win_dasher

First of all, huge thanks to tebodell for lots of contributions on this one.

So my first impressions of Dasher are that it's a poorly designed worm.

- The MSDTC exploit is not reliable, which is strike one.
A lot of vulnerable hosts won't actually be exploited by this worm.

- The next thing is that the address randomization in the scanner sucks.
My sample began immediately and loudly scanning reserved IP
addresses, wasting lots of time and basically achieving nothing.

- The worm is loud on your system: it creates a bunch of
obviously nefarious files in an all too obvious location and does
nothing to hide them. (sqlscan.exe? windows/system32/wins ??)

- Just glancing through the disassembly I suspect the worm itself
might have a vulnerability. (overflow, more on this later).

- On the plus side, it used a packer I couldn't unpack (yet). This
isn't saying much, however, as I am not proficient at unpacking;
I just went right around it dynamically. (thanks LordPE!)

There will be a lot more analysis posted up here as soon as it's
completed.

Threat: W32.Dasher.D
File: C:\malware\dasher\vscan\1.exe
Date found: Tuesday, December 20, 2005 10:06:42 PM
info: 35484 Dec 17 19:56 1.exe

md5sum: 988032f831a49f3cf4ebba1c8d69b1b0
sha1sum: 150a5f175ef656e75eb741bacd60ad7acca07fc9
sha256sum: 43686af27570d2f7a7a480d0f51cc1fd95fe57fd055c7495ff0b950ba8022a71

packer: Scanning -> C:\malware\dasher\1.exe
File Type : Exe, Size : 35484 (08A9Ch) Bytes
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.953 Seconds

Files added:

C:\WINDOWS\system32\wins\Result.txt 1KB A 12/20/2005 9:52:52 PM
C:\WINDOWS\system32\wins\SqlExp.exe 9KB A 12/20/2005 9:52:52 PM
C:\WINDOWS\system32\wins\SqlExp1.exe 5KB A 12/20/2005 9:52:52 PM
C:\WINDOWS\system32\wins\SqlExp2.exe 8KB A 12/20/2005 9:52:52 PM
C:\WINDOWS\system32\wins\SqlExp3.exe 17KB A 12/20/2005 9:52:52 PM
C:\WINDOWS\system32\wins\SqlScan.exe 8KB A 12/20/2005 9:52:52 PM
C:\WINDOWS\system32\wins\Sqltob.exe 10KB A 12/20/2005 9:52:52 PM

3182 9:52:52 PM 1.exe:816 CREATE C:\WINDOWS\System32\wins\Sqltob.exe SUCCESS Options: OverwriteIf Access: All
3188 9:52:52 PM 1.exe:816 CREATE C:\WINDOWS\System32\wins\SqlScan.exe SUCCESS Options: OverwriteIf Access: All
3194 9:52:52 PM 1.exe:816 CREATE C:\WINDOWS\System32\wins\SqlExp.exe SUCCESS Options: OverwriteIf Access: All
3200 9:52:52 PM 1.exe:816 CREATE C:\WINDOWS\System32\wins\SqlExp1.exe SUCCESS Options: OverwriteIf Access: All
3206 9:52:52 PM 1.exe:816 CREATE C:\WINDOWS\System32\wins\SqlExp2.exe SUCCESS Options: OverwriteIf Access: All
3212 9:52:52 PM 1.exe:816 CREATE C:\WINDOWS\System32\wins\SqlExp3.exe SUCCESS Options: OverwriteIf Access: All

SqlScan.exe does some writing to Result.txt, but I couldn't find where that file actually gets created.

3930 9:56:19 PM SqlScan.exe:392 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 0 Length: 81
3934 9:56:19 PM SqlScan.exe:392 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 81 Length: 41
3938 9:56:19 PM SqlScan.exe:392 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 122 Length: 62
3949 9:57:28 PM SqlScan.exe:392 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 184 Length: 71
3953 9:57:28 PM SqlScan.exe:392 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 255 Length: 83
4125 9:58:10 PM SqlScan.exe:184 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 0 Length: 81
4129 9:58:10 PM SqlScan.exe:184 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 81 Length: 41
4133 9:58:10 PM SqlScan.exe:184 WRITE C:\WINDOWS\system32\wins\Result.txt SUCCESS Offset: 122 Length: 62

Network:

TCP connections with SRC port 6000 and DST port 1025 across
99.94.0.0/24, which is a reserved address range. So basically this
worm scans very rapidly and linearly through a pseudo-randomly chosen
subnet, which can even be a semi-invalid IP range.

This might be a bug in the scanner's randomization algorithm.

0000 00 06 25 62 de 56 00 0c 29 7e 41 d5 08 00 45 00 ..%b.V..)~A...E.
0010 00 28 01 00 00 00 78 06 2e 92 c0 a8 01 66 63 63 .(....x......fcc
0020 ed cc 17 70 00 2a 14 9a 00 00 00 00 00 00 50 02 ...p.*........P.
0030 40 00 30 70 00 00 @.0p..
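As an added example (not part of the original post), here is a small Python decoder for the dump above: it rebuilds the raw bytes from the offset / hex / ASCII layout, verifies the IPv4 header checksum, and reports the addresses, ports and TCP flags the captured bytes actually encode. PAGE_DUMP is the capture copied verbatim from this page; the decoder itself is my own code and assumes a plain Ethernet II frame carrying IPv4 over TCP.

```python
"""Decode the Ethernet / IPv4 / TCP headers from a hex dump laid out like the one above."""
import ipaddress
import re
import struct
from typing import Dict, List

# The capture shown on the page, copied verbatim: offset, up to 16 hex bytes, ASCII column.
PAGE_DUMP = """\
0000 00 06 25 62 de 56 00 0c 29 7e 41 d5 08 00 45 00 ..%b.V..)~A...E.
0010 00 28 01 00 00 00 78 06 2e 92 c0 a8 01 66 63 63 .(....x......fcc
0020 ed cc 17 70 00 2a 14 9a 00 00 00 00 00 00 50 02 ...p.*........P.
0030 40 00 30 70 00 00 @.0p..
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def dump_to_bytes(dump: str) -> bytes:
    """Turn an 'offset  hex bytes  ascii' dump into raw bytes, dropping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # The offset column doubles as a sanity check that no line was lost or reordered.
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset {tokens[0]} does not match {len(out)} bytes decoded so far")
        # At most 16 data bytes per line; the first non-hex token is the ASCII column.
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_flag_names(flag_bits: int) -> List[str]:
    """Expand the 9 TCP flag bits into their names, lowest bit (FIN) first."""
    return [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]


def parse_ethernet_ipv4_tcp(frame: bytes) -> Dict[str, object]:
    """Parse the fixed-size headers; raises on anything that is not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    _eth_dst, _eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL")
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    tcp = ip[ihl:]
    (sport, dport, seq, ack, off_flags,
     window, _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "ip_total_length": total_len,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "flags": tcp_flag_names(off_flags & 0x01FF),
        "window": window,
    }


if __name__ == "__main__":
    decoded = parse_ethernet_ipv4_tcp(dump_to_bytes(PAGE_DUMP))
    for key, value in decoded.items():
        print(f"{key:18} {value}")
```

The offset check matters more than it looks: dumps pasted into posts often lose or duplicate a line, and a decoder that silently concatenates the rest will produce plausible-looking but wrong addresses and ports.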

more graphs

disassembly analysis

so the sqlscan.exe file has a function called aTcpPortScanner.

Start() calls sub_40124C.

snip . . . .

.text:00401255 loc_401255: ; CODE XREF: sub_40124C+11j
.text:00401255 dec ecx
.text:00401256 mov [esp+ecx*4+4+var_4], 0FFFA5A5Ah
.text:0040125D jnz short loc_401255
.text:0040125F push esi
.text:00401260 push edi
.text:00401261 push offset aTcpPortScanner ; "TCP Port Scanner V1.1 By WinEggDrop\n\n"
.text:00401266 call sub_404600

snip . . .

This port scanner by WinEggDrop seems to be a Chinese port scanning tool aimed specifically at MSSQL-related stuff.
I was able to find it at http://3800cc.com/Soft/smgj/9845.html and Symantec classifies it as a hacktool.

C:\Documents and Settings\167648\Desktop>s.exe --help
TCP Port Scanner V1.1 By WinEggDrop

Usage: s.exe TCP/SYN StartIP [EndIP] Ports [Threads] [/Banner] [/Save]
Example: s.exe TCP 12.12.12.12 12.12.12.254 80 512
Example: s.exe TCP 12.12.12.12 1-65535 512
Example: s.exe TCP 12.12.12.12 12.12.12.254 21,3389,5631 512
Example: s.exe TCP 12.12.12.12 21,3389,5631 512
Example: s.exe SYN 12.12.12.12 12.12.12.254 80
Example: s.exe SYN 12.12.12.12 1-65535
Example: s.exe SYN 12.12.12.12 12.12.12.254 21,80,3389
Example: s.exe SYN 12.12.12.12 21,80,3389

So that coincides well with the strings in that binary.

Reverse

#define _WIN32_WINNT 0x0501
#include <stdio.h>
#include <windows.h>

/* Reconstructed from the disassembly. Handle() and cs are used by main() but
   their definitions were not reversed, so they are only declared here. */
static CRITICAL_SECTION cs;
BOOL WINAPI Handle(DWORD dwCtrlType);    /* console control handler, body not shown */

void Usage(char *szParam)
{
    printf("Usage: %s TCP/SYN StartIP [EndIP] Ports [Threads] [/Banner] [/Save]\n", szParam);
    printf("Example: %s TCP 12.12.12.12 12.12.12.254 80 512\n", szParam);
    printf("Example: %s TCP 12.12.12.12 1-65535 512\n", szParam);
    printf("Example: %s TCP 12.12.12.12 12.12.12.254 21,3389,5631 512\n", szParam);
    printf("Example: %s TCP 12.12.12.12 21,3389,5631 512\n", szParam);
    printf("Example: %s SYN 12.12.12.12 12.12.12.254 80\n", szParam);
    printf("Example: %s SYN 12.12.12.12 1-65535\n", szParam);
    printf("Example: %s SYN 12.12.12.12 12.12.12.254 21,80,3389\n", szParam);
    printf("Example: %s SYN 12.12.12.12 21,80,3389\n", szParam);
    return;
}

int main(int argc, char **argv)
{
    int ebp4;    /* local at [ebp-4]; its use was not reversed yet */

    printf("TCP Port Scanner V1.1 By WinEggDrop\n\n");
    /* 3 to 7 arguments after the program name, matching the usage line */
    if (argc == 4 || argc == 5 || argc == 6 || argc == 7 || argc == 8)
    {
        if (!SetConsoleCtrlHandler(Handle, TRUE))
        {
            printf("Could Not Set Up Control Handler\n");
            return 0;
        }
        if (!InitializeCriticalSectionAndSpinCount(&cs, 0x80000400))
        {
            /* ..... the rest of main() was not reversed at the time of writing */
        }
    }
    return 0;
}

TCP connections with SRC

This should be picked up by existing bogus-address rules in Snort, but I'm not sure if anything will pick up 99.94.0.0/24. I'll have to check that out. Aside from that the rest is pretty obvious. I'll try to crank something out tonight.
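The Network section above describes the two things a defender can key on: a fixed source port sweeping a /24 in address order, and destinations that fall in reserved space. The following Python checker is an added example (not from the post, and not a Snort rule) that scores both signals over connection records. The record format and the SAMPLE_LOG lines are constructed for illustration, and BOGONS_ILLUSTRATIVE is a hand-picked list that includes 99.94.0.0/24 only because the post reports it as reserved at the time; bogon lists change as address space is allocated, so a real deployment should load a current feed instead.

```python
"""Flag linear SYN sweeps and hits on reserved ("bogon") address space in connection records."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Illustrative bogon list only: 99.94.0.0/24 is here because the post reports it reserved in
# Dec 2005. Bogon lists change as space is allocated; load a current one in practice.
BOGONS_ILLUSTRATIVE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "99.94.0.0/24", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'HH:MM:SS TCP src:port -> dst:port FLAGS'."""
    ts, _proto, src, arrow, dst, _flags = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    sip, sp = src.rsplit(":", 1)
    dip, dp = dst.rsplit(":", 1)
    return Flow(ts, sip, int(sp), dip, int(dp))


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS_ILLUSTRATIVE)


def detect_sweeps(flows: List[Flow], min_targets: int = 8) -> Dict[str, dict]:
    """Group SYNs by (source, source port, destination port) and score each group.

    A group is a sweep when one source hits at least min_targets distinct hosts on one port.
    'linear' means the targets arrived in strictly ascending, consecutive address order,
    which is what a scanner walking a /24 from .1 upward looks like on the wire.
    """
    groups: Dict[tuple, List[int]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.sport, f.dport)].append(int(ipaddress.ip_address(f.dst)))

    findings = {}
    for (src, sport, dport), dsts in groups.items():
        targets = sorted(set(dsts))
        if len(targets) < min_targets:
            continue
        nets = {str(ipaddress.ip_network(f"{ipaddress.ip_address(d)}/24", strict=False))
                for d in targets}
        findings[f"{src}:{sport}->{dport}"] = {
            "targets": len(targets),
            "subnets": sorted(nets),
            "linear": all(b - a == 1 for a, b in zip(dsts, dsts[1:])),
            "bogon_targets": sum(is_bogon(str(ipaddress.ip_address(d))) for d in targets),
        }
    return findings


# Constructed records modelled on the behaviour described in the post (not a real capture):
# one host sweeping the reserved /24 from a fixed source port, one host sweeping an in-use
# internal /24 the same way, and ordinary client traffic that must not be flagged.
SAMPLE_LOG = [f"21:58:{i:02d} TCP 192.168.1.102:6000 -> 99.94.0.{i + 1}:1025 SYN" for i in range(12)]
SAMPLE_LOG += [f"21:59:{i:02d} TCP 192.168.1.77:6000 -> 172.16.5.{i + 1}:1025 SYN" for i in range(10)]
SAMPLE_LOG += [
    "21:59:30 TCP 192.168.1.50:1044 -> 10.0.0.5:445 SYN",
    "21:59:31 TCP 192.168.1.50:1045 -> 10.0.0.9:445 SYN",
    "21:59:32 TCP 192.168.1.50:1046 -> 10.0.0.5:80 SYN",
]


def run_sample() -> Dict[str, dict]:
    return detect_sweeps([parse_flow(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for key, info in run_sample().items():
        print(key, info)
```

Keeping the two signals separate is deliberate: the second sweep in the sample hits no bogon space at all, so a detector that only fires on reserved destinations (the Snort rule discussed above) would miss it, while the fixed source port plus the consecutive target order still gives it away.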

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior