Entry: Some more info about MyDoom Feb 4, 2004



Just after posting my previous post, Cass from Security-forums linked me to other articles, and here is some more analysed info on My.Doom. I could not find the direct link (it might be dead already), so I had to find a cached copy on Google. Here it goes.

Refuting tall-tales and stories about the Mydoom.A and the Mydoom.B worms
-------------------------------------------------------------------------
30th of January, 2004.


Contents:
---------

- Preface.
- Does Mydoom infect the BIOS?
- The author signed his name - AU.
- Key-logger.
- Hackers are en masse looking for the infected systems!
- The creators of Mydoom MUST be spammers!
- The DoS attack against SCO never happens, it's a PR trick against the
open-source community!
[including a time table for the attack]
- Email message from Joe Stewart about the DoS component of the worm.


Preface
-------

There are several tall-tales, claims and rumors regarding the Mydoom
worms which are simply not true.

This document is a summary of information about the Mydoom worms, and
it updates http://www.math.org.il/newworm-digest1.txt.

Here's what we have to say about them.

You can find this document at:
http://www.math.org.il/mydoom-facts.txt.


Does Mydoom infect the BIOS?
----------------------------

No. It doesn't.


The author signed his name - AU
-------------------------------

In a HEX editor, it might look like the author signed his name.

It is not true.

Example:

00 08 87 77 77 78 80 00 00 78 FF FF 88 87 70 00 ...wwx...x....p.
00 78 F7 8F FF FF 78 00 00 78 FF FF FF FF 78 00 .x....x..x....x.
00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 .x.wx.x..x....x.
00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 .x.wx.x..x....x.
00 78 F7 77 8F FF 78 00 00 78 FF FF FF FF 78 00 .x.w..x..x....x.
00 78 FF FF FF FF 78 00 00 78 7F 7F 7F 7F 78 00 .x....x..x....x.
00 87 73 87 87 87 80 00 00 07 B3 3B 7B 77 80 00 ..s........;{w..

We believe this is the NotePad look-alike ICON of the worm.

This only works if your HEX editor uses 16-byte rows. For instance,
if you use 24-byte rows, it's:

00 08 87 77 77 78 80 00 00 78 FF FF 88 87 70 00 00 78 F7 8F FF FF 78 00 ...wwx...x....p..x....x.
00 78 FF FF FF FF 78 00 00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 .x....x..x.wx.x..x....x.
00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 00 78 F7 77 8F FF 78 00 .x.wx.x..x....x..x.w..x.
00 78 FF FF FF FF 78 00 00 78 FF FF FF FF 78 00 00 78 7F 7F 7F 7F 78 00 .x....x..x....x..x....x.


Key-logger
----------

For some unknown reason, people seem to believe that either Mydoom.A
or Mydoom.B have a key-logger component embedded in them.

That is simply not true. We cannot provide proof or evidence of
this, because none that we could find exists.

There is an option with Mydoom.A and Mydoom.B to upload and execute
files through the backdoor in the worm.

With Mydoom.A you can upload and execute whatever you like, even a tool
to remove the worm itself from the infected machine, as Rolf Rolles
proved.

In Mydoom.B you can upload only two files, which are then verified by
file size and an MD5 checksum to make sure the file you are uploading
is one of the two.

There can be many reasons as to why this was done, but basically -
leave control of the worm in the creator's hands.

It is more than plausible to believe that the author saw this failing
in Mydoom.A and released Mydoom.B, which scans for and updates Mydoom.A.

This works much like the Borg, like someone I know said:
"We are the Borg. You will be assimilated".

What are the two files?

Your guess is as good as mine, but we believe that they are probably
two of the three:
1. A backdoor Trojan horse designed to be uploaded through the port the
worm opens.
2. The next version of the worm - Mydoom.C.
3. A removal tool that can be uploaded and executed if anything went
wrong.


Hackers are en masse looking for the infected systems!
------------------------------------------------------

It is true that script-kiddies would be interested in finding infected
machines, but -
1. There is usually a lag-time between when a new security issue appears
and the kiddies start mass-scanning the Internet for it.
2. Hackers can find infected users just looking at their incoming emails.
3. Mydoom.B scans for Mydoom.A, so if anyone reports seeing thousands of
scans for Mydoom.A, it is probably mostly Mydoom.B doing what it was
programmed to do.


The creators of Mydoom MUST be spammers!
----------------------------------------

Is it possible? Yes.

Is it true? Is it a statement of fact?

No!

Although spammers take a significantly higher role with Trojan horses
and worms these days (which is a fact), there is _no_ *proof* as to
their involvement with this worm.

Mass-mailing worms can help spammers in different ways to accomplish
their own nefarious purposes. This worm performs a denial of service
attack on sco.com and microsoft.com, which makes no real sense if you
are a spammer.

One could claim the attack only lasts 12 days and that maybe it is
there to draw attention away from their objectives, but that would
be a plain and simple conspiracy theory.

Conspiracy theories arise when you do not have enough proof to say
something is happening for real.

We have absolutely no proof spammers are involved. It is quite
*possible* that they are.


The DoS attack against SCO never happens, it's a PR trick against the
open-source community!
---------------------------------------------------------------------

We have no idea what SCO's PR is or if there is a conspiracy against
the open-source community.

Let me tell you what we do know.

1. The DoS attack does happen (see email message from Joe Stewart
below).
2. It takes a few reboots of the machine to *make* it happen.
3. 100% of computers can perform the DoS attack, but it must be
started within a window that spans only 25% of the time.

The timeline is approximately 2 minutes on, 5 minutes off; lather,
rinse, repeat.

You can find a time table for when the DDoS attack will happen, as
calculated by a C program Joe Stewart wrote at:
http://www.math.org.il/mydoom-a-timeline.txt

Mydoom.B has a timeline too, but it can't be predicted as definitely
because of an extra random check.

-----

Information from Joe Stewart with answers about the DoS attack:

-----
Here's why people have been getting inconsistent results when
setting the system date forward and looking for the DoS attack to
start:

Beginning of DDoS date check subroutine:

4A3DB0 PUSH EBP                                          ; callCreateSCOddos
4A3DB1 MOV EBP,ESP
4A3DB3 SUB ESP,10

Get the current system time as a FILETIME struct:

4A3DB6 LEA EAX,DWORD PTR SS:[EBP-8]
4A3DB9 PUSH EAX
4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]

Convert the stored DoS start date from SystemTime to FileTime:

4A3DC0 LEA EAX,DWORD PTR SS:[EBP-10]
4A3DC3 PUSH EAX
4A3DC4 MOV EAX,DWORD PTR SS:[EBP+8]
4A3DC7 ADD EAX,214
4A3DCC PUSH EAX                                          ; Feb 1, 2004
4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]

Compare high-order dword dwHighDateTime:

4A3DD3 MOV EAX,DWORD PTR SS:[EBP-4]
4A3DD6 CMP EAX,DWORD PTR SS:[EBP-C]
4A3DD9 JB SHORT

Compare low-order dword wLowDateTime:

4A3DDB MOV EAX,DWORD PTR SS:[EBP-8]
4A3DDE CMP EAX,DWORD PTR SS:[EBP-10]
4A3DE1 JB SHORT

Start the DoS:

4A3DE3 CALL                                              ; DoS_Loop
4A3DE8 PUSH 400
4A3DED CALL DWORD PTR DS:[<&KERNEL32.Sleep>]
4A3DF3 JMP SHORT
4A3DF5 LEAVE                                             ; skipDos
4A3DF6 RETN

From MSDN:
The FILETIME structure is a 64-bit value representing the
number of 100-nanosecond intervals since January 1, 1601 (UTC).

typedef struct _FILETIME {
    DWORD dwLowDateTime;
    DWORD dwHighDateTime;
} FILETIME, *PFILETIME;

The stored starttime as filetime is:
0xbe9ecb00
0x01c3e8dd

Because the dwords are compared independently, the DoS will not start
anytime the current dwLowDateTime is less than 0xbe9ecb00, no matter
what the dwHighDateTime is. Obviously, this is close to three-quarters
of the time.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
-----

-----
Gadi Evron - ge@warp.mx.dk

We would like to thank Joe Stewart and Rolf Rolles for their
contributions to this text.
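The following is an added example, not part of the original post, of Gadi Evron's text, or of LURHQ's analysis. It models the date check Joe Stewart describes above and ties it to the "2 minutes on, 5 minutes off" / 25% figures from the SCO section: the two stored dwords (0x01c3e8dd and 0xbe9ecb00) come from his note, while the function names, the FILETIME-from-Unix conversion and the sample offsets are constructed here. It decodes the stored value back to a date, reproduces the two independent unsigned compares, puts the intended 64-bit compare beside them, and computes how much of each low-dword wrap period the buggy check is "on".

```c
/* Added example (not from the original post or from LURHQ): models the
 * Mydoom.A DoS date check described by Joe Stewart. The two stored dwords
 * are taken from his note; function names and sample times are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define START_HI 0x01c3e8ddu   /* stored dwHighDateTime (from the note) */
#define START_LO 0xbe9ecb00u   /* stored dwLowDateTime  (from the note) */

/* 100-ns ticks from 1601-01-01 (FILETIME epoch) to 1970-01-01 (Unix epoch). */
#define EPOCH_DIFF_TICKS 116444736000000000ULL
#define TICKS_PER_SEC    10000000ULL
#define DWORD_RANGE      4294967296.0   /* 2^32 */

/* Same layout as the Win32 FILETIME struct quoted from MSDN. */
typedef struct {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
} filetime_t;

/* Build a FILETIME from a Unix timestamp (seconds, UTC). */
filetime_t filetime_from_unix(int64_t unix_secs)
{
    uint64_t ticks = (uint64_t)unix_secs * TICKS_PER_SEC + EPOCH_DIFF_TICKS;
    filetime_t ft;
    ft.dwLowDateTime  = (uint32_t)(ticks & 0xffffffffu);
    ft.dwHighDateTime = (uint32_t)(ticks >> 32);
    return ft;
}

/* Decode the stored start time back to a Unix timestamp. */
int64_t start_unix_seconds(void)
{
    uint64_t ticks = ((uint64_t)START_HI << 32) | START_LO;
    return (int64_t)((ticks - EPOCH_DIFF_TICKS) / TICKS_PER_SEC);
}

/* The check as disassembled: each dword is compared on its own with an
 * unsigned "jump if below" to skipDos. Returns 1 when the DoS would run. */
int worm_dos_check(filetime_t now)
{
    if (now.dwHighDateTime < START_HI) return 0;   /* 4A3DD9 JB SHORT skipDos */
    if (now.dwLowDateTime  < START_LO) return 0;   /* 4A3DE1 JB SHORT skipDos */
    return 1;                                      /* 4A3DE3 falls into the DoS */
}

/* What a single 64-bit comparison of the two FILETIMEs would give. */
int correct_check(filetime_t now)
{
    uint64_t n = ((uint64_t)now.dwHighDateTime << 32) | now.dwLowDateTime;
    uint64_t s = ((uint64_t)START_HI << 32) | START_LO;
    return n >= s;
}

/* Once the high dword is past its threshold, the low dword wraps every
 * 2^32 ticks (about 429.5 s) and only values >= START_LO pass, so the
 * buggy check is "on" for this fraction of each wrap period. */
double buggy_active_fraction(void)
{
    return (DWORD_RANGE - (double)START_LO) / DWORD_RANGE;
}

/* Length of the "on" and "off" parts of one wrap period, in seconds. */
double window_on_seconds(void)  { return (DWORD_RANGE - (double)START_LO) / 1e7; }
double window_off_seconds(void) { return (double)START_LO / 1e7; }

int main(void)
{
    char buf[32];
    int64_t s = start_unix_seconds();
    time_t t = (time_t)s;
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S UTC", gmtime(&t));
    printf("stored start time decodes to %s\n", buf);
    printf("buggy check passes %.1f%% of the time: ~%.0f s on, ~%.0f s off\n",
           100.0 * buggy_active_fraction(), window_on_seconds(), window_off_seconds());

    /* Constructed samples: 60 s and 120 s after the stored start time. */
    printf("+60s:  worm=%d correct=%d\n", worm_dos_check(filetime_from_unix(s + 60)),
           correct_check(filetime_from_unix(s + 60)));
    printf("+120s: worm=%d correct=%d\n", worm_dos_check(filetime_from_unix(s + 120)),
           correct_check(filetime_from_unix(s + 120)));
    return 0;
}
```

Two minutes after the stored start time the low dword has already wrapped past 2^32, so the disassembled check says "not yet" while the 64-bit compare says "yes"; this is exactly the inconsistency Joe describes when people set the clock forward and see nothing happen. The computed window (roughly 110 s on, 320 s off) is the "2 minutes on, 5 minutes off" rule of thumb from the SCO section.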
