Malicious Code Alert

Bobax

 
Threat Type: IntelliShield: Malicious Code Alert
IntelliShield ID: 7670
Version: 18
First Published: 2004 May 17 17:07 GMT
Last Published: 2008 April 25 11:33 GMT
Port: 13789, 25, 443, 445, 447, 5000
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
 
Version Summary: The Kraken botnet has reportedly received an update and is using different command and control techniques.  McAfee has also released virus definitions to detect Spam-Mailbot.f, an alias of Backdoor.Spakrab.
 
Aliases/Variants

Variants include W32.Bobax.B (Symantec), W32.Bobax.C (Symantec), W32.Bobax.D (Symantec), W32.Bobax.N (Symantec).

Virus Name:

WORM_BOBAX.A (Aliases include Win32/Bobax.A (eSet), Bobax (F-Secure), TrojanProxy.Win32.Bobax.a (Kaspersky), Win32.Bobax.A (CA), W32/Bobax.worm.a (McAfee), Bobax.A (Panda), W32/Bobax-A (Sophos), W32.Bobax.A (Symantec), Trojan.Win32.Bobax.20480 (Hauri), Win32.Worm.Bobax.A/C (BitDefender) and W32.Bobax (Quick Heal).)

 

Description
 

WORM_BOBAX.A is a worm that acts as a proxy to allow a remote attacker to access an infected system.  The worm spreads by exploiting the Microsoft LSASS buffer overflow vulnerability reported in Microsoft bulletin MS04-011 and IntelliShield Alert 7535.

When executed, a .dll file is created in the \%Temp% folder.  This file contains the trojan component.  When the .dll file is run, the worm copies itself under a random file name to the \%System% folder and modifies the registry to ensure it runs each time Windows starts.  The worm then creates a mutex named 00:24:03:54A9D to ensure only one instance exists, and registers itself as a service to hide from the Windows Task Manager.

WORM_BOBAX.A scans random IP addresses for a connection.  If successful, a copy of the worm is downloaded to the target system by sending a packet over TCP port 445.  The packet causes the remote system to connect to an HTTP server and obtain a copy of the worm as svc.exe.  The svc.exe file is then saved and executed on the newly infected system.

The worm opens ports at random and listens for remote connections.  The ports act as an SMTP server, allowing an attacker to use the infected system as a mail server.

Virus definitions are available.


Impact
 

WORM_BOBAX.A exploits the LSASS vulnerability reported in MS04-011 to allow a remote attacker access to a system.  The worm also emulates an SMTP server and opens numerous ports to allow remote access.  The attacker could perform such actions as the following:

  • Update the trojan
  • Download and execute programs
  • Send the trojan to remote systems using the Microsoft LSASS vulnerability
  • Use the system as an SMTP server to mass-mail the worm
  • Obtain sensitive system information

Warning Indicators
 

The presence of the file svc.exe may indicate an infection.

Personal firewalls may display a warning message when WORM_BOBAX.A attempts to open a port.

Host intrusion detection/prevention system software may display a notification when the worm attempts to execute or make modifications to the system.


Technical Information
 

WORM_BOBAX.A adds the value %random string% = "\%System%\%random string%.exe" to the following registry key to ensure it runs each time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm exploits the LSASS vulnerability by sending packets over TCP port 445.
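As an added example (not part of the IntelliShield alert), a Python triage helper that parses a `reg export` dump of the Run key above and flags entries matching the two indicators the alert describes: an svc.exe autorun, and a %System% executable whose random file name doubles as the value name. The sample export, the directory aliases and the ctfmon allow-list entry are constructed assumptions, not data from the alert.

```python
import ntpath
import re

# Registry key from the alert; the directory aliases cover the literal
# %System% form and its usual expansions on Windows 2000/XP (assumed).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_DIRS = ("%system%", r"c:\windows\system32", r"c:\winnt\system32")
# Legitimate autoruns that also match the "value name == executable stem in
# %System%" pattern; a real baseline comes from a known-clean host of the same build.
KNOWN_GOOD = {"ctfmon"}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a `reg export` text dump.
    Only REG_SZ values ("name"="data") are handled, which is all the Run key holds."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            # .reg files escape backslashes and quotes with a backslash
            keys[current][name] = re.sub(r"\\(.)", r"\1", data.rstrip('"'))
    return keys

def _exe_path(data):
    """Strip quoting and arguments: '"c:\\a b\\x.exe" /q' -> 'c:\\a b\\x.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def flag_run_entries(text, known_good=KNOWN_GOOD):
    """Return (value_name, exe_path, reason) for Run entries matching the alert's
    indicators: an svc.exe autorun, or %System%\\<name>.exe registered under the
    value name <name> (the worm uses one random string for both)."""
    findings = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        path = _exe_path(data)
        directory, filename = ntpath.split(path)
        stem = filename.lower().rsplit(".", 1)[0]
        in_system = directory.lower().rstrip("\\") in SYSTEM_DIRS
        if filename.lower() == "svc.exe":
            findings.append((name, path, "svc.exe autorun"))
        elif in_system and name.lower() == stem and stem not in known_good:
            findings.append((name, path, "random-name %System% autorun"))
    return findings

# Constructed sample export (not from a real host): a benign system entry,
# a benign non-system entry, a worm-style entry, and an svc.exe launcher.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMan"="SOUNDMAN.EXE"
"xkqzpvw"="C:\\WINDOWS\\system32\\xkqzpvw.exe"
"Updater"="\"C:\\Program Files\\Updater\\svc.exe\" /silent"
'''

if __name__ == "__main__":
    for name, path, reason in flag_run_entries(SAMPLE_REG):
        print(f"{reason}: {name} -> {path}")
```

The name-equals-stem rule alone also matches legitimate entries such as ctfmon on XP, so compare results against a clean-host baseline rather than treating every hit as an infection.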


IntelliShield Analysis
 

Certain Bobax variants have exploited the LSASS vulnerability reported in Microsoft bulletin MS04-011 and IntelliShield alert 7535.  The worm also contains a mass-mailing component that sends a copy of itself to all e-mail addresses retrieved from the Windows Address Book and Windows Messenger contact list.  Other variants have communicated over HTTP, which is believed to be more difficult to detect than other forms of command-and-control traffic.

Backdoor.Spakrab is communicating over UDP port 447 and exchanging encoded data with the attacker using TCP ports 447 and 13798.  This variant is being used to build a massive network known as the Kraken botnet.  The term botnet refers to a collection of infected hosts that can be controlled for malicious purposes.  The term Kraken has also been used to describe the malicious code that infects the host.  Some antivirus vendors may refer to the malicious code that infects the host as Bobax, but others use the names Bobic, Oderoor, Cotmonger, Hacktool.Spammer, or the latest name Backdoor.Spakrab.  Once the worm infects a host system, that host is added to the botnet.  The attackers that are in control of the botnet can then use the infected systems to deliver spam advertisement messages.  Attackers may be able to use the botnet to conduct other malicious activities such as denial of service attacks.

The Kraken botnet has reportedly grown from approximately 20,000 infected hosts to over 400,000 infected hosts over the course of the last year.  The botnet is expected to continue to grow, and researchers have estimated that it could potentially infect over 600,000 unique hosts by May 2008.

Reports indicate that the Kraken botnet has issued an update to its infected hosts.  The update consists of a new command and control mechanism that may make the detection process more difficult.  Reports state that the trojan may also be communicating over random ports and using random packet payload lengths in the new command and control communication.  The trojan may also be using HTTP via TCP ports 80 and 443 to send and receive encrypted traffic.  The traffic on TCP port 443 is encrypted; however, it is not SSL traffic.
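As an added example (not part of the alert), a Python classifier that tags flow records against the network indicators the alert gives for Backdoor.Spakrab: traffic to UDP/TCP 447 and TCP 13798 (the alert header also lists 13789), and TCP 443 client payloads that do not begin with a TLS ClientHello record. The flow-log format and the sample flows are constructed for the example.

```python
TLS_HANDSHAKE = 0x16
TLS_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}   # SSL 3.0 through TLS 1.2 record versions
# Port indicators from the alert text (447 udp/tcp, 13798 tcp) plus the 13789
# value given in the alert header, since the page lists both.
C2_PORTS = {("udp", 447), ("tcp", 447), ("tcp", 13798), ("tcp", 13789)}

def looks_like_tls_client_hello(payload):
    """True if the first client->server bytes form a plausible TLS record header
    carrying a ClientHello: type 0x16, version 3.x, sane length, handshake type 0x01.
    Only meaningful for the first payload of a connection, not a mid-stream capture."""
    if len(payload) < 6:
        return False
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    rec_len = int.from_bytes(payload[3:5], "big")
    return (ctype == TLS_HANDSHAKE and (vmaj, vmin) in TLS_VERSIONS
            and rec_len <= 16384 and payload[5] == 0x01)

def classify_flow(proto, dport, payload=b""):
    """Return indicator tags for one flow: known C2 ports, and encrypted-but-not-SSL
    traffic on 443 as described in the alert."""
    tags = []
    if (proto, dport) in C2_PORTS:
        tags.append("kraken-c2-port")
    if proto == "tcp" and dport == 443 and payload and not looks_like_tls_client_hello(payload):
        tags.append("non-tls-on-443")
    return tags

# Constructed flow log (assumed format): src dst proto dport first-payload-hex
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 tcp 443 160301004d01000049
10.0.0.5 203.0.113.11 tcp 443 7a3f9c12e8b04417aa
10.0.0.7 198.51.100.3 udp 447 9e41ffc0
10.0.0.7 198.51.100.3 tcp 13798 02ee71c4a0
10.0.0.9 192.0.2.20 tcp 80 474554202f20485454502f312e31
"""

def scan_flows(text):
    """Run classify_flow over each log line; return (src, dst, proto, dport, tags) hits."""
    hits = []
    for line in text.splitlines():
        src, dst, proto, dport, payload_hex = line.split()
        tags = classify_flow(proto, int(dport), bytes.fromhex(payload_hex))
        if tags:
            hits.append((src, dst, proto, int(dport), tags))
    return hits

if __name__ == "__main__":
    for src, dst, proto, dport, tags in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst} {proto}/{dport}: {', '.join(tags)}")
```

Because the update also uses random ports and payload lengths, the port rule covers only the older variant; the 443 check is the one that survives the change, and it needs the first client payload of each connection.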

Rule-based and application-based firewalls are likely to prevent or limit the impact of this worm.  Rule-based firewalls are typically set up by an administrator for an entire network.  These firewalls are often set up to block all traffic entering and exiting a network except traffic on ports needed for production.  Application-based firewalls are often found on client systems and can be configured to allow certain services and processes access to the Internet or local network.  These firewalls can be configured to prompt a user each time a new process or service attempts to access the Internet or local network.  Both types of firewalls may prevent malicious code from downloading updates or additional files.  The firewalls may also prevent the malicious code from contacting an attacker or web site and from accessing local network resources.

Most host intrusion detection/prevention system software can be configured to warn users when suspicious activity occurs on their systems.  This software can be configured to prevent this worm from executing its infection routines.  Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs.  Often users can choose whether to allow or deny the activity in question.  These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network.  User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Worm Bobax/Kraken


Safeguards
 

Administrators are advised to block or restrict access to port 445/tcp.

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment.  Configure antivirus products to scan all files and provide full-time or auto-protect functions.  Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures at least weekly.  Establish procedures for immediate antivirus updating in response to high risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls and personal computers.  Disable all unnecessary products, features and sharing.  Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to only those required for business operations.

Establish supplemental protection for remote and mobile users.  Include daily updated antivirus, personal firewalls and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.


Patches/Software
 

The Aladdin Virus Alert for Win32.Bobax.c is available at the following link: Virus Alert.  The latest virus definitions are available at the following link: Aladdin

The Aladdin Virus Alert for Win32.Bobax.k is available at the following link: Virus Alert.  The latest virus definitions are available at the following link: Aladdin

The Aladdin Virus Alert for Win32.Bobax.n is available at the following link: Virus Alert.  The latest virus definitions are available at the following link: Aladdin

Aladdin has also released virus definitions that detect the following: Win32.Bobax.p, Win32.Bobax.a, Win32.Bobax.af, Win32.Bobax.ae, Win32.Bobax.ag, Win32.Bobax.ah, Win32.Bobax.ak and Win32.Bobax.q

The BitDefender Virus Threat for Win32.Worm.Bobax.A/C, as well as the signature and engine information, is available at the following link: BitDefender

BullGuard has also released signatures to detect Win32.Worm.Bobax.A/C.

The CAVirus Threat for Win32.Bobax.A, as well as the signature and engine information, is available at the following link: CA

The CAVirus Threat for Win32.Bobax.B, as well as the signature and engine information, is available at the following link: CA

The CAVirus Threat for Win32.Bobax.C, as well as the signature and engine information, is available at the following link: CA

CA has also released signatures that detect the following: Win32.Bobax.AK

The Eset Virus Description for Win32/Bobax.A is available at the following link: Virus Description.  The NOD32 1.762 signature files have been available since May, 2004.  Antivirus updates can be obtained through the Update Now feature in the NOD32 Control Center.

The F-Secure Virus Description for Bobax is available at the following link: Virus Description.  Definition updates have been available since May 16, 2004, at the following link: F-Secure

F-Secure has also released definition updates that detect the following: Bobic.k

Fortinet has also released virus definitions that detect: W32/Bobax.AF-mm, W32/Bobax.AH-tr

Hauri has also released ViRobot definitions that detect the following: Trojan.Win32.Bobax.20480, Worm.Win32.Bobax.22528, Worm.Win32.Bobic.124928, Worm.Win32.Bobic.44747.B, Worm.Win32.Bobic.246784.B, Worm.Win32.Bobic.159744, and Worm.Win32.Bobic.32364

The Kaspersky virus description for TrojanProxy.Win32.Bobax.a is available at the following link: Virus Encyclopedia.  Anti-Virus Update files have been available since May 17, 2004, at the following link: Kaspersky

The McAfee Virus Description for Spam-Mailbot.f is available at the following link: Virus Description.  DAT files 5271 and later are available at the following link: McAfee

The McAfee Virus Description for W32/Bobax.worm.a is available at the following link: Virus Description.  DAT files 4361 and later are available at the following link: McAfee 

McAfee has also released DAT files that detect the following: W32/Bobax.worm.o, W32/Bobax.dr, W32/Bobax.worm.a.dll, W32/Bobax.worm.b, W32/Bobax.worm.b.dll, W32/Bobax.worm.c, W32/Bobax.worm.c.dll, W32/Bobax.worm.d, W32/Bobax.worm.d.dll, W32/Bobax.worm.dll, W32/Bobax.worm.e, W32/Bobax.worm.f, W32/Bobax.worm.g, W32/Bobax.worm.gen, W32/Bobax.worm.h, W32/Bobax.worm.i, W32/Bobax.worm.j, W32/Bobax.worm.k, W32/Bobax.worm.l, W32/Bobax.worm.l.dll, W32/Bobax.worm.m, W32/Bobax.worm.n, W32/Bobax.worm.n.dll, W32/Bobax.worm.o, W32/Bobax.worm.p, W32/Bobax.worm.q, W32/Bobax.worm.r, W32/Bobax.worm.s, W32/Bobax.worm.u and W32/Bobax.worm.v

The Panda Software Virus Alert for Bobax.A is available at the following link: Virus Alert.  Virus signature files have been available since May 17, 2004, at the following link: Panda Software

The Panda Software Virus Alert for Bobax.B is available at the following link: Virus Alert.  Virus signature files have been available since May 17, 2004, at the following link: Panda Software

The Panda Software Virus Alert for Bobax.C is available at the following link: Virus Alert.  Virus signature files have been available since May 17, 2004, at the following link: Panda Software

The Panda Software Virus Alert for Bobax.D is available at the following link: Virus Alert.  Virus signature files have been available since May 22, 2004, at the following link: Panda Software

Panda Software has also released virus signature files that detect the following: Bobax.AN, Bobax.R, Bobax.AA, Bobax.AB, Bobax.AC, Bobax.AD, Bobax.AE, Bobax.AF, Bobax.AG, Bobax.AH, Bobax.AI, Bobax.AJ, Bobax.AK, Bobax.AL, Bobax.AM, Bobax.AO, Bobax.AP, Bobax.AQ, Bobax.AR, Bobax.AS, Bobax.E, Bobax.F, Bobax.G, Bobax.H, Bobax.I, Bobax.J, Bobax.L, Bobax.M, Bobax.N, Bobax.V, Bobax.W, Bobax.X, Bobax.Y, Bobax.Z and Bobax.AU

Quick Heal has released virus definitions to detect W32.Bobax.

Proland has also released definitions that detect: W32/Bobax and Win32.Bobax.ai

The Sophos Virus Analysis for W32/Bobax-A is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-B is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-C is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-D is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-E is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-F is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-G is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Bobax-H is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

Sophos has also released identity files that detect the following: W32/Bobax-I, W32/Bobax-J, W32/Bobax-K, W32/Bobax-L, W32/Bobax-M, W32/Bobax-N, W32/Bobax-R, W32/Bobax-S, W32/Bobax-Z, W32/Bobax-DB, W32/Bobax-BV, W32/Bobax-DZ, and W32/Bobax-EF

The Symantec Security Response for W32.Bobax.A is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The Symantec Security Response for W32.Bobax.B is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The Symantec Security Response for W32.Bobax.C is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The Symantec Security Response for W32.Bobax.D is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The Symantec Security Response for W32.Bobax.N is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec 

The Symantec Security Response for Backdoor.Spakrab is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec 

Symantec has also released virus definitions that detect the following: W32.Bobax.Z@mm, W32.Bobax.AA@mm, W32.Bobax.AF@mm, W32.Bobax.AH@mm, W32.Bobax.AJ@mm, PE_BOBAX.AH and W32/Bobax-S

The Trend Micro Virus Advisory for WORM_BOBAX.A is available at the following link: Virus Advisory.  Pattern files 892 and later are available at the following link: Trend Micro

The Trend Micro Virus Advisory for WORM_BOBAX.B is available at the following link: Virus Advisory.  Pattern files 892 and later are available at the following link: Trend Micro

The Trend Micro Virus Advisory for WORM_BOBAX.C is available at the following link: Virus Advisory.  Pattern files 892 and later are available at the following link: Trend Micro

The Trend Micro Virus Advisory for WORM_BOBAX.D is available at the following link: Virus Advisory.  Pattern files 895 and later are available at the following link: Trend Micro

The Trend Micro Virus Advisory for WORM_BOBAX.J is available at the following link: Virus Advisory.  Pattern files 2.393.03 and later are available at the following link: Trend Micro

The Trend Micro Virus Advisory for WORM_BOBAX.K is available at the following link: Virus Advisory.  Pattern files 2.394.00 and later are available at the following link: Trend Micro

The Trend Micro Virus Advisory for WORM_BOBAX.AA is available at the following link: Virus Advisory.  Pattern files 2.437.03 and later are available at the following link: Trend Micro

Trend Micro has also released pattern files that detect the following: WORM_BOBAX.P, PE_BOBAX.AB, PE_BOBAX.AB-O, WORM_BOBAX.I, WORM_BOBAX.L, WORM_BOBAX.M, WORM_BOBAX.F, WORM_BOBAX.AD, PE_BOBAX.AF, PE_BOBAX.AF-O, WORM_BOBAX.AE, PE_BOBAX.AG-O, PE_BOBAX.AG, PE_BOBAX.AI, PE_BOBAX.AM, PE_BOBAX.AK-O and PE_BOBAX.AK
 


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0

Signature ID    Signature Name           Release    Latest Release Date
4151/0          BOBAX Virus Activity     S294       2007 Aug 02
4151/1          BOBAX Virus Activity     S294       2007 Aug 02
6537/0          Kraken Botnet Traffic    S428       2009 Sep 02
6537/1          Kraken Botnet Traffic    S428       2009 Sep 02

Cisco Small Business IPS

Signature ID         Signature Name           Release        Latest Release Date
SBIPS2009-000704/    BOBAX Virus Activity     SBIPS000001    2010 Jan 15
 
Alert History
 

Version 17, April 18, 2008, 4:22 PM: Cisco has released IPS signatures that detect the Kraken botnet traffic activity of Backdoor.Spakrab.

Version 16, April 10, 2008, 2:21 PM: Symantec has released virus definitions to detect Backdoor.Spakrab, a variant of Bobax.  This variant is being detected as a contributor to the Kraken botnet.

Version 15, April 9, 2008, 11:44 PM: Cisco has released an Applied Mitigation Bulletin that details mitigation techniques using Cisco devices to prohibit the network operation of this malicious software.

Version 14, April 8, 2008, 4:04 PM: Recent reports indicate that the Bobax family of worms is being utilized to build a massive botnet to distribute spam.  Sophos and Hauri have released virus definitions that detect aliases of Bobax variants.

Version 13, December 29, 2005, 4:15 PM: Multiple vendors have released virus definitions that detect aliases of Bobax variants.

Version 12,  August 1, 2005, 2:27 PM: Multiple vendors have released virus definitions that detect aliases of Bobax variants.

Version 11, February 23, 2005, 12:58 PM: Trend Micro has released virus definitions that detect WORM_BOBAX.AA, an alias of W32.Bobax.N.

Version 10, February 9, 2005, 9:53 AM: Multiple vendors have released virus definitions that detect W32.Bobax.N, a variant of WORM_BOBAX.A.

Version 9, February 1, 2005, 5:27 PM: Sophos has released identity files that detect W32/Bobax-E, an alias of W32.Bobax.D.

Version 8, January 13, 2005, 3:16 PM: Sophos has released identity files to detect W32/Bobax-D, an alias of W32.Bobax.D.

Version 7, May 24, 2004, 3:32 PM: Multiple antivirus vendors have released virus definitions to detect aliases of Bobax variants.

Version 6, May 21, 2004, 10:52 AM: Multiple antivirus vendors have released virus definitions to detect aliases of Bobax variants.

Version 5, May 20, 2004, 10:24 AM: W32.Bobax.D is a variant of W32.Bobax that attempts to exploit the LSASS vulnerability reported in MS04-011.  The worm also connects to a web server and downloads files.  Virus definitions are available.

Version 4, May 19, 2004, 5:53 PM: Multiple antivirus vendors have released virus definitions that detect W32.Bobax.B and W32.Bobax.C, variants of WORM_BOBAX.A.

Version 3, May 18, 2004, 2:46 PM: Panda, Sophos and Symantec have released virus definitions that detect aliases of WORM_BOBAX.A.

Version 2, May 18, 2004, 7:38 AM: Computer Associates and McAfee have released virus definitions that detect aliases of WORM_BOBAX.A.

Version 1, May 17, 2004, 1:07 PM: WORM_BOBAX.A is a worm that exploits the LSASS vulnerability to spread and to allow remote command execution.  The worm also opens additional ports to allow a remote attacker access.  Virus definitions are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield  |  Malicious Code Alert  |  Original Release Base

Associated Products:
Microsoft, Inc.  |  Windows 2000  |  Advanced Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.  |  Windows Server 2003  |  Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc.  |  Windows XP  |  Home Edition Base, SP1, SP2 | Professional Edition Base, SP1, SP2 | Professional x64 (AMD/EM64T) Base, SP2




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.

