
About WORM_BAGLE Links

  • Posted: September 27, 2005
  • Author: Virus Analyst


Just some additional info on WORM_BAGLE.DA.

After the Bagle storm yesterday, we were still receiving reports that new Bagle variants were being seen. So we decided to again download the links found in WORM_BAGLE, TROJ_BAGLE and TROJ_DLOADER. I didn't find a new Bagle variant, although I'm still downloading from the links; what I found out is a completely different thing.

Among the WORM_BAGLE.DA download links, there are 8 that connect to a web.php; 2 of them were already down, while the other 6 were downloaded successfully.

http://{blocked}/web.php

Inside the file web.php are the email addresses used by WORM_BAGLE in its FROM field. This may also be the reason why I couldn't simulate the email propagation of the worm, since I tested it in an environment without an internet connection. Each download link contains a different domain and name.

On one web.php:

  • tom@atomate.com
  • tom@atomco.com
  • tom@atomcreation.com
  • tom@atomdigitaldesign.co.uk
  • tom@atomic.com.au
  • tom@atomic4.com
  • tom@atomicamps.com
  • tom@atomicblender.com
  • tom@atomicdesign.tv
  • tom@atomicdesigninc.com
  • tom@atomicdog.com
  • tom@atomicmarketing.com
  • tom@atomicspatula.com
  • …


and on another:

  • shkim301@korea.com
  • shkim303@ktsolution.co.kr
  • shkim303@ktsolutions.co.kr
  • shkim304@hanmail.net
  • shkim304@samsung.co.kr
  • shkim3057@hanmail.net
  • shkim30@daewoo.com
  • shkim30@famecs.co.kr
  • shkim30@hanmail.net
  • …


and on yet another:

  • kathleen@kent.net
  • kathleen@kenwoodcc.net
  • kathleen@keogh.net.au
  • kathleen@kephart.net
  • kathleen@keplers.com
  • kathleen@keromail.com
  • kathleen@kerraisle.com
  • kathleen@kerstondesignteam.com
  • kathleen@kertzmanweil.com
  • …

WORM_BAGLE.DA also downloads a file from the link http://{blocked}/sss.php and saves it as re_file.exe. However, that link is still down at the moment.
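The propagation problem noted above (no sender list without an internet connection) can be worked around in the lab by standing in for the download server. The following is an added example, not code from the original post or from the worm: a minimal HTTP server that answers the two paths the post mentions. It assumes web.php is served as plain text with one address per line (the post does not show the real body format), that the lab sandbox resolves the {blocked} hostnames to the machine running this script (hosts file or lab DNS), and that sss.php should answer 404 to mirror the link being down. The addresses in SAMPLE_SENDERS are constructed, not taken from a real web.php.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Constructed stand-in for the web.php body: same local part, alphabetically
# adjacent domains, in the style of the lists quoted above. Made-up addresses.
SAMPLE_SENDERS = [
    "tom@atom-a.example",
    "tom@atom-b.example",
    "tom@atom-c.example",
]


class BagleLabHandler(BaseHTTPRequestHandler):
    """Answers the two URL paths the post says WORM_BAGLE.DA fetches.

    Assumption: web.php is served as plain text, one address per line; the
    real body format is not shown in the post.
    """

    def do_GET(self):
        if self.path == "/web.php":
            body = ("\n".join(SAMPLE_SENDERS) + "\n").encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # sss.php (the re_file.exe stage) was down when the post was written;
            # answer 404 so the sample's behaviour on a dead link can be watched.
            self.send_error(404)

    def log_message(self, fmt, *args):
        # Keep the stand-in quiet; the sandbox's own traffic capture is the record.
        return


def start_lab_server(port=0):
    """Start the stand-in on 127.0.0.1 in a background thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", port), BagleLabHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_sender_list(base_url):
    """What the worm's download routine would get back: the From-address list."""
    with urlopen(base_url + "/web.php", timeout=5) as resp:
        text = resp.read().decode("ascii")
    return [line.strip() for line in text.splitlines() if line.strip()]


def second_stage_is_down(base_url):
    """True if the sss.php link answers 404, mirroring the state reported above."""
    try:
        with urlopen(base_url + "/sss.php", timeout=5):
            return False
    except HTTPError as err:
        return err.code == 404


if __name__ == "__main__":
    server, port = start_lab_server()
    base = "http://127.0.0.1:%d" % port
    print("From addresses served:", fetch_sender_list(base))
    print("sss.php down:", second_stage_is_down(base))
    server.shutdown()
```

With the {blocked} hostnames pointed at the lab host, the worm's mailer has sender addresses to spoof and the email propagation routine can be observed offline, while the 404 on sss.php keeps the second stage from ever landing in the sandbox.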

Tags: Smishing

VIRUS Hitches A Ride With WORM

  • Posted: September 27, 2005
  • Author: Virus Analyst

Lately we have been finding malware in which a fast-spreading WORM like REATLE carries a VIRUS in its body.

I don't know if this is something old or new, but all I can think of is that this technique of a WORM carrying a VIRUS may be used by some malware authors to increase the infection rate of their viruses. Please see below:

  • A WORM is created by the malware author
  • The malware author infects the WORM with a VIRUS
  • The WORM is spread, carrying the VIRUS with it
  • Upon execution of the WORM, the VIRUS also infects other files on the system.


This way the VIRUS carried by the WORM can infect more files while getting a free ride across the network via its WORM, where it can again infect other files.


A New Exploit for Mozilla Browsers

  • Posted: September 27, 2005
  • Author: Virus Analyst

Berend-Jan Wever, aka “Skylined”, released exploit code for the IDN host name heap buffer overrun vulnerability in Mozilla browsers (Firefox, Mozilla, and Netscape). You can find the source code of the exploit here:

http://www.milw0rm.com/id.php?id=1224

These two lines in the exploit code are worth noticing:

One sploit to rule them all, One sploit to find them,
One sploit to bring them all and to port 28876 bind them.

If successful, the exploit sets up a listening port on 28876. The exploit was tested to work on Firefox 1.0.6.
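Two quick checks a practitioner would want after reading this, added here as an example that is not part of the original post or of Skylined's exploit code: whether an installed Firefox version string is at or above 1.0.7 (the release the post says carries the permanent fix), and whether a host shows a TCP listener on 28876, the port the published exploit binds. The netstat lines below are constructed sample output in the Windows and Linux layouts; a listener on that port is a lead to investigate, not proof of compromise on its own.

```python
import re

FIXED_VERSION = (1, 0, 7)   # Firefox 1.0.7 carries the permanent IDN fix (per the post)
BIND_PORT = 28876           # port the published exploit's payload binds (per the post)


def parse_version(text):
    """Turn a Firefox version string such as '1.0.6' or '1.5' into an int tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def firefox_is_fixed(version):
    """True if the version is 1.0.7 or later. Tuple comparison handles '1.5' > '1.0.7'."""
    return parse_version(version) >= FIXED_VERSION


def listeners_on_port(netstat_output, port=BIND_PORT):
    """Return the 'netstat -an' lines showing a TCP listener on `port`.

    Works on the Windows layout (TCP local foreign LISTENING) and the Linux
    layout (tcp recv-q send-q local foreign LISTEN): the local address is the
    first field after the protocol that contains ':', the state is the last field.
    """
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local = next((f for f in fields[1:] if ":" in f), None)
        state = fields[-1].upper()
        if local and local.rsplit(":", 1)[-1] == str(port) and state.startswith("LISTEN"):
            hits.append(line.strip())
    return hits


# Constructed sample output; not captured from a real infected host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:28876          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""


if __name__ == "__main__":
    for v in ("1.0.6", "1.0.7", "1.5"):
        print(v, "fixed" if firefox_is_fixed(v) else "vulnerable")
    for line in listeners_on_port(SAMPLE_NETSTAT):
        print("suspicious listener:", line)
```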

Skylined was previously known for his InternetExploiter series of exploits against MS IE and for the Alpha 2 alphanumeric shellcode encoder, among others.

Firefox fix

Firefox 1.0.7 has been released to address this vulnerability and is now available for download from the Mozilla Foundation homepage. MozillaZine also issued a security bulletin announcing the release of the Firefox fix. To quote the bulletin:

“The Mozilla Foundation previously issued a patch for Firefox 1.0.6 that protected users against the IDN link buffer overflow flaw at the expense of removing support for IDNs. Firefox 1.0.7 has a more permanent solution that does not involve disabling IDN functionality and any users who installed the patch will find that IDN support is restored when they upgrade.”

Tags: Smishing

Trojan Dropper-Worm Mytob Tandem

  • Posted: September 27, 2005
  • Author: Virus Analyst

The tandem of a Trojan and a worm is becoming a favorite technique of malware authors for more successful propagation of, or attack by, their malicious programs. The combination of a Trojan and a worm started with TROJ_BAGLE downloading WORM_BAGLE. Another example of the Trojan-worm tandem technique has now been noticed in the new TROJ_DROPPER.LV and WORM_MYTOB.KM.

Instead of downloading the Mytob worm, TROJ_DROPPER.LV drops a copy of WORM_MYTOB.KM and a copy of WORM_SDBOT.CHA on the affected system. WORM_MYTOB.KM then mass-mails an email message containing a link that points to TROJ_DROPPER.LV. Thus, when a user clicks the link in the email, the Trojan dropper is downloaded.

This technique can bypass the filters in email scanning applications that scan for or block malicious attachments. Good social engineering then completes the malware's intention by enticing the user to click the malicious link in the mail.
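Because the lure carries no attachment, an attachment-only filter sees nothing to block; the message has to be judged on the links in its body. The following is an added example, not code from the original post or from Trend Micro's products: it pulls every http(s) URL out of the text parts of a raw message and checks each host against a blocklist, in the spirit of the web-blocking query the post mentions. The message and the blocklist hosts are constructed for illustration; the real dropper URL is not shown on this page.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed blocklist; hypothetical host names standing in for a real
# web-blocking feed of hosts known to serve the dropper.
BLOCKED_HOSTS = {"dropper.example", "update.mail-confirm.example"}


def extract_urls(raw_message):
    """Return every http(s) URL found in the text parts (plain or HTML) of a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():          # yields the message itself when it is not multipart
        if part.get_content_maintype() != "text":
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def has_attachment(raw_message):
    """True if any part carries a filename, which is all an attachment-only filter looks at."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return any(part.get_filename() for part in msg.walk())


def blocked_links(raw_message, blocked_hosts=BLOCKED_HOSTS):
    """URLs in the message whose host is on the blocklist: the lure the attachment filter misses."""
    hits = []
    for url in extract_urls(raw_message):
        host = urlparse(url).hostname
        if host and host.lower().rstrip(".") in blocked_hosts:
            hits.append(url)
    return hits


# Constructed sample lure in the style the post describes: no attachment,
# social-engineering text, and a link to the dropper host.
SAMPLE_MAIL = """\
From: "Account Team" <support@mail-confirm.example>
To: user@example.com
Subject: Your account has been suspended
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>We detected a problem with your account. Please
<a href="http://dropper.example/confirm.php?id=1">confirm your details</a>
within 24 hours or the account will be closed.</p>
"""


if __name__ == "__main__":
    print("attachment present:", has_attachment(SAMPLE_MAIL))
    print("blocked links:", blocked_links(SAMPLE_MAIL))
```

The point of the two functions side by side: `has_attachment` returns False for this message, so a filter built only on attachments passes it, while `blocked_links` flags the dropper URL. A gateway that does both, and feeds newly seen dropper hosts back into the blocklist, closes the gap this tandem relies on.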

The URL was submitted to the web-blocking query, so we have no problem when a user clicks the malicious link of this malware, since it is already blocked on the server.

Tags: Smishing

PE_BOBAX Surfs the Network Through Other WORMS

  • Posted: September 27, 2005
  • Author: Virus Analyst

At the end of my boring shift, emails started arriving and soon I was wide awake.
The emails contained a copy of WORM_MYTOB; this is easily distinguished by the hellmsn.exe dropped file and other common WORM_MYTOB traits... or so I thought. :)
After a few minutes of looking at the malware body, I realized that it is again a WORM infected with PE_BOBAX.
At first I thought this was just a technique to raise the infection rate of PE_BOBAX. Now I'm realizing a new angle on this: it may also be done to avoid detection of the infector itself (PE_BOBAX).
This is because most AV engineers would then be fooled into detecting the INFECTED WORM, so the nasty little bugger (I'm talking about PE_BOBAX here) that is carried by the WORM gets away, free to infect other files on the user's system.
So far the most successful in spreading is the one infected with WORM_MYTOB.

Tags: Smishing

  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.