Zindos Worm Analysis
- URL: http://www.secureworks.com/research/threats/zindos
- Date: July 28, 2004
- Author: Joe Stewart
Zindos is a worm that piggybacks on MyDoom.M/O infections in order to launch a DDoS attack against www.microsoft.com. In order to understand how Zindos is able to spread, it is necessary to understand the distributed architecture of the latest MyDoom email virus.
Stage 1 - MyDoom
MyDoom.M/O spreads through conventional mass-mailer techniques, usually disguised as an SMTP delivery failure message. It carries an encrypted logfile of up to 256 hosts that have been infected by the virus before it reached this point (256 is not a hard limit, but after reaching 256 hosts in the log, new hosts are only appended 5% of the time, keeping the logfile from growing too large). This logfile is extracted and saved to the user's temp directory as "zincite.log" when MyDoom runs.
Stage 2 - Zincite
A second file is extracted, which is the backdoor component known as Zincite.A. This file reads the zincite.log and attempts to connect to each host listed in the logfile in order to keep the list current. It also listens on TCP port 1034 for inbound connections. When MyDoom sends copies of itself from the infected machine via email, the sending computer's IP address is added to the log which is appended to the MyDoom executable. When a new victim runs the executable, the backdoor component connects back to the IP address of the computer that sent it the virus along with all the other IP addresses in the log, reporting that it too is now infected. In this way the logfile is updated, keeping track of new infections as well as the infection history.
Early on, this connect-back activity was believed to be random IP address scanning; however, this has proven not to be the case. Neither Zincite nor Zindos perform random scans; all connections are to hosts listed in the zincite.log file.
Stage 3 - Zindos
At some point, Zindos was introduced into some host on this makeshift peer-to-peer network. Zindos reads the zincite.log file from the local host and attempts to send itself to all hosts found inside, using the file upload protocol built into the Zincite.A listener. The listener decrypts and verifies the key used to encrypt the file upload, and if it is valid, executes the uploaded file, at which point Zindos runs and repeats the process.
Most viruses and worms create a unique "mutex" in memory in order to detect when the program is already running on a host. Zindos does not have such a check, so multiple copies can be uploaded and run on the host, causing the operating system to become excessively slow. This is likely due to a programming omission, as MyDoom does contain such a check.
DDoS Attack Description
After 3 minutes, Zindos launches a thread to make an HTTP request to www.microsoft.com. It then sleeps for 1 second before creating a second HTTP request thread, then begins adding additional threads at increasing intervals of 250 ms, in a loop. Each thread will request the page from Microsoft, sleep for 50 ms, then loop. Since there is no end to the number of threads Zindos will try to create, it will progressively degrade performance on the affected machine even if no other copies of Zindos are run.
Zincite.log File Format
Copies of the zincite.log file are sometimes emailed as the virus attachment instead of being appended to the executable and sent. The encrypted logfile is created in 32-byte chunks. The first 4 bytes are a key used to decrypt the rest of the chunk. The chunk can be decrypted by taking the one's complement of the key and XORing each following dword in the chunk with it. If an address decrypts to 255.x.x.x or 0.x.x.x it is a "filler" address, and it and all trailing addresses in the chunk can be discarded. What is left is a list of addresses known to be infected by the host that sent the attachment.
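The decoder below is an added example written against the format description above; it is not code from the original article or from the malware. It assumes that the first byte of each decrypted dword is the first octet of the address (so the 255.x.x.x / 0.x.x.x filler test looks at that byte), and it de-duplicates addresses across chunks, which is a design choice of this example rather than part of the format. The encrypt_chunk helper exists only to build the constructed sample data; the addresses used are RFC 5737 documentation ranges, not real infections.

```python
"""Decoder for the 32-byte-chunk zincite.log format (added example, not the article's code)."""
import ipaddress

CHUNK_SIZE = 32                                  # one encrypted record
KEY_SIZE = 4                                     # first dword of the chunk is the key
ADDRS_PER_CHUNK = (CHUNK_SIZE - KEY_SIZE) // 4   # seven address slots follow the key


def _xor_mask(key: bytes) -> bytes:
    """One's complement of the key; XOR with it is the same as XORing the dword with ~key."""
    return bytes(b ^ 0xFF for b in key)


def is_filler(addr: bytes) -> bool:
    """Filler slots decrypt to 255.x.x.x or 0.x.x.x.
    Assumption: the first decrypted byte is the first octet."""
    return addr[0] in (0, 255)


def decrypt_chunk(chunk: bytes) -> list:
    """Return the IPv4 addresses held in one 32-byte chunk, stopping at the first filler."""
    if len(chunk) != CHUNK_SIZE:
        raise ValueError("zincite.log chunks are exactly 32 bytes")
    mask = _xor_mask(chunk[:KEY_SIZE])
    hosts = []
    for off in range(KEY_SIZE, CHUNK_SIZE, 4):
        raw = bytes(b ^ m for b, m in zip(chunk[off:off + 4], mask))
        if is_filler(raw):
            break          # this slot and every trailing slot in the chunk is padding
        hosts.append(str(ipaddress.IPv4Address(raw)))
    return hosts


def decrypt_log(data: bytes) -> list:
    """Decrypt a whole log; unique addresses in order of first appearance.
    A trailing partial chunk (fewer than 32 bytes) is ignored."""
    seen = {}
    whole = len(data) - len(data) % CHUNK_SIZE
    for off in range(0, whole, CHUNK_SIZE):
        for host in decrypt_chunk(data[off:off + CHUNK_SIZE]):
            seen.setdefault(host, None)
    return list(seen)


def encrypt_chunk(hosts: list, key: bytes) -> bytes:
    """Inverse of decrypt_chunk; used here only to construct sample data."""
    if len(hosts) > ADDRS_PER_CHUNK or len(key) != KEY_SIZE:
        raise ValueError("at most 7 hosts per chunk and a 4-byte key")
    mask = _xor_mask(key)
    slots = [ipaddress.IPv4Address(h).packed for h in hosts]
    slots += [b"\xff\xff\xff\xff"] * (ADDRS_PER_CHUNK - len(slots))   # 255.255.255.255 filler
    body = b"".join(bytes(b ^ m for b, m in zip(slot, mask)) for slot in slots)
    return key + body


# Constructed sample: two chunks, different keys, one address repeated across chunks.
SAMPLE_LOG = (
    encrypt_chunk(["192.0.2.10", "198.51.100.7", "203.0.113.99"], b"\x12\x34\x56\x78")
    + encrypt_chunk(["203.0.113.99", "192.0.2.44"], b"\xde\xad\xbe\xef")
)

if __name__ == "__main__":
    for host in decrypt_log(SAMPLE_LOG):
        print(host)
```

Because XOR works byte by byte, the dword endianness of the key and data does not matter for the decryption itself; the only byte-order assumption is which decrypted byte carries the first octet. When reading a real captured log, feed the raw file bytes to decrypt_log and treat the result as a list of hosts the sender believed to be infected, not as a list of confirmed infections.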
Removal
Many antivirus companies provide free utilities to remove MyDoom from an infected computer. Although not recommended, manual removal is possible, and can be accomplished by the following steps:
Use the task manager to locate and kill:
- %Windir%\services.exe
- %Windir%\java.exe
- %Temp%\[random filename].exe
Note that there is also a "services.exe" that runs from the system directory (%Windir%\system32); that one is a legitimate and necessary Windows file.
Remove the following registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
- "Services" => "%Windir%\services.exe"
- "JavaVM" => "%Windir%\java.exe"
- "Tray" => "[random filename].exe"
Snort Signatures
The following Snort signature can be used to detect when a host on your network is infected with MyDoom.M/O:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Mailto domain search (possible MyDoom.M/O)"; content:"GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+"; depth:45; content:"Host|3a| www.google.com"; reference:url,www.secureworks.com/research/threats/zindos; classtype:trojan-activity; sid:1000116; rev:1;)