TNL.net

New Virus Evolves


A new worm called Hybris has been spreading across computers in Europe, the United States and South America.

While it currently carries a non-destructive payload, some anti-virus developers are worried that its plug-in architecture could turn it into a much more dangerous virus, opening backdoors in computer systems and escalating the war between virus makers and anti-virus developers.

First discovered in South America by Kaspersky Labs, a Russian anti-virus developer, the worm has spread through email to Europe and the United States at an increasing pace.

“Hybris is one of the more common viruses we’re seeing right now,” said Brian Kinj, a member of the technical staff at the CERT Coordination Center.

Because it carries a non-destructive payload, the anti-virus community has been split over the threat level the virus represents. In the United States, the Joint Task Force Computer Network Defense, a division of the US Department of Defense, has upgraded the virus to high-risk status. Meanwhile, European virus tracker Peter Kruse, of virus112.com, has announced on Usenet that his company was upgrading the virus to medium-risk status, due to the recent spread of the virus in Europe.

Companies like Symantec and Sophos, however, have given the virus a low-risk status since it is carrying a non-destructive payload. McAfee, on the other hand, has upgraded the virus to medium-risk status based on “its prevalence and commonality.”

In its original version, the virus was spreading as an email attachment, but recent reports indicate that it can also propagate using ICQ, an instant messaging platform used by over 30 million people. It infects WSOCK32.DLL so it can control the internet connection and intercept email addresses in incoming messages, using a method similar to that of the MTX virus. Once it has obtained an address, the virus automatically sends itself to the next computer.

The virus can also modify the winsock DLL even when the file is write-protected. In that case it makes a copy of wsock32.dll, infects the copy, and then writes the name of the infected copy into WININIT.INI, so that wsock32.dll is replaced with the infected version the next time the system is rebooted. The virus also makes a copy of itself under a random name and creates an entry in the RunOnce Windows registry key, ensuring that it can recopy itself if erased.
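The WININIT.INI trick above is a persistence mechanism a defender can check for directly. The following Python is added here as an illustration, not code from the article or any vendor: it parses a constructed WININIT.INI and flags [rename] entries that would overwrite wsock32.dll at the next boot (the "destination=source" layout of that section is assumed from how Windows 9x processes the file).

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample of a WININIT.INI. On Windows 9x the [rename] section is a
# list of "destination=source" moves performed before the next boot completes;
# a destination of NUL deletes the source file. This layout is an assumption.
SAMPLE_WININIT_INI = """[rename]
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.TMP
NUL=C:\\WINDOWS\\TEMP\\leftover.tmp
"""

# DLLs whose scheduled replacement is worth an alert. wsock32.dll is the one
# the article names; add others as local policy requires.
WATCHED_DLLS = {"wsock32.dll"}


def scheduled_dll_replacements(ini_text, watched=WATCHED_DLLS):
    """Return (destination, source) pairs from [rename] that overwrite a watched DLL."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                       strict=False)
    parser.optionxform = str            # keep the original case of the paths
    parser.read_string(ini_text)
    if not parser.has_section("rename"):
        return []
    hits = []
    for destination, source in parser.items("rename"):
        if PureWindowsPath(destination).name.lower() in watched:
            hits.append((destination, source))
    return hits


if __name__ == "__main__":
    for destination, source in scheduled_dll_replacements(SAMPLE_WININIT_INI):
        print(f"boot-time replacement scheduled: {source} -> {destination}")
```

On a live system the same function can be fed the contents of the real WININIT.INI from the Windows directory; a hit means a system DLL is queued to be swapped at the next reboot and deserves a look before rebooting.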

Its originality, however, lies in its plug-in architecture. Using this model, the virus can connect either to the alt.comp.virus Usenet newsgroup or to a series of web sites and download new updates, in a way similar to trojan horse programs. By upgrading this component the author is able to completely change the appearance of the worm in unpredictable ways, in an attempt to defeat the anti-virus products that detect it. Not only is the virus payload updatable, but the update methods themselves are also upgradeable components. To date, all the plug-ins included in the virus have used a very strong encryption algorithm.

One of the components of the virus searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive under the original filename.
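The archive-infection component described above leaves a recognizable trace: an archive member with a .EX$ extension sitting next to a .EXE of the same name. This added Python example (not code from the article or any vendor) builds a constructed ZIP showing that pattern and scans for it; it covers ZIP only, since reading RAR would need a third-party library.

```python
import io
import zipfile


def build_sample_archive(infected=True):
    """Constructed sample ZIP. With infected=True it mimics the trace Hybris leaves:
    SETUP.EXE was renamed to SETUP.EX$ and a new SETUP.EXE was added alongside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/README.TXT", "constructed sample archive")
        zf.writestr("tools/HELPER.EXE", b"MZ untouched program (constructed)")
        if infected:
            zf.writestr("tools/SETUP.EX$", b"MZ original program (constructed)")
            zf.writestr("tools/SETUP.EXE", b"MZ dropped copy (constructed)")
    return buf.getvalue()


def find_swapped_executables(zip_bytes):
    """Return the .EXE members that have a sibling .EX$ with the same base name.

    Matching is case-insensitive on the path and extension, because the original
    file may have been stored as .exe and renamed to .EX$ by the worm."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    exe_by_base = {}
    renamed_bases = set()
    for name in names:
        base, dot, ext = name.rpartition(".")
        if not dot:
            continue
        ext = ext.lower()
        if ext == "exe":
            exe_by_base[base.lower()] = name
        elif ext == "ex$":
            renamed_bases.add(base.lower())
    return sorted(exe_by_base[b] for b in exe_by_base.keys() & renamed_bases)


if __name__ == "__main__":
    for member in find_swapped_executables(build_sample_archive()):
        print(f"possible Hybris archive infection: {member}")
```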

Another component takes the infected files on your system and uploads them to the alt.comp.virus newsgroup. That component also grabs email addresses from the newsgroups the user is subscribed to and sends itself to those addresses. Over the past few weeks, this seems to have increasingly become the way the virus propagates.

The only existing danger is a payload component which, on the 24th of September of any year, or at one minute to the hour on any day in the year 2001, displays a large animated spiral in the middle of the screen that is difficult to close. Because most of the plug-ins are non-destructive, anti-virus companies see Hybris as a low- to medium-risk virus.

“Given its ability to become malicious, it’s up there, but there are more malicious viruses out there,” said Jeremy Pacquette, vulnerability analyst for securityfocus.com. “However, writing code like this is probably more challenging than writing code to stop it.”

“As medium risks go, this is on the higher end of the spectrum,” said Patrick Nolan, virus researcher for McAfee.

“It illustrates that virus writers are not lazy, that a few of them have taken it upon themselves to acquire certain skills in order to enhance the cat-and-mouse games they’re playing with virus software.”

Apart from the standard practice of updating your virus signature file on a daily or weekly basis, Pacquette also recommends that IT managers educate their users about “safe hex,” the practice of being careful about who you communicate with and not opening plug-ins coming from unfamiliar sources. Kinj added that system administrators should consider installing a centralized email filtering system to protect their users. Nolan adds that people who share their hard drive, whether through a cable modem, a DSL line or a direct connection to the Internet, should password-protect that share to ensure that it doesn’t get accessed by the virus writers.

Kaspersky warns that the replacement of certain components could turn it from harmless to hazardous. “What we have here is perhaps the most complex and refined malicious code in the history of virus writing,” said Eugene Kaspersky, head of Kaspersky Labs’ Anti-Virus Research Center, in a statement on the company’s site. “It is defined by an extremely complex style of programming, and all the plugins are encrypted with a very strong RSA 128-bit crypto-algorithm key. The components themselves give the virus writer the possibility to modify his creation ‘in real time,’ and in fact allow him to control infected computers worldwide.”

“Those plugins are possibly encrypted with a PGP key or similar scheme used by virus writers,” adds Nolan.

“The architecture of the plug-in approach is interesting, and it makes it achievable for a programmer to turn it into a dangerous virus,” said Pacquette. “New threats like this are going to promote changes in the work to fight viruses. These kinds of threats are an evolutionary pressure on AV technology.”

However, Kinj said that once a virus has been discovered and analyzed, those update sources are disabled, and that limits the impact of the virus. Nolan adds that the plug-ins can’t work without the base executable, and that we now know how to stop the base executable file.

On the other hand, the morphing nature of the virus could spawn several new versions. Already, older anti-virus software can’t recognize Hybris because it evades CRC checks. “When you’re dealing with something that changes, you can’t use CRC checks, but our algorithms go beyond that and can identify threats like Hybris based on other factors,” said Nolan.

According to warnings on the web sites of several anti-virus developers, the infected message reads:

Today, Snowhite was turning 18.

The 7 Dwarfs always where very educated and polite with
Snowhite. When they go out work at mornign, they promissed
a *huge* surprise.

Snowhite was anxious.

Suddlently, the door open, and the Seven Dwarfs enter…

and has been spotted as coming from the address hahaha@sexyfun.net. New variants are also sending emails with no subject and no user name but including attachments carrying Hybris.

The virus only attacks Windows-based systems, and most anti-virus packages have released a patch to their software to deal with it. Pami Katcho, spokesperson for Microsoft, said that Microsoft is not currently planning to release a fix, but that users should download the latest virus definitions from their AV vendor.

Sources in both the virus and anti-virus community have confirmed that the virus emerged from Brazil. “It’s a cousin of Babylonia, which was touted as the first of its kind in 1999, and it looks like it was written by the same author,” said Nolan.

As to whether Hybris is the beginning of a new trend, there is some disagreement. “It’s more a proof of concept than anything,” says Nolan. “It’s phase 2 of the existing technology and has the potential to really be something else. System administrators should not be overly concerned about it right now. I doubt there will be a phase 3 because the writer has proven his point.” But in virus-writing circles, Hybris is providing a roadmap. “This is a great tool to learn new ways to propagate a payload,” said a virus writer who prefers to remain unidentified. “New variants of this will come out and I think that within 6 months, Hybris and its kids could be the most widespread trojans making the rounds.”


1 Comment

  1. Seeing Red — October 15, 2008 at 10:43 am

    […] mutation. What is truly worrisome is that Code Red was not a very sophisticated virus. Others, like Hybris can update […]
