17 Dec 2007

Googbot- worm

Original issue date: 24th September 2007

It has been observed that a mass-mailing worm named Googbot is circulating in the wild. It propagates by exploiting software vulnerabilities. The worm is exploiting Trend Micro ServerProtect multiple stack-based buffer overflow vulnerability described in CIVN-2007-80 and Windows LSA (Local Security Authority) Service Stack-Based Buffer Overflow vulnerability described in CVE-2003-0533 . Further it opens a backdoor on the infected system on TCP port 7001 to connect to domain io.phatnet.biz and listen for malicious commands from the remote attacker.

The worm has its own SMTP engine to send mass e-mails. It harvests the e-mail addresses from the infected system and sends malicious e-mails to the collected addresses. The e-mail body contains a malicious link which entice the users to click upon using social engineering technique.

Aliases : WORM_AGENT.AAWD [Trend], W32 Duce.a@mm [McAfee], Backdoor.W32.GoogBot.A [Kaspersky]

The e-mail contains the following :

Subject : (any of the following)

  • Someone has sent you a Private Message!
  • You have just recieved a NEW message!
  • You have (1) NEW messages!

Body : (any of the following)

  • You have just recieved a new Google Message!
  • You can view your message here: http://www.google.com/gmsgid=4289472
  • Note: If you do not already have Google Message Viewer installed, you will be prompted to install it.


Upon execution, the worm :

  • Copies itself to the following location:
    %System%\sysboot32.exe
  • Creates the following registry entry to ensure its execution
    at every system startup
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\"System Boot Loader" = "%System%\sysboot32.exe"
  • Modifies the hosts file for effectively disabling the access to security related websites by adding the following lines like:
    • 127.0.0.1 securityresponse.symantec.com
    • 127.0.0.1 symantec.com
    • 127.0.0.1 www.sophos.com
    • 127.0.0.1 sophos.com
    • 127.0.0.1 www.mcafee.com
    • 127.0.0.1 mcafee.com
    • 127.0.0.1 liveupdate.symanteclive
      update.com
  • Obtains e-mail addresses from the Windows Address Book and also searches for email addresses in files which have the following extensions:
    wab, .adb, .tbb, .dbx, .asp, .php, .sht,.htm,.txt
  • Opens a backdoor on the infected system on TCP port 7001 to connect to domain io.phatnet.biz

In view of rapid propagation of the Googbot worm, users are advised to implement the following countermeasures:

  • Install and maintain a updated anti-virus software at gateway and desktop level.
  • Keep up-to-date on patches and fixes on the operating system and above mentioned vulnerabilities.
  • Monitor outgoing traffic to specified TCP port of the IRC command and control (C&C) server mentioned above.
  • Enable advanced TCP/IP filtering on systems.
  • Do not follow links embedded in unsolicited emails.

References:

http://www.symantec.com/enterprise/security_response/writeup
.jsp?docid=2007-091707-2115-99&tabid=1

Disclaimer:

The information provided herein is on "as is" basis, without warranty of any kind.


Disqus

comments powered by Disqus