Robots, vile robots everywhere!

The time of the flash Internet worms that could spread to millions of machines in less than an hour has passed. Nowadays we are living in the days of trojans, phishing, password stealing and backdoors. However, combinations of fast-spreading worms and very cunning trojans aren’t rare at all.

Thursday, 2nd of June around 17:12 GMT, we received an interesting exploit from one of the machines in the grand ‘Smallpot’ honeypot network. Slowly, more packets started to arrive and it became obvious that whatever was sending them was picking up momentum. Since the simplest explanation is usually the right one, the first guess was an Internet worm attack.

Investigation of the packets revealed a Microsoft ASN.1 exploit, which tries to download and run an executable from the attacking machine via TFTP. We secured a binary and took a look under the hood. The responsible worm was an Rbot variant, 121504 bytes long, generically detected by KAV as ‘Backdoor.Win32.Rbot.gen’. It is packed with the MEW runtime executable packer and has an MD5 of ‘7fe7a8320bbd029a87e0228ff5d23053’.

Besides the ASN.1 exploit – and this is the first worm to use it successfully on the Internet – the Rbot variant uses a multitude of other exploits: DCOM, RPC, Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys for a long list of popular games and PayPal account logins, has an embedded backdoor and, of course, DDoS capabilities. Basically, it’s a worm which tries very hard to spread while at the same time stealing as much valuable data from the victim machine as is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we’re seeing nowadays are no different.
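As an added example from the defender's side (not code from the original post or from the honeypot project), the script below correlates an ASN.1 exploit attempt with a TFTP fetch from the same source, the exploit-then-download pattern described above, counts exploit attempts per minute to spot a worm picking up momentum, and checks a captured binary against the size and MD5 quoted in the text. The log format, event names and addresses are constructed for the example and are not Smallpot's own.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Indicators quoted in the write-up: size and MD5 of the Rbot sample.
RBOT_MD5 = "7fe7a8320bbd029a87e0228ff5d23053"
RBOT_SIZE = 121504

# Constructed honeypot log lines in a hypothetical
# "<time> <source> <event> <detail>" format (not real Smallpot output).
SAMPLE_LOG = """\
2005-06-02T17:12:05 10.0.0.7 exploit asn1
2005-06-02T17:12:06 10.0.0.7 tftp-get update.exe
2005-06-02T17:13:40 10.0.0.9 exploit asn1
2005-06-02T17:14:02 10.0.0.12 exploit asn1
2005-06-02T17:14:03 10.0.0.12 tftp-get update.exe
2005-06-02T17:20:11 10.0.0.9 tftp-get update.exe
"""


def parse_log(text):
    """Split each non-empty line into (timestamp, source, event, detail)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, event, detail = line.split(None, 3)
            rows.append((datetime.fromisoformat(ts), src, event, detail))
    return rows


def exploit_then_tftp(rows, window_seconds=60):
    """Sources whose ASN.1 exploit attempt was followed, within the window,
    by a TFTP fetch: the worm's exploit-then-download behaviour."""
    last_exploit, hits = {}, []
    for ts, src, event, detail in sorted(rows):
        if event == "exploit" and detail == "asn1":
            last_exploit[src] = ts
        elif event == "tftp-get" and src in last_exploit:
            if (ts - last_exploit[src]).total_seconds() <= window_seconds:
                hits.append(src)
    return hits


def attempts_per_minute(rows):
    """Exploit attempts per minute bucket, to see whether the rate is climbing."""
    buckets = defaultdict(int)
    for ts, _src, event, _detail in rows:
        if event == "exploit":
            buckets[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(buckets)


def check_rbot_indicators(data):
    """Compare a captured binary against the size and MD5 quoted above."""
    return {"size": len(data) == RBOT_SIZE,
            "md5": hashlib.md5(data).hexdigest() == RBOT_MD5}
```

The third source in the sample log fetches its file more than a minute after the exploit attempt, so it is left out of the correlated hits; tune the window to what your honeypot actually observes.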

Three years ago, the worst thing that could happen to your computer was a corrupted flash ROM or a wiped HDD. In most cases you could even recover the data from the HDD. Nowadays a virus infection is much worse. Your computer may easily become the pawn of an organization of cybercriminals which blackmails companies over the Internet. Or your e-banking accounts are suddenly missing a few hundred euros. Or your valuable items from a virtual game on the Internet are suddenly somebody else’s. There are cases when people have killed each other over such things.

With that in mind, I am left with a question: aren’t we becoming too addicted to our beloved computers? Is it really worth dying for a thing which only exists as polarized atoms on a platter, among billions of others, 10,000 km away? Are we becoming too dependent on technology, so soon? I’m afraid the answer has more implications than we are ready to accept.
