Mytob is a mass-mailing worm with a built-in SMTP engine that spreads through social engineering and common Windows vulnerabilities. HellBot is an open source IRC bot written in C; it supports SSL, HTTP proxying, telnet administration and, of course, distributed coordinated attacks. Somehow this combination doesn't give me the warm and fuzzies. This is just a reminder not to open attachments in email:
This incident started when someone received a message stating that without immediate action, their email account would be disabled. So, in order to react and keep the email account, you have to download the attachment and open it, right? After all, it's not an executable, it's a .pif. (Windows treats a .pif file as a program and runs whatever is inside it, so the extension is no protection at all.) When are people going to learn? With some devilish behavior on its mind, HCETSE.PIF made it as far as IE's Temporary Internet Files directory and was quarantined by CA. It never executed; remind me that we owe CA a favor.

[time 5/11/2005 1:19:08 PM: ID 14: machine [sanitized]: response 5/11/2005 1:23:58 PM]
The Win32/Mytob.33792!Worm was detected in C:\DOCUMENTS AND SETTINGS\[sanitized]\LOCAL SETTINGS\TEMPORARY ...\HCETSE[1].PIF. Machine: [sanitized]. File Status: Moved

HCETSE.PIF is 33792 bytes long, and you can bet that every bit of it would turn ownership of your PC over to its authors within a matter of seconds (is your email account really that important now?). It isn't packed with any known packer, so we can't simply unpack it. It doesn't parse as a valid Win32 PE and its import tables are corrupt, so we can't load it into a disassembler. It has only three interpretable strings, and those are the basic three you'd find in pretty much any program. The only choice left is to load it in a debugger, set a breakpoint right after it decompresses itself into memory, and then dump a pristine copy of the freshly unraveled code from RAM. The first time I did that I set the wrong breakpoint and the code executed all the way through (that's why you do this in VMware, with the VM's network isolated). HCETSE.PIF made a copy of itself named internet.exe and wrote it to the C:\WINDOWS\System32 directory. It wreaked havoc on the HOSTS file and tried connecting to port 7000 of an IRC server on a Lycos network in Sweden. The nice thing is that now we have a legitimate PE with repaired import tables, 1200+ human-readable strings, and a size that has more than tripled since it was decompressed from HCETSE.PIF.
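The static triage above (does it parse as a PE, how many strings does it carry, is it compressed) is the kind of thing worth scripting so the next sample gets the same treatment. The script below is an added example, not code from the original post; the two inputs are constructed stand-ins rather than HCETSE.PIF itself, the entropy and string-count thresholds are my own heuristics, and the packer check only knows the UPX marker.

```python
# Added example (not from the original post): first-pass static triage of a
# suspicious file. FAKE_PE and OPAQUE_BLOB are constructed, not real samples.
import math
import re
import struct
from collections import Counter

# A minimal, mostly-zero blob with a valid DOS stub whose e_lfanew points at "PE\0\0".
FAKE_PE = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))
FAKE_PE += b"\x00" * (0x80 - len(FAKE_PE))
FAKE_PE += b"PE\x00\x00" + b"\x00" * 20
FAKE_PE += b"This program cannot be run in DOS mode.\x00kernel32.dll\x00LoadLibraryA\x00"
FAKE_PE = bytes(FAKE_PE)

# An MZ stub followed by dense pseudo-random bytes and a single library name:
# roughly what a compressed dropper with a mangled PE header looks like to strings(1).
OPAQUE_BLOB = b"MZ" + bytes((i * 37 + 11) % 256 for i in range(600)) + b"KERNEL32.dll\x00"


def has_pe_header(data):
    """True if the DOS header's e_lfanew points at a PE signature inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes, roughly what strings(1) prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_packer(data):
    """Crude signature check for one well-known packer (UPX leaves its name in the file)."""
    return "UPX" if b"UPX!" in data or b"UPX0" in data else None


def triage(data):
    """Summarise the checks; 'needs_dynamic_unpack' is the verdict that sends you to a debugger."""
    strings = printable_strings(data)
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "valid_pe": has_pe_header(data),
        "strings": len(strings),
        "entropy": round(ent, 2),
        "packer": known_packer(data),
        # High entropy and almost no text: static tools will not help, unpack it in memory.
        "needs_dynamic_unpack": ent > 7.0 and len(strings) < 10,
    }


if __name__ == "__main__":
    for label, blob in (("fake_pe", FAKE_PE), ("opaque_blob", OPAQUE_BLOB)):
        print(label, triage(blob))
```

The opaque blob comes back as "not a valid PE, one string, entropy near 8, no known packer", which is exactly the dead end described above and the cue to move to a debugger and dump the decompressed image from memory.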
Hang on, this file is about to spill its guts... It has a list of 38 first names which it uses to derive email addresses (you know, the ones that will be terminated if you don't open the attachment); a few of them:

brenda
claudia
debby
helen
jerry
jimmy

For one reason or another, the worm won't try spreading to domains that contain certain substrings, possibly out of fear of getting detected quicker:

panda
sopho
berkeley
mit.e
ibm.com
iana
ietf
isc.
secur

Yep, these authors are scared. They won't go near you if you work or go to school at MIT or Berkeley. No way; the worm wouldn't last a minute before someone had it all figured out. It has a list of gestures for the message body, which it chooses from at run time (the typos are the worm's own):

Once you have completed the form in the attached file, your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
Follow the instructions in the attachment.
We have suspended some of your email services, to resolve the problem you should read the attached document.
To safeguard your email account from possible termination, please see the attached file.

It also has a list of hostname prefixes. Since it has a built-in SMTP engine, it doesn't need the victim's mail client; it guesses the target domain's mail server name and connects to it directly:

mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s

This is incentive not to name your mail servers 'mail' or 'smtp'. Name them something most worms won't have hard coded. (That only defeats worms that guess names the way this one does; one that looks up your domain's MX record in DNS will find the server whatever you call it.)
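To make the target selection concrete, here is an added example (not code from the original post, and not the worm's own code) that models the three tables above: the first names, the domain skip-list and the mail server prefixes. The lists are only the excerpt reproduced above, not the worm's full tables, and the harvested domains fed in are made up.

```python
# Added example (not from the original post): a model of the Mytob-style target
# selection described above. Lists are the partial excerpt from the write-up.
from itertools import product

NAMES = ["brenda", "claudia", "debby", "helen", "jerry", "jimmy"]  # 6 of the 38
SKIP_PATTERNS = ["panda", "sopho", "berkeley", "mit.e", "ibm.com",
                 "iana", "ietf", "isc.", "secur"]
MX_PREFIXES = ["mx.%s", "mail.%s", "smtp.%s", "mx1.%s", "mxs.%s",
               "mail1.%s", "relay.%s"]


def skips_domain(domain):
    """True if the worm would avoid this domain: a plain, case-insensitive substring match.

    Note how coarse the match is: 'secur' catches security vendors but also anything
    like 'mysecuritybank.example', and 'mit.e' catches mit.edu as well as summit.events.
    """
    d = domain.lower()
    return any(p in d for p in SKIP_PATTERNS)


def derived_targets(harvested_domains):
    """Addresses the worm would build from its name list and the domains it harvested."""
    return [f"{name}@{dom}" for dom, name in product(harvested_domains, NAMES)
            if not skips_domain(dom)]


def mx_candidates(domain):
    """Mail server hostnames the worm would try, in list order, instead of asking DNS for MX."""
    return [p % domain for p in MX_PREFIXES]


if __name__ == "__main__":
    # Constructed harvested-domain list: two skipped, one targeted.
    harvested = ["example.com", "mit.edu", "ietf.org"]
    for addr in derived_targets(harvested):
        print(addr, "->", ", ".join(mx_candidates(addr.split("@")[1])))
```

Running it shows only example.com addresses being generated, each with seven guessed mail hosts; a domain whose mail server is named anything outside that prefix list is simply never reached by this delivery path.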
It cripples your ability to investigate with existing Windows tools and sacrifices known antivirus programs and firewalls to process hell, killing anything named:

regedit.exe
msconfig.exe
cmd.exe
taskmgr.exe
netstat.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe

It stomps all over the HOSTS file to prevent further updating of any other antivirus engines it might not have been able to terminate:

127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com

It connects to irc.blackcarder.net, joins a channel named #31337, logs on with '3l1t3', and awaits further instruction from its peers. Its name is HellBot:

H-e-l-l-B-o-t-3!!
[x] starting HellBot::v3 beta1
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-

References:
Symantec's Mytob
Freshmeat.net's Hellbot
Symantec's Mydoom.BO
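The HOSTS tampering and process killing described above are the easiest indicators to check across a fleet, because they survive after the worm has finished running. The script below is an added example, not from the original post: it parses a HOSTS file, flags vendor domains pointed at a non-routable address, and compares a process list against the tools that should be resident on the host. The HOSTS text and process list are constructed; it goes slightly beyond the page by also treating 0.0.0.0 as a sinkhole address, since that is the other common choice. Remember that on a live victim the worm has killed netstat.exe and taskmgr.exe, so collect the process list with something it doesn't target, or from a mounted disk image.

```python
# Added example (not from the original post): host-level indicator checks for the
# HOSTS-file and process-killing behaviour described above. Inputs are constructed.
import ipaddress

# Vendor domains the sample sinkholes, copied from the HOSTS entries above.
AV_DOMAINS = {"mcafee.com", "liveupdate.symantecliveupdate.com", "viruslist.com",
              "f-secure.com", "kaspersky.com"}
# The file name the sample drops into System32.
DROPPED_NAME = "internet.exe"

# Constructed HOSTS file: one legitimate loopback entry, four sinkholes, one intranet host.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com   # sinkholed by the worm
0.0.0.0 kaspersky.com
192.0.2.10 intranet.example.local
"""

# Constructed process list: the dropped copy is running and one security tool is gone.
SAMPLE_TASKLIST = ["System", "svchost.exe", "explorer.exe", "Internet.exe", "zonealarm.exe"]


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in a HOSTS file, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _is_av_domain(host):
    return any(host == d or host.endswith("." + d) for d in AV_DOMAINS)


def sinkholed_vendors(text):
    """Vendor hostnames mapped to a loopback or unspecified address, in file order."""
    hits = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not our problem here
        if (addr.is_loopback or addr.is_unspecified) and _is_av_domain(host):
            hits.append((ip, host))
    return hits


def absent_resident_tools(running, resident):
    """Tools from `resident` (what this host normally runs) missing from the process list."""
    running_l = {p.lower() for p in running}
    return sorted(t for t in resident if t.lower() not in running_l)


def dropped_payload_running(running):
    """Process names matching the file the sample drops, case-insensitively."""
    return [p for p in running if p.lower() == DROPPED_NAME]


def host_indicators(hosts_text, running, resident):
    """Bundle the three checks into one verdict dict for a host."""
    sinkholes = sinkholed_vendors(hosts_text)
    missing = absent_resident_tools(running, resident)
    dropped = dropped_payload_running(running)
    return {
        "sinkholed": sinkholes,
        "missing_tools": missing,
        "dropped_running": dropped,
        "suspect": bool(sinkholes or missing or dropped),
    }


if __name__ == "__main__":
    print(host_indicators(SAMPLE_HOSTS, SAMPLE_TASKLIST, {"zonealarm.exe", "navw32.exe"}))
```

A clean host should come back with an empty sinkhole list and its resident AV and firewall processes present; any vendor domain pointed at loopback is worth treating as a compromise until proven otherwise, since there is no legitimate reason for it to be there.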