
⚡ ALLAPLE Win32 Worm ⚡: Turning a victim into an Accomplice of a crime 😈

☠☠ Allaple.A ☠☠

The Allaple worm family was discovered in late 2006. Allaple is polymorphic malware designed to spread over the local area network and the Internet.

After the worm's file is run, execution passes through the polymorphic decryptor and then reaches the static part of the code, which allocates a memory buffer and extracts the main worm code into it. Control is then passed directly to the extracted worm code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them.

The other thread scans for .HTM and .HTML files on all local hard disks and infects them by prepending a reference to the worm's CLSID.

 

👉 Infection:

The worm copies itself multiple times to a hard drive and also affects HTML files.

The worm's file is polymorphically encrypted, which means every copy of the worm is different. The only constant aspect of the worm's file is the size of its executable: 57856 bytes.

The worm creates a different CLSID for every copy of itself that it creates on the hard drive. The number of these copies can be quite large. The names of the worm's files are random. For example:

bzehxvnz.exe 
hwexrtne.exe 
jbnshhqj.exe 
jjlenkbt.exe 
tsbjbtvn.exe 
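The two host-side indicators described above (every dropped copy is exactly 57856 bytes with a random 8-letter name, and HTML files get a CLSID reference prepended) can be turned into a simple triage check. The script below is an added example written for this post, not code from the original write-up or from any AV vendor. It assumes the prepended reference is an HTML OBJECT tag carrying a CLASSID attribute (the page does not give the exact form), and the GUID in the constructed sample files is a placeholder, not the worm's real CLSID; the .exe samples are zero-filled dummies that only reproduce the size and name pattern.

```python
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the write-up above.
WORM_SIZE = 57856                                  # constant size of every polymorphic copy
RANDOM_EXE_NAME = re.compile(r"^[a-z]{8}\.exe$")   # bzehxvnz.exe, hwexrtne.exe, ...

# ASSUMPTION (not stated on the page): the prepended "reference to the worm's CLSID"
# is an HTML OBJECT tag whose CLASSID attribute names a CLSID. The GUID below is a
# constructed placeholder, not the worm's real CLSID.
PREPENDED_CLSID = re.compile(
    r"""^\s*<object\b[^>]*\bclassid\s*=\s*['"]?clsid:\{?[0-9a-f-]{36}\}?""",
    re.IGNORECASE,
)
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"


def html_has_prepended_clsid(head: str) -> bool:
    """True when an OBJECT/CLSID reference sits at the very start of the file.
    Only the head is inspected because the worm *prepends*; a legitimate
    OBJECT tag further down a page is not reported."""
    return PREPENDED_CLSID.match(head) is not None


def exe_matches_worm_profile(path: str) -> bool:
    """Random 8-letter lowercase name combined with the fixed 57856-byte size."""
    name = os.path.basename(path)
    return RANDOM_EXE_NAME.match(name) is not None and os.path.getsize(path) == WORM_SIZE


def triage(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and collect both kinds of indicator."""
    hits: Dict[str, List[str]] = {"infected_html": [], "suspect_exe": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            low = fn.lower()
            if low.endswith((".htm", ".html")):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if html_has_prepended_clsid(fh.read(512)):
                        hits["infected_html"].append(path)
            elif low.endswith(".exe") and exe_matches_worm_profile(path):
                hits["suspect_exe"].append(path)
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed sample files, not real malware: the .exe files are zero-filled
    dummies that only reproduce the size/name pattern."""
    web = os.path.join(root, "web")
    os.makedirs(web)
    clean = "<!DOCTYPE html>\n<html><body><p>hello</p></body></html>\n"
    with open(os.path.join(web, "clean.html"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    injected = ('<OBJECT type="application/x-oleobject" CLASSID="clsid:%s"></OBJECT>\n'
                % PLACEHOLDER_CLSID) + clean
    with open(os.path.join(web, "infected.html"), "w", encoding="utf-8") as fh:
        fh.write(injected)
    samples = {
        "bzehxvnz.exe": WORM_SIZE,   # random name + worm size -> flagged
        "setup.exe": WORM_SIZE,      # same size but ordinary name -> not flagged
        "abcdefgh.exe": 100,         # random-looking name, wrong size -> not flagged
    }
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * size)


def demo() -> Dict[str, List[str]]:
    """Run the triage over the constructed tree and return basenames of the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = triage(root)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in hits.items()}


if __name__ == "__main__":
    print(demo())
```

Running the script prints `{'infected_html': ['infected.html'], 'suspect_exe': ['bzehxvnz.exe']}`. The size and name pattern are deliberately combined: file size alone would flag every benign 57856-byte executable, and an 8-letter name alone would flag plenty of legitimate programs, so neither is a useful indicator by itself; a real investigation would confirm a hit by checking the CLSID registration the HTML reference points at.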


👉 TYPE:

        Net-Worm:W32/Allaple.A 
 

👉 Modus Operandi:

Besides the scanning thread (TCP ports 139 and 445) and the HTML-infecting thread described above, one of the remaining threads performs a DoS attack on three websites located in Estonia. The worm also tries to brute-force network share passwords by running a dictionary attack against them. The following TCP ports are used during the DoS attack:

22, 
80, 
97, 
443 

The following dictionary is used to brute-force the network share passwords:

00 
000 
0000 
00000 
000000 
0000000 
00000000 
1 
12 
123 
1234 
12345 
123456 
1234567 
12345678 
123456789 
abc123 access adm Admin alpha anon anonymous asdfgh backdoor backup beta bin coffee computer crew database debug default demo go guest hello install internet login mail manager money monitor network new newpass nick nobody nopass oracle pass passwd password poiuytre private public qwerty random real remote root ruler secret secure security server setup shadow shit sql super sys system telnet temp test test1 test2 visitor windows www X


👉 PLATFORM:

        WIN32 

👉 Key Points and Mitigation:

â˜ŁïžAliz worm is relatively easy to disinfect.â˜Łïž

💉 Depending on the settings of your AV (tested against Windows Defender), it will either move the file to quarantine, where it cannot spread or cause harm, or remove it. 🩺 💊 Companies can take steps to prevent infection, with software and AV updates being the most important.

 

Conclusion

Subscribe to receive notifications of similar posts 😋 where we will be reverse engineering malware and covering the technical aspects of vulnerabilities, how an attacker may use a vulnerability as an attack vector, and other Infosec stuff... 😋 Thank you for your time. Like and leave a comment/review and, as always, stay awesome! 😋👊 💪

