Open Malicious Source
Symantec Security Response
Kaoru Hayashi
Agenda
What is Open Malicious Source
Characteristics
Protection
Conclusion
What is Open Malicious Source
Open Source qualities
– Free redistribution
– Ready access to source code
– Modifiable by anyone
– Designed for evolution
For malicious purposes
For example…
Beagle, Mydoom, Netsky and Sasser
– Not open malicious source
– Created by an author, closed group, or individuals who can obtain source code
Gaobot, Randex and Spybot
– Open malicious source
– Source codes are distributed widely
– Updated / released by many
Is this topic new?
NO, but …
Programs developed from open malicious source are on the rise
Impact is intensifying
[Chart: Number of Submissions: Worms (Beagle, Mydoom, Netsky, Sasser), Jan-04 to Aug-04; y-axis 0 to 60000]
[Chart: Number of Submissions: Worms from open malicious source (Gaobot, Spybot, Randex), Jan-04 to Aug-04; y-axis 0 to 30000]
[Chart: Number of new variants: Worms (Beagle, Mydoom, Netsky, Sasser), Jan-04 to Aug-04; y-axis 0 to 30]
[Chart: Number of new variants: Worms from open malicious source (Gaobot, Spybot, Randex), Apr-03 to Aug-04; y-axis 0 to 700]
Characteristics
Easy to create
Purpose-oriented
Difficult to recognize
Characteristics: Easy to create
Easy to obtain from the Internet
– Whole project files
– New codes, samples, or tools
– Free compiler
No special knowledge, tool, or code required
A wide range of people are creating their own bot
Characteristics: Easy to create Easy to obtain
Characteristics: Easy to create Sample: Spybot
Case: Spybot (W32.Spybot.A)
Discovered on 2003/04/16
Backdoor
– Based on backdoor “Sdbot”
– Supports 22 commands including: key logging, killing processes, stealing cached password, DoS attacks
Worm
– Copies itself to C$, ADMIN$, and IPC$ shares
– Dictionary attack (17 keywords): 123456, admin, root, server, ….
– Schedules a job to run
[Diagram: code layers – Worm, Backdoor]
Case: Spybot (W32.Spybot.DNC)
Discovered on 2004/09/13 as the 3071st variant
Backdoor
– Supports over 90 commands including: upload / download / execute files, run as HTTP server / SOCKS4 proxy, steal 42 game CD-KEYs, access CMD.exe, sniff packets, access web camera
[Diagram: code layers – Worm, Backdoor, Additional Code]
Case: Spybot (W32.Spybot.DNC)
Worm
– Dictionary attack: 139 keywords per password
– Uses other worms or Trojans: Beagle, Mydoom, Optix, Sub7, NetDevil
[Diagram: code layers – Worm, Additional Code, Backdoor, Additional Code]
Case: Spybot (W32.Spybot.DNC)
Vulnerability Attack
– MS01-059 (UPnP)
– MS02-061 (SQL)
– MS03-007 (WebDAV)
– MS03-026 (DCOM RPC)
– MS03-049 (Workstation)
– MS04-011 (LSASS)
Packed with Runtime Packer
[Diagram: code layers – Worm, Additional Code, Backdoor, Additional Code, Vulnerability Attack, Polymorphic / Packer]
Case: Randex and Gaobot
W32.Randex (discovered on 2003/06/04)
W32.Gaobot (discovered on 2002/10/22)
[Diagram: each family grows from Worm, to Worm + Backdoor, to Worm + Backdoor + Vulnerability Attack + Polymorphic / Packer; over 1600 variants each]
Case: Randex, Gaobot and Spybot
Now they look very similar
– Backdoor layer usually based on “Sdbot”
– Same codes / concepts implemented in each layer
– Further similar worms / backdoors exist, e.g., Kwbot, IRCBot
[Diagram: three identical layer stacks – Worm, Backdoor, Vulnerability Attack, Polymorphic / Packer]
Characteristics: Easy to create By a lot of people
[Chart: Number of new variants: Worms from open malicious source (Gaobot, Spybot, Randex), Apr-03 to Aug-04; y-axis 0 to 700, annotated:]
May: Gaobot author arrested in Germany
May: Randex author arrested in Canada
June, July, August: New variants created
Characteristics: Purpose
Not only for fun
– Propagation
– Proof of concept
For profit
– Information theft
– System control
– DDoS zombies
– Financial gain
Characteristics: Purpose
W32.Netsky.P@mm
– Propagation: mass mailing, P2P or share networks
– Payload: removes Beagle, Mydoom, Deadhat, and Welchia worms
W32.Gaobot.BIA
– Propagation: dictionary attack, vulnerability attack
– Payload: logs keystrokes, sniffs packets, steals CD-KEYs, steals cached password, obtains system / network information, gains full system control, SOCKS proxy, DDoS attack, and more….
Characteristics: Difficult to recognize
Slow and limited propagation
– Differs from mass mailers, Blaster, and Code Red
– Little public interest
Automatic copy / execution on remote computers
– By using a scheduler or by exploiting vulnerabilities
Many new variants released over a short time period
– Over 600 variants a month
New variants are target-specific
– You may be the only infected one, worldwide.
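Because these bots spread quietly, host-level logon records are often the only signal. The following is an added example, not part of the presentation: a detector for the share-propagation pattern described in the Spybot case (a dictionary attack against C$ / ADMIN$ / IPC$ shares, then a scheduled job on the victim). The log format, host names and addresses are constructed for the example; a real deployment would map the fields from Windows security events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): "<time> <host> <source IP> <account> <share>
# <result>", where result is FAIL or OK for a share logon, or ATJOB for a job scheduled remotely.
SAMPLE_LOG = """\
2004-09-13T10:00:01 FS01 10.0.0.7 administrator IPC$ FAIL
2004-09-13T10:00:01 FS01 10.0.0.7 admin IPC$ FAIL
2004-09-13T10:00:02 FS01 10.0.0.7 root IPC$ FAIL
2004-09-13T10:00:02 FS01 10.0.0.7 server IPC$ FAIL
2004-09-13T10:00:03 FS01 10.0.0.7 guest IPC$ FAIL
2004-09-13T10:00:04 FS01 10.0.0.7 administrator IPC$ OK
2004-09-13T10:00:05 FS01 10.0.0.7 administrator ADMIN$ OK
2004-09-13T10:00:06 FS01 10.0.0.7 administrator - ATJOB
2004-09-13T10:30:00 FS01 10.0.0.42 alice IPC$ FAIL
2004-09-13T10:30:05 FS01 10.0.0.42 alice IPC$ OK
"""

def parse(text):
    """Split the constructed format into (time, host, src, account, share, result) tuples."""
    out = []
    for line in text.splitlines():
        ts, host, src, user, share, result = line.split()
        out.append((datetime.fromisoformat(ts), host, src, user, share, result))
    return out

def detect(text, window=timedelta(seconds=60), min_fails=5):
    """One alert per (host, source) with >= min_fails failed share logons inside `window`;
    records whether a logon then succeeded and whether a job was scheduled afterwards."""
    by_pair = defaultdict(list)
    for ev in parse(text):
        by_pair[(ev[1], ev[2])].append(ev)
    alerts = []
    for (host, src), evs in by_pair.items():
        evs.sort()
        fails = [e for e in evs if e[5] == "FAIL"]
        burst = None
        for i, first in enumerate(fails):          # sliding window over the failures
            in_win = [f for f in fails[i:] if f[0] - first[0] <= window]
            if len(in_win) >= min_fails:
                burst = in_win
                break
        if burst is None:                          # a single typo-like failure is not a burst
            continue
        later = [e for e in evs if e[0] >= burst[0][0]]
        alerts.append({"host": host, "src": src, "fails": len(burst),
                       "accounts": sorted({e[3] for e in burst}),
                       "logon_ok": any(e[5] == "OK" for e in later),
                       "job_scheduled": any(e[5] == "ATJOB" for e in later)})
    return alerts
```

An alert with both `logon_ok` and `job_scheduled` set is the full propagation chain and deserves a password reset on the source and victim before anything else.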
How to stop
Stopping the development of new threats is almost impossible
– Source codes are distributed widely
– Authors are located around the globe
– New codes, samples, and tools are released every day
How to protect
Anti-virus tools
– Definitions, Heuristics, Behavior blocking ….
Firewall
IDS
Patch management
Password management
Security policy
Learning, Studying, Educating …
Nothing new, nothing special. But we know that maintaining all of it is not easy.
Conclusion
Malicious source is distributed widely
A lot of people are creating their own bot
Sharing source code results in more powerful threats
Main purpose is profit
No magic trick for secure protection
Thank You!
Kaoru [email protected]