VIRUS ALERTS

Spybot

Original issue date: November 30, 2006

It has been observed that a bot called Spybot is circulating in the wild, exploiting several known buffer overflow vulnerabilities in Microsoft Windows and Symantec AntiVirus.

The vulnerabilities exploited by this Spybot variant are:

  • CIAD-2003-09 (Buffer Overrun in RPC Interface Could Allow Code Execution and Denial of Service)
  • CIVN-2005-38 (Vulnerability in Message Queuing Could Allow Code Execution)
  • CIAD-2004-05 (ASN.1 Vulnerability Could Allow Code Execution)
  • CIVN-2005-73 (Microsoft Plug and Play Service Buffer Overflow Vulnerability)
  • CIVN-2006-75 (Microsoft Windows Server Service Buffer Overrun Vulnerability)
  • CIVN-2006-41 (Symantec AntiVirus and Client Security Remote Buffer Overflow Vulnerability)

This bot also propagates through mIRC and through network shares protected by weak passwords.

Upon execution it:

  • Copies itself as w32svc.exe into the Windows folder.

  • Creates a service named “Windows Network Firewall”.

  • Disables Windows File Protection by modifying the value "SFCDisable" = "0x9DFFFFFF" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

  • Creates the value "SFCScan" = "0" under the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so that it executes whenever Windows starts.

  • Creates the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\firewall.

  • Modifies the files tftp.exe and ftp.exe located in %System%.

  • Modifies %System%\dllcache\tcpip.sys and %System%\drivers\tcpip.sys to disable the half-open connection limit.

  • Opens a backdoor: it connects to the IRC server www.flackware.info on port 6667 and listens for commands, which may allow a remote attacker to perform the following actions on the compromised computer:

    • Copy, delete, and download files
    • Show status and IP address
    • Port-scan the network for vulnerable computers
    • Scan for vulnerabilities
    • Start ftpd and Internet Explorer
    • End and list processes
    • Stop other worms and security-related services
    • Use a network sniffer

In view of the high damage potential of Spybot, users are advised to implement the following countermeasures:

  • Keep your antivirus signatures up to date.
  • Apply the appropriate patches for the vulnerabilities listed above.
  • Enable advanced TCP/IP filtering on systems.
  • Block TCP port 2967 at the firewall. Allow only the required ports through the firewall.
  • Disable services that are not required.
  • Monitor outgoing traffic to the TCP port of the IRC command and control (C&C) server mentioned above.
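
The following PowerShell script is an added example and is not part of the CERT-In advisory or the Symantec removal tool: it checks a Windows host for the indicators listed above (the dropped file, the service and its subkey, the two Winlogon values, and tampering of tftp.exe/ftp.exe). Run it from an elevated prompt; the only assumption beyond the advisory is that a Windows File Protection dllcache copy of tftp.exe and ftp.exe is available for comparison.

```powershell
# Added example, not part of the CERT-In advisory: check a Windows host for the
# Spybot indicators listed above. Run from an elevated PowerShell prompt; the
# registry paths, file names and service name are those given in the advisory.
$findings = @()

# 1. Dropped copy: w32svc.exe in the Windows folder
$dropper = Join-Path $env:windir 'w32svc.exe'
if (Test-Path $dropper) { $findings += "File present: $dropper" }

# 2. Service displayed as "Windows Network Firewall" and the 'firewall' services subkey
$svc = Get-Service -DisplayName 'Windows Network Firewall' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service present: $($svc.Name) [$($svc.Status)]" }
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\firewall') {
    $findings += 'Registry subkey present: HKLM\SYSTEM\CurrentControlSet\Services\firewall'
}

# 3. Windows File Protection tampering under Winlogon
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
      -ErrorAction SilentlyContinue
if ($wl -and $null -ne $wl.SFCDisable -and $wl.SFCDisable -ne 0) {
    # the REG_DWORD 0x9DFFFFFF reads back as a negative Int32; X8 prints it as written
    $findings += ('SFCDisable = 0x{0:X8} (0 on a clean host)' -f $wl.SFCDisable)
}
if ($wl -and $null -ne $wl.SFCScan -and $wl.SFCScan -eq 0) { $findings += 'SFCScan = 0' }

# 4. Tampered tftp.exe / ftp.exe: compare the System32 copy with the dllcache copy that
#    Windows File Protection keeps on Windows XP / Server 2003. tcpip.sys is not compared
#    because the advisory says the bot patches the dllcache copy as well.
$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
}
$system32 = Join-Path $env:windir 'System32'
foreach ($name in 'tftp.exe', 'ftp.exe') {
    $live  = Join-Path $system32 $name
    $cache = Join-Path $system32 "dllcache\$name"
    if ((Test-Path $live) -and (Test-Path $cache) -and
        (Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache)) {
        $findings += "$name differs from its dllcache copy"
    }
}

if ($findings.Count -eq 0) { 'No Spybot indicators found.' }
else { 'Spybot indicators found:'; $findings | ForEach-Object { " - $_" } }
```

A hit on any single indicator is a reason to isolate the host and run the removal tool below; the script does not attempt cleanup.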

Removal Tool

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-112910-5729-99

References

http://www.securityfocus.com/news/11426
http://www.symantec.com/security_response/writeup.jsp?docid=2006-112810-5302-99

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003