
January 08, 2005

Malware analysis: Troj/Winser-A

Earlier this week, Lawrence Baldwin of myNetWatchman provided me with a malware binary, and it was later identified as Troj/Winser-A by Sophos. I dug into it with my usual tools, and the result is a paper:

Unixwiz.net Research: Analysis of the Troj/Winser-A Malware

I've done reverse engineering before, but have never waded into the world of IRC - this one joined a botnet - and the process was quite an eye opener for me. I had long believed that IRC is nothing but a sewer, and this recent experience has done nothing but confirm it.

Ultimately, the DNS name that the bots "phoned home" to was removed - for unknown reasons - and because it was not a worm, it didn't spread very far, as far as we know.

Posted by steve at January 8, 2005 02:12 PM


Comments

Hi Steve;

Nice BLOG. This triggered a memory that I thought you would find interesting. It will run long, sorry.

A few years ago (circa 1999) an ISP, who shall remain nameless, called me in because their news server was 'acting funny'.

Poking around in the machine (Linux box) turned up a root kit. I decided that I wanted a piece of the person who cracked that server so I plugged it into a hub next to another Linux box and sniffed about eight hours of traffic.

The machine was being used as an IRC server and there were a dozen or so script kiddies using it for warez and as a place to store their toolz.

I read the raw text being sent on the IRC channels and I discovered that there were two levels of conversation going on. One level was a bunch of script kiddies talking in the open on an IRC channel, but the IRC server had been modified to allow a 'subliminal' channel. The real cracker and a couple of other more skillful blackhats were communicating in the background. The purpose of letting all those kiddies use that IRC server? Yep, you got it in one. :)

I then killed their IRC server and managed to catch the cracker coming back to reinstall the root kit. It took his script less than fifteen seconds to make the transfer and replace the existing binaries.

I got the IP address and account information on the server whence he moved his toolz. 'Nuther linux box of course. I logged on and pulled the root kit and studied it a day or so but left that machine alone otherwise. After I studied the kit and the kiddies for a couple of days I rebuilt that news server, called Qwest (yep, QWest) and talked to their chief of security. I was telling him how I thought he should go about tracking the kiddie back one more hop when he told me his wife was an employee at a federal intelligence agency... ;) Small world.

They took the ball and I got as much revenge as you ever get when chasing crackers, I took one of his boxes from him.

Posted by: Mike Erskine at January 30, 2005 03:16 PM

In reply to "Watching children at play" in:
http://www.unixwiz.net/archives/2005/01/malware_analysi.html
you say "Almost all residential cable services include terms of service that forbid running of servers (though I have never figured out why this is the case, because DSL providers generally allow it).".

I can only guess, but my guess is that cable providers are required to provide residential customers better (faster etc.) service, but the deal is limited to non-business use. That makes sense a little, but we both know that a server can be used for totally non-commercial use.

Another possibility might be security; an ISP might need to provide additional services to protect a customer with a server. Right? Or am I totally wrong that most ISPs don't care about protecting a customer's server?

Posted by: Sam Hobbs at June 25, 2005 06:40 PM