Worm Posts on SNS Sites and Wipes out Rivals

W32.Wergimog is a worm that attempts to spread through removable drives and opens a back door. When I looked into its variants, I found an interesting sample, which I named W32.Wergimog.B. Both samples are based on the same source code, but the .B variant contains even more interesting functionality that I would like to detail here.
 

Injection into legitimate applications

W32.Wergimog.B injects itself into legitimate applications, such as Internet Explorer and Mozilla Firefox, as shown in Figure 1.
 

Figure 1. Threat injects itself into certain applications and then connects to the Internet
 

Once it confirms that the applications it has injected itself into have network connectivity, it performs the functions outlined below.
 

Posting on Social Networking Service (SNS) sites

If a user connects to any of the following SNS sites, the worm is capable of modifying a chat message, status update, or Tweet:

  • Facebook Chat
  • Facebook Wallpost
  • Hi5 Status Update
  • Hyves Status
  • Linkedin Status Update
  • Myspace Status Update
  • Omegle Chat
  • Tweet (Twitter)

Initially, the worm connects to the command-and-control (C&C) server to obtain the content that it posts to the SNS services. At present, we are unable to obtain these posts, but the posting command is called ‘spread’. It is likely, therefore, that the post contains a URL that points to a location where a user might download W32.Wergimog.B or some other malicious program.

This is not the first threat to attempt to spread through SNS sites. W32.Koobface, for example, also applied this approach. While there is an overlap in the sites that both of these worms use to spread, one distinction between the two is that, unlike the Koobface family, W32.Wergimog.B does not make its own connection to the SNS servers. Rather, it waits for the user to make a new post and then modifies that post.
 

Account stealing

Another function of the worm allows it to steal user account and password information if a compromised user logs in to any of the following sites:

  • fileserve.com
  • hackforums.net
  • hotfile.com
  • megaupload.com
  • thepiratebay.org
  • uploading.com

It is interesting to note that some of the above sites are file sharing services. It is possible, therefore, that the stolen account information may be used to spread the worm through these download sites, thereby allowing it to spread even further.
 

Attack on rival threats

An interesting feature of this worm is that it also injects itself into other threats, as shown in Figure 2.
 

Figure 2. Injects itself into rival threats
 

The worm contains lists of rival threat names and signatures to determine whether those threats exist on the same computer. The following threats are targeted:

  • DarkComet
  • IRCBot
  • Metus
  • RXBot
  • Warbot
  • xvisceral

The following image illustrates rival threat names and their corresponding signatures.
 

Figure 3. Threat names and corresponding signature “pairs”
 

After infection, the worm hooks network communication on the computer. It then attempts to identify the signatures in that traffic and end any rival threat processes it finds, as can be seen in the image below. This is very similar to how IPS software operates.
 

Figure 4. Wergimog.B kills processes of any rival threats that it finds
 

The targeted threats are very prevalent, so it may be that the W32.Wergimog.B author wants to avoid being removed along with them, since the increase in malicious network communications caused by those threats can make a user aware that an infection exists.

Sometimes we see a function in a threat that attempts to end the operation of rival threats, but generally speaking such functionality is very simple, for example checking for a specific file path, process name, or registry entry. Conversely, the method employed by W32.Wergimog.B is very reliable, as the signatures are very specific and so it can be sure of stopping the rival threats.
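The signature-matching step described above, written from the defender's side as an added example (this is not the worm's code and not from the original post): an IPS-style pass over constructed outbound payloads that are attributed to the process that sent them. The threat names are the ones the post lists; the regexes, the process-name table and the sample traffic are constructed placeholders, not the real signature "pairs" of Figure 3. The example also contrasts the "very simple" process-name check with payload matching, which still catches a bot running under a renamed binary.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    """One observed outbound payload, attributed to the process that sent it."""
    pid: int
    process: str
    payload: bytes


# Name/signature pairs in the spirit of Figure 3. The patterns are constructed
# placeholders for this example, NOT the real signatures carried by the worm.
SIGNATURES = {
    "DarkComet": re.compile(rb"^IDTYPE\|"),
    "IRCBot": re.compile(rb"^NICK [A-Za-z0-9_\-]+\r\nUSER "),
    "Warbot": re.compile(rb"^POST /gate\.php\?id=[0-9a-f]+ HTTP/1\.[01]\r\n"),
}

# The kind of check the text calls "very simple": a table of default binary
# names (constructed). It is blind to a bot that has been renamed.
KNOWN_PROCESS_NAMES = {"darkcomet.exe": "DarkComet", "ircbot.exe": "IRCBot"}


def detect_by_process_name(flow: Flow) -> Optional[str]:
    """Name-only check: returns a threat only if the binary kept its default name."""
    return KNOWN_PROCESS_NAMES.get(flow.process.lower())


def detect_by_signature(flow: Flow) -> Optional[str]:
    """Return the first threat whose traffic signature matches the payload."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            return name
    return None


def scan(flows: List[Flow]) -> List[Tuple[int, str, str]]:
    """Signature-based pass over all flows; one (pid, process, threat) per hit.
    This is the IPS-style matching step. A host agent would act on the pid next."""
    hits = []
    for flow in flows:
        name = detect_by_signature(flow)
        if name is not None:
            hits.append((flow.pid, flow.process, name))
    return hits


# Constructed sample traffic. Note that the IRC bot runs under a renamed binary
# while the process that kept the name "ircbot.exe" sends nothing that matches.
SAMPLE_FLOWS = [
    Flow(1201, "svchost.exe", b"NICK x9k2\r\nUSER x9k2 0 * :x9k2\r\n"),
    Flow(1340, "iexplore.exe", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow(1502, "explorer.exe", b"IDTYPE|SERVER|" + b"A" * 8),
    Flow(1610, "ircbot.exe", b"PING :irc.example.net\r\n"),
]


if __name__ == "__main__":
    for pid, proc, threat in scan(SAMPLE_FLOWS):
        print(f"pid {pid} ({proc}) matched {threat}")
    print("name check on renamed bot:", detect_by_process_name(SAMPLE_FLOWS[0]))
```

The payload pass reports pids 1201 and 1502; the name table misses the renamed bot at pid 1201 and would wrongly flag pid 1610, which is the gap between the two approaches the paragraph describes.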

In addition, both the original W32.Wergimog and the .B variant have three types of denial-of-service (DoS) attack vectors: UDP flooding, SYN flooding, and ‘Slowloris’. A DoS tool called Slowloris was released in 2009 and had a big impact on servers. It targets Apache 1.x and 2.x and some other HTTP servers. It is a little old now but remains popular. W32.Wergimog variants use the same technique, but we do not know what the relationship is between the original tool and the W32.Wergimog variants.
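To make the failure mode Slowloris exploits concrete from the server's side, here is an added example (not part of the original post and not the tool's code): it replays constructed header fragments against a header-completion deadline, the same idea Apache's mod_reqtimeout applies. A connection that keeps a worker busy by sending one header line at a time and never the terminating blank line is dropped once its deadline passes. The `HEADER_TIMEOUT` value, the event format and the sample traffic are assumptions made for this example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Seconds a client may take to finish its request headers before the server
# gives up on the connection. Assumed value for this example.
HEADER_TIMEOUT = 20.0

# (connection id, seconds since the trace started, bytes received)
Event = Tuple[str, float, bytes]


def triage_connections(events: Iterable[Event], now: float,
                       timeout: float = HEADER_TIMEOUT) -> Tuple[List[str], List[str]]:
    """Replay received header fragments in time order.

    Returns (dropped, completed): connections whose headers were still
    incomplete `timeout` seconds after their first byte, and connections
    that delivered a complete header block (terminated by a blank line)."""
    first_seen: Dict[str, float] = {}
    buffers: Dict[str, bytes] = {}
    completed: Set[str] = set()
    dropped: Set[str] = set()

    for conn, t, chunk in sorted(events, key=lambda e: e[1]):
        if conn in completed or conn in dropped:
            continue
        first_seen.setdefault(conn, t)
        if t - first_seen[conn] > timeout:
            dropped.add(conn)          # a byte trickled in after the deadline
            continue
        buffers[conn] = buffers.get(conn, b"") + chunk
        if b"\r\n\r\n" in buffers[conn]:
            completed.add(conn)

    # A connection that simply went quiet still holds a worker: judge it at `now`.
    for conn, t0 in first_seen.items():
        if conn not in completed and conn not in dropped and now - t0 > timeout:
            dropped.add(conn)
    return sorted(dropped), sorted(completed)


def slowloris_like_events(conn: str, start: float, count: int,
                          interval: float = 10.0) -> List[Event]:
    """Constructed traffic in the Slowloris pattern: a request line and Host
    header, then one harmless-looking header every `interval` seconds, and
    never the blank line that would let the server finish parsing."""
    events: List[Event] = [(conn, start, b"GET / HTTP/1.1\r\nHost: victim.example\r\n")]
    for i in range(1, count + 1):
        events.append((conn, start + i * interval, f"X-a: {i}\r\n".encode()))
    return events


# Constructed sample: one ordinary browser request and two slow connections.
SAMPLE_EVENTS: List[Event] = [
    ("browser-1", 0.0, b"GET /index.html HTTP/1.1\r\n"),
    ("browser-1", 0.2, b"Host: victim.example\r\n\r\n"),
] + slowloris_like_events("slow-1", 0.0, 12) + slowloris_like_events("slow-2", 5.0, 3)


if __name__ == "__main__":
    dropped, completed = triage_connections(SAMPLE_EVENTS, now=130.0)
    print("completed:", completed)
    print("dropped:", dropped)
```

Without the deadline every slow connection stays in `buffers` indefinitely, which is exactly the worker exhaustion the attack relies on; with it, the browser request completes in 0.2 s and both slow connections are dropped at their first fragment past the 20 s mark.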

These two variants started to appear between April and June 2011, and both have continued to be reported until April of this year. To avoid infection by the W32.Wergimog variants, keep your security products and OS updated. We are continuing to watch for developments of the W32.Wergimog worm.

12 Million Exploit Attacks Originating from the CO.CC Domain

Symantec’s telemetry has shown over 12 million Intrusion Prevention Signature (IPS) hits on subdomains of the ‘CO.CC’ domain in the last six months. Anyone somewhat familiar with the top-level domain-naming hierarchy might be led to believe that CO.CC is an official second-level domain similar to CO.UK; this, however, is not the case. .CC is the Internet country code top-level domain (ccTLD) for the Cocos (Keeling) Islands, an Australian territory. "CO.CC" is not an official hierarchy; it is a domain owned by a company that offers free subdomains and other services such as URL forwarding. The terms and conditions for use of the ‘CO.CC’ Web site can be found here.

The CO.CC domain itself is legitimate and has registered over eight million legitimate website URLs on its subdomains. However, wherever a free service exists, it is susceptible to being abused by malware distributors. A malware distributor can register several free subdomains and use the URL forwarding service to point them all to one domain hosting a crimeware exploit pack. This way an attacker can stage their attack through redirection and try to mask the final URL destination hosting the exploit pack. This in turn makes blacklisting of malicious URLs more difficult. In our analysis, we have seen numerous exploit packs such as Blackhole, Fragus, Phoenix, Crimepack, K0de, and Eleonore associated with CO.CC subdomains.
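The blacklisting difficulty described above has two parts: a blocklist keyed on "the last two labels" of a hostname collapses every free CO.CC subdomain to `co.cc` (which would block the eight million legitimate sites along with the abusive ones), and a list that only holds the URL the user clicked never sees the exploit-pack host at the end of the forwarding chain. The following is an added example, not Symantec's tooling and not from the original post: it treats `co.cc` as a public suffix so each free subdomain is its own registrable domain, and it checks every hop of a redirect chain against the blocklist. The suffix set, the forwarding table, the hostnames and the IP address are constructed for the example; whether a real public-suffix list carries `co.cc` is not something the post states, so its inclusion here is an assumption.

```python
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed subset of a public-suffix list. Listing "co.cc" here expresses
# the point of the text: everything under it belongs to unrelated registrants.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "cc", "co.uk", "co.cc"}


def naive_registrable(host: str) -> str:
    """The 'last two labels' rule, which is wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def registrable_domain(host: str, suffixes: Set[str] = PUBLIC_SUFFIXES) -> Optional[str]:
    """Registrable domain = longest matching public suffix plus one more label.
    Returns None if the host *is* a public suffix; IPv4 literals are returned as-is."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    for i in range(len(labels)):            # i == 0 is the longest candidate
        if ".".join(labels[i:]) in suffixes:
            return None if i == 0 else ".".join(labels[i - 1:])
    return host                              # unknown suffix: keep the whole host


# Constructed forwarding table standing in for the free URL-forwarding service:
# two disposable subdomains funnel into one exploit-pack host (a documentation IP).
FORWARDING: Dict[str, str] = {
    "http://promo1.co.cc/": "http://promo2.co.cc/go",
    "http://promo2.co.cc/go": "http://198.51.100.23/kit/index.php",
}


def resolve_chain(url: str, forwarding: Dict[str, str] = FORWARDING,
                  max_hops: int = 10) -> List[str]:
    """Follow forwarding offline, capped so a redirect loop cannot run forever."""
    chain = [url]
    while chain[-1] in forwarding and len(chain) <= max_hops:
        chain.append(forwarding[chain[-1]])
    return chain


def first_blocked_hop(url: str, blocklist: Set[str]) -> Optional[str]:
    """Check every hop of the redirect chain, not only the URL that was clicked."""
    for hop in resolve_chain(url):
        host = urlsplit(hop).hostname or ""
        if registrable_domain(host) in blocklist:
            return hop
    return None


# Constructed blocklist holding only the final exploit-pack host.
BLOCKLIST: Set[str] = {"198.51.100.23"}

if __name__ == "__main__":
    for host in ("promo1.co.cc", "www.bbc.co.uk", "legit-site.co.cc"):
        print(host, "->", naive_registrable(host), "vs", registrable_domain(host))
    print(first_blocked_hop("http://promo1.co.cc/", BLOCKLIST))
```

With the naive rule both `promo1.co.cc` and `legit-site.co.cc` map to `co.cc`, so a single entry blocks or allows them together; with the suffix-aware rule they are distinct, and a blocklist entry for the final host catches the click on `promo1.co.cc` even though neither CO.CC subdomain is listed.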


This may not sound very innovative to some readers, as in the past we have seen other free services, such as free dynamic DNS sites, being abused by malware distributors. Attacks such as Hydraq (Aurora) highlighted the use of dynamic DNS by attackers and have led numerous companies to block the use of dynamic DNS sites on their networks. Free services such as the one highlighted in this blog give attackers another avenue for performing their attacks.

In our research, we have also identified variants of the following threats communicating with CO.CC subdomains.

Threats seen using CO.CC subdomains

As always, Symantec recommends that you keep your definitions up to date to ensure protection against threats mentioned in this blog.