydoom backdoor port is loosing its importance in
malware distribution, and based on the absolute number of the self-replicating Doomjuice
variants, the number of infected computers is also decreasing.
Some of the worms maintained the backdoor, some removed the infection entirely, other
just replaced it or replicated via it [6]. The constant decrease in port 3127 activity
indicates that the new viruses (and hopefully the installed antivirus programs) eat up this
subset slowly, because all except some old Mydoom variants decrease (or leave
unchanged) the number of affected computers.
This means that this type of activity will slowly diminish. Slowly, as the most active
Mydoom hunters are still the Doomjuice variants, that maintain the backdoor
functionality. But it still comes as s surprise that a significant number of computers are
still infected with old viruses like the Doomjuice and Vesser variants.
Other more sophisticated port traps establish communication with the probing malware,
like the Smallpot project [13], which implements the most important protocols.
According to the Smallpot statistics, the most exploited vulnerabilities (at the time of
writing this paper) are the following:

Generated at: Wed, 12 Oct 2005 22:01:03 +0300
                        Vuln Name                              Attack Count
MS02-061 Elevation of Privilege in SQL Server                  213
Microsoft Knowledge Base Q313418 null password vulnerability   40
Microsoft SQL Server SA password brute-force guessing          33
Sasser worm FTPD server buffer overflow                        24
MS03-026 RPC Vulnerability                                     16
Mydoom.A Backdoor execute exploit                              3
Dameware remote buffer overflow                                2

E-mail traps
E-mail worms cause huge traffic in a short period of time, it is essential to collect them as
soon as possible.
Fake addresses
With this approach the AV companies set up collector e-mail addresses, which are only
used for this purpose. Then this address has to be seeded in order o be available to the
worm. This can be achieved by placing the address invisible on public web pages, or
registering the address to suspicious sites, or pushing the address to certain address
collector sites (in case of Bagle related malware).
The great advantage of this approach is that there are virtually no false positive
collections: as these addresses are fake, anything that comes in is either Trojan.worm or
spam – unwanted content anyway.
The disadvantage is that it not necessarily all e-mail worms will have access to this
address, or explicitly avoid it (Mydoom variants).

General traffic filtering
Another approach is to monitor the entire traffic on an ISP. This way recurrent elements
of e-mail worm spread or trojan seeding (even if it is not fixed always) can be easily

Top list in August on one of the monitored nodes is as follows (total infected captures):
 I-Worm.Netsky.Q1                523074
 I-Worm.Zafi.B                   501265
 I-Worm.Zafi.D                   481479
 I-Worm.Mydoom.R                 119185
 Trojan.DL.Bagle.DA               90657
 I-Worm.MyTob.H                   68801
 I-Worm.Netsky.D3                 65640
 I-Worm.Mytob.J                   63074
 I-Worm.NetSky.Z                  53729
 I-Worm.Yaha.E                    45652
 I-Worm.Netsky.P                  27017
 I-Worm.Mytob.FV                  23476
 I-Worm.Mytob.DR                  19673
 I-Worm.Netsky.R                  14991
 I-Worm.Mytob.FA                  13060
 I-Worm.Netsky.B                  12325
 I-Worm.Mytob.FC                  11312
 I-Worm.Mytob.DU                  10647
 I-Worm.Mytob.IY                  10001
 I-Worm.Klez.H                     9773

Along with the never ceasing oldtimers (Zafi, Netsky, Klez, Yaha) the most important
cases are the massively distributed Bagle variants, and the constantly updated Mytob
The advantage of this approach is that larger traffic enables more chance for early
spotting the worm.
The disadvantage is the possibility of false positives, as this is real traffic, not necessarily
all traffic is unwanted.
The false positive attacks can be largely decreased by additional logics that filter out the
insignificant events and select only those which show suspicious signs or recurrent
patterns [15]. The latter is very characteristic for e-mail worm spread or large-scale
Trojan seeding – the two major categories we want to detect in time. This way eventual
cases of single malware appearances may go unnoticed, but it is a lot easier to find the
significant incidents.

SMB traps
One common method of network worms is spreading via network shares. These worms
aim to target open network shares or shares protected with weak username/password
Typical list of these password/username combinations include (as extracted from one of
the SdBot variants):

administrator                     student1                          80
administrateur                    teacher                           81
administrador                     staff                             82
admin                             intranet                          83
passwd                            bill                              84
pass                              fred                              85
pwd                               freddy                            201
pass1234                          glen                              202
zxc123                            billgates                         203
qweasd                            billgate                          204
qazwsx                            fuckyou                           205
qwe123                            motdepass                         206
123qwe                            zaq123                            207
123qaz                            zaqxsw                            209
zxcvbnm                           123qwe123                         210
qweasdzxc                         4                                 211
666                               12                                212
ctx                               24                                213
nokia                             61                                214
lan                               62                                216
internet                          63                                217
freddy                            64                                218
glen                              65                                219
turnip                            66                                220
afro                              67                                221
user1                             68                                222
student                           69

The setup of such an SMB trap is very simple. It is usually done on a Linux/Unix
installation, with some default Windows shares created (ADMINS$, IPC$, C$, D$, etc.)
with the above users added [1].
Results from our SMB traps (operated on different ISP regions) are showed in the
following table:
               2004       2004                  2005         2005
 Worm.Opaserv.AI        19.24%    Worm.Agobot.ALF          23.36%
 Worm.Opaserv.AF         8.53%    Worm.Agobot.ALB           4.33%
 Win95.Dupator.1503      7.76%    Worm.IRCBot.CM            2.89%
 Worm.Opaserv.AA         6.29%    Worm.DR.SdBot.AWM         2.36%
 Worm.Opaserv.O          5.81%    Worm.Agobot.Gen.7         2.23%
 Worm.Opaserv.D          5.47%    DDoS.Boxed.AQ.Gen         2.23%
 Worm.Opaserv.AK         5.17%    Worm.DR.SdBot.AZD         2.10%
 Worm.Opaserv.I          4.96%    Worm.SdBot.AYP            1.84%
 Worm.Opaserv.AH         4.32%    Worm.DR.SdBot.BCI         1.57%
 Worm.Opaserv.F          4.10%    Worm.DR.SdBot.BAS         1.44%
 Other:                 26.88%    Other:                   55.64%

From these results we can see that the Opaserv variants, that dominated 2004, have
completely disappeared. It is most likely the result of ISPs successfully blocking port 135
traffic (while unfortunately keeping the 445 port open).

SMB traps, likely because of flaws in the Samba implementation, have a tendency of
capturing corrupted samples. These samples have the same size as the original
transmitted malware, but are filled with zeros at the end. This is due to the fact that
whenever a new file is copied onto the trap, the whole length is allocated, and is filled
with zeros. The real content is copied in as arrives. If the connection is broken during
transmission, the end remains filled with zeros.

Native traps
A rather dangerous, but successful approach is to use native traps, with real computers
having default OS installation without security patches, connected to the internet.
The great advantage of this approach is that it can collect the samples grabbed by the
downloaders as well. Also the dropped files are also available on these traps. This way all
samples related to an incident are present. The statistics collected from these traps give
the best estimate what the user population is infected with.
But there are disadvantages. The major concern is getting infected but not becoming
infective. A worm trap can not spread the infection further. Solutions to this problems can
be filtering outgoing traffic, monitoring outgoing traffic, and in case of a significant
increase shut own the system, or combining these with connection throttling [5].
Another disadvantage is that such a system collects only the worms that the actual
operating system is vulnerable to. But as most contemporary worms use many infection
vectors targeting many OS versions, it is not much of a drawback.
Statistics collected in a specific native trap are listed in the table below [14]:
 2005.08.                                                       2005.09
 Trojan.Poebot.B                 8.73%   Trojan.Poebot.B                  16.09%
 Trojan.Downloader.Dyfuca.Ei     3.87%   Trojan.Poebot.D                   8.91%
 Trojan.Lowzones.Hp.S02          3.85%   Trojan.Small.Hp                   7.12%
 Trojan.Downloader.Agent.Tv      3.74%   Adware.Elitetoolbar.A16           5.28%
 Adware.180search.A31            3.26%   Adware.Elitetoolbar.A04.Etb.B2    5.15%
 Trojan.Downloader.Istbar.Gen    3.18%   Trojan.Rbot.Gen                   4.75%
 Trojan.Dubar                    3.05%   Trojan.Small.Hp.A16               4.16%
 Trojan.Downloader.Agent.Fx      2.89%   Adware.Mediaticket.A16            4.16%
 Adware.Mediagtw.A5              2.65%   Trojan.Small.Hp.A01               2.18%
 Trojan.Roundstid.Hp             2.55%   Trojan.Hwclk                      1.65%
 Trojan.Downloader.Small.Asf     2.55%   Adware.Betterinternet.A1          1.65%
 Trojan.Nail.B5                  2.28%   Trojan.Nanspy.E                   1.58%
 Adware.Mediagtw.A1              2.20%   Trojan.Rbot.J18                   1.45%
 Adware.Mediaticket.S05          2.07%   Worm.Gaobot.Gen                   1.32%
 Trojan.Downloader.Small.Gr      2.04%   Trojan.Rbot                       1.19%
 Trojan.Poebot.D                 1.96%   Adware.Elitetoolbar.A01.A2        1.12%
 Trojan.Downloader.Vb.Jl         1.96%   Adware.Elitetoolbar.A01.A1        1.12%
 Adware.Elitetoolbar.S02         1.96%   Adware.Clientax.A16               1.12%
 Trojan.Rbot.Hp                  1.94%   Trojan.Rbot.Hp.A02                1.06%
 Adware.Bargainbuddy             1.80%   Adware.Toolbar.Elitebar.Am        1.06%
 Other:                         41.44%   Other:                           27.90%

It is clear from this, that the user population is targeted with a wide range of different
malware (because even the top malware has low percentage), most of which are not
normally observable on vendor top list. Surprisingly high is the number of adware, which
indicates that adware is very much underrated in vendor lists, but the users feel a quite
different situation.

Vulnerability and protocol emulators
Most of the network worms nowadays use more complex infection methods, which do
not consist of sending a single package. In the first step only a small package is sent,
which, after causing a buffer overflow, executes a connect-back code, which downloads
the worm binary itself.
In order to capture successfully these worms, the targeted vulnerabilities have to be
“emulated”. The traps worming on this principle start by capturing port traffic, after
which analyze the package, looking for shellcodes. If one is found, the connect-back code
is decoded if necessary, then the URL pointing to the worm binary extracted and the
binary is fetched.
Full-featured protocol emulator trap exist for Windows operating system (WormRadar,
iDefense Multipot, HBPot), also for x86 Linux operating system (mwcollect, nepenthes).
The success of these traps lies in extent they support the shell codes used by different
WormRadar goes beyond the simple capturing, a graphical display of worm activity
distribution around the globe is provided along with the stats.
As experiences with SMB and protocol emulator traps in different ISP regions show,
these worms can spread very badly in filtered networks (where the critical 135 and 445
ports are filtered) or in isolated networks (where these ports are allowed in small
segments, but filtered between segments).

Based on experiences with these traps, in the case of an unfiltered network, which is still
quite common, it takes only a couple of minutes for the first incoming attack, and about
two minutes for a successful infection (this time includes the time required by the
connect-back shellcode to download the worm code to the target computer).

The advantage of protocol emulator traps is that they can capture network worms without
the danger of getting infective themselves – unlike native traps.
Malware collected with MWCOLLECT in months July and August show the following
 Worm.RBot.BTW               8.33%
 Worm.RBot.BYE               8.05%
 Trojan.DR.Juntador.N        7.26%
 Worm.Codbot.Y               5.72%
 Worm.RBot.BWY               4.84%
 Worm.RBot.BZQ               4.56%
 Worm.RBot.BXS               4.51%
 Worm.RBot.BWL               3.96%
 Worm.RBot.BYD               3.58%
 Worm.RBot.BZV               2.93%
 Trojan.DR.Juntador.M        2.79%
 Worm.RBot.BXR               2.70%
 Worm.RBot.CCC               2.23%
 Worm.RBot.BZM               2.23%
 Trojan.DR.Juntador.D        2.14%
 Other                      34.16%

Mostly RBot variants are observed, which due to their self-updating do not remain in
spread for a long time, they are replaced by the new variants. Also interesting to notice
the appearance of the Juntador droppers, which are a self-spreading package, usually
consisting of an RBot variant (responsible for expanding to other hosts), and an adware
installer. Clear intention is to use the botnets to install on them adware packages.
Operation experiences with the nepenthes trap show that in a selected 37 hour period
(2005. September 17-18: Saturday and Sunday) 6699 attempts were made, of them 3057
were successful (partly because of worm trap or transmission errors not all attempts are
successful), all this belonging to 73 different malware samples. So it takes about 1.3
minutes for an average user to get infected. I should mention that it was a completely
unfiltered ISP network. On another node, where the Windows networking ports are
filtered (except for the IP address used by our trap), we observer only about 4-5 hits a
week. These belong to probes originating from other IP ranges hitting accidentally our
trap. As most worms prefer local subnets for spread, it is a rare occasion. Consequently, it
is very advised for ISPs to specifically filter out ports 42, 137, 445 and the likes.

IRC traps
Many malware uses IRC channels as communication media. The botnets and recent
Mytob samples specifically use IRC to transmit commands, including the download
locations for updates or programs to execute. It makes sense to monitor these channels, to
grab the samples the same time as they arrive at users computers.

P2P traps
Peer-to-peer networks can be used to distribute new malware to a large user population.
In addition to that, a large number of known P2P worms copy themselves to the transfer
directory of file exchange programs, and spread further.
Most of the malware distributed on these networks are different trojans, but some self-
spreading worms are also observable [7].
Distributing malware via P2P is may not be as effective as a network worms, but using
deluding filenames may increase the chance to spread. And malware authors can make up
deluding filename. However, due to the nature of these networks, malware distribution
follows a pull model (as opposed to the push model of network or e-mail worms), and the
spread cycle is consequently much slower.

Download traps
We have seen many cases where malware has been hosted in Internet sites, and in the
first step only a downloader code (either script, binary downloader or only a HTML
message with a link was sent to the target users. In these cases, the actual content of these
sites may change from time to time, giving a chance for the malware author to plant new
versions or different bugs.
Good examples of this web hosted seeding are the recent Bagle incidents [3,4]
In case of Bagle incidents, where the seeding of the new variants happens at an
alarmingly fast rate (due to the extensive use of the Baglenet) every minute that can be
earned by early spotting of the new variant on the download website is precious. The
entire Bagle malware family (downloaders, worms, spam tools, proxies) was observable
in the download locations.

USENET traps
Usenet has been used for malware distribution for many years [2]. Although the Usenet
lots its privileged role in Internet communication, but not lost its role as a malware
distribution media. The Virus Patrol project monitors it for years. While in the late 90s
mostly replicating malware was seeded in newsgroups, nowadays more non-replicating
trojan downloaders and backdoors are observable, along with the very popular IRC bots

Geographical distribution
The operation of identical traps even on different ISPs in the same country, moreover in
different countries shows significantly different malware spectra. This is mainly caused
by the facts that worms usually prefer target addresses within the same subnet, and that
subnets or ISP regions are usually isolated.
This means for us that it is necessary to set up traps on as many locations as possible, or
to cooperate between vendors to setup global trapnet.

Antivirus labs are always one step behind the malware authors. Clever usage of malware
traps can take them a half step closer to them, by eliminating the overhead involved with
the infected user between them. Even this half step is valuable enough and can save many
troubles for the end users.

[1] M.Overton: Worm charming: taking SMB Lure to the next level, Virus Bulletin
Conference, 2003. Toronto
[2] Dmitry O. Gryaznov: Virus patrol: five years of scanning the USENET, Virus
Bulletin Conference, 2002. New Orleans
[3] G. Szappanos: In Limited distribution Only, Virus Bulettin, May 2005.
[4] Scott Molenkamp, Hamish O’Dea: Solving the Bagle jigsaw, Virus Bulletin
Conference, 2005, Dublin
[5] The Honeynet Project,
[6] G. Szappanos: Doomquest, Virus Bulletin
[7] Dmitry O. Gryaznov: Malware in popular networks, Virus Bulletin Conference, 2005.
[10] O. Auerbach: Evolution from a honeypot to a distributed honey net , Virus Bulletin,
August 2005.
[11] The Malware collector project:
[12] The Nepenthes project:
[13] C.Raiu: malware in a small pot, Virus Bulletin Conference, 2002. New Orleans
[14] Statistics obtained from worm traps operated at ArcaBit (Poland), personal
[15] RPD technology, white paper, Commtouch® Software Ltd.