Re: Mindjail (SDBot variant)
Posted by Nick FitzGerald on July 3rd, 2003


"Ian.H [dS]" <ian@WINDOZEdigiserv.net> wrote:

Hmmmmmm -- odd, they should have had samples pretty close to this
"event" starting...

From memory though it was the same day Sobig.E was released and,
IIRC, also a new Yaha variant. Maybe they were just all tired out
and couldn't handle yet another new malware... 8-)

<<snip>>
Hex-editing is not how all these SDBot variants are made (in fact, may
not be responsible for any of them...).

The C source for several "official" SDBot variants has been publicly
released and there is a loose "community" of "hackers" who contribute
patches and functionality "enhancements" that are usually posted not as
complete source distros but as commented code snippets ("insert this
line at...", "replace the XYZ function with this one", "insert this
function ..." "use the -withfoo option to compile in", etc).

Thus, "mix'n'match" SDBot variants are pretty much the order of the day.

But CAP (or is it Wazzu?) will still leave it for dead, eh? 8-)

Jerusalem is such a moving target as it has been redefined too often
now for there to be any significant agreement on its boundaries.

8-)

What you and The Register fail to note is the specific exploit the
distribution mechanism of this thing depends on. The Register mentions
that JavaScript code in the downloaded HTML file is called, but the
important thing is that the distribution method really depends on a
local system security zone flaw that has been long known but only
patched in the most recent IE cumulative patch (the "call local code
via a munged codebase trick" was fixed for all (I think) security zones
_except_ the local system (technically "My Computer") security zone
months ago). Why MS did not initially fix it for "My Computer" as well
is unknown.

Of course, unpacking the HTML file from the d/l'ed ZIP to the local
system means the HTML file is _NOT_ contained in the TIF (as it would
be if posted as an HTML and normally activated by clicking the link
the virus/worm posts to chat channels) and thus "opening" the HTML file
is dangerous as it basically runs with all the privileges of the local
user...


--
Nick FitzGerald



Posted by Nick FitzGerald on July 5th, 2003


"Ian.H [dS]" <ian@WINDOZEdigiserv.net> to me:

Well, some folk at F-PROT had notification and samples by Email at
the same time I sent the samples to all the other big AV'ers...

Well, the NAI and KAV engines miss exceedingly few of the "new" bots
I've found recently that seem to be (mainly) based on the SDBot
sources, so either they can or their spies find all that stuff and
get it processed and detection updates posted before I ever see any
of it....

Correct, but in cases like this the question always comes down to "how
much time are we willing to spend on this". The more chunks of code
or "behaviour patterns" or whatever it is a particular engine looks
for the longer it will take to scan each file, so there is always a
performance/potential detection of new variants trade-off somewhere...

That may be true of "bot nets in general" (though I doubt it now). It
is true of the "pubstro"-style warez nets where the IRC bot is mainly
used to "advertise" and control the owned FTP servers (which were not
necessarily FTP servers before the bot net agents and their associated
paraphernalia were installed). But, as I said, several "official" SDBot
versions have been released in source form so it's probably easier for
someone with a little C skill to "hack" a new and largely undetected
variant by messing with the source, choice of compiler and linker (and
their options), etc, etc than dealing with the pubstro-style kits.

Sure. Many of them were simple -- trivial in fact -- op-code changes
relative to an existing variant (swap an XOR AX, AX for a MOV AX, 0,
etc, etc, etc), text string (only) changes and so on. Prior to the
common use of emulators, generic decryption, more complex behaviour
analyzers and other more complex automated analysis techniques that
were subsequently necessary to reliably and/or efficiently detect
viruses using more complex code obfuscations, this myriad of small
changes required that such "trivial" code changes be treated as
variants (and, theoretically that was reasonable, at least if any
active code was changed between samples). Whether a scanner then
bothered to detect each variant precisely or would run the increased
false positive risk by trying to cover several variable (between
variants but invariant within replicants of a variant) code areas in
a common "base" strain was a decision up to each engine designer, their
virus analysts and detection lab folk (often all the same person back
then).

8-)

I just made a _very_ short search for recent W97M/Marker variant
announcements and found Marker.KY announced about a week ago. "KY"
makes 311 Marker variants by my reckoning and I'm sure there are macro
virus families with considerably more variants than that...

<<snip "My Computer" security zone traversal "trick">>
Do you know anything more about this suggestion there are multiple
forms/variants??

As it is wrong to do what was proposed with Fizzer anyway, I see that
issue as moot...


--
Nick FitzGerald
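An added example (mine, not code from the thread or from any scanner it mentions) of the trade-off described above: an exact byte signature misses the variant where XOR AX,AX was swapped for MOV AX,0, while a signature with a variable-length gap over the changed bytes catches both variants at the cost of also firing on an unrelated byte sequence. The sample byte strings and signature names are constructed for illustration; the signature syntax (hex bytes, `??` wildcard, `{n-m}` gap) follows the style of ClamAV hex signatures.

```python
import re

def compile_signature(sig: str) -> re.Pattern:
    """Turn a hex signature into a bytes regex.
    Tokens: 'a1' literal byte, '??' any single byte, '{n-m}' gap of n..m bytes."""
    parts = []
    for tok in re.findall(r'\{\d+-\d+\}|\?\?|[0-9a-fA-F]{2}', sig):
        if tok == '??':
            parts.append(b'.')
        elif tok.startswith('{'):
            lo, hi = tok[1:-1].split('-')
            parts.append(b'.{%d,%d}' % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so the wildcard also matches 0x0a bytes
    return re.compile(b''.join(parts), re.DOTALL)

def scan(sample: bytes, signatures: dict) -> list:
    """Return the names of all signatures that match the sample."""
    return [name for name, sig in signatures.items()
            if compile_signature(sig).search(sample)]

# Constructed 16-bit-style byte sequences, not real malware.
PROLOGUE = bytes.fromhex("558bec")     # push bp; mov bp,sp
CALL = bytes.fromhex("cd21")           # int 21h
VARIANT_A = PROLOGUE + bytes.fromhex("31c0") + CALL + b"bot v1"    # xor ax,ax
VARIANT_B = PROLOGUE + bytes.fromhex("b80000") + CALL + b"bot v1"  # mov ax,0
LOOKALIKE = PROLOGUE + bytes.fromhex("9090") + CALL + b"benign"    # nop; nop
CLEAN = bytes.fromhex("558bec33dbcd20")                            # xor bx,bx; int 20h

SIGS = {
    # Precise: the exact bytes of variant A only
    "bot.A.exact": "55 8b ec 31 c0 cd 21",
    # Generic: skip 2-3 bytes where the variants differ
    "bot.generic": "55 8b ec {2-3} cd 21",
}

if __name__ == "__main__":
    for name, sample in [("A", VARIANT_A), ("B", VARIANT_B),
                         ("lookalike", LOOKALIKE), ("clean", CLEAN)]:
        print(name, scan(sample, SIGS))
```

The generic signature's hit on the constructed lookalike is the "increased false positive risk" the post refers to; the precise one has no such risk but needs a new entry for every variant.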



Posted by Nick FitzGerald on July 6th, 2003


"Ian.H [dS]" <ian@WINDOZEdigiserv.net> to me:

If you hear anything useful, I'd appreciate you passing it on...

That was the bit I was referring to.

I understand why this is one of the grey areas, but the bottom line is
that no matter how much anyone defends it, it is wrong. It is also
illegal in many countries (and probably all that have "computer misuse"
like laws, such as those of the UK, US, Canada, Australia, NZ, etc,
etc). And, the reason it is "wrong" happens to be the same reason it
has been made illegal in those countries -- you (the person deliberately
and in a fairly targeted fashion) are knowingly modifying the (runtime)
contents (data) of a computer you do not have authority so to modify
_in that way_.

If your bot did the same identification against the machines apparently
sourcing incoming communications directed to you/your IRC client and
then sent some kind of warning message to the _people_ whose machines
seemed likely to be infected, then you would fairly arguably not be on
the wrong side of the issue (but I can imagine in some jurisdictions
you would still be in breach of "computer trespass" type laws, depending
on their views on port scanning and such...).

Taking that step of deciding to run the code branch that kills and/or
uninstalls a bot you suspect of being unknowingly (to the host machine's
admin/owner) installed definitely crosses the line from checking whether
the door is unlocked to opening it and having a look around -- the former
is, at worst, seriously antisocial while the latter is morally wrong (and
thus often also illegal). No matter that you may be completely correct
in your suspicion that such bots are running without the machine's admin
or owner knowing/approving/etc, you are outside your rights to actively
utilize that code _for any purpose_. (Of course, this does not apply if
you really do have, or are subsequently given, authority to try to shut
the bot down via this method. Say you message the machine's current IRC
user to warn them, they say "what can I do to get rid of it?", you
explain that it has a "backdoor command" that allows it to be disabled by
you sending a special message, you carefully explain the pros and cons of
trying this (like you have not actually disassembled the thing and
closely studied its code for handling such messages, you do not know what
else may happen by trying this method but you heard about it from another
geek who claimed it worked in his tests but it is possible that after a
certain date/time/length of execution or any manner of other trigger
events that, instead of shutting itself down in response to such messages
the bot will reformat the user's hard drive, and so on), the hosting
"victim" accepts that and says "give it a try..." -- then you may just be
covered enough to try it and not be liable.) Of course, if the "kill
thyself" command triggers on something as simple as, say "Hey you!" _and_
that just happens to be what you always hail your buddies with when they
enter one of your channels then you are covered because of (pre-)existing
practice _and_ the grievous stupidity of the bot's design _and_ that
someone was unwary/stupid enough to run such a stupidly designed bot.

Intentionally using what you know is a pre-existing vuln or a backdoor
that you "just know" was not deliberately run/enabled by the host's admin
or owner so you can "fix" a problem with some part of the Internet is not
"good" or "acceptable" or "moral" behaviour. It doesn't matter that you
may be that especially attached to that part of the Internet or not --
the fact is that such unauthorized use of _any_ system is wrong, and the
"but I'm fixing an existing, bigger wrong" is just the same lame excuse
used to "justify" all manner of undesirable vested interests throughout
the course of history.

Or did I miss something mega like that IRC users have been collectively
appointed as the official "net cops" by whoever it is that actually owns
and runs the Internet??


--
Nick FitzGerald



