Anatomy of a Malware Program

I'm always hassling readers to make sure they have up-to-date anti-virus software, but just for a change I thought I'd tell you in a bit more detail exactly what the latest nasty is doing. The latest piece of malware is a worm called 'I-Worm.Baba'. The first hint I had of it was a posting to the North American Network Operators' Group (NANOG) mailing list last Monday, when one of the operators reported a massive rise in the load on certain ports on their proxy servers. This sort of thing is often the first indication of a new virus, and that's what it later proved to be.

Baba is a multi-stage mass-mailer worm that affects Microsoft Windows computers. It does a number of things to your computer, and keeps a record of what it's done so far in a file called C:\csrss.exe. The file name caused a bit of confusion at first, because it's the same file name that the Netsky worm uses.

The first thing that happens is that the virus component reads the executable file into memory and writes an entry into the registry to make sure that it runs after the next reset. Next, it checks that another copy of the program isn't already running; if one is, it exits. After this it checks whether it can send mail out via the hotmail.com servers. If it isn't successful after five minutes, it terminates, presumably so that the user of the computer won't notice all the extra traffic being generated; it will try again after the next reboot. If it succeeds, it searches your computer for e-mail addresses by looking in any files of type dbx, wab, mbx, eml, mdb, tbb, inbox or dat, and in any files in folders called 'mail'. Once it's got a list of all the e-mail addresses on your computer it mails out infected e-mails to each of them.

So that's the virus part of Baba... Remember I said it was a multi-stage piece of malware? Well, the second part is a trojan component that starts running after the next reboot.
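Two of the details above are things a defender can check on a machine directly: the registry entry that makes the worm run at boot, and the file C:\csrss.exe sitting at the drive root. The name collides with the legitimate Windows Client/Server Runtime Subsystem, csrss.exe, which lives in %SystemRoot%\System32, so it is the location rather than the name that gives the worm away. The script below is an added example, not code from the article or from any anti-virus vendor; it parses a constructed .reg-style export of the Run key and a constructed file listing (every path, value name and drive letter is made up), flags any csrss.exe outside System32, and lists the files that the article's harvest criteria (the extension list and 'mail' folders) would let the worm read.

```python
"""Host triage for the worm-stage indicators described in the article.

Added example, not from the article. The registry dump and file listing are
constructed samples; on a real host, feed in a 'reg export' of the Run key
and a directory walk instead.
"""
import re
from pathlib import PureWindowsPath

# Constructed .reg-style export of the Run key. The "csrss" value is the kind
# of persistence the article describes: an executable named like the real
# session manager but sitting at the drive root.
RUN_KEY_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"csrss"="C:\\csrss.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

# Constructed file listing; the user name and documents are made up.
FILE_LISTING = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\csrss.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\Outlook\Outlook.pst",
    r"C:\Users\alice\Mail\inbox",
    r"C:\Users\alice\Contacts\alice.wab",
    r"C:\Users\alice\Documents\report.eml",
    r"C:\Users\alice\Documents\notes.txt",
]

# File types the article says the worm searches for addresses.
HARVEST_EXTENSIONS = {"dbx", "wab", "mbx", "eml", "mdb", "tbb", "inbox", "dat"}

# Only legitimate location of csrss.exe (assumes a default %SystemRoot%).
LEGIT_CSRSS_DIR = PureWindowsPath(r"C:\Windows\System32")

_RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_run_key(dump: str) -> dict:
    """Return {value_name: command} from a .reg-style Run key export."""
    entries = {}
    for line in dump.splitlines():
        m = _RUN_LINE.match(line.strip())
        if m:
            # .reg files escape each backslash as '\\'
            entries[m.group("name")] = m.group("value").replace("\\\\", "\\")
    return entries


def first_token(command: str) -> str:
    """Extract the executable path from a Run-key command, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted form: cut at the first ' /' or ' -' argument marker.
    return re.split(r"\s+[/-]", command, maxsplit=1)[0]


def misplaced_csrss(path: str) -> bool:
    """True if a file is called csrss.exe but does not live in System32."""
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively
    return p.name.lower() == "csrss.exe" and p.parent != LEGIT_CSRSS_DIR


def suspicious_persistence(dump: str) -> list:
    """Run-key entries whose executable is a csrss.exe outside System32."""
    hits = []
    for name, command in parse_run_key(dump).items():
        exe = first_token(command)
        if misplaced_csrss(exe):
            hits.append((name, exe))
    return hits


def harvest_exposure(paths) -> list:
    """Files the worm's address search would read, by the article's criteria."""
    exposed = []
    for raw in paths:
        p = PureWindowsPath(raw)
        ext = p.suffix.lstrip(".").lower()
        in_mail_folder = any(part.lower() == "mail" for part in p.parts[:-1])
        if ext in HARVEST_EXTENSIONS or p.name.lower() in HARVEST_EXTENSIONS or in_mail_folder:
            exposed.append(raw)
    return exposed


if __name__ == "__main__":
    for name, exe in suspicious_persistence(RUN_KEY_DUMP):
        print(f"persistence: Run value {name!r} -> {exe}")
    for path in FILE_LISTING:
        if misplaced_csrss(path):
            print(f"misplaced csrss.exe: {path}")
    for path in harvest_exposure(FILE_LISTING):
        print(f"address store readable by the worm: {path}")
```

The exposure list is there to show how much of an ordinary user profile the worm's search covers; the persistence and location checks are the actionable part, and a real sweep would compare the flagged file's hash against the vendor's signature rather than trusting the path alone.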
The first thing it does, when the reboot starts it running, is to check that it's the only copy running. If there is already a copy running (i.e. the machine was infected multiple times) the program closes itself. It then checks for a specific registry key. If the key is not there it creates the key and exits, waiting until the next reboot to run again. If it finds the key, it goes about collecting information from your computer, such as version information and command-and-control IP addresses. It then attempts to contact one of a number of addresses. Most of the addresses are believed to be decoys, so that it's not clear to anyone watching which address it really wants to contact. It picks the addresses at random, but since it's going to run each time you reboot, sooner or later it will pick the real address and contact its 'home' server.

Once it contacts the home server it uploads all the information it stored when it was nosing around earlier. Then it downloads a program from the server. At the time I'm writing we don't know what the program it will download does, because no one has been able to find the correct server for the download. You can bet your bottom dollar that it won't be nice, though! Possibilities include software that uses your computer to send out porn or spam, key-logging software that attempts to ascertain your credit card details, or even software that causes your computer to participate in distributed denial of service attacks. Computers infected in these ways are known as 'zombie' computers.

Whatever the program is, it's your computer that's being used to carry out activities that are essentially illegal, and for which you might end up taking the rap. These programs are like vile, malignant, cancerous growths crawling through your computer, stealing your information, using your computer to commit crimes and blackening your good name. Don't let them. You can beat them.
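Both stages also leave a footprint on the network, which is where the NANOG operators first noticed Baba: the worm stage tries to send mail directly to the hotmail.com servers, and the trojan stage picks one address from its pool on each reboot, so over several days a single infected host works its way through the decoys and the real server alike. The script below is an added example, not from the article or from any vendor; it runs two simple heuristics over a constructed firewall log (the log format, the 10.0.0.0/8 internal range, the assumed mail relay at 10.0.0.5, the dates and all external addresses are made up): internal hosts other than the relay speaking SMTP to the internet, and hosts that cycle through several distinct external addresses on one port across several days. The threshold of three is an assumption to tune to your own traffic.

```python
"""Network-side checks for the two outbound behaviours the article describes.

Added example, not from the article. The log format and every address below
are constructed; adapt the parser to your own firewall or proxy export.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log. Internal hosts are 10.0.0.0/8; 10.0.0.5 is the
# assumed mail relay, the only host expected to speak SMTP to the outside.
SAMPLE_LOG = """\
2024-03-04T08:02:11 src=10.0.0.15 dst=203.0.113.20 dport=25 action=allow
2024-03-04T08:02:12 src=10.0.0.5 dst=203.0.113.20 dport=25 action=allow
2024-03-04T08:03:40 src=10.0.0.15 dst=198.51.100.7 dport=8080 action=allow
2024-03-05T07:58:02 src=10.0.0.15 dst=198.51.100.9 dport=8080 action=allow
2024-03-06T08:01:55 src=10.0.0.15 dst=198.51.100.11 dport=8080 action=allow
2024-03-06T08:01:56 src=10.0.0.15 dst=198.51.100.7 dport=8080 action=allow
2024-03-06T09:10:00 src=10.0.0.22 dst=198.51.100.7 dport=443 action=allow
2024-03-06T09:10:05 src=10.0.0.22 dst=10.0.0.5 dport=25 action=allow
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
MAIL_RELAY = ipaddress.ip_address("10.0.0.5")   # assumed outbound mail relay

_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each allowed connection."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m or m.group("action") != "allow":
            continue
        yield (m.group("ts"), ipaddress.ip_address(m.group("src")),
               ipaddress.ip_address(m.group("dst")), int(m.group("dport")))


def rogue_smtp_senders(text):
    """Internal hosts, other than the relay, sending SMTP straight to the internet.

    A mass-mailer that delivers through the hotmail.com servers itself, as the
    article describes, shows up here; ordinary workstations never need port 25
    to an external address."""
    hits = set()
    for _, src, dst, dport in parse_log(text):
        if dport == 25 and src in INTERNAL and dst not in INTERNAL and src != MAIL_RELAY:
            hits.add(str(src))
    return sorted(hits)


def rotating_contacts(text, min_destinations=3):
    """Internal hosts that, on one port, reached at least min_destinations
    distinct external addresses across at least that many distinct days.

    The trojan stage picks one address from its pool per reboot, so a single
    host slowly cycles through decoys and the real server; the threshold is
    an assumed value, not something the article states."""
    seen = defaultdict(set)  # (src, dport) -> {(day, dst)}
    for ts, src, dst, dport in parse_log(text):
        if src in INTERNAL and dst not in INTERNAL:
            seen[(str(src), dport)].add((ts[:10], str(dst)))
    out = []
    for (src, dport), pairs in seen.items():
        dests = {d for _, d in pairs}
        days = {day for day, _ in pairs}
        if len(dests) >= min_destinations and len(days) >= min_destinations:
            out.append((src, dport, sorted(dests)))
    return sorted(out)


if __name__ == "__main__":
    print("direct SMTP from non-relay hosts:", rogue_smtp_senders(SAMPLE_LOG))
    for src, dport, dests in rotating_contacts(SAMPLE_LOG):
        print(f"{src} cycled through {len(dests)} external hosts on port {dport}: {dests}")
```

The first check is the high-confidence one and is worth turning into a standing rule: block port 25 outbound from anything but the relay and alert on the attempts. The second is only a lead; a host that hits three external addresses on one port over three days may be doing nothing worse than browsing, so treat its output as a list of machines to look at with the host checks, not as a verdict.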
You can stop them even getting started if you keep up-to-date anti-virus software running on your computer. They can only thrive on ignorance and denial of what is going on. Don't fall into the trap of saying, 'It can't happen to me.' It can, but only if you don't take care of your computer.

http://www.lurhq.com/baba.html