ScamFraudAlert  



FBI - Electronic Crime Task Force A Division of the US Secret Services and in conjunction with the FBI they are dedicated to hunting Cyber Criminals

  #1  
Old 07-01-07, 01:10 PM
admin, Administrator
Spanish Police Arrest Alleged Phone-Virus Creator


Spanish police arrest alleged phone-virus creator
Published: 2007-06-25


Authorities in Spain charged a 28-year-old man with creating more than 20 different variants of the Cabir and CommWarrior viruses, which could infect mobile phones based on the Symbian operating system, antivirus firms stated on Sunday.

Law enforcement officers arrested the man in Valencia, Spain, after a seven-month investigation into the viruses, which infected an estimated 115,000 phones, according to a police statement cited by antivirus firm Sophos. The viruses reportedly contain a reference to "Leslie," which Sophos claims is the name of the suspect's fiancée.

"Cellphone viruses are not as common as the malware which strikes Windows desktops on a regular basis, but it is just as illegal in its intent," Graham Cluley, senior technology consultant for Sophos, said in a statement announcing the arrest. "Viruses are not harmless pranks; they cause real harm disrupting business and personal communications as well as destroying and stealing sensitive data."

In the past, virus writers have seldom been caught. Authorities arrested two people on charges of creating separate variants of the MSBlast -- or Blaster -- worm. The worm, which spread to at least 25 million computers in 2003 and 2004, led Microsoft to establish a bounty program to pay for information about those responsible for releasing viruses. In 2005, the program divvied up $250,000 between two informants who led authorities to the author of the Sasser worm.

The latest arrest is not the first for Spanish authorities. In 2003, Spanish police arrested a 23-year-old man on charges of creating and releasing the Raleka worm, which exploited the same vulnerability as the MSBlast worm.

Attacks on mobile phones have dramatically declined in 2007, compared to the year before, according to antivirus firm McAfee.


Posted by: Robert Lemos

Last edited by Scrub; 07-01-07 at 02:17 PM.
  #2  
Old 07-01-07, 02:19 PM
Scrub, Administrator
Brief: Spanish Police Arrest Alleged Phone-Virus Creator

F-Secure Virus Descriptions : Raleka



NAME: Raleka
ALIAS: Worm.Win32.Raleka, W32/Raleka, W32/Raleka.worm, WORM_RALEKA
SIZE: 14880
ORIGIN: Spain

Summary

Raleka is a network worm that exploits the same RPC vulnerability as the MSBlast/Lovsan family. The worm contains an IRC-controlled backdoor with a command that downloads the patch from Microsoft and fixes the RPC vulnerability on the infected computer.

Please refer to the Lovsan description for links and instructions on patching vulnerable hosts:

F-Secure Computer Virus Information Pages: Lovsan

Detailed Description

The Raleka worm was written in the C language and spreads in UPX-packed form. The worm's body weighs 41504 bytes when it's unpacked.

When the worm is started it attempts to download three files from predefined web locations:

- svchost32.exe: possibly an updated version of the worm

- ntrootkit.exe: update for the NT backdoor

- ntrootkit.reg: update for the NT backdoor's installation registry file

The registry file contains compatibility settings for the backdoor when running under Windows XP. Since the tool (reg.exe) the worm uses to install the registry file is part of Windows XP only, these settings will be applied only on that version.

The downloaded backdoor components are detected as Backdoor.RtKit.11.a by FSAV.

Network Propagation

Raleka scans random ranges of IP addresses attempting to exploit the RPC/DCOM vulnerability. It uses 100 parallel threads for scanning, which makes it quite aggressive.

When a vulnerable host is found the worm creates a file called 'down.com' through the shell the RPC exploit provides. There is a bug in the worm which results in a broken 'down.com' if the host is attacked by two Raleka worms at the same time. Even though this does not sound probable, it has been reported from several different places.

The file 'down.com' is a small downloader application wrapped in an ASCII armor using an old DOS utility called NETSEND. When the DOS COM file is executed it drops the decoded Windows executable and runs it.

The worm has a built-in HTTP server. This server is used by the downloader to transfer the worm and the backdoor components. The HTTP server is listening on a random port above 32768. When the downloader is invoked on the remote host it gets the attacker computer's IP address and the random HTTP port number as parameters. Using this information the downloader fetches the necessary files and installs the worm.

The following files are copied using the HTTP server:

- svchost.exe: the worm from Windows System directory

- ntrootkit.exe: NT backdoor

- ntrootkit.reg: Registry file for the backdoor

As soon as the files are installed the worm runs and starts to scan for vulnerable hosts.

In the end the infection manifests on the computer in the following places:

Files:

%windir%\system\svchost.exe: the worm itself
%windir%\system\svchost32.exe: the updated version of the worm
%windir%\system32\ntrootkit.exe: NT backdoor
%windir%\system32\ntrootkit.reg: Registry file for NT backdoor
%windir%\system32\svchost.cmd: Batch file to start the worm

Registry Key:

Under

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

"^%SystemRoot^%\\SYSTEM32\\NTROOTKIT.exe"="WIN2000"

"C:\\WINDOWS\\SYSTEM32\\NTROOTKIT.exe"="WIN2000"

A service named 'svchost' is created with the description 'Remote_Procedure_Call'.

F-Secure Computer Virus Information Pages: Raleka
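The artifacts in the description above (the dropped files, the AppCompatFlags Layers values and the 'svchost' service) lend themselves to a host check. The following is an added example, not F-Secure's or the forum's own code; it runs over constructed host snapshots rather than a live system, and the collector that would fill such a snapshot from a real host is assumed and not shown.

```python
# Indicators quoted from the description. The worm copy sits in %windir%\system,
# not system32, so it borrows the name of the legitimate svchost.exe.
WORM_FILES = [r"%windir%\system\svchost.exe", r"%windir%\system\svchost32.exe",
              r"%windir%\system32\ntrootkit.exe", r"%windir%\system32\ntrootkit.reg",
              r"%windir%\system32\svchost.cmd"]
LAYERS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT"
              r"\CurrentVersion\AppCompatFlags\Layers")
WORM_SERVICE = ("svchost", "Remote_Procedure_Call")


def expand(path, windir):
    """Resolve %windir% and lower-case for case-insensitive path comparison."""
    return path.replace("%windir%", windir).lower()


def check_host(snap):
    """Return sorted (category, detail) findings for one host snapshot.

    snap: {"windir", "files" (paths present), "registry" ({key: {name: data}}),
    "services" ({name: description})}; a live-host collector is assumed.
    """
    windir, present = snap["windir"], {p.lower() for p in snap["files"]}
    found = set()
    for f in WORM_FILES:
        if expand(f, windir) in present:
            found.add(("file", expand(f, windir)))
    # AppCompat Layers value for NTROOTKIT.exe; the name may carry ^% escapes.
    for name, data in snap["registry"].get(LAYERS_KEY, {}).items():
        if name.replace("^", "").lower().endswith("ntrootkit.exe") and data == "WIN2000":
            found.add(("registry", name))
    if snap["services"].get(WORM_SERVICE[0]) == WORM_SERVICE[1]:
        found.add(("service", WORM_SERVICE[0]))
    # Generalisation: any svchost.exe outside system32 deserves a look on its own.
    legit = expand(r"%windir%\system32\svchost.exe", windir)
    for p in present:
        if p.endswith("\\svchost.exe") and p != legit and ("file", p) not in found:
            found.add(("stray_svchost", p))
    return sorted(found)


# Constructed sample snapshots, not real telemetry.
INFECTED_HOST = {"windir": r"C:\WINDOWS",
    "files": {r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system\svchost.exe",
              r"C:\WINDOWS\system32\ntrootkit.exe", r"C:\WINDOWS\system32\svchost.cmd"},
    "registry": {LAYERS_KEY: {r"C:\WINDOWS\SYSTEM32\NTROOTKIT.exe": "WIN2000"}},
    "services": {"svchost": "Remote_Procedure_Call", "RpcSs": "Remote Procedure Call"},
}
CLEAN_HOST = {"windir": r"C:\WINDOWS", "files": {r"C:\WINDOWS\system32\svchost.exe"},
              "registry": {}, "services": {"RpcSs": "Remote Procedure Call"}}
```

The stray-svchost rule goes beyond the listed indicators: a copy of svchost.exe anywhere other than system32 is flagged even when none of the other artifacts are present.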