Win32/Nirbot
Win32/Nirbot Family
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Also known as W32/Delbot (Sophos), W32.Rinbot (Symantec), Backdoor.Win32.VanBot (Kaspersky)
Description
Win32/Nirbot is a family of IRC-controlled backdoors that can be used to gain unauthorized access to a victim's machine. They can also exhibit worm-like functionality by exploiting many different software vulnerabilities, including SYM06-010 and MS06-040.
Method of Infection
When executed, Win32/Nirbot copies itself to the %System% directory using filenames such as:
arman.exe
atievx.exe
crcss.exe
lemsrv.exe
msync.exe
navscnr.exe
netadp.exe
prevx.exe
rinsv.exe
symmec.exe
It then makes the following registry modification to ensure this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
where the value name under this key is one of the following:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
Nirbot continuously checks for and sets the above registry entry.
The worm also creates a mutex to avoid running multiple instances of itself.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.
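To check a host for the persistence described above, the following is an added example (not code from the original write-up) that parses a .reg text export of the Run key and flags entries whose value name or target file name matches the lists given; the sample export is constructed.

```python
# Added example: scan a .reg export of the Run key for Nirbot persistence artifacts.
# The .reg text would normally come from `reg export HKLM\...\Run run.reg`;
# SAMPLE_REG below is constructed for illustration.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Value names and file names documented for Win32/Nirbot.
NIRBOT_VALUE_NAMES = {
    "ATI Active Graphics Card Monitor", "JW Manager", "LEMSRV", "Network Bridge",
    "Random Interface Network Manager", "Symmetrical Network", "Syncronization",
}
NIRBOT_FILE_NAMES = {
    "arman.exe", "atievx.exe", "crcss.exe", "lemsrv.exe", "msync.exe",
    "navscnr.exe", "netadp.exe", "prevx.exe", "rinsv.exe", "symmec.exe",
}

# A REG_SZ line looks like "name"="data"; backslashes and quotes are \-escaped.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_key(reg_text):
    """Return {value name: data} for string values under the Run key only."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_run_key else None
        if m:
            values[_unescape(m.group("name"))] = _unescape(m.group("data"))
    return values

def find_nirbot_persistence(values):
    """Flag entries whose value name or executable file name matches Nirbot."""
    hits = []
    for name, data in values.items():
        # Last path component, then drop any command-line arguments after it.
        exe = re.split(r"[\\/]", data.strip('"'))[-1].split()[0].lower()
        if name in NIRBOT_VALUE_NAMES or exe in NIRBOT_FILE_NAMES:
            hits.append(f"{name} -> {data}")
    return hits

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"JW Manager"="C:\\WINDOWS\\system32\\msync.exe"
"Updater"="C:\\WINDOWS\\system32\\symmec.exe"
'''

if __name__ == "__main__":
    for hit in find_nirbot_persistence(parse_run_key(SAMPLE_REG)):
        print("Nirbot-style persistence:", hit)
```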
Method of Distribution
Via Exploit
Win32/Nirbot spreads by exploiting a number of vulnerabilities in Windows operating systems and third party applications. Nirbot's spreading routine starts with scanning for vulnerable target machines. The worm can generate random values for all or part of each IP address it targets.
Nirbot variants can spread by exploiting the following vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (SYM06-010)
The worm opens a configurable port on the compromised machine and runs a TFTP server. The worm probes remote machines on port 2967 to determine if they are prone to the SYM06-010 vulnerability. If successful, the worm executes a small amount of code on the target machine that instructs it to connect back to the running TFTP server and retrieve a copy of the worm.
For more information on this vulnerability, please visit the following:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
Microsoft Windows Server service buffer overflow vulnerability (TCP port 139)
The worm creates an HTTP server on the system on a random port. The worm also checks if the IP address of the local machine partially matches a list of IPs contained in its code, for example:
192.168.*.*
10.*.*.*
111.*.*.*
15.*.*.*
16.*.*.*
101.*.*.*
110.*.*.*
112.*.*.*
170.65.*.*
If the local IP does not match, the worm instructs the vulnerable target to connect back to the HTTP server running on the compromised system and retrieve a copy of the worm. If the local IP does match, the worm instead executes a small amount of code on the target that instructs it to download a copy of the worm from a specific domain. The following is a list of domains and IPs that Nirbot variants have been observed to download from:
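The local-address test above decides which second-stage retrieval an infected host pushes to its targets. The following is an added example (not code from the original write-up) that implements the general wildcard-octet match and the resulting branch, so an analyst can tell which artifact (HTTP callback to the infected host, or a download from a hard-coded domain) to expect for a given infected host's address; the pattern list is the one quoted in the text.

```python
# Added example: wildcard-octet matching of a local IPv4 address against the
# Nirbot pattern list, and the retrieval path the text associates with each outcome.
NIRBOT_LOCAL_PATTERNS = [
    "192.168.*.*", "10.*.*.*", "111.*.*.*", "15.*.*.*", "16.*.*.*",
    "101.*.*.*", "110.*.*.*", "112.*.*.*", "170.65.*.*",
]

def _octets(ip):
    """Validate a dotted-quad IPv4 string and return its four octets as ints."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return [int(p) for p in parts]

def matches_pattern(ip, pattern):
    """True if every non-wildcard octet of `pattern` equals the same octet of `ip`."""
    fields = pattern.split(".")
    if len(fields) != 4:
        raise ValueError(f"bad pattern: {pattern!r}")
    return all(f == "*" or int(f) == o for f, o in zip(fields, _octets(ip)))

def matching_patterns(ip, patterns=NIRBOT_LOCAL_PATTERNS):
    """All patterns the address partially matches (the worm only needs one)."""
    return [p for p in patterns if matches_pattern(ip, p)]

def expected_retrieval(local_ip, patterns=NIRBOT_LOCAL_PATTERNS):
    """Retrieval path the text describes for an infected host with this local IP."""
    if matching_patterns(local_ip, patterns):
        return "download from hard-coded domain"
    return "connect back to worm's HTTP server"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "170.65.3.9", "170.66.3.9", "203.0.113.7"):
        print(ip, "->", expected_retrieval(ip), matching_patterns(ip))
```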
66.29.116.82
58.20.109.39
digiflex.info
t3arj3rk.com
sw1tchbck.net
pennysheet.com
jimmybuttons.com
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
If the worm finds a machine vulnerable to this exploit, it executes a small amount of code on the targeted machine that instructs it to retrieve a copy of the worm. This is also done through a TFTP server the worm creates on the compromised system on a configurable port.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
If Win32/Nirbot finds an exploitable machine, it attempts to log into SQL server accounts 'sa', 'root' and 'admin'. It attempts to authenticate these accounts using several passwords stored in its code. If the worm successfully logs into an account, it sends code to the remote machine instructing it to retrieve a copy of itself.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
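Nirbot's spreading routine, as described in this section, is one source probing the exploit ports (2967, 139, 135, 1433) on many random targets. The following is an added example (not code from the original write-up) that detects that pattern in connection logs: it counts distinct destinations per source on those ports within a sliding time window. The log format and sample lines are constructed for this example.

```python
# Added example: flag sources that sweep Nirbot's exploit ports across many
# distinct destinations. Log lines are constructed as "ISO-time src dst dport".
from collections import defaultdict
from datetime import datetime, timedelta

NIRBOT_EXPLOIT_PORTS = {2967, 139, 135, 1433}

def parse_conn_log(lines):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            yield datetime.fromisoformat(fields[0]), fields[1], fields[2], int(fields[3])
        except ValueError:
            continue

def find_scanners(lines, min_targets=8, window=timedelta(minutes=5)):
    """Return {src: max distinct targets} for sources that hit at least
    min_targets distinct destinations on the exploit ports within `window`."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst, dport in parse_conn_log(lines):
        if dport in NIRBOT_EXPLOIT_PORTS:
            events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners

# Constructed sample: 10.0.0.5 sweeps ports 2967 and 139 across random hosts,
# while 10.0.0.9 makes two ordinary SMB connections.
SAMPLE_LOG = [f"2007-03-01T10:00:{i:02d} 10.0.0.5 10.0.{i}.{(i * 37) % 251 + 1} {2967 if i % 2 else 139}"
              for i in range(12)] + [
    "2007-03-01T10:00:30 10.0.0.9 10.0.0.20 139",
    "2007-03-01T10:00:31 10.0.0.9 10.0.0.21 139",
    "this line is malformed",
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct targets on Nirbot exploit ports")
```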
Payload: Backdoor Functionality
Nirbot is an IRC-controlled backdoor. Variants of the worm usually attempt to connect to between two and four IRC servers before joining a specific channel. The following is a list of some known IRC servers Nirbot variants have attempted to connect to (generally on port 8080, although this differs between variants):
crusade.godhatesfags.com
is.wayne.brady.gonna.have.to.chokeabitch.us
lol.godhatesfags.com
phatcamp.org
x.anti-viral.us
x.pennysheet.com
x.rofflewaffles.us
Once the worm has connected to one of these servers and joined a channel, the operator of that channel has control of the compromised machine and is able to instruct Nirbot to perform malicious operations such as spreading.
Via its backdoor, the trojan can also be instructed to:
- Retrieve system information such as operating system details
- Download and execute files from the Internet
- Run a SOCKS proxy on the affected host
- Perform a Denial of Service attack
- Execute commands on the affected host
- Update itself
- Remove itself
- Steal CD keys
Downloads and Executes Arbitrary Files
When first run, some Nirbot variants download and execute a file. The file is downloaded from a specific domain and is usually executed from the C:\ directory. Downloaded files are usually Win32/Amahkey trojan variants - for example, Win32/Amahkey.F.
Analysis by Amir Fouda