[NCLUG] Hybris
Michael Dwyer
mdwyer at sixthdimension.com
Wed Mar 7 20:28:34 MST 2001
> > Off topic, I'm sure, but this one is really cool to me...
>
> Since I see this virus so much, I have been curious to know more.
This writeup is very good:
http://www.f-secure.com/v-descs/hybris.shtml
> > It hooks into the winsock library. It watches packets go by. If an
> > E-mail address goes by on port 25, it remembers that address for a few minutes,
> > then sends the hahaha at sexyfun.net letter off to them.
>
> I see. So the message is actually being created and sent from the
> infected machine. This wasn't clear to me. Does it just change the
> mail headers to make it appear as if it's coming from elsewhere?
It changes the FROM: header, but it doesn't appear to change anything else.
That was how I traced this one back to my sister. At the very least, it
appears to generate the mail on a raw socket instead of calling the built-in
mailer functions of winsock. Also, according to the linked article, it
watches ALL sockets for E-mail addresses -- so it steals e-mail addresses
while you are surfing, too!
> > > That is, you get a message from them, and 2-10 minutes later, the
> > > hahaha at sexyfun.net one shows up. From what I've read, this worm
> > > contacts alt.comp.virus in the meantime and somehow (?) the newsgroup
> > Heh. The problem is that the snow white payload is one of the many
> > payloads that Hybris can have. When it is reading newsgroups, it is
> > actually trading payloads. There is one that does a spiral on the screen.
> > Another eats all your zip files. The author could add another plugin at any
> > time, and just let it go.
>
> The thing I don't understand is how it interacts with the newsgroups. I
> assume that if it can't connect with alt.comp.virus, it just sends out
> the Snow White message. If it can connect, does it download something
> from the group? Does the group itself contain virus payloads from a
> specific user?
The groups contain virus payloads from *other Hybris viruses*. The writeup
above shows what these payloads look like. The cracker need only insert
the payload once, and it will be picked up and spread from then on. I
assume that Hybris uses raw interfaces to netnews, as well. It tries to
talk to one of seventy news servers. The odds are pretty good it will
find one. If nothing else, it looks for plugins at a webpage at
vietmedia.com, too... Someone's pulled that site down already, though...
I also wandered around on the alt.comp.viruses feed on FRII -- nothing
payloadish looking there. I suspect people have the cancelbots running
overtime to try to stem the tide.
> > (PS: Learn about Ramen here
> > http://www.cert.org/incident_notes/IN-2001-01.html )
> > (Not here: http://www.nissinfoods.com/ )
>
> Heheheh... Gotta admit, those noodles are good!
>
> I would really like to see the source code for Hybris, or at least have
> a detailed understanding of how it works. It seems pretty darned
> clever.
It's brilliant. I really wish it wasn't malicious, because it really is
tough to not give the guy some credit!
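A defender-side check for the pattern described in this thread (a message from a correspondent arrives, then the hahaha@sexyfun.net mail shows up for the same recipient 2-10 minutes later), written as an added example that is not part of the original post. The mail-log entries are constructed; only the sender address and the timing window come from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample mail log: (received-at, From header, To header).
# Row 1 is the pattern from the thread: sis@example.net mails me, and
# 6.5 minutes later the worm mail for the same recipient arrives.
SAMPLE_LOG = [
    ("2001-03-07 09:00:00", "sis@example.net", "me@example.org"),
    ("2001-03-07 09:06:30", "hahaha@sexyfun.net", "me@example.org"),
    ("2001-03-07 10:00:00", "friend@example.com", "me@example.org"),
    ("2001-03-07 11:00:00", "hahaha@sexyfun.net", "me@example.org"),  # no sender in window
    ("2001-03-07 12:00:00", "alice@example.com", "bob@example.org"),
    ("2001-03-07 12:00:30", "hahaha@sexyfun.net", "bob@example.org"),  # 30 s: too soon
]

WORM_SENDER = "hahaha@sexyfun.net"          # forged From: header used by the worm
WINDOW = (timedelta(minutes=2), timedelta(minutes=10))  # delay reported in the thread


def parse(entries):
    """Turn the string tuples into (datetime, from, to), lower-casing addresses."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), f.lower(), r.lower())
            for t, f, r in entries]


def suspected_infected(entries, window=WINDOW):
    """For every worm mail, find the most recent correspondent who mailed the same
    recipient within the window. That correspondent's machine is the likely source,
    since the worm forges From: but sends from the infected host.
    Returns a list of (worm_mail_time, recipient, suspected_sender)."""
    log = parse(entries)
    lo, hi = window
    suspects = []
    for t_worm, frm, to in log:
        if frm != WORM_SENDER:
            continue
        candidates = [(t, f) for (t, f, r) in log
                      if r == to and f != WORM_SENDER and lo <= t_worm - t <= hi]
        if candidates:
            t_sender, sender = max(candidates)   # latest sender inside the window
            suspects.append((t_worm.strftime("%Y-%m-%d %H:%M:%S"), to, sender))
    return suspects


if __name__ == "__main__":
    for when, rcpt, who in suspected_infected(SAMPLE_LOG):
        print(f"{when}: worm mail to {rcpt}, probable infected sender {who}")
```

A hit is a lead for contacting the correspondent, not proof: the window alone cannot distinguish the worm from an unrelated message that happened to arrive at the same time.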