[Dshield] Is Mytob that bad?!?

Eric Kedrosky ekk at nortel.com
Mon Jun 6 19:55:41 GMT 2005



After reading this post I felt that it was time to throw my hat into the
ring.

"... told me about the symantec definition update ... i applied it and
nailed the virus."

I wouldn't be too confident that you nailed the virus 100%.

The latest variants of MyTob, circulating for almost 3 weeks ... or more
... all have had BotNet backdoors associated with them.  This means that
when the virus is executed on your system it connects to an IRC server
<somewhere> on the Internet and checks in.  After that, the first thing
that it usually does is download a *virus upgrade* and, in most of the
MyTob variants that I have researched recently, downloads Spyware and
Adware ... all of which your AV scanner doesn't detect.

Furthermore, the virus will update itself as often as possible ... along
with more spyware/adware .. from the BotNet.  Thus, it is actively
staying one or two steps ahead of your AV scanner.

Speaking of AV scanners, they can only detect what they know about.
Thus, if the virus gets an update that your AV scanner doesn't know
about then it won't find anything.  In one day I have submitted up to 5
unique samples from one single infection point, all of which were
unknown to a plethora of AV scanners.

I honestly don't mean to single you out, that is not my purpose.  I
would just like to inform you, and anyone else, about how dangerous Bots
really are.  I see this all the time, ppl get infected and use clean up
tools from <an AV vendor> (insert the one you use here) but their
infection doesn't go away.  They think it is gone b/c they don't see any
outward sign of infection and then forget about it after a few days.
95% of the time, there is a Bot still lurking on the system, reporting
home, getting updates, taking orders, fetching spyware/adware and who
knows what else ... all under the nose of the AV software.

All of that said, I am not sure what variant of MyTob that you were
infected with, but a deeper inspection of your system might be
worthwhile.  This can be easily done with programs like TcpView and/or
Ethereal.  Shut down all apps that talk via the network and look for
processes and/or traffic flows that are attempting to make connections.
Ethereal is really good b/c you can view the TCP conversation instead of
the raw packets.  If you still have a Bot you'll see it talking to the
BotNet Controller ... look for "PING" and "PONG", "JOIN #" and other IRC
messages as well.

If anyone has any questions, please feel free to contact me at the email
address below.

Eric Kedrosky
Security Analyst - Malware
ekk at nortel dot com
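One way to apply the Ethereal/TcpView check described above to a captured conversation, as an added example that is not part of the original post: a small Python scanner that counts IRC protocol messages (the PING, PONG and JOIN # the post names, plus the standard NICK/USER registration, PRIVMSG and numeric replies) in a reassembled TCP stream. It matches on content rather than port, since a bot controller need not listen on 6667. The stream text, hostnames and nicknames are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of a reassembled TCP conversation, in the style of an
# Ethereal/Wireshark "Follow TCP Stream" view. ">" marks client->server,
# "<" marks server->client. Hostnames and nicknames are invented placeholders.
BOT_STREAM = """\
> NICK [XP|12345]
> USER xp 0 0 :xp
< :irc.example.invalid 001 [XP|12345] :Welcome
> JOIN #examplechan
< PING :irc.example.invalid
> PONG :irc.example.invalid
< :op!u@h.invalid PRIVMSG #examplechan :hello
"""

# Constructed non-IRC traffic, to show that ordinary web browsing is not flagged.
WEB_STREAM = """\
> GET / HTTP/1.1
> Host: www.example.invalid
< HTTP/1.1 200 OK
< Content-Type: text/html
"""

# An IRC line is: optional ":prefix ", then a command word or a 3-digit
# numeric reply, then parameters. Direction markers are stripped first.
IRC_LINE = re.compile(r"^(?::\S+\s+)?(PING|PONG|JOIN|NICK|USER|PRIVMSG|\d{3})\b(.*)$")

def irc_indicators(stream_text):
    """Count IRC message kinds in a reassembled stream, whatever the port."""
    hits = Counter()
    for raw in stream_text.splitlines():
        line = raw.lstrip("<> ").rstrip()
        m = IRC_LINE.match(line)
        if not m:
            continue
        cmd, params = m.group(1), m.group(2).strip()
        if cmd.isdigit():
            cmd = "NUMERIC"          # server numeric replies such as 001
        elif cmd == "JOIN" and params.startswith("#"):
            cmd = "JOIN #"           # channel join, the "JOIN #" the post mentions
        hits[cmd] += 1
    return hits

def looks_like_irc(stream_text, min_distinct=3):
    """True when several different IRC message kinds appear. Requiring more
    than one keyword avoids flagging text that merely contains "PING"."""
    return len(irc_indicators(stream_text)) >= min_distinct
```

Run it over the text exported from a "Follow TCP Stream" window for each unexplained connection; a stream that registers a nick, joins a channel and answers PING with PONG is the bot check-in the post describes.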

David Vincent wrote:
> hehe, funny story.
> 
> i run my own mail server and have for years. it started out as an
> exercise in setting up smtp, but now hosts my main accounts.  over the
> years i've added layers of protection and one of them is blocking a long
> list of attachment types.
> 
> my home machine got infected with this virus because my wife opened up an
> email with the attachment, not one that went through my mailserver, but
> from her hotmail account.  they declared the file as virus free (mcafee
> engine) and allowed her to download it.  it passed our anti-virus
> (symantec engine) and allowed her to execute the .scr inside.
> 
> after she double-clicked it and went "huh, no picture" i asked what she
> was doing.
> 
> the next three emails i read were on this list and told me about the
> symantec definition update.  i applied it and nailed the virus.
> 
> thanks list for your awesome help, just when i needed it.
> 
> it's *always* the vectors you don't handle which will get you.  :) 
> tongue firmly in cheek.
> 
> since hotmail seems to have finally removed support for account access
> through outlook and outlook express, we'll be dumping those accounts real
> soon.
> 
> cheers.
> 
> -d
> 
> 
> 
> Tom wrote:
> 
>> Stef,
>>
>> Symantec says:
>>
>> Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or
>> .zip file extension.
>>
>> Now why would anyone any more accept naked .bat, .cmd, .exe, .pif,
>> .scr files as attachments or even those files in a zip?
>>
>> We routinely block all those and more either standalone or
>> encapsulated in a zip or a rar. Therefore, we never see nor have to
>> deal with outbreaks like these and yet blocking as we do, we have
>> never had any issues that would cause us to even consider shutting
>> down mail.
>>
>> Although I find UPS' position of shutting down mail as an IT
>> department in over-reactive mode, it does point out that solely
>> relying on running AV systems on your incoming mail is bound to be
>> problematic as the virus can always get to you before a detection
>> fingerprint can be built and then distributed and then finally
>> deployed.  Plugging the vectors (eg .pif, .scr, etc.) is much safer.
>>
>> Tom
>>
>>
>>
>>> Here below is a message my company has received from a UPS employee,
>>> asking us to fax all orders, until further notice. Assuming a lot of
>>> UPS business relies on the exchange of information, potentially using
>>> attachments, the measure they took implies a level of threat from
>>> Mytob much higher than what the regular anti-virus lists seem to
>>> associate with this ... is anybody facing a similar issue?!?
>>>
>>> TIA,
>>> Stef
>>>
>>> ===== UPS message ========================
>>>
>>> Subject: Attachments Are now being Blocked due to new Virus
>>> Variants:
>>>       Please inform Users
>>>       Importance: High
>>>
>>>       Stakeholders,
>>>
>>>       Due to multiple Mytob virus variants being released one after the other,
>>>       UPS INET and Data Security have placed a block on all email attachments
>>>       as of 6/2 4:00pm EST.
>>>
>>>       This will stop the new variants from spreading. 5 variants in the past
>>>       48 hours have been released. Now at Mytob DB, extended version 6/2/2005
>>>       rev. 22 or greater are required to detect this threat.
>>>
>>>       We will let you know when the attachments are allowed again.
>>>
>>> -------------- Sponsor Message ------------------------------------
>>> Join us at SANSFIRE 2005 in Atlanta!
>>> The Internet Storm Center Conference.
>>> Details: http://www.sans.org/sansfire2005
>>>
>>> _______________________________________________
>>> send all posts to list at lists.dshield.org
>>> To change your subscription options (or unsubscribe), see:
>>> http://www.dshield.org/mailman/listinfo/list
>>
>>
>>
>>
> 

