[unisog] Info on Gaobot.AFJ

Brian Eckman eckman at umn.edu
Thu Apr 29 21:14:24 GMT 2004


I know some Universities are seeing hosts infected with Gaobot.AFJ, and 
more with variants just like it. I have analyzed what Symantec detects 
as Gaobot.AFJ, and have some details that people might find helpful.

First off, it really should be called Polybot/Phatbot and not 
Gaobot/Agobot. Second, it is mostly like what McAfee is calling 
W32/Gaobot.worm.ali. I'll outline differences below:

McAfee URL (I've posted it here before, recently :)
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006

I've seen it as
%SystemRoot%\System32\WMIPSVSC.EXE
and
%SystemRoot%\System32\WMIPRVSC.EXE

Both files are essentially the same, but the MD5s are different. This is 
probably because Polybot is polymorphic. The registry keys are just like 
McAfee's writeup, except they will be like:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Microsoft Update" = wmipsvsc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    "Microsoft Update" = wmipsvsc.exe

It tries to connect to three different DNS names to find its DNS 
controller. It tries:

ph4tbackupz4.alt-bin.com:7000/tcp   (131.96.173.146, status: host down)
ph4tbitch4.no-ip.info:7000/tcp      (10.10.10.10)
ph4tbackupz4.no-ip.info:7000/tcp    (63.215.241.236, status: host up, no IRC server present)

It is possible that 7000/tcp will actually be stunnel, pointing to 
6667/tcp on the same host. This is presumably to encrypt the IRC traffic 
to make the botnet harder to find. Variants of Gaobot/Polybot have been 
doing this for some time, often using 1331/tcp for stunnel.

If Gaobot.AFJ can connect to its IRC server, it will be fully active. 
It will look for a huge list of running processes, and terminate them if 
they are running. Processes include AntiVirus software, Ethereal, 
MSconfig, Regedit, etc. (some or all of these processes might be 
terminated even before it connects to the IRC server). However, it 
searches for active processes by name, so if you make a copy of 
regedit.exe and call it something different, it should run. You can then 
remove the keys for wmipsvsc.exe and reboot. Then, the file will no 
longer be hidden from Windows (it hides itself, but cannot do that if it 
is not running), and you can delete it from a command prompt, Explorer, 
et al.

Note that the above paragraph is likely relevant for any modern variant 
of Polybot. Replace wmipsvsc.exe with whatever name your variant is 
using, and it will often work.
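The cleanup above hinges on finding the two autorun values. Here is an added example (mine, not from the post) in Python that parses the output of `reg query` for the Run and RunServices keys, flags any value whose image basename is one of the file names named above, and produces the matching `reg delete` lines for the admin to run after the process has been stopped. The `reg query` text is a constructed sample in the shape Windows prints it; the SoundMan entry is a made-up benign value for contrast.

```python
import re

# Constructed sample of `reg query` output for the two autorun keys. The
# "Microsoft Update" values mirror the post; SoundMan is a made-up benign entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Update    REG_SZ    wmipsvsc.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Update    REG_SZ    wmipsvsc.exe
"""

# Image names seen for this variant (from the post); swap in your variant's name.
SUSPECT_IMAGES = {"wmipsvsc.exe", "wmiprvsc.exe"}

# One value line: name, two or more spaces, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Return (key, value_name, data) triples from `reg query` output."""
    entries = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            entries.append((current_key, m.group("name"), m.group("data").strip()))
    return entries


def image_basename(data):
    """Lower-cased file name of the executable in a Run value (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        image = data[1:].split('"', 1)[0]      # quoted path, may contain spaces
    else:
        image = data.split(" ", 1)[0]          # bare path: first token
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspect_autoruns(text, suspects=SUSPECT_IMAGES):
    """Autorun values whose image basename is one of the suspect names."""
    return [(key, name, data) for key, name, data in parse_reg_query(text)
            if image_basename(data) in suspects]


def reg_delete_commands(hits):
    """The `reg delete` lines to remove each flagged value (run after the bot is stopped)."""
    return ['reg delete "%s" /v "%s" /f' % (key, name) for key, name, _ in hits]


if __name__ == "__main__":
    for cmd in reg_delete_commands(find_suspect_autoruns(SAMPLE_REG_QUERY)):
        print(cmd)
```

Feed it `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the RunServices equivalent, captured to a file; matching is on the basename only, so values with a full path or trailing arguments are still caught.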

Note that all variants of Gaobot/Polybot allow the IRC channel op to 
download and install additional software on infected computers, so the 
above might not be all that is needed to make a computer "clean". 
Remember also that these newer variants are sniffing and sending screen 
captures back to the IRC channel op, so users should change passwords on 
a clean computer ASAP after infection is noticed.

There are several variants of this same type of worm out there, and they 
are successfully exploiting the LSASS flaw in MS04-011 as one method of 
spreading. We all likely have hundreds or even thousands of unpatched 
hosts on our network, so prevention is ideal, but early detection of 
infected hosts on your network is an absolute *must* if you want to 
contain this. Polybot variants may try to spread via various exploits 
over TCP ports 80, 135, 139, 445, 1434, 2745, 3127, 3410, 5000, 6129, 
and others I've forgotten or just missed. Note it is almost always a 
subset of those ports/vulnerabilities, and not every single one. Fully 
patched machines are not necessarily safe, as it throws a laundry list 
of username/password combos at hosts trying to get in via "weak" 
passwords. Some of the passwords it tries are not ones some admins would 
call "weak".

You absolutely cannot count on antivirus software to protect you from 
gaobot/polybot. New variants are coming out daily. McAfee reports that 
there have been over 900 variants so far, most of which have likely 
come in the last six months.

If you don't think you have or have had a gaobot problem, I fear you 
might be dead wrong. This is one of the most successful worms in history 
that nobody has heard of. Check for flows to bogon hosts such as 
1.3.3.7, 10.0.1.128 and 31.3.3.7. Common TCP ports used for the IRC 
communication have been 1331, 6667 and 7000, but each variant can use 
whatever it chooses.

If you suspect a host has Gaobot/Polybot, you might want to Nmap it (use 
-p 1-65535 of course). It most likely has two or more "odd" ports open. 
If you telnet to those odd ports, and one of the following happens, 
chances are good that you have a 'bot:

1. If it replies "220 Welcome to Bot FTP Service", you have Gaobot
2. If it replies "220 Bot Server (Win32)", you have Polybot
3. If it throws a ton of garbage at you, you probably have Gaobot. Try 
other ports to see if any match #1 or #2 above.

If you use netcat to connect to the port that causes #3 to happen, and 
pipe the output to a file, you will have a copy of the binary with four 
extra bytes at the front of it. If you delete the first four bytes in a 
hex editor and save it, you should have an actual copy of the virus 
binary. However, modern Polybot variants no longer send themselves 
automatically upon connection, so this won't always work for you.
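The three telnet outcomes and the netcat capture above can be checked offline against whatever the odd port sent. This is an added example (mine, not from the post) in Python: `classify_banner` recognises the two banner strings quoted above, treats a stream that is mostly non-printable as the "#3" case, and `extract_pushed_binary` drops the four-byte prefix. The assumption that the payload after those four bytes begins with the "MZ" marker that every Windows executable starts with is mine; the sample byte strings are constructed.

```python
GAOBOT_BANNER = b"220 Welcome to Bot FTP Service"   # outcome #1 in the post
POLYBOT_BANNER = b"220 Bot Server (Win32)"           # outcome #2 in the post

# Constructed stand-in for what netcat would write to a file in case #3:
# a 4-byte prefix followed by a DOS/PE image header (assumption: the pushed
# binary is a normal Windows executable, which starts with "MZ").
SAMPLE_PUSH = b"\x00\x00\x01\x10" + b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56


def _printable_ratio(chunk):
    """Fraction of bytes that are printable ASCII or line/tab control characters."""
    if not chunk:
        return 1.0
    ok = sum(1 for b in chunk if 32 <= b < 127 or b in b"\r\n\t")
    return ok / len(chunk)


def classify_banner(data):
    """Classify the first bytes read from an odd open port on a suspect host."""
    head = data[:64]
    if head.startswith(GAOBOT_BANNER):
        return "gaobot"
    if head.startswith(POLYBOT_BANNER):
        return "polybot"
    # Case #3: the port pushes its own binary; 4-byte prefix then the MZ header.
    if len(data) > 6 and data[4:6] == b"MZ":
        return "binary-push"
    if head and _printable_ratio(head) < 0.7:
        return "garbage"
    return "unknown"


def extract_pushed_binary(data):
    """Strip the 4-byte prefix; refuse if what follows is not a DOS/PE image."""
    payload = data[4:]
    if payload[:2] != b"MZ":
        raise ValueError("payload after 4-byte prefix does not start with MZ")
    return payload


def save_capture(data, path):
    """Write the stripped binary to disk for submission to your AV vendor."""
    payload = extract_pushed_binary(data)
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload)


if __name__ == "__main__":
    for sample in (GAOBOT_BANNER + b"\r\n", POLYBOT_BANNER + b"\r\n",
                   SAMPLE_PUSH, b"\x8a\x00\x13\xff" * 8, b"SSH-2.0-OpenSSH\r\n"):
        print(classify_banner(sample))
```

Capture the port's output with netcat to a file as the post describes, then run `classify_banner` on the file contents; a "garbage" result with no MZ after the prefix means the stream was something other than a straight copy of the binary, which is what the last paragraph warns about for newer variants.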

Good luck out there,
Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota