[NCLUG] Hybris

dobbster dobbster at dobbster.com
Wed Mar 7 19:48:56 MST 2001


> 
> Off topic, I'm sure, but this one is really cool to me...
> 

Since I see this virus so much, I have been curious to know more.

> It hooks into the winsock library.  It watches packets go by.  If an E-mail
> address goes by on port 25, it remembers that address for a few minutes,
> then sends the hahaha at sexyfun.net letter off to them.

I see.  So the message is actually being created and sent from the
infected machine.  This wasn't clear to me.  Does it just change the
mail headers to make it appear as if it's coming from elsewhere?

I guess it must screen out its own messages in the meantime.
 
> > That is, you get a message from them, and 2-10 minutes later, the
> > hahaha at sexyfun.net one shows up.  From what I've read, this worm
> > contacts alt.comp.virus in the meantime and somehow (?) the newsgroup
> > indirectly sends the message.  Anyway, knowing this has helped me to
> > inform people that they were infected through a simple test: I have them
> > send out a blank email, wait a few minutes, and see if Snow White shows
> > up...
> 
> Heh.  The problem is that the snow white payload is one of the many
> payloads that Hybris can have.  When it is reading newsgroups, it is
> actually trading payloads.  There is one that does a spiral on the screen.
> Another eats all your zip files.  The author could add another plugin at
> any time, and just let it go.

The thing I don't understand is how it interacts with the newsgroups.  I
assume that if it can't connect with alt.comp.virus, it just sends out
the Snow White message.  If it can connect, does it download something
from the group?  Does the group itself contain virus payloads from a
specific user?
 
> > I've also received Hybris as an attachment from an unknown sender with a
> > blank message (a mutant, perhaps?)  A simple way to detect Hybris is to
> > save the attachment to disk and 'grep -i hybris whatever.exe'.
> 
> Really?  It's in plaintext?  That's cool.  My sister keeps receiving them from
> herself.  Oops.

Actually, I saw it in the first page with vi.  For what it's worth, the
files have the same size, although diff says they aren't the same.

-rw-r--r--    1 dobbs    users       23040 Mar  7 19:43 joke.exe
-rw-r--r--    1 dobbs    users       23040 Mar  7 19:38 midgets.scr
   
> Ramen may be the best thing to happen to us, though.  We've been a wee
> bit too lax, and we needed the wakeup call.

Too lax?  Not sure about that.  I could probably spend all of my time
fine-tuning the security for our systems.
 
> (PS: Learn about Ramen here
> http://www.cert.org/incident_notes/IN-2001-01.html )
> (Not here: http://www.nissinfoods.com/ )

Heheheh...  Gotta admit, those noodles are good!

I would really like to see the source code for Hybris, or at least have
a detailed understanding of how it works.  It seems pretty darned
clever.

Mark (dobbster at dobbster.com)
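As an added illustration (not code from the thread or its authors), a small Python script that applies the detection check described above, a case-insensitive search for the string "hybris" in a saved attachment, to several files at once and also reports the relationship Mark notes between the two samples: same size, but different bytes. The sample byte strings are constructed placeholders, not worm content.

```python
import hashlib
import itertools
import re

# Case-insensitive marker the thread reports appearing in plaintext inside the worm body.
MARKER = re.compile(rb"hybris", re.IGNORECASE)

# Constructed stand-in attachments (not real worm bytes). The first two have equal
# length but differ in a few bytes, mirroring the "same size, diff says they differ"
# observation; the third is a benign file that should not match.
SAMPLES = {
    "joke.exe": b"MZ" + b"\x00" * 100 + b"...HyBrIs plugin..." + b"\x90" * 100,
    "midgets.scr": b"MZ" + b"\x00" * 100 + b"...HYBRIS plugin..." + b"\x91" * 100,
    "report.pdf": b"%PDF-1.4" + b" " * 100,
}


def scan_attachment(data: bytes) -> dict:
    """Summarise one saved attachment: size, SHA-256, and marker hit (with offset)."""
    hit = MARKER.search(data)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "marker_found": hit is not None,
        "marker_offset": hit.start() if hit else None,
    }


def compare_samples(samples: dict) -> list:
    """Return (name_a, name_b, verdict) per pair so same-size variants stand out.

    A hash match means identical files; an equal size with a different hash is the
    case from the thread (a variant carrying a different plugin, or a polymorphic body).
    """
    reports = {name: scan_attachment(data) for name, data in samples.items()}
    verdicts = []
    for a, b in itertools.combinations(sorted(samples), 2):
        if reports[a]["sha256"] == reports[b]["sha256"]:
            verdicts.append((a, b, "identical"))
        elif reports[a]["size"] == reports[b]["size"]:
            verdicts.append((a, b, "same-size-different-bytes"))
        else:
            verdicts.append((a, b, "different"))
    return verdicts


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = scan_attachment(data)
        print(f"{name:12} {r['size']:6d} bytes  marker={r['marker_found']}  sha256={r['sha256'][:16]}...")
    for a, b, verdict in compare_samples(SAMPLES):
        print(f"{a} vs {b}: {verdict}")
```

To use it on real saved attachments, replace SAMPLES with a dict built from reading each file in binary mode; a string match is only a quick triage signal, and an up-to-date scanner should confirm any hit.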


