
Marcin Sochacki (Wanted) Blog, Internet, Technology

» Virus attack

For almost a year now, one of the servers I take care of has been under constant attack by viruses, to be exact a series of mutations of the Bagle worm. I thought the basic mechanism looked like this: a new virus shows up, quickly spreads, people install fixes, and after a couple of weeks the virus no longer exists in the wild. The truth is that the epidemic doesn't subside that quickly, and many users have no idea that their computers have been infected all year long.

It all started at the beginning of June 2006, when I had a look at the web server's statistics and at first thought it was the target of a DDoS attack. When I checked the logs I could see thousands of requests for the nonexistent file /nul.php coming from many different machines:

pool-70-19-217-150.bos.east.verizon.net - - [04/Jun/2006:08:18:24 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"
lns-bzn-20-82-250-5-184.adsl.proxad.net - - [04/Jun/2006:08:18:46 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
host140-90.pool8255.interbusiness.it - - [04/Jun/2006:08:19:04 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
host71-78.pool8255.interbusiness.it - - [04/Jun/2006:08:19:06 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
host71-78.pool8255.interbusiness.it - - [04/Jun/2006:08:19:06 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
host140-90.pool8255.interbusiness.it - - [04/Jun/2006:08:19:07 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
85-53-79-85.mad1.adsl.uni2.es - - [04/Jun/2006:08:19:55 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
85-53-79-85.mad1.adsl.uni2.es - - [04/Jun/2006:08:19:55 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
anancy-152-1-97-93.w86-213.abo.wanadoo.fr - - [04/Jun/2006:08:20:03 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
anancy-152-1-97-93.w86-213.abo.wanadoo.fr - - [04/Jun/2006:08:20:03 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

A quick Google search helped identify the cause: viruses. It turned out that the authors of some Bagle variants, for reasons unknown to me, wanted to use my server, among others, as a source of updates. The list of URLs the worm checks contains several dozen hosts; see the following antivirus database entries: Bagle.FY, Bagle.GS.

The target platform for the virus is, obviously, the most popular one: Microsoft Windows. The attack mechanism is also typical: users get a spam e-mail with a compressed, encrypted ZIP file and a second attachment, an image containing the password. Encryption makes it much harder to create a unique signature for the virus (which could otherwise be used on the e-mail gateway), because the archive's bytes change with every randomly generated password, and a gateway that does not know the password cannot look inside the archive at all. Although it would seem impossible, a virus that needs this much manual user intervention can spread very effectively. How can anyone open a ZIP file sent without any prior arrangement, protected with a random password, and then run the .exe file inside the archive? Doesn't it look suspicious? Unfortunately those are rhetorical questions: computer security education is so poor that many people will happily infect their own systems. After running the .exe, the worm adds itself to all the important places in the system, including the startup entries in the Registry. Then it starts sending out copies of itself, naturally using the address book of the leading e-mail client, Outlook. The circle is complete.
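A gateway-side check against exactly this delivery pattern, written here as an added example (it is not code from the post and not part of any Bagle analysis): the ZIP headers, including entry names and the flag word that marks an entry as encrypted, are stored in the clear even when the payload is encrypted, so a mail gateway can refuse an attachment that is an encrypted archive containing an executable without ever knowing the password. The function names, the extension list and the constructed sample archives are all assumptions of this example; a real gateway would apply this as one rule among many.

```python
"""Added example: gateway policy for password-protected ZIP attachments.

Not the author's code. The encrypted payload cannot be scanned, but the
ZIP headers (entry names and the general-purpose flag word) are in the
clear, which is enough to spot "encrypted archive containing an .exe".
Sample archives are constructed inline; nothing is read from disk.
"""
import io
import struct
import zipfile
import zlib

# Names Windows runs on double-click; illustrative list, not exhaustive.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Bit 0 of the general-purpose flag marks an encrypted entry (ZipCrypto or AES).
ENCRYPTED_FLAG = 0x0001


def build_zip(name: str, data: bytes, flags: int = 0) -> bytes:
    """Assemble a minimal single-entry ZIP (method 0, "stored") by hand.

    zipfile cannot write encrypted archives, so the headers are packed
    directly and `flags` is written as given: setting ENCRYPTED_FLAG makes
    the archive look encrypted without implementing ZipCrypto, which is
    all the header-only check below needs (constructed test data).
    """
    fname = name.encode("ascii")
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # local file header: signature, version needed, flags, method, time, date,
    # crc32, compressed size, uncompressed size, name length, extra length
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    # central directory entry: signature, version made by, version needed, flags,
    # method, time, date, crc32, sizes, name/extra/comment lengths, disk number,
    # internal/external attributes, offset of the local header
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    # end of central directory: signature, disk numbers, entry counts,
    # directory size, directory offset, comment length
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_zip(blob: bytes) -> list:
    """What the gateway can learn without the password: for each entry, its
    name, whether it is encrypted and whether the name looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "executable": info.filename.lower().endswith(EXECUTABLE_EXTENSIONS),
            })
    return findings


def verdict(attachment: bytes) -> str:
    """Policy: "block" an encrypted entry with an executable name (the Bagle
    pattern), "quarantine" any other encrypted or malformed archive (it cannot
    be scanned, so a human or sandbox must look), "scan" everything else."""
    if not zipfile.is_zipfile(io.BytesIO(attachment)):
        return "scan"  # not a ZIP at all; leave it to the regular AV path
    try:
        entries = inspect_zip(attachment)
    except zipfile.BadZipFile:
        return "quarantine"  # claims to be a ZIP but does not parse
    if any(e["encrypted"] and e["executable"] for e in entries):
        return "block"
    if any(e["encrypted"] for e in entries):
        return "quarantine"
    return "scan"


if __name__ == "__main__":
    samples = {
        "photo.exe, encrypted": build_zip("photo.exe", b"MZ...", ENCRYPTED_FLAG),
        "photo.jpg, encrypted": build_zip("photo.jpg", b"\xff\xd8\xff", ENCRYPTED_FLAG),
        "notes.txt, plain": build_zip("notes.txt", b"hello"),
    }
    for label, blob in samples.items():
        print(f"{label:24} -> {verdict(blob)}")
```

The decision is deliberately made on metadata only: the gateway never needs the password from the image, and the random password that defeats byte-level signatures does nothing against a rule keyed on "encrypted plus executable name".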

Some Bagle variants, including the ones mentioned here, can download updates over the web. They query the hosts from the embedded list and, if they find something, presumably run the code. If an attacker has access to at least one of the servers on the list, he can build a quite stable and efficient network of zombie machines, which can then be used for DDoS attacks or spamming.

After some time other URLs also showed up, e.g. /777.gif, /999.gif, /mul2.php. To keep the garbage out of the logs and lessen the load on the server I quickly wrote a set of rules for Apache:

# the following rules block unwanted queries at the very start
# and return 403 Forbidden status instead of 404 Not Found
# (the regex is unanchored, so these names are blocked in any directory;
# this is Apache 2.2 syntax: on 2.4 replace the Order/Deny pair with
# "Require all denied", or load mod_access_compat)
<LocationMatch "/([mn]ul2?\.php|mu2l\.php|(777|999)\.gif)">
Order Deny,Allow
Deny from All
</LocationMatch>

# turn off logging of certain requests in access.log
# (requests that set the nolog variable are dropped from this log;
# to keep counting them, send them to a separate file with a second
# CustomLog line using env=nolog)
SetEnvIf Request_URI "/([mn]ul2?\.php|mu2l\.php|(777|999)\.gif)" nolog
CustomLog /var/log/apache/access.log combined env=!nolog

That basically ended the virus case. Today, almost a year after its creation, I decided to check how many users are still infected. The chart below shows the number of requests for the Bagle files; each bar corresponds to one week.

Bagle virus activity between June 2006 and May 2007

It's clear that the big growth in popularity happened at the very beginning of the epidemic. During the most active week the server received almost 3.4 million requests, which corresponds to about 5.5 requests per second on average. Quite impressive, huh? Later you can observe the falling trend. There's also a big drop in activity during the Christmas holidays, when many computers are not switched on at all. On the other hand people also have more free time then, and are probably more likely to fix their computers, which includes removing viruses.
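The weekly counts behind such a chart can be produced straight from the access log. The following is an added example, not the author's script: it parses Apache combined-format lines, keeps only the worm's probe paths using the same alternatives as the LocationMatch rule above, and aggregates requests and distinct client hosts per ISO week. Since the logging rule above drops the probes from access.log, it assumes they were routed to a separate file with a second CustomLog using env=nolog. The sample log mixes four lines quoted in the post with two constructed lines from the 192.0.2.0/24 documentation range, marked as such in the code.

```python
"""Added example: weekly worm-probe statistics from an Apache access log.

Not the author's script. Assumes Apache "combined" log format and the
probe paths named in the post. SAMPLE_LOG mixes lines quoted in the post
with two constructed lines (hosts in 192.0.2.0/24 are the constructed ones).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One Apache "combined" line: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths the worm polls: the same alternatives as the LocationMatch rule,
# anchored at the end so longer names do not slip through.
BAGLE_URI_RE = re.compile(r"/([mn]ul2?\.php|mu2l\.php|(?:777|999)\.gif)$")

SAMPLE_LOG = [
    # four lines quoted in the post
    'pool-70-19-217-150.bos.east.verizon.net - - [04/Jun/2006:08:18:24 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"',
    'lns-bzn-20-82-250-5-184.adsl.proxad.net - - [04/Jun/2006:08:18:46 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    'host71-78.pool8255.interbusiness.it - - [04/Jun/2006:08:19:06 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'host71-78.pool8255.interbusiness.it - - [04/Jun/2006:08:19:06 +0200] "GET /nul.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # two constructed lines: a later probe after the 403 rule was in place, and a normal visitor
    '192.0.2.10 - - [12/Jun/2006:10:00:00 +0200] "GET /777.gif HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.0.2.11 - - [13/Jun/2006:11:30:00 +0200] "GET /index.html HTTP/1.1" 200 1045 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "uri": m.group("uri"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def weekly_bagle_stats(lines):
    """Map ISO-week label -> (probe requests, distinct client hosts), probes only.

    Distinct hosts are a rough lower bound on infected machines: the post
    notes the clients sit on dynamic IPs, so one PC shows up under many names.
    """
    requests = Counter()
    hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BAGLE_URI_RE.search(rec["uri"]):
            continue
        year, week, _ = rec["ts"].isocalendar()
        key = f"{year}-W{week:02d}"
        requests[key] += 1
        hosts[key].add(rec["host"])
    return {k: (requests[k], len(hosts[k])) for k in sorted(requests)}


if __name__ == "__main__":
    for week, (count, distinct) in weekly_bagle_stats(SAMPLE_LOG).items():
        print(f"{week}: {count} probes from {distinct} hosts")
```

Reading a real log means iterating over the file instead of SAMPLE_LOG; the status code is kept in the parsed record so that 404s from before the rule and 403s from after it can be counted together, as the chart does.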

Currently the server still gets 400,000 stupid file requests per week. Taking the slow falling trend into account, I can expect there will still be a significant number of them for the next two years. If a server owner had to pay for traffic, putting his URL in virus code might generate significant costs for him. What's worse, the administrator has no control over incoming traffic, and it's not easy to block it at the TCP/IP layer because of dynamic IPs. Unless… he would be willing to fight the virus with its own weapon :-)

One could put an executable file in one of the locations mentioned above and check how the virus behaves in this situation. Maybe it would be possible to uninstall the viruses remotely. In June last year I checked all the embedded URLs; none of them served anything interesting. If I find some time, maybe I'll try this method someday.

2007/06/06 08:20 | computers/microsoft/
