myNetWatchman KnowledgeBase
Pooling knowledge to
secure the internet.
Date: 2002-05-21
Author: Lawrence Baldwin, myNetWatchman.com
Title: Updated threat assessment of Newbiero worm
Summary:
On or about March 4, 2002 several anti-virus vendors released bulletins regarding a new virus/worm/backdoor under a variety of names:
Henceforth, I refer to this worm as 'Newbiero'.
Most classified Newbiero as a 'backdoor' trojan, and alluded to *potential* worm distributed denial-of-service (DDoS) capabilities.
The purpose of this document is to clarify the worm and DDoS features of Newbiero and to justify a more serious threat assignment.
Our key observations are as follows:
- Newbiero definitely has worm capabilities and is propagating through open file shares and hosts with blank Administrator passwords
- A 300-500% increase in sources of Netbios probes starting March 1 coincides with the Newbiero discovery
- 2,000 - 3,000 unique source IPs are currently being detected per day by myNetWatchman
- Scan patterns are slow (< 1/second) and isolated (1 Class C at a time, non-contiguous address targets)
- Utilizes IRC connections for command/control by a remote attacker
- Successful backtrace to hostile IRC channel identified approximately 30 hosts awaiting DDoS commands
- Observed actual DDoS attack (2GB) while monitoring channel

Open Share - Attempted infection via open file share
Infection status messages posted into IRC channel by scanning bots:
:eompiv!~EIPO@enc48-243.enc.csupomona.edu PRIVMSG #h0tm4|l :Computer on IP: 209.181.109.208 is already infected.
:bolarcg!ULNCSF@adsl-208-191-144-77.dsl.hstntx.swbell.net PRIVMSG #h0tm4|l :Computer on IP: 203.106.139.30 is already infected.
:ujjacug!EJJUTH@80-200-64-151.adsl.powered-by.skynet.be JOIN :#h0tm4|l
:tfikscno!QW12534@d44-228.webster1.ucdavis.edu JOIN :#h0tm4|l
:FHDCHEA!VDMEUC@adsl-208-191-144-32.dsl.hstntx.swbell.net JOIN :#h0tm4|l
:FSENFR!KEBR@1Cust144.tnt18.krk1.da.uu.net JOIN :#h0tm4|l
:oinov!~OFOAGR@202.87.125.120 JOIN :#h0tm4|l
:hlpcn!RPBP@adsl-64-108-41-76.dsl.rcfril.ameritech.net JOIN :#h0tm4|l
:EJIESC!~ECEP@63.149.76.214 JOIN :#h0tm4|l
:OVQNM!CQOGI@1Cust158.tnt2.minneapolis3.mn.da.uu.net JOIN :#h0tm4|l
:bolarcg!ULNCSF@adsl-208-191-144-77.dsl.hstntx.swbell.net PRIVMSG #h0tm4|l :Computer on IP: 66.206.37.217 is already infected.
:OVQNM!CQOGI@1Cust158.tnt2.minneapolis3.mn.da.uu.net PRIVMSG #h0tm4|l :Computer on IP: 67.251.130.37 is already infected.
:eompiv!~EIPO@enc48-243.enc.csupomona.edu PRIVMSG #h0tm4|l :Computer on IP: 203.173.130.139 is already infected.
:GQMDFUR!werd@h227-233.adirondack.albany.edu PRIVMSG #h0tm4|l :Computer on IP: 212.98.134.21 is already infected.
:NTBSO!~NDSHCQ@132.161.142.98 JOIN :#h0tm4|l
:trbddj!OBBJE@63.149.76.214 JOIN :#h0tm4|l
:girqbe!VRAEC@1Cust131.tnt2.minneapolis3.mn.da.uu.net JOIN :#h0tm4|l
Worm targeting pattern:
Trace start time: 2002-05-17 18:53:19 UTC
65.116.94.1 - 254
166.102.255.1 - 254
38.144.87.1 - 254
209.71.249.1 - 254
211.224.129.1 - 254
202.71.97.1 - 254
195.116.108.1 - 254
213.93.192.1 - 254
134.58.253.1 - 254
217.157.138.1 - 254
205.205.30.1 - 254
207.202.19.1 - 254
217.157.210.1 - 254
80.247.205.1 - 254
Trace end time: 2002-05-17 19:36:07 UTC
The targeting pattern appears to select no more than 255 contiguous addresses and skips around through mostly unrelated netblocks. This is possibly an
attempt to avoid detection. In examining udp/137 probes reported to myNetWatchman in May 2002, there were surprisingly few times that multiple sensors detected probes
from the same source: 70% of probes were detected by one sensor, another 15% by 2 sensors, and less than 15% were detected by 3 or more sensors.
This suggests that target selection may be controlled centrally and purposely prevents the same IP from being targeted by multiple bot instances; it
almost seems like *coordinated* and *distributed* scanning is at play here. Unfortunately the packet traces we collected did not capture any possible instructions regarding which
addresses to scan, so this is just conjecture at this point.
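The sensor-overlap figure and the one-/24-at-a-time pattern described above can be checked mechanically. The script below is an added example, not myNetWatchman's own analysis code: it assumes probe reports normalised to (sensor_id, source_ip, target_ip, timestamp) records, uses constructed sample reports (the sensor ids and addresses are made up), and re-reads the 14 target ranges from the trace above to confirm that none of the /24s are adjacent.

```python
"""Scan-pattern checks for udp/137 probe reports: per-source sensor overlap and
/24 block hopping.

Added example, not myNetWatchman code. It assumes probe reports have been
normalised to (sensor_id, source_ip, target_ip, timestamp) records; the
SAMPLE_REPORTS below are constructed, and TRACE_RANGES is the target list
from the packet trace quoted above.
"""
from collections import defaultdict
from ipaddress import IPv4Network, ip_network
from typing import Dict, Iterable, List, NamedTuple


class ProbeReport(NamedTuple):
    sensor_id: str    # reporting participant's firewall (hypothetical id)
    source_ip: str    # scanning host
    target_ip: str    # address probed on udp/137
    timestamp: str    # UTC, ISO-8601


# Constructed sample. 10.0.0.5 probes one /24 and is seen by one sensor;
# 10.0.0.9 hops between three unrelated /24s and is seen by three sensors;
# 10.0.0.77 and 10.0.0.88 probe the same /24, seen by one and two sensors.
SAMPLE_REPORTS = [
    ProbeReport("s01", "10.0.0.5", "192.0.2.17", "2002-05-17T18:53:19Z"),
    ProbeReport("s01", "10.0.0.5", "192.0.2.42", "2002-05-17T18:53:21Z"),
    ProbeReport("s02", "10.0.0.9", "192.0.2.3", "2002-05-17T18:55:00Z"),
    ProbeReport("s03", "10.0.0.9", "198.51.100.4", "2002-05-17T19:01:02Z"),
    ProbeReport("s04", "10.0.0.9", "203.0.113.5", "2002-05-17T19:20:45Z"),
    ProbeReport("s05", "10.0.0.77", "203.0.113.8", "2002-05-17T19:30:00Z"),
    ProbeReport("s05", "10.0.0.88", "203.0.113.8", "2002-05-17T19:31:00Z"),
    ProbeReport("s06", "10.0.0.88", "203.0.113.9", "2002-05-17T19:31:01Z"),
]

# The 14 target ranges from the 2002-05-17 trace in this write-up.
TRACE_RANGES = [
    "65.116.94.1 - 254", "166.102.255.1 - 254", "38.144.87.1 - 254",
    "209.71.249.1 - 254", "211.224.129.1 - 254", "202.71.97.1 - 254",
    "195.116.108.1 - 254", "213.93.192.1 - 254", "134.58.253.1 - 254",
    "217.157.138.1 - 254", "205.205.30.1 - 254", "207.202.19.1 - 254",
    "217.157.210.1 - 254", "80.247.205.1 - 254",
]


def sensor_overlap(reports: Iterable[ProbeReport]) -> Dict[str, float]:
    """Fraction of source IPs reported by exactly 1, exactly 2, or 3+ sensors."""
    sensors_per_source = defaultdict(set)
    for r in reports:
        sensors_per_source[r.source_ip].add(r.sensor_id)
    buckets = {"1": 0, "2": 0, "3+": 0}
    for sensors in sensors_per_source.values():
        n = len(sensors)
        buckets["1" if n == 1 else "2" if n == 2 else "3+"] += 1
    total = sum(buckets.values()) or 1
    return {k: v / total for k, v in buckets.items()}


def target_blocks(reports: Iterable[ProbeReport], source_ip: str) -> List[IPv4Network]:
    """Distinct /24s a single source has probed, in address order."""
    blocks = {ip_network(f"{r.target_ip}/24", strict=False)
              for r in reports if r.source_ip == source_ip}
    return sorted(blocks, key=lambda n: int(n.network_address))


def non_contiguous(blocks: List[IPv4Network]) -> bool:
    """True when no two /24s in the list are adjacent (sorted internally)."""
    ordered = sorted(blocks, key=lambda n: int(n.network_address))
    return all(int(b.network_address) - int(a.network_address) > 256
               for a, b in zip(ordered, ordered[1:]))


def is_block_hopping(reports: Iterable[ProbeReport], source_ip: str, min_blocks: int = 2) -> bool:
    """Flag a source that touched at least min_blocks /24s, none adjacent:
    the slow, isolated pattern described in the write-up."""
    blocks = target_blocks(reports, source_ip)
    return len(blocks) >= min_blocks and non_contiguous(blocks)


def parse_trace_ranges(lines: Iterable[str]) -> List[IPv4Network]:
    """Turn '65.116.94.1 - 254' style range lines into /24 networks."""
    blocks = []
    for line in lines:
        start, _, _ = line.partition(" - ")
        blocks.append(ip_network(f"{start.strip()}/24", strict=False))
    return blocks


if __name__ == "__main__":
    print("sensor overlap:", sensor_overlap(SAMPLE_REPORTS))
    for src in ("10.0.0.5", "10.0.0.9"):
        print(src, "block-hopping:", is_block_hopping(SAMPLE_REPORTS, src))
    trace = parse_trace_ranges(TRACE_RANGES)
    print(len(trace), "/24s in trace, non-contiguous:", non_contiguous(trace))
```

On real sensor data the overlap buckets are computed per source IP, which is what the 70/15/15 split above measures; a source that is block-hopping and seen by only one sensor per block is exactly the case that a single-sensor view underestimates.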
Example DDoS attack (against myself):
[15:11] <my_nick> !ping 64.1.1.1 65500 10
[15:11] <INVKSII> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <juqastu> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <BUKIMUTA> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <rtico> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <RUPTSL> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <MCQBURJ> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <qdqcn> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <RFRFDR> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <RMQMDIG> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
[15:11] <GUPNHUK> Type: PING. Target: 64.1.1.1, Size: 65500, Packets: 10.
Syntax is: !ping victim_ip ICMP_size count
Note: there are other commands for IGMP and UDP flooding as well
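The infection status messages posted by the scanning bots and the flood acknowledgements in the exchange above can be pulled out of a channel capture with a short parser. The following is an added example, not tooling from myNetWatchman or the DSLreports forum: it recognises the raw server line format (":nick!user@host JOIN :#chan" and "... PRIVMSG #chan :text") used in the status messages and the client-log format ("[HH:MM] <nick> text") used in the DDoS exchange, and it runs over constructed sample lines (nicks, hosts, channel name and addresses are made up) to list confirmed bots, reported victim addresses, and how many distinct bots acknowledged each flood target.

```python
"""Summarise bot roster, reported victims and flood acknowledgements from an
IRC channel capture.

Added example; it is not myNetWatchman tooling. It understands the two line
shapes shown in this write-up: raw server lines (":nick!user@host JOIN :#chan"
and "... PRIVMSG #chan :text") and client-log lines ("[HH:MM] <nick> text").
Nicks, hosts, channel and addresses in SAMPLE_CAPTURE are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RAW_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+"
                    r"(?P<cmd>JOIN|PRIVMSG)\s+(?P<rest>.*)$")
CLIENT_RE = re.compile(r"^\[(?P<time>\d{2}:\d{2})\]\s+<(?P<nick>[^>]+)>\s+(?P<text>.*)$")
INFECTED_RE = re.compile(rf"Computer on IP:\s*(?P<ip>{IPV4}) is already infected")
FLOOD_ACK_RE = re.compile(rf"Type:\s*(?P<type>[A-Z]+)\.\s*Target:\s*(?P<target>{IPV4}),"
                          rf"\s*Size:\s*(?P<size>\d+),\s*Packets:\s*(?P<count>\d+)")
# Operator syntax from the write-up: !ping victim_ip ICMP_size count (other verbs exist)
COMMAND_RE = re.compile(rf"^!(?P<cmd>\w+)\s+(?P<target>{IPV4})\s+(?P<size>\d+)\s+(?P<count>\d+)\s*$")


@dataclass
class ChannelSummary:
    joined: Dict[str, str] = field(default_factory=dict)           # nick -> host, every JOIN seen
    bots: Dict[str, Optional[str]] = field(default_factory=dict)   # nicks confirmed by a report/ack
    infected_hosts: Set[str] = field(default_factory=set)          # victims reported by bots
    commands: List[dict] = field(default_factory=list)             # operator flood commands
    flood_acks: List[dict] = field(default_factory=list)           # per-bot acknowledgements


def _note_message(summary: ChannelSummary, nick: str, host: Optional[str], text: str) -> None:
    """Classify one message body and update the summary."""
    inf = INFECTED_RE.search(text)
    if inf:
        summary.bots.setdefault(nick, host)        # only bots post infection reports
        summary.infected_hosts.add(inf["ip"])
        return
    ack = FLOOD_ACK_RE.search(text)
    if ack:
        summary.bots.setdefault(nick, host)        # only bots acknowledge flood commands
        summary.flood_acks.append({"nick": nick, **ack.groupdict()})
        return
    cmd = COMMAND_RE.match(text)
    if cmd:
        summary.commands.append({"nick": nick, **cmd.groupdict()})


def analyse(lines: Iterable[str]) -> ChannelSummary:
    """Walk a capture line by line; lines in neither format are ignored."""
    summary = ChannelSummary()
    for line in lines:
        line = line.rstrip("\r\n")
        raw = RAW_RE.match(line)
        if raw:
            nick, host = raw["nick"], raw["host"]
            if raw["cmd"] == "JOIN":
                summary.joined[nick] = host
            else:                                   # PRIVMSG <channel> :<text>
                _, _, text = raw["rest"].partition(":")
                _note_message(summary, nick, host, text)
            continue
        client = CLIENT_RE.match(line)
        if client:
            _note_message(summary, client["nick"], None, client["text"])
    return summary


def acks_per_target(summary: ChannelSummary) -> Dict[str, int]:
    """How many distinct bots acknowledged each flood target."""
    per_target: Dict[str, Set[str]] = {}
    for ack in summary.flood_acks:
        per_target.setdefault(ack["target"], set()).add(ack["nick"])
    return {t: len(n) for t, n in per_target.items()}


# Constructed capture in the two formats seen above (no real hosts).
SAMPLE_CAPTURE = [
    ":botA!~ABCD@host-a.example.net JOIN :#chan",
    ":botB!EFGH@host-b.example.net JOIN :#chan",
    ":botA!~ABCD@host-a.example.net PRIVMSG #chan :Computer on IP: 192.0.2.10 is already infected.",
    ":botB!EFGH@host-b.example.net PRIVMSG #chan :Computer on IP: 198.51.100.7 is already infected.",
    ":botA!~ABCD@host-a.example.net PRIVMSG #chan :Computer on IP: 192.0.2.10 is already infected.",
    "[15:11] <operator> !ping 203.0.113.1 65500 10",
    "[15:11] <botA> Type: PING. Target: 203.0.113.1, Size: 65500, Packets: 10.",
    "[15:11] <botB> Type: PING. Target: 203.0.113.1, Size: 65500, Packets: 10.",
    "[15:11] <botC> Type: PING. Target: 203.0.113.1, Size: 65500, Packets: 10.",
    "some unrelated chatter line",
]

if __name__ == "__main__":
    s = analyse(SAMPLE_CAPTURE)
    print("joined:", s.joined)
    print("confirmed bots:", s.bots)
    print("reported victims:", sorted(s.infected_hosts))
    print("acks per target:", acks_per_target(s))
```

Keeping JOINs separate from confirmed bots matters when you are sitting in the channel yourself: an observer's own JOIN should not inflate the zombie count, whereas a nick that posts an infection report or a flood acknowledgement has identified itself as a bot.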
Conclusion:
Newbiero appears to be much more dangerous than was originally reported. Any worm that enables automated assimilation of DDoS zombies, has centralized IRC command and control, and propagates stealthily is a serious
threat to Internet infrastructure. The IRC mechanism also enables accumulation and tracking of zombies even if they have dynamic IP addresses. Quantifying the extent of Newbiero infections is difficult: we certainly can't say
that all of the Netbios probes we're detecting are Newbiero generated; however, the discovery of Newbiero at nearly the same time as the dramatic increase in Netbios probes suggests that there is likely a relationship.
Credits:
Kudos to the many participants in the DSLreports security forum who noticed this activity and triggered me to investigate further.
The 1300+ myNetWatchman participants whose firewall data was essential to analyzing and tracking this issue.
Most importantly, Jason Tinsly from the University of Kansas who tracked down the compromised host and gathered most of the forensic data used in this analysis.