I. BACKGROUND:
We have been receiving a few scattered cases of outbreaks from a file labeled snkb00ptz.exe or snkb0ptz.exe, but it seems to be on the rise.
It's normally considered poor troubleshooting to use the file name for any type of identification of a threat, but recent examples have made this practical. Even though these files were detected as many different threat names and families (Trojan.gen, w32.IRCBot.NG, Downloader, etc), the cases all reported the same behavior and symptoms.
After some additional investigation, Symantec Security Response has broken out detection for W32.Inabot. That's short for the Insomnia IRC bot. More information is available from the makers of this threat in their manual, here: http://pastebin.com/dvpu8Zwb
For those of you familiar with W32.Changeup, much of this threat's behavior should seem familar.
II. THREAT DETAILS: Note this section is being updated with new information as we find it. (BN)
- Creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM KEY]" =
"%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe"
- Gathers information from the compromised computer and sends it to the remote attacker.
- Perform the following actions:
- Spread itself through removable drives
- Spread itself through network shares
- Download and execute other malicious files
- Perform distributed-denial-of-service (DDoS) attacks through UDP or TCP flooding
Known Aliases:
- Win32/Dorkbot.AM [Microsoft]
How it spreads: Note this section is being updated with new information as we find it. (BN)
- W32.Inabot uses AutoPlay (autorun.inf) files to launch remotely.
- W32.Inabot copies itself to open shares, hides legitimate folders, and then imitates folders in the share.
- W32.Inabot current iteration does not appear to be also using vulnerabilities to spread.
Common file names:
- snkb00ptz.exe
- snkb0ptz.exe
Communication for the current w32.Inabot campaign:
- e.eastmoon.pl
- gigasbh.org
- gigasphere.su
- h.opennews.su
- o.dailyradio.su
- photobeat.su
- s.richlab.pl
- uranus.kei.su
- xixbh.com
- xixbh.net
Symantec Endpoint Protection:
Antivirus Signatures
Intrusion Prevention System
- TBD
Applying the 5 Steps of Virus Troubleshooting to a W32.Inabot OutbreakAKA
Inabot Battle Plan
Step 1. Identify the threat
- See above, but don't guess. Submit the files if you're not sure.
Step 2. Identify infected machines:
- Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
- The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
- Traffic on the ports or to known W32.Inabot domains is a good indicator of a potentially infected machine. See W32.Inabot
- Protecting and managing fileservers is often the key to solving any outbreak scenario. - unprotected NAS devices are at risk!
Step 3. Quarantine the infected/unprotected/under protected machines:
- Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
- Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.
Step 4. Clean the infected machines:
- Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
- Don’t forget file servers. This bears repeating.
- Folders may have to be manually renamed or unhidden
- These changes cannot be done as part of the automatic repair routine of Endpoint, as many users have intentionally hidden folders or disabled automatic Windows Update.
Step 5. Prevent future outbreaks:
- AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
- An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in their tracks.
- Remove write-access on shares from users not needing this level of access.
- Maintain a strict patching regimen. Inabot and threats like it often add new capabilities in response to new vulnerabilities.
- Infected customers should block the Command and Control (C&C) servers or they quickly will become re-infected with new variants.
- Upgrade to SEP 12.1 with SONAR and Download Insight