[Intrusions] Interesting little piece of malware...
Timothy Chase
timothychase at gmail.com
Sat Sep 25 12:58:39 GMT 2004
On Wed, 22 Sep 2004 21:01:55 -0400, don murdoch <djmurd at cox.net> wrote:
> We are continuing to take prudent steps to deal, and seeing IRC
> traffic on non standard ports from +1024 ports ... and seeing that
> the executable name is changing (randomizing), but the MD5s are the
> same (interesting wrinkle, eh)?
Sounds like the "poor man's" (perhaps someone else might supply a
better description of the possessor) approach to viral "polymorphism."
Actually, no surprise. The binary -- obviously -- remains the same
while the file name changes to make it "harder" to detect. Maybe the bot
writer never heard of hashes. Then again, I think most of those guys
either don't know how to get a binary to rewrite itself, or don't care
to take the time. Additionally, the more capacities you write into
bots, the bigger they become and the slower they are to infect, and
many of those bots are pretty bloated as it is.
(Within the last few weeks, I have seen bots as small as 78,952 bytes,
but one came in at 472,532, and at present, the most common is 305,435
bytes. By comparison, witty worm -- which infected 95% of all
computers connected to the net running vulnerable versions of the
Black Ice firewall in 30 minutes -- weighed in at a hefty 660 bytes --
but that was written in assembly, by someone who apparently knew
exactly what he was doing, reading from the patch which was made
available the previous day.)
Bots are becoming increasingly common -- for the first half of the year,
70% of all spam was being sent by zombie computers, and in June alone,
80%.
> Also - we are at a < 5% threshold ...
Congratulations! Since you know exactly what you are looking for,
knocking out the last few percent shouldn't take long...
Take care,
Tim
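The detection idea discussed above (the file name randomises but the MD5 stays the same, so hashing the file contents finds every copy) as an added example; this is not code from the original thread or from either poster. It walks a directory, hashes every regular file, and reports only those content hashes that appear under more than one file name. The three sample files and their contents are constructed placeholders, not real bot binaries; SHA-256 is used rather than MD5 only because it is the better choice for a lookup key today, and the `algorithm` parameter lets you pass `"md5"` to match hashes reported by others.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample tree: the same "bot" payload dropped twice under
# randomised names, plus one unrelated file. Contents are placeholders.
SAMPLE_FILES = {
    "svchosts32.exe": b"MZ\x90\x00fake-bot-payload-v1",
    "wuamgrd.exe":    b"MZ\x90\x00fake-bot-payload-v1",   # same bytes, new name
    "readme.txt":     b"nothing to see here",
}


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Return the hex digest of a file's contents, read in chunks so
    large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_renamed_duplicates(root, algorithm="sha256"):
    """Walk `root`, group every regular file by content hash, and return
    only the groups that appear under more than one distinct file name.
    Symlinks are skipped so a link to a file is not counted as a copy."""
    names_by_digest = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            names_by_digest[hash_file(path, algorithm)].add(name)
    return {digest: sorted(names)
            for digest, names in names_by_digest.items()
            if len(names) > 1}


def write_sample_tree(root):
    """Materialise the constructed sample files under `root`."""
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)


def run_demo(algorithm="sha256"):
    """Build the sample tree in a temporary directory and return the
    renamed-duplicate groups found in it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return find_renamed_duplicates(root, algorithm)


if __name__ == "__main__":
    for digest, names in run_demo().items():
        print(f"{digest[:16]}...  {', '.join(names)}")
```

Pointing `find_renamed_duplicates` at a real system drive gives you the "same hash, many names" list directly. The caveat is the one the post itself implies: this only works because the binary is not rewriting itself; a bot that actually changes its bytes on each drop defeats a hash lookup, and you would then fall back on the IRC traffic pattern rather than the file.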