Internet Worm Aquarium
Thursday, 21. February 2008, 02:22:13
There is not that much difference between a real virus and a computer virus, and I always liked reading the articles and source code in the ezine of a great virus-writing group called 29A (hexadecimal for 666, oh what a pun) virus labs. Nowadays there is not much action left around them, but in their good days they had many achievements like the first Windows 2000 virus, the first cellphone virus and the first .NET virus. As you may notice, it was more about being the first than about being the most malevolent; back then, viruses seemed to me more like pushing the frontier than like causing as much harm as possible. If anyone knows a good ezine about this kind of stuff that is worth reading and still being published, feel free to comment below.
So much for my relationship with viruses and worms. Apart from the biggest collection I could download from the internet, I have now caught some worms myself, straight from the wild. When I saw how much traffic was hitting my machine after I redirected all incoming internet traffic to it, I got a bit interested again, and of course there are still worms around that try to exploit several vulnerabilities.
Analyzing the code they sent and downloading the payloads by hand seemed a bit troublesome, but I found a wonderful tool for exactly this: nepenthes.
Quickly installed on my Ubuntu with
sudo apt-get install nepenthes
I had my malware collection utility running in a matter of seconds. nepenthes simulates several vulnerabilities and collects the malware that wants to get hold of your system in a central directory, using each file's checksum as its filename, so you won't get any duplicates.
Downloaded binaries are saved in "/var/lib/nepenthes/binaries", while unknown exploit code is saved to "/var/lib/nepenthes/hexdumps".

So far I have caught 60 different executables; most of them are (according to ClamAV) variants of W32.Virut-9, as you can see in the report below:
----------- SCAN SUMMARY -----------
Known viruses: 216346
Engine version: 0.91.2
Scanned directories: 1
Scanned files: 60
Infected files: 52
Data scanned: 11.19 MB
Time: 9.035 sec (0 m 9 s)
As you can see, there are 8 files in it which ClamAV currently does not recognize. I think they are recognized by at least some of the available virus scanners (try for example http://scanner.virus.org), but the naming is absolutely random between the different scanners, so I have not bothered with them so far.
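As an added example (not part of the original post or of nepenthes), a small Python script that parses a clamscan report of the shape shown above into per-family counts, lists the files ClamAV reported as OK, and checks that each file's name matches the checksum of its contents. It assumes the checksum is MD5 (the 32-hex names in the report are consistent with that) and that clamscan prints one result per line; the report and payloads are constructed inline.

```python
import hashlib
import re
from collections import Counter

BINARIES_DIR = "/var/lib/nepenthes/binaries"  # nepenthes' default, as in the post

# One clamscan result per line, as clamscan prints it: "<path>: <signature> FOUND" or "<path>: OK".
LINE_RE = re.compile(r"^(?P<path>\S+): (?:(?P<sig>\S+) FOUND|OK)$")

def parse_clamscan(report):
    """Map each scanned file's basename (its checksum) to the ClamAV signature, or None if clean."""
    results = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # summary lines and blanks do not match and are skipped
            results[m.group("path").rsplit("/", 1)[-1]] = m.group("sig")
    return results

def family(sig):
    """Collapse variant suffixes: 'W32.Virut-9' and 'W32.Virut.da' both become 'W32.Virut'."""
    return ".".join(sig.split(".")[:2]).split("-")[0]

def tally(results):
    """Detections per family; files ClamAV reported as OK are counted under 'undetected'."""
    return Counter(family(sig) if sig else "undetected" for sig in results.values())

def undetected(results):
    """Sorted checksums of the files ClamAV did not recognize (the '8 files' case in the post)."""
    return sorted(name for name, sig in results.items() if sig is None)

def check_name(name, data):
    """nepenthes names each file by its checksum; assumed here to be MD5 (32 hex chars, as in the report)."""
    return bool(re.fullmatch(r"[0-9a-f]{32}", name)) and hashlib.md5(data).hexdigest() == name

# Constructed sample: fake payloads plus the verdict clamscan would print for each.
SAMPLES = [
    (b"constructed sample 1", "W32.Virut-9 FOUND"),
    (b"constructed sample 2", "OK"),
    (b"constructed sample 3", "Trojan.SdBot-4763 FOUND"),
    (b"constructed sample 4", "W32.Virut.da FOUND"),
    (b"constructed sample 5", "Exploit.DCOM.Gen FOUND"),
]
SAMPLE_FILES = {hashlib.md5(d).hexdigest(): d for d, _ in SAMPLES}
SAMPLE_REPORT = "\n".join(f"{BINARIES_DIR}/{hashlib.md5(d).hexdigest()}: {v}" for d, v in SAMPLES)
SAMPLE_REPORT += "\n----------- SCAN SUMMARY -----------\nScanned files: 5\nInfected files: 4\n"
```

On a real collection, feed it the output of clamscan over the binaries directory and the bytes of each file; a name that fails check_name means the file was renamed or corrupted after nepenthes stored it.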
If you are interested in malware analysis you can download them as a collection here: http://rapidshare.com/files/93562611/Do_21._Feb_01-53-58_CET_2008.tar.bz2.html . Their size varies from 33 kB to 800 kB. Be careful with them: do not just run them on your PC if you do not know exactly what you are doing.
If you want to mess around with them in your debugger, make sure you are running in a virtual machine, or at least in a sandbox like Sandboxie.
Observing the binaries directory by hand is a bit tiring, so I added the following line to my ~/.bashrc. It gives me a small console window on top that shows the current count of worms after I run the command "wurm":
# print the number of files in the nepenthes binaries directory once a second ("Würmer" = worms);
# "ls -l" starts with a "total" line, hence the "- 1"
alias wurm="cd /var/lib/nepenthes/binaries && while true; do ls -l | wc -l | sed 's/ *\([0-9]*\).*/\1 - 1/' | bc | sed 's/\(.*\)/\1 Würmer/' && sleep 1; done"
Maybe you can spot the small console window in the following screenshot:
ClamAV is a great project, though it still lags behind commercial virus scanners in speed and detection rate.
That's it for now, happy hunting!

