Stronger social engineering in e-mail worms with free antivirus mail scanner circumvention

Hi kids, it has been some time since I wrote an article, but well, I'm back finally. A lot of things happened: since a year or so I started to consider myself retired; I mutated from an angry teenager that wanted to code evil things into a hard-working student whose main goal is to get the best grades and make his profs happy. Yeah, my life sucks. But well, some days I miss my old hobby and jack into the Metaverse, talk with old friends and yes: sometimes I even write an article, like the one you are reading now. A small disclaimer: I wrote a bit about this concept already on some forum, so it isn't 100% new, but well, it might be fun.

Enough stupid introduction stuff, let's get to the point: this time I decided to write something about worms. Some people still call themselves virus writers, but in my opinion this era is closed, looking at the wild list and other statistics. Worms dominate the malware landscape, and often many versions of a worm appear; AVers even run out of characters to give them unique names. However, worms are becoming less successful: most people finally remember "not to click on the paperclip", and especially not if the "sender" is someone you know but starts mailing in a totally different language (assuming you aren't a native English speaker) about "100% pr0n check attachment" or other totally ridiculous "social engineering" messages. Besides the user awareness, the fact that many corporations and ISPs use a mail scanner is also a major worm-suppressing factor. However, as I stated before, worms are still quite successful, despite the fact that really nothing changed in their way of spreading: sending a copy of the body as attachment to as many people as possible, together with some tempting text.
Now, time for something different: instead of mailing a copy as attachment, we only send a specially crafted HTTP URL that points to the box we are running from. In the meanwhile, we run on the box a little web server that simply always provides our executable on all requests (why do more than needed?).

First the advantages (yeah, I want to convince you to code this):

- Stronger social engineering: it is something people are not used to distrusting; people often get links mailed and "there is no paperclip";
- AV e-mail scanners won't catch it; there is no attachment.

And now the disadvantages (will be dealt with later). Reliability problems:

- the web server can go down;
- the web server can be unconnectable due to network problems such as routers and firewalls;
- getting an outside accessible IP address can be hard inside a network;
- the message body with the URL can be eliminated by spam filters.

Regarding the web server: many people leave their boxes running all night long, and more and more people have a broadband always-on connection. When we consider this statistically, we may assume that at least a few boxes we infect will stay up for a longer period, providing a safe web server. Besides that, the worm should also be able to have a list of web servers: when it passes a host and runs a server on it, it can add its IP to the list. When the worm lands on a next box (hop), it can check the list and verify which of the servers are up. In addition, the worm might even linger on the host for some predefined period, check the behaviour of the box and in the meanwhile check the other boxes for reliability too. Also, it can check the uptime of the box it landed on using GetTickCount(): if we are running already for 20 days, why wouldn't we run for another few days?
Combining all the information about host behaviour and the behaviour of its preceding web servers as parameters, one can deduce an equation that can be used to select the most reliable server and advertise it in the next e-mail messages. Even better: since a lot of malware incorporates all kinds of network facilities to set up a DDoS or spam box network, this network can also be used to communicate between instances of the worm and advertise reliable worm web servers. As a final addition we have some natural selection too: worms that advertise an unreliable server will die, the right worms will survive. Darwin would have been proud of us.

Regarding network problems: when we are behind a router, it can be hard to connect to the worm web server we are running. However, in more recent Windows versions there is support for dynamic addition of NAT ports. Some games and similar networked programs add ports. The same applies to the firewall in SP2, which should be taken into account too. At the moment I can't recall the name of the API; I investigated it and all I remember was that it was COM based, which resulted in messy C++ code. Well, just fire the exact keywords into Google ;)

Getting an outside IP can be tricky, but one can get the outside IP for example by calling back to another worm server, just some extra functionality you'll need to code.

Now some social engineering: simply sending a line like:

http://123.123.123.123/x.exe

in a message doesn't really work, I presume. A trick that has been used for ages to fool people is to abuse 1. the login:password@host formatting feature, 2. the other freaky notation of IP addresses which has a name that I can't remember at the moment but which simply looks like a number, and 3. the usage of idiot long URLs, which is something that people are used to. Putting these things together would look like this:

http://username:password@hostname/file.exe

The username and password can be anything, just put something there that people trust.
People have the odd behaviour of trusting famous brands, and even when there is completely no connection between the topic of the mail and the company, people trust it. Trust me :). So the username could contain something like microsoft.com/very/deep/url with some ASP and session-id-like bogus stuff that makes people stop reading. The hostname can be the IP in freaky notation, that is just placing the octets of the IP in a dword and writing it as a 32-bit decimal number, which doesn't look like an IP at all, especially not to the average viewer, and also not when it is hidden very deep in your crafted nasty-looking URL with all kinds of codes.

Now add some text, either abusing the trust of people in famous brands as written above, or abusing their curiosity, like:

---
Someone sent you an interactive love e-card! You can view it on:
http://ecards-r-us.com:ecards.php.424DAS@#23123AD12313andaverylongstringwithallkindofinformationthatdiscouragespeopletoreadit@123123123/123123.exe
---

Besides that, you can abuse the special characters in %HEX notation to obscure the URL even more. Just use your imagination. And besides that, you can use HTML formatting in your mail, making the link actually point to a different location than you promise. Wouldn't you click on that link? I would, for sure. Until I'd have seen that I was about to download an .exe file, but "what the hack?", says average Joe, "it is from ecards-r-us!" Of course you can use many different ways to build up the text in the message, in order to confuse scanners. And preferably use a standard e-card company text too, it will look authentic.

Conclusion

Enough spoken, go code it! I'm curious if it works, what the weak points are and how it can be improved learning from results in the wild. I'd rather have implemented this concept myself, but well, as I said, I don't code malware anymore. Many thanks to malfunction for checking this crappy article before submitting it.

PS. Oh my god! What have I done?!
I wrote an article for RRLF, now my soul is eternally doomed and now I'm not allowed to join #virus anymore, as it applies to RRLF members :] Hell, my life is wasted. If you have anything to tell me, don't hesitate to contact me.

:lifewire / ikx - lifewire$mail.ru - ikx.cjb.net:
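As an added, defender-side example that is not part of the original article: a small Python checker that unpicks the three URL tricks described in the social engineering section (credentials before the '@', the dword IP notation, %HEX encoding) the way a browser actually resolves them, so a mail filter can show the real host and flag links that fetch an executable. The sample URL, the host names and the function names are constructed for this example, not taken from the article.

```python
import re
import socket
import struct
from urllib.parse import unquote

# Extensions a mail gateway would not expect behind an "e-card" link.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")

def split_url(url):
    """Split an absolute URL the way RFC 3986 (and browsers) do: the authority
    ends at the first '/', '?' or '#', and the host is whatever follows the
    LAST '@' in it, regardless of what the text before the '@' looks like."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)$", url)
    if not m:
        return None
    scheme, authority, rest = m.groups()
    userinfo, sep, hostport = authority.rpartition("@")
    host = hostport.rsplit(":", 1)[0]  # drop an explicit port (names / IPv4 only)
    return scheme, (userinfo if sep else None), host, rest

def dword_to_dotted(host):
    """A bare decimal host such as 2071690107 is a 32-bit IP in 'dword'
    notation; return it as a dotted quad, or None if it is not one."""
    if not host.isdigit() or int(host) > 0xFFFFFFFF:
        return None
    return socket.inet_ntoa(struct.pack("!I", int(host)))

def suspicious_link_reasons(url):
    """Return the obfuscation indicators found in url (empty list = none)."""
    parts = split_url(url)
    if parts is None:
        return ["not an absolute URL"]
    _scheme, userinfo, host, rest = parts
    reasons = []
    if userinfo is not None:
        reasons.append("credentials before '@': real host is %r, not %r" % (host, userinfo))
    if not host:
        reasons.append("empty host: the link is malformed")
    dotted = dword_to_dotted(host)
    if dotted:
        reasons.append("dword host %s is really %s" % (host, dotted))
    if "%" in url:
        reasons.append("percent-encoded characters; decoded form: %s" % unquote(url))
    path = unquote(rest.split("#")[0].split("?")[0]).lower()
    if path.endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link path fetches an executable: %s" % path)
    return reasons

# Constructed sample in the spirit of the article's e-card mail (not a real host).
SAMPLE = "http://www.example.com:ecard.php.A1B2C3@2071690107/%63ard.exe"
```

Running suspicious_link_reasons(SAMPLE) reports all four indicators, while the article's own e-card URL is cut off at its '#' by a standards-conforming parser and ends up with an empty host, which the checker reports as malformed.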