Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Kibuv Worm, Bobax Trojan Try Many Methods



 By: Dennis Fisher
2004-05-18
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Kibuv uses seven mechanisms to spread itself, including exploiting five Windows vulnerabilities and connecting to the FTP server installed by the Sasser worms, while Bobax seems to focus on sending out large amounts of spam.

Security experts are tracking two new threats that have emerged in the past few days, including a worm that uses seven mechanisms to spread itself.

The worm is known as Kibuv, and researchers first noticed its presence Friday. Kibuv affects all versions of Windows from 98 through Windows Server 2003 and attempts to spread through a variety of methods, including exploiting five Windows vulnerabilities and connecting to the FTP server installed by the Sasser worms.

Once its installed on a PC, Kibuv starts its own FTP server that can be used to distribute copies of the worm. It also connects to a remote IRC chat server and listens for commands, according to an analysis done by Symantec Corp. Kibuv also listens on TCP port 420 for commands.

The worm has not spread too widely as of yet, but with its variety of infection methods, experts say the potential exists for it to infect a large number of machines.

Resource Library:
The second piece of malware that has surfaced is a Trojan that is capable of spreading semi-automatically. Known as Bobax, the Trojan can only infect machines running Windows XP and seems to exist solely for the purpose of sending out large amounts of spam, according to an analysis by LURHQ Corp., a managed security services provider.

The Trojan is dropped onto target systems via a file named Svc.exe, which then extracts a DLL and places it in the process space of Explorer.exe. Once executed, Bobax copies itself to the Windows system folder and creates two registry keys.

The Trojan then tries to connect to four Web sites, and if it gets a connection, it looks for one of four specific commands from the remote Web server.

The server, apparently controlled by the Trojans creator, can instruct the program to download and run another program, scan and infect other machines, stop scanning or send spam from a preloaded e-mail template and address list.

The interesting thing about this command sequence is that it enables the Trojans creator to send spam from remote machines without having to connect to the PCs to send each separate piece of e-mail.

Click here to read about a recent spam campaign claiming to show Osama bin Ladens capture that led to a Trojan.

When ordered to scan for new machines to infect, Bobax spawns 128 threads and begins scanning for PCs with TCP port 5000 open. If the port is open, the Trojan connects to port 445 and exploits the Windows LSASS vulnerability. Bobax then loads a copy of itself onto the new PC, and the process repeats.

This technique is an evolution of one that virus writers and spammers have been using for more than a year in which mass-mailing viruses plant spam proxies on infected machines.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Antivirus and antispam providers say they have seen just a few machines infected with Bobax as of Tuesday.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page



  Reader Comments: Kibuv Worm, Bobax Trojan Try Many Methods
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Dennis Fisher
 


x}r㶲s\@♵MGJɖ<45SHHbL\$e[O]'7nBKL&{Lٖnt7F; I Ӟc-Jg1;D{{}.FP|o+(rdx9%GtjY)j~,sbs:;{#|6%߽w ^{j KԜLxg&lδ es`p,FmgM d{=Bm ~5; s!%>֥qȏ} c1 ߷8|}؁䛿Q=|e3g71m))Jd/B(?cR;ǎkd| 5{a_*;U;a-r[h*v_e ۭBx1BP#"Fτ]ͻH͠L$Gd`jI:D"4Ԙ#2R!1;T*%RjQ3cmfZ35-3@ؾQ̀ ݢq/#!$f ŭ0  g?LG`B'lǦ"'ml_j| 4v9s8"sz3 wj%NXE ?q74JaHO L"S9ˑ,kFp0閩mȺu{C(jrEiνoĩq3Vo>ҿP*UUns~#GA GfmGh[N"ijQ=vN{ـ\>/.ɣ N|'k[oLZ. Jxz`I%opa鰨*ZT]jz[zOaF`%pf)CdNdВ-AoA>C,[3sP*CA-t?c;Szqsֺy\z7}rֻ&iٙ{F0pgs Z_Zrn`Kk'^3Q&ںa#jCVtMԺxr9%9Ioȿ `lDmYܾ̑\RyǛȃka(y#0ri4(-ߦAf@w[@(k:Q8<4N< EC!ɠڴb{\fS4!E&MЀ`;^h>[׏ <[ KpA}x3z&z4H۠h&r<kIMlLJ.??6 ; G`p&;xk=`DkwCGHb1LTE}vACAXz] X.s6GT[LKx GN }p (~9-RC/1tKt=JIQ mAt"AђF *4 gsX"C"'' `[7w$]\(Vpp(ݞHp&ΰP.?Kh3aGe-n^ $ d6g2+IMiG]-&DqoD6], S mo3-muk{TRURO4MhǦnfz{@ZWgޓi K0:ii`2Ґ(e`9O<sy?4ğN'}Ǻd׃ _V̚s=R] kjwtӴ٢͙iÂqjS9_Aa" eBC`9N{S^jkȓL%~K{0s k2 'yvw=g&.Q>juϙܑ-ӾȇroBoڅRT眺_dA_fMjlȌu>IVB17O wf@ntɕu.FJ~*)dz~#JC͸^`é3h{q#%IAg=U檳@d:[6X+nMEI8ʰ.@\<?Y!d[o0RXQ^JKHD@CR)Ե aY^`(ytMʆТ0iM!*cc9m | \,5))KaUEsXjgܲ&P 7C~0.m^GgVީu<|꒾ij[`r G SǏiТ0T]2agRZ!}끆_ƅ/c%|o2rl\:b暚8\, guaOlJ s<&uM8` ;DۣӜh2F ñiH5ߴiFH>LZ`!?R,b/`k@Lf2Ts`M[`R9cDzl lF CQ>BtM{ \ipf^Dj< ıLbEaT88l]p 2q͝a&?@R)Ö13gdim&{ǙXT'j/T4zxY9JoC0t.tȕ`s|eLFմlxTaj7pe&zo|ɺIXɑ1[DG`{ n5E-l~4zfy@L t@z#xؽL HMҜNHyT9֊kt)D n׃133b_@ JV,WּӪb^ څHBGdD#`P[v*6GwTk6h)7YS!RW dĞeeK3etކgQyϤn[.|zK>'g8 MGFi$]|;P rfVɍZtNd_&ȣɘT% `,fqNg epvN{69,3?t\kty{Wz&[wO4vʭ ܱ ϡRD71PUL xg4sfDcK6 VNM&zxVm"y';"#əN[h ̽~ZÄsqS)+JLH-U4qMݗ?3~]IcrѹlK^+Q\OcR@!hWHӋv:<aShmǛ&EaV8\?ֈȰR7 J_ťwj_sfjj ^k-W''27L]?ވFh6~[Sy_aY,d20. WktvcE9,׀zB:.i%DC[( `M/(+RJ)"4FL |FZu3_f| Rt<~Ur;Hעo)MJ!}J_cNfo4~ɮP6=8,rh%縍vR.0?;)}CmN9˙LҼ"w "HtSOkԛ#25 &r֚Sd[D-{t1aTwJߣd: e~=m2겨v]$L<1GN)tJȓs%E=)I IYO)eqhd*꒐~*~ j&'ءؠґ۳_5/'8{Hp.+P}sXd`\`ql)Za""|)Nr a9m^`e>%';yRb}b%&h8W&Brc?<-@s`:S<@´+G<_8̗{'R Unf=z@:M{섧q?Kl8N*tb*9,_@ݾne)ܱ?jwh{操~{Oj9Л3mA&ԢO q;f=;0 X >#q= vϓ{~\BzZTrc9nԺl3,ϲÈܳRpfi##i^ פyypja~%X@R;#|$~>xFM{uS棏G ڝ9k3rİ~imԕa4tͥoV<i?{޽Ҷ2CWq :Y+`*1$DhH򅂚W{U7} sᔤ˾ɔX^ OXd1.P2QvA Js[g̞x~K7׷bR o?X}& ~W*];RR6{ZgeQJ=,qM@k%E,qQ#{"F%t`AuUL&mq5Ox'Km㽄+ rKNt AT&Brg}mX<?f.}2/j\"(T:v8X#"` #Zo"E/*g!QLz7BARKo2E}:[);,4@ :lIHTDRauq-.P(ŷ]9w)Dhu''B=-Os˦IV J &!l&[$kşLU|w4Q%m#rRR%%GXwqC7777:Lnz iYGh^NgH|XS|e LK5ŴG 9+"ahф %yD OODHoZcKy1WtRw!u I>uPt6XEGQ#X|yybӖ ڶmUHk³0s܆j*5LQڹMTE9vK,۽H lqI0Gy:"iܲΨǩ y*xeq@L BX`i$h<ږ,z }#st_#GXH |}m^5}e>7z9䳲8˗z6âG.].y'PSªoD?mhr$`-ǹ kM(=jRd%ƺO4ۀ҅ٙK]m!5} CP~RA6h_ {\@1#;]#Jv>}Njr6˾Kx7777W0SZE8>L"nMև|Y[``#Q"g)}(qƶolhR * te[ܗN#00k< nQ jVO'b"Ʀ?96RP=zH+3;ch=xjp3>Wiag>Iix޴$vfS0i'S>5=Ӻ*\=Xu VD#"' Ɩ/i.%P\I1[7j U\ UB(?\W^KM\cVfd-{<C)8nP[X|`WLb|A.:ґO#Osz1?9]Ix*\'ZhIM% Yk Hh9F0"}}x OfTf gkmk. w7tѐ=^8gX-?. i 7%'?[^7&9FR__V=jsɗ+` 6-kw2О$L#}sFbVd@/]j }n8+X3MW}^K18{7~yʁZ;P,:?Y+ Z3 0.$o,SJ%`ͦ 0aS:6M]wi(,1@ 9s/ST#6--E7:~Rt w7DZ"ē{̮~O1Êݵ⟎KZj6^GɿKnb,.\*VM BaD0‡>qaBXEm8M=xsP=Ӓ"Z}2֑: RZ**)ۚg-Hp\\*l EL>&]F.LtxZډbLk?L~W<2ǼrE0m˖C0Ƹn5ܵ4QR+襍ڕmӞ $0k_ 㽻 1~Jګ6&KH}Ң3F;6vCW5A\N{=EJMh>#Ծ3=F+1/նWS lO1rV`LWlfmmP&d[j4K$¨ӔAJNa rٚmj6A@C"T75|G*%_Dx}%rUc&[q{Za !_ÈVR>fD9mǦNW2h? eY8SO L5& J!47\#P |8-C7ݫR<5eqb+Y!kb^:ҡf+qܖxM nZ4V|~ }^L&`Cq Ort&7ER=($W1p O? Pm¼܏HbSx;`Gd.$1'ٔk3d!z*+_!߰VIm{7R[ eꊍ\Dx56`:iY7CsA.7`о@F,9k-Cߑ7č2@AXW} Bnj ,@Nxl+Ja 37x7t'le>u`к|ɧtC[!m#!kA1H3v-^o|+J!;'ph\`sj@K$K*2&Bs85{_}&n%[ր aAJx&j IQ!%0鄿aں5g3bwt]-/uz?8 z+&(?,qE {GLƙ;fQs@b)/~H- 0b%t]\UP*@J>S|??&­!~ RF·:as+%̌S,0t<Lma`t.PufqPOnF&hf,yǥ}-AGG71<` ?v[.usx\jHVj$Ѕ:y,@#!9ω $u7úޝ/#}|AaP8Z  +z+BU)OBӡRs] xKwy }fg2Vq&JZ!劅%^Șp~;W_Ч6#&To`9ͫwM&'ՠӻ$' ¶-J-ݟN9>>u.WםAqfz0cQlB[d_T ΓQ9lvNSʙ`Q{µ,9% Ewf8l z$:G(%^َ/!bҫSi0LL7[vfS+~k! >?Bƫx]b12;ZTmx9j0C=W鳷 p!>E/ڧһlIk%wCF/PKF5_o.?m63{P(GNl.o ZS(?\~9ˠ{7wrN+2ʡsQdC?( 7_ 05w~7 >зA.ЧA. .g7?QF/32ϡ<P.w3a|/32C~.a.3Ưez_z *?UFk  ? m.1>ArS~~2w7Y7{dwɹN2!(ofY No\8'\$_Y OY射<(? }VQ<_`ekWtsf_3̭L_:WVr]!,BzQFWz^-=Lk[M2nP+ȣ_K^浽I<"xEq\+gل@CX{#uO'NW4Cya=mr-Xѧ~5_9x=* 4=}m'ނb>W;}}ټ^5߷C{>'K[8uߜ:Sw}YV&@Y8'}p)hعkjZrt=påz@$ߛ8,@ꖉ$us#RRR jZ'\#a{*YI0jE9,PK=# .=m^t f 5ϡ'!pC>fJ5G PcztbQ X ڼx[T;7i5@)8La nX8P*`)K؞9F^G$rgMߟS9ǤK4l!%bn1vKuʿ.ө,po4ǝaƹrV4@z4}z<8~3mJN)% à4WЫHWs1 lJ//ӡGxU£˗ X627\$V|sS [2FlX l)mbrс:9.c˃a.Cҗw`b9HG<0 ;VW./'"rD`a\m8ՊIwwf57wzIc:#51%|98𰙄iS#vm&Ĵ`5D㣭AֽD#[#7"9ţ:aѡ(Yc{XnD82sx 2&Q_ ˝Zܐ0bpa`O*}qKAflk8cXS1w]Ww-h~K5 D 9bH'N %e:X3!?gw|I]Id b0O|e'Wb'cey&b5b P|_|av\ϥx-79/|0DaO,|Ŷ/G㿄&E[0|FK`b?94Ǟ"0ـħ%NAa2Ş_ =6goP%n3!馃%؉G'iB Xp DN焽2‡4:WeԢԱ"tH߱=8ʯ4a`a?>N@6AՋpOaĵHzo~Ơ^T_/Y{N6 )4M뚈βRszn%()%y+L9(م7x[*HԶ'x*D=.X&"3>m?'.}N5+J "@2d̴E༟ˎƌQYɶz SO~j^O(Co݊珸66x}҄O1Su .Ыvl>cx Lw}{*C2zlz$_Oxƪ~Saxr=&= d M-IS`i"Cr:ˬ`+L\~0qGĶ2C|R4ϜUpvRv ?93_Zmrxgs]@NDqDgPv;yDt[] <v7s#k_2ҳe>vį-'_ڕ+zYL1e~}=3ӲG(q2,@P݌5`+Wei$ցi-8ǩ[mx{ uuke!.1:7fx1?c=Vqٮ7GL}ӰxaW7nvѩߩns®"vyXA\gX3' ȱgb@x=f_qxN|L/Xu!}őYX&7ę /kte(n aaXY{& W{څGSy6:|,݈bVS"Nd׊rI-9=O9N*D%la,9r3 ˌEj z.t1R04yqBaʩȩ(v}_|JѬd;ρ/($3}E.tqeaVt*N`wX{ysB(z\|>! *`gq~v>!2D!6xvhMiw#KoyI˖h,-(Zu $RV}Eg .A|>ǐy6xL M4VA$摝7yE1um*P)Պ[]jv[W셳Qbm٦d >\JRSk$5ZͦG( wm&l2)v}ml-c6C-{5R'