Sunday 16 October 2011

Week 6 - Playin' with Sasser.b

This week's class didn't consist of a lecture (yes!) but rather our prof just handed us the lab assignment and let us go off and get it done. The lab assignment was pretty simple - we just had to download and run a piece of malware (I chose Sasser.b) inside our XP VM and monitor its manipulation of the system.

First we had to boot up our virtual machine, download the virus onto the desktop, and disconnect all virtual NICs so our machines weren't able to spread the virus through the network.

Next we started up a program called ProcMon (Process Monitor, download here), which lets you monitor all changes to the file system and registry and watch network activity. This program gives us a better look at the virus and what it's doing.

Next we just ran the virus on the system by opening a file called "malware.exe", the executable containing the virus. As soon as we ran it we noticed the system become extremely slow and sluggish, sometimes non-responsive, and we started seeing a TON of activity in ProcMon related to malware.exe: files being created and changed, registry entries being created and changed, lots of reads and writes to the filesystem, threads being created all over the place, etc. It was very clear the virus had begun to infect the system. We also began getting Windows errors as early as 45 seconds after running the virus. Here's a screenshot:

This is what you see in ProcMon when you open the virus. You can see the original process being created and then the virus activity starts:

The ports that were open prior to running the virus:

Now after:

Sasser.b uses threads to scan random IP addresses. If a connection to TCP port 445 succeeds, the worm checks whether the system is vulnerable. If it is, Sasser opens a shell on TCP port 9996 and forces an FTP connection over TCP port 5554 to download the worm onto the vulnerable system. In the above screenshot you can see that TCP port 5554 is open and the worm is attempting to spread through the network.

Further examination of the registry shows a new key created by the virus which allows it to run each time Windows boots. The key is cleverly named "avserve2.exe" to make it look like an anti-virus program, but we obviously know it's not.
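To turn the two observations above (the new listening ports and the autorun key) into a repeatable check, here is a small script I've added for this write-up; it is not part of the original lab. It diffs a "before" and "after" netstat listing, flags the Sasser ports, counts half-open connections to remote port 445, and looks for the avserve2.exe value in a Run-key export. The netstat lines and the .reg export are constructed samples, not captures from the VM.

```python
import re

# Indicators named in the post: FTP server on TCP 5554, shell on TCP 9996,
# and a Run-key value called avserve2.exe.
SASSER_PORTS = {5554: "worm FTP server", 9996: "remote shell"}
SASSER_RUN_VALUE = "avserve2.exe"

# Constructed samples in the shape of 'netstat -an' output and a .reg export.
BEFORE = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
AFTER = BEFORE + """  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.56.10:1054     10.14.2.7:445          SYN_SENT
  TCP    192.168.56.10:1055     172.20.9.3:445         SYN_SENT
"""
RUN_KEY_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
"""

NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+(\w+)")
REG_VALUE = re.compile(r'^"([^"]+)"=')

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state."""
    return {int(m.group(1)) for m in map(NETSTAT_LINE.match, netstat_text.splitlines())
            if m and m.group(3) == "LISTENING"}

def outbound_445_syn_sent(netstat_text):
    """Half-open connections to remote port 445: the random-IP scanning described above."""
    return sum(1 for m in map(NETSTAT_LINE.match, netstat_text.splitlines())
               if m and m.group(2) == "445" and m.group(3) == "SYN_SENT")

def run_key_values(reg_export):
    """Value names listed under the Run key in a .reg export."""
    return [m.group(1) for m in map(REG_VALUE.match, reg_export.splitlines()) if m]

def sasser_indicators(before, after, reg_export):
    """Diff the port state and inspect the Run key; return all findings in one dict."""
    new_ports = sorted(listening_ports(after) - listening_ports(before))
    return {
        "new_listening_ports": new_ports,
        "sasser_ports": {p: SASSER_PORTS[p] for p in new_ports if p in SASSER_PORTS},
        "outbound_445_syn_sent": outbound_445_syn_sent(after),
        "autorun_present": SASSER_RUN_VALUE in run_key_values(reg_export),
    }

if __name__ == "__main__":
    for name, finding in sasser_indicators(BEFORE, AFTER, RUN_KEY_EXPORT).items():
        print(f"{name}: {finding}")
```

On a real VM you would paste the output of `netstat -an` taken before and after running the sample, and export the Run key with regedit, in place of the constructed strings.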

So that just about takes care of it for this week. I hope you've enjoyed my brief look into the Sasser.b worm and what it does. Please let me know if you have any questions. Thanks for reading!
