Malware Up Close

On August 15, Security UPDATE subscribers received the Security Alert "Exploits Attack Windows Server Service," regarding new exploits that install bots onto unprotected systems. You can also find the Alert at the URL below.

http://www.windowsitpro.com/Article/ArticleID/93190/93190.html

The exploits were reported by LURHQ, a provider of threat and vulnerability management services. A few days after its initial report, LURHQ posted a detailed analysis of one of the exploits, which installs a variant of Mocbot. The analysis goes far beyond the typical level of detail you might expect to see from your antivirus or anti-malware vendor, which makes it both interesting and valuable as an educational expose.

LURHQ captured and installed the exploit and set up a small forensics network to investigate the inner workings of the bot and its related botnet. The test network consisted of two systems: One to infect with the bot and one to simulate the Internet in order to gather forensic data. One goal was to discover the command and control center for the botnet. Another goal was to discover logon information for the command and control center so that when the data-collecting system made a manual connection to the center, the connector would appear to be just another bot in the network and not a forensics investigator.

Building these two systems required some specialized tools. LURHQ used a Windows system for the client to infect. The second system acted as a "sandnet"--that is, a server in an isolated environment. The sandnet software LURHQ used is a toolkit called The Reusable Unknown Malware Analysis Net (Truman), which you can download at the URL below. Truman is based on a bootable Linux image and includes a collection of scripts that help provide the required interactivity with malware to gather data.

http://www.lurhq.com/truman

With the two systems working together, LURHQ discovered that the botnet instructs the bot to join certain Internet Relay Chat (IRC) channels and then download a Trojan horse program that serves as a proxy for sending spam. In this case, the spammers are helping to sell porn, wrist watches, and other popular items.

LURHQ's description is a good step-by-step example of what's involved in malware analysis, so be sure to read it if you're interested in doing this sort of thing yourself or are just curious about how experts do it.

http://lurhq.com/mocbot-spam.html

LURHQ credits myNetWatchman with assisting in its analysis process. In a nutshell, myNetWatchman collects security log information from participants and analyzes malicious activity so that it can report that activity to the proper ISP in the hope that the ISP will take action. The goal is to minimize the amount of time a compromised system is exposed to the Internet. To learn more about myNetWatchman, including how you can participate, go the URL below.

http://www.mynetwatchman.com/faq.asp