[NCLUG] Hybris

Michael Dwyer mdwyer at sixthdimension.com
Wed Mar 7 20:28:34 MST 2001


> > Off topic, I'm sure, but this one is really cool to me...
>
> Since I see this virus so much, I have been curious to know more.

This writeup is very good:
http://www.f-secure.com/v-descs/hybris.shtml

> > It hooks into the winsock library.  It watches packets go by.  If an
> > E-mail address goes by on port 25, it remembers that address for a few
> > minutes, then sends the hahaha at sexyfun.net letter off to them.
>
> I see.  So the message is actually being created and sent from the
> infected machine.  This wasn't clear to me.  Does it just change the
> mail headers to make it appear as if it's coming from elsewhere?

It changes the FROM: header, but it doesn't appear to change anything else.
That was how I traced this one back to my sister.  At the very least, it
appears to generate the mail on a raw socket instead of calling the built-in
mailer functions of winsock.  Also, according to the linked article, it
watches ALL sockets for E-mail addresses -- so it steals e-mail addresses
while you are surfing, too!

> > > That is, you get a message from them, and 2-10 minutes later, the
> > > hahaha at sexyfun.net one shows up.  From what I've read, this worm
> > > contacts alt.comp.virus in the meantime and somehow (?) the newsgroup
> > Heh.  The problem is that the snow white payload is one of the many
> > payloads that Hybris can have.  When it is reading newsgroups, it is
> > actually trading payloads.  There is one that does a spiral on the screen.
> > Another eats all your zip files.  The author could add another plugin at
> > any time, and just let it go.
>
> The thing I don't understand is how it interacts with the newsgroups.  I
> assume that if it can't connect with alt.comp.virus, it just sends out
> the Snow White message.  If it can connect, does it download something
> from the group?  Does the group itself contain virus payloads from a
> specific user?

The groups contain virus payloads from *other Hybris viruses*.  The writeup
above shows what these payloads look like.  The cracker need only insert
the payload once, and it will be picked up and spread from then on.  I
assume that Hybris uses raw interfaces to netnews, as well.  It tries to
talk to one of seventy news servers.  The odds are pretty good it will
find one.  If nothing else, it looks for plugins at a webpage at
vietmedia.com, too...  Someone's pulled that site down already, though...

I also wandered around on the alt.comp.viruses feed on FRII -- nothing
payloadish looking there.  I suspect people have the cancelbots running
overtime to try to stem the tide.

> > (PS: Learn about Ramen here
> > http://www.cert.org/incident_notes/IN-2001-01.html )
> > (Not here: http://www.nissinfoods.com/ )
>
> Heheheh...  Gotta admit, those noodles are good!
>
> I would really like to see the source code for Hybris, or at least have
> a detailed understanding of how it works.  It seems pretty darned
> clever.

It's brilliant.  I really wish it wasn't malicious, because it really is
tough to not give the guy some credit!
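The tracing clue in the message above (the worm forges the From: header but leaves the rest of the mail alone) can be turned into a small triage check. The following is an added example, not code from the original post or from the NCLUG thread: it parses a message, pulls the sender host out of every Received: header, and flags a From: whose domain never appears in the delivery trail, as well as the forged sender address named in the thread. The sample message, host names and subject line are constructed for illustration.

```python
"""Triage a suspected Hybris-style worm e-mail from its headers.

Added example for this thread, not code from the original post. The idea is
the one described above: the worm rewrites From: but the Received: trail
written by the real delivery path is untouched, so the earliest (bottom-most)
Received: header still names the host that actually injected the mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Forged sender address as quoted in the thread ("hahaha at sexyfun.net").
KNOWN_WORM_SENDER = "hahaha@sexyfun.net"

# Constructed sample: From: claims sexyfun.net, but the first hop in the
# Received: trail is a dial-up host that has nothing to do with that domain.
# Host names, IPs, ids and the subject line are all made up for this example.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Wed, 7 Mar 2001 19:55:01 -0700
Received: from dialup-42.isp.example (dialup-42.isp.example [198.51.100.42])
\tby mx.example.net with SMTP; Wed, 7 Mar 2001 19:54:50 -0700
From: Hahaha <hahaha@sexyfun.net>
To: victim@example.org
Subject: constructed sample subject
Content-Type: text/plain

constructed sample body
"""

# Received: headers conventionally start with "from <host> ...".
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def received_hosts(msg):
    """Return the 'from' host of each Received: header, latest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage(raw):
    """Return findings for one raw RFC 822 message as a dict."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    hosts = received_hosts(msg)
    # Headers are prepended by each relay, so the last one in the list is the
    # first hop: the host the mail really came from.
    origin = hosts[-1] if hosts else None
    # A From: domain that never shows up anywhere in the trail is the same
    # mismatch that let the poster trace the mail back to the infected machine.
    domain_seen = bool(from_domain) and any(
        h == from_domain or h.endswith("." + from_domain) for h in hosts
    )
    return {
        "from": from_addr,
        "origin_host": origin,
        "known_worm_sender": from_addr.lower() == KNOWN_WORM_SENDER,
        "from_domain_in_trail": domain_seen,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against a real mail, `origin_host` is the hop to follow up on (the infected sender's connection), while `from_domain_in_trail` being false is what tells you the From: header cannot be trusted on its own.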