Another factor that potentially makes this virus noteworthy is its self-defense mechanism. It closes windows if the caption contains any of the following strings: SYMANTEC, SCAN, KASPERSKY, VIRUS, MCAFEE, TREND MICRO, NORTON, REMOVAL, or FIX. As a result, many antivirus programs, scanners, etc. cannot be updated or used on a system that is infected with CME-24.
Q. You refer to this virus/worm as CME-24 -- that's not what *my* antivirus vendor calls it. What other names does CME-24 use?
A.
Vendor        Malware Name
Authentium    W32/Kapser.A@mm
AntiVir       Worm/KillAV.GR
Avast!        Win32:VB-CD [Wrm]
AVG           Worm/Generic.FX
BitDefender   Win32.Worm.P2P.ABM
ClamAV        Worm.VB-8
Command       W32/Kapser.A@mm (exact)
Dr Web        Win32.HLLM.Generic.391
eSafe         Win32.VB.bi
eTrust-INO    Win32/Blackmal.F!Worm
eTrust-VET    Win32/Blackmal.F
Ewido         Worm.VB.bi
F-Prot        W32/Kapser.A@mm (exact)
F-Secure      Email-Worm.Win32.Nyxem.e
Fortinet      W32/Grew.A!wm
Ikarus        Email-Worm.Win32.VB.BI
Kaspersky     Email-Worm.Win32.Nyxem.e
McAfee        W32/MyWife.d@MM
Nod32         Win32/VB.NEI worm
Norman        W32/Small.KI (W32/Small.KI@mm)
Panda         W32/Tearec.A.worm (W32/MyWife.E.Worm)
QuickHeal     I-Worm.Nyxem.e
Sophos        W32/Nyxem-D
Symantec      W32.Blackmal.E@mm
Trend Micro   WORM_GREW.A (Worm_BLUEWORM.E)
VBA32         Email-Worm.Win32.VB.b
VirusBuster   Worm.P2P.VB.CIL
(source: AV-Test.org)
Q. What is CME?
A. http://cme.mitre.org/ CME provides single, common identifiers for new virus threats to reduce public confusion during malware outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware.
Q. How do people get infected with CME-24?
A. Known methods of infection include infected email attachments and network shares; however, other mechanisms are also possible. While some areas of the world appear to be more prone to infection than others, infected systems may be found in virtually all countries.
Q. What should I do to protect myself from getting infected with CME-24?
A. There are a number of things you can do:
Email attachments can contain viruses:
If your Internet Service Provider provides an email scanning service, subscribe to it.
Do not open an attachment without first verifying that a trusted sender intentionally sent it to you, by asking them whether they sent you an attachment.
Scan email attachments before opening them.
Do not open emails that claim to have naughty content. This is a common trick used by email-based viruses.
Back up your system!
You should be routinely making backups of your system. If you've been putting it off, do it now. Backups are the foundation that will help you recover if your system does get infected. Backups are the most reliable way to recover your data in the event of any data corruption event, virus, malware, or hardware failure.
Note that your backup should be written to non-rewritable media and/or stored offline. If you do not make your backup to non-rewritable or offline media then, depending on the format you use, your backups might be at risk from the malware's destructive payload. This is particularly true if you currently back up important files into a zipped archive, use mirrored hard drives, or use file shares: none of those will protect you from the destructive potential of this worm.
On new systems, create recovery CDs. Many systems sold today do not come with recovery CDs; the person purchasing the system is expected to create them. Consult the manufacturer's documentation for details.
Ensure that you have antivirus software installed, and that you have up-to-date antivirus definitions covering this particular malware. Do a full system scan and confirm that you are not infected with CME-24 or other malware. If you are infected, seek professional assistance to fix the problem at once.
Do not unnecessarily share or mount shareable filesystems. Filesystems should never be made available via weak or non-existent passwords.
Q. Help, I think I have been infected with CME-24. What should I do now?
A. If you have anti-virus software installed verify that it is up to date. Check with your anti-virus vendor if you are unsure of how to do this. If you had anti-virus software that you believe was disabled by CME-24 you may have to uninstall it before re-installing it.
If you do not have anti-virus software installed, several anti-virus vendors offer free or trial tools.
AV-Test.org maintains a list of antivirus products:
< http://www.av-test.org/sites/lin ... extra=viren&sort=1>
as does West Coast Labs at
<http://www.westcoastlabs.org/cm-av-list.asp?Cat_ID=2>
and ICSA at
<https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk>.
Some of these vendors offer free online scans as well. Be aware that online scanners usually require ActiveX or Java to be enabled, may take a long time, and probably require admin privileges. Online scanners also do not provide any long-term protection against reinfection.
If you've already been infected, you should seek professional help to deal with that infection at once. Failure to deal with this malware prior to the 3rd day of the month can result in data loss.
Q. Some very important file was trashed by the worm. I really need to get the information that was in that file. I don't have a clean backup. What can I do? Can I get back at least part of that file?
A. Possibly. Some file recovery tools might recover all or part of the missing data. A data recovery service may also be able to assist.
Q. Why would someone do something so tremendously stupid and destructive?
A. Unless the author comes out and tells us we may never know why.
Q. I run Windows Media Center Edition, Mac OS X, Linux, have a Treo, etc. Is my system at risk? Or is this just a Windows XP thing?
A. This virus only affects Windows operating systems. It affects nearly every version of Windows.
From: <http://www.microsoft.com/securit ... ife.E@mm&view=en-us>
Windows NT 3.x/4.0, 95, 2000, XP, Server 2003, ME and 98 are all potentially affected.
NETWORK ADMINISTRATORS PORTION
Q. I'm a mail server administrator. How can I protect my customers
from CME-24 and other malware?
A. There are several things you may want to do:
You may want to run a server-side antivirus program, or software that strips or defangs potentially dangerous attachments. Under Unix, ClamAV is one example of a free antivirus program that you can run on your mail server; Procmail Email Sanitizer <http://www.impsec.org/email-tools/procmail-security.html> is an example of a program that you can run to remove or defang potentially hostile attachments. Under Windows there are several email-scanning antivirus programs available.
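As an added illustration of the attachment-stripping step (this is example code written for this FAQ page, not the task force's code and not the Procmail Email Sanitizer or ClamAV): a small Python gateway filter that parses a message, flags attachments whose names carry a risky extension (including double extensions such as photo.jpg.scr), and replaces each one with a plain-text note so the rest of the mail is delivered intact. The extension deny-list and the sample message are constructed assumptions.

```python
"""Gateway-side attachment defanging (added example; deny-list and sample
message are constructed, not taken from any product or from the FAQ)."""
import email
from email import policy

# Assumed deny-list of extensions that mass-mailing worms commonly use.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com",
                    ".vbs", ".js", ".hta"}


def is_risky_filename(name):
    """True if any extension in the name is on the deny-list.
    'photo.jpg.scr' -> checks '.jpg' and '.scr', so double extensions
    (a common disguise) are caught too."""
    if not name:
        return False
    parts = name.lower().split(".")
    return any("." + p in RISKY_EXTENSIONS for p in parts[1:])


def risky_attachment_names(raw):
    """Return the file names of all risky attachments in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if is_risky_filename(p.get_filename())]


def defang_message(raw):
    """Replace every risky attachment with a text note.
    Returns (new_raw_message_bytes, list_of_removed_file_names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():              # walk() also covers nested multiparts
        fname = part.get_filename()
        if is_risky_filename(fname):
            removed.append(fname)
            part.clear_content()         # drops payload and all Content-* headers
            part.set_content(
                f"[attachment {fname!r} removed by mail gateway policy]")
    return msg.as_bytes(), removed


# Constructed sample: a text body, a disguised executable, a harmless note.
SAMPLE_RAW = b"""From: sender@example.com
To: user@example.net
Subject: Hot pics
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Check this out!
--XYZ
Content-Type: application/octet-stream; name="photo.jpg.scr"
Content-Disposition: attachment; filename="photo.jpg.scr"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIHByb2dyYW0=
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--XYZ--
"""

if __name__ == "__main__":
    cleaned, dropped = defang_message(SAMPLE_RAW)
    print("removed:", dropped)
    print(cleaned.decode())
```

In a real deployment the filter would sit in the delivery chain (for example as a milter or a procmail recipe) and would log each removal so that abuse@ can follow up on the sending host; the deny-list should be tuned to what your customers actually need to receive.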
You should also endeavor to accept, process and resolve notifications you may receive about infected customers. Confirm that you have a working abuse@ address, a working postmaster@ address, and current whois contact information for your domain(s). See <http://www.faqs.org/rfcs/rfc2142.html> for clarification.
If you have netblock(s) that have been assigned to you via SWIP or whois, or an autonomous system number (ASN), please make sure that you have current abuse reporting contact information defined in whois for those resources as well.
If you operate an intrusion detection system, consider running the Bleeding Snort rules that may help you to identify potentially infected customers.
<http://www.bleedingsnort.com/cgi ... S/WORM_Nyxem#rev1.6>
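As an added example (not from the task force and not part of the Bleeding Snort rule set): a Python script that reads Snort fast-format alert lines, keeps those whose message names the worm signature, and aggregates them by source address within your own customer netblocks, producing the list of hosts an abuse desk would notify. The alert lines, signature IDs, netblocks and the "WORM_Nyxem" message text are constructed placeholders, not real rule output; ICMP alerts, which carry no port numbers, are deliberately skipped by the parser.

```python
"""Aggregate Snort 'fast' alerts into a per-customer infection list
(added example; all alert lines and netblocks below are constructed)."""
import ipaddress
import re
from collections import defaultdict

# Snort fast format:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Parse one fast-format line into a dict, or None if it is not a
    TCP/UDP alert in the expected shape (ICMP lines have no ports)."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def infected_candidates(alert_text, customer_nets, pattern="WORM_Nyxem",
                        min_alerts=2):
    """Return [(src_ip, alert_count, distinct_destinations), ...] for
    sources inside customer_nets whose alerts match `pattern` at least
    min_alerts times, most active first."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    counts = defaultdict(int)
    dests = defaultdict(set)
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None or pattern not in a["msg"]:
            continue
        src = ipaddress.ip_address(a["src"])
        if not any(src in n for n in nets):
            continue                     # not our customer; nothing to notify
        counts[a["src"]] += 1
        dests[a["src"]].add(a["dst"])
    rows = [(s, c, len(dests[s])) for s, c in counts.items() if c >= min_alerts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample alerts (placeholder SIDs 99999xx, documentation IPs).
SAMPLE_ALERTS = """\
01/30-14:02:11.123456  [**] [1:9999901:1] CONSTRUCTED WORM_Nyxem SMTP propagation [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.17:1034 -> 203.0.113.25:25
01/30-14:02:15.400001  [**] [1:9999901:1] CONSTRUCTED WORM_Nyxem SMTP propagation [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.17:1035 -> 203.0.113.26:25
01/30-14:02:19.000002  [**] [1:9999901:1] CONSTRUCTED WORM_Nyxem SMTP propagation [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.17:1036 -> 203.0.113.27:25
01/30-14:03:00.000003  [**] [1:9999902:1] CONSTRUCTED WORM_Nyxem share scan [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.80:2201 -> 198.51.100.9:445
01/30-14:05:42.000004  [**] [1:9999903:1] CONSTRUCTED ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.200 -> 192.0.2.17
01/30-14:06:00.000005  [**] [1:9999901:1] CONSTRUCTED WORM_Nyxem SMTP propagation [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.77:4410 -> 198.51.100.5:25
"""

CUSTOMER_NETS = ["192.0.2.0/24"]          # constructed customer assignment

if __name__ == "__main__":
    for src, n, d in infected_candidates(SAMPLE_ALERTS, CUSTOMER_NETS):
        print(f"{src}: {n} alerts to {d} distinct hosts -> notify customer")
```

The threshold keeps a single noisy alert from triggering a notification; raise or lower it to taste, and map each reported source back to the customer record (DHCP lease, RADIUS session) before sending the abuse notice.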
Educate your customers about effective security practices.
Site license an antivirus product and distribute it to your customers.
Encourage customers to routinely apply patches.
Encourage customers to use a software and/or hardware firewall.
Encourage customers to routinely backup their systems.
Where terms of service and applicable law permit, scan customer systems for vulnerabilities and ensure that affected customers either get fixed or are removed from the network.
This document was prepared by the TISF BlackWorm task force, which includes many elements of the security community, including anti-spam groups, CERTs, anti-virus teams, academia, law enforcement, and ISPs.
The TISF BlackWorm task force would like to thank all the contributors to this FAQ including: Members of the DA/MWP groups and The Internet Storm Center handlers.
Original can be found at:
<http://isc.sans.org/blackworm>