Stronger social engineering in e-mail worms with free
                        antivirus mail scanner circumvention


    Hi kids, it has been some time ago since I wrote an article, but well,
    I'm back finally. Lot of things happened: since a year or so I started
    to consider myself as retired; I mutated from an angry teenager that
    wanted to code evil things into a hard working student whose main goal
    is to get the best grades and make his profs happy. Yeah, my life sucks.
    But well, some days I miss my old hobby and jack into the Metaverse, talk
    with old friends and yes: sometimes I even write an article, like the one
    you are reading now. A small disclaimer: I wrote a bit about this concept
    already on some forum, so it isn't 100% new, but well, it might be fun.

    Enough stupid introduction stuff, let's get to the point: this time I de-
    cided to write something about worms. Some people still call themselves
    virus writers, but in my opinion this era is closed, looking at the wild
    list and other statistics. Worms dominate the malware landscape, and often
    many versions of a worm appear; av'ers even run out of characters to give
    them unique names. However, worms are becoming less successful: most people
    finally remember "not to click on the paperclip" and especially not if the
    "sender" is someone you know but starts mailing in a totally different
    language (assuming you aren't a native english speaker) about "100% pr0n
    check attachment" or other totally ridiculous "social engineering" messages.
    Besides the user-awereness, the fact that many coorporations and ISPs use a
    mail scanner is also a major worm suspressing factor.

    However, as I stated before, worms are still quite succesful, despite the
    fact that really nothing changed in their way of spreading: sending a copy
    of the body as attachment to as many people as possible together with some
    tempting text. Now, time for something different:

    Instead of mailing a copy as attachment, we only send a specially crafted
    HTTP URL that points to the box we are running from. In the meanwhile, we
    run on the box a little webserver, simply providing always our executable
    on all requests (why doing more than needed?).

    First the advantages (yeah, I want to convince you to code this) :

     - Stronger social engineering: it is something people are not used to
       distrust; people get often links mailed and "there is no paperclip";
     - AV e-mail scanners won't catch it; there is no attachment.

    And now the disadvantages (will be dealt with later) :

    Reliability problems:
      - the web server can go down;
      - the web server can be unconnectable due to network problems as routers
        and firewalls;
      - getting an outside accessible IP address can be hard inside a network;
      - the message body with the URL can be eliminated by spam filters.

    Regarding the web server: many people leave their boxes running all night
    long, and more and more people have a broadband always on connection. When
    we consider this statistically, we may assume that at least a few boxes we
    infect will stay up for a longer period, providing a safe web server.
    Besides that, the worm should also be able to have a list of web servers:
    when it passes a host and runs a server on it, it can add its IP to the
    list. When the worm lands on a next box (hop), it can check the lists and
    verify which of the servers are up. In addition, the worm might even linger
    on the host for some predefined period, and check the behaviour of the box
    and check in the meanwhile the other boxes too for reliability. Also, it
    can check the uptime of the box it landed on using GetTickCount(), if we
    are running already for 20 days why wouldn't we run for another few days?

    Combining all the information about host behaviour and behaviour of its
    preceding web servers as parameters, one can deduce an equation that can
    be used to select the most reliable server and advertise it in next e-mail
    messages. Even better: since a lot of malware incorporates all kinds of
    network facilities to set up a DDoS or spam boxes network, this network
    can also be used to communicate between instances of the worm and advertise
    reliable worm web servers. As a final addition we have some naturual
    selection too: worms that advertice an unreliable server will die, the
    right worms will survive. Darwin would have been proud of us.

    Regarding network problems: when we are behind a router, it can be hard
    to connect to the worm web server we are running. However, in more recent
    windows versions there is support for dynamic addition of NAT ports. Some
    games and other network alike programs add ports. Same applies for the
    firewall in SP2, which should be taken in account too. At the moment I
    can't recall the name of the API, I investigated it and all I remember was
    that it was COM based which resulted in messy C++ code. Well, just fire
    the exact keywords into google ;) Getting an outside IP can be tricky, but
    one can get the outside IP for example by calling back to another worm
    server, just some extra functionality you'll need to code.

    Now some social engineering: simply sending a line like:
    http://123.123.123.123/x.exe
    in a message doesn't really work I presume. A trick that has been used
    since ages to fool people is to abuse 1. the login:password@host formatting
    feature, 2. the other freaky notation of ip addresses which has a name that
    I can't remember at the moment but which looks simply like a number and 3.
    the usage of idiot long URLs which is something that people are used with.

    Putting these things together would look like this:

    http://username:password@hostname/file.exe

    the username and password can be anything, just put something there that
    people trust. People have some odd behaviour of trusting famous brands and
    even when there is completely no connection between the topic of the mail and
    the company, people trust it. Trust me :). So the username could contain
    something like microsoft.com/very/deep/url with some asp and session id
    alike bogus stuff that make people stop reading. The hostname can be the
    IP in freaky notation, that is just placing the octets of the IP in a dword
    and getting it as an 32 bit decimal number, which doesn't look like an IP
    at all, especially not for the average viewer and also when it is hidden
    very deep in your crafted nasty looking URL with all kind of codes.

    Now add some text, either abuse the trust of people in famous brands as
    written above, or abuse their curiousity, like:

    ---
    Someone sent you an interactive love e-card! You can view it on:

    http://ecards-r-us.com:ecards.php.424DAS@#23123AD12313andaverylongstringwithallkindofinformationthatdiscouragespeopletoreadit@123123123/123123.exe

    ---

    Besides that, you can abuse the special character in %HEX notation to
    obscure the url even more. Just use your imagnation. And besides that, you
    can use HTML formatting in your mail, making the link actually point to a
    different location than you promise. Wouldn't you click on that link? I
    would, for sure. Until I'd have seen that I was about to download an
    .exe file, but "what the hack?", says average joe, "it is from ecards-r-us!"

    Ofcourse you can use many different ways to build up the text in the
    message, in order to confuse scanners. And preferable use a standard ecard
    company text too, it will look authentic.

    Conclusion

    Enough spoken, go code it! I'm curious if it works, what the weak points
    are and how it can be improved learning from results in the wild. I'd
    rather have implemented this concept myself, but well, as I said, I don't
    code malware anymore. Many thanks to malfunction for checking this crappy
    article before submitting it.

    PS. oh my god! What have I done?! I wrote an article for RRLF, now my
    soul is eternally doomed and now I'm not allowed to join #virus anymore,
    as it applies to RRLF members :] hell, my life is wasted.


    If you have anything to tell me, don't hesitate to contact me.

    :lifewire / ikx -          lifewire$mail.ru            -  ikx.cjb.net: