Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Community Blog

W32.Inabot - Support Perspective and Battle Plan

Created: 25 Apr 2013 • 2 comments
Brandon Noble's picture
+3 3 Votes
Login to vote

I. BACKGROUND:
We have been receiving a few scattered cases of outbreaks from a file labeled snkb00ptz.exe or snkb0ptz.exe, but it seems to be on the rise.

It's normally considered poor troubleshooting to use the file name for any type of identification of a threat, but recent examples have made this practical. Even though these files were detected as many different threat names and families (Trojan.gen, w32.IRCBot.NG, Downloader, etc), the cases all reported the same behavior and symptoms.

After some additional investigation, Symantec Security Response has broken out detection for W32.Inabot. That's short for the Insomnia IRC bot. More information is available from the makers of this threat in their manual, here: http://pastebin.com/dvpu8Zwb

For those of you familiar with W32.Changeup, much of this threat's behavior should seem familar.

 

II. THREAT DETAILS: Note this section is being updated with new information as we find it. (BN)

  • Creates the following registry entry so that it runs every time Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM KEY]" =
"%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe"

  • Gathers information from the compromised computer and sends it to the remote attacker.
  • Perform the following actions:
    • Spread itself through removable drives
    • Spread itself through network shares
    • Download and execute other malicious files
    • Perform distributed-denial-of-service (DDoS) attacks through UDP or TCP flooding

Known Aliases:

  • Win32/Dorkbot.AM [Microsoft]

How it spreads: Note this section is being updated with new information as we find it. (BN)

  • W32.Inabot uses AutoPlay (autorun.inf) files to launch remotely. 
  • W32.Inabot copies itself to open shares, hides legitimate folders, and then imitates folders in the share.
  • W32.Inabot current iteration does not appear to be also using vulnerabilities to spread.

Common file names:

  • snkb00ptz.exe
  • snkb0ptz.exe

Communication for the current w32.Inabot campaign:

  • e.eastmoon.pl
  • gigasbh.org
  • gigasphere.su
  • h.opennews.su
  • o.dailyradio.su
  • photobeat.su
  • s.richlab.pl
  • uranus.kei.su
  • xixbh.com
  • xixbh.net

Symantec Endpoint Protection:

Antivirus Signatures

Intrusion Prevention System

  • TBD

Applying the 5 Steps of Virus Troubleshooting to a W32.Inabot Outbreak AKA
Inabot Battle Plan

Step 1. Identify the threat

  • See above, but don't guess. Submit the files if you're not sure.

Step 2. Identify infected machines:

  • Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
  • The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
  • Traffic on the ports or to known W32.Inabot domains is a good indicator of a potentially infected machine. See W32.Inabot
  • Protecting and managing fileservers is often the key to solving any outbreak scenario. - unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

  • Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
  • Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

  • Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
  • Don’t forget file servers. This bears repeating.
  • Folders may have to be manually renamed or unhidden
  • These changes cannot be done as part of the automatic repair routine of Endpoint, as many users have intentionally hidden folders or disabled automatic Windows Update.

Step 5. Prevent future outbreaks:

  • AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
  • An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in their tracks.
  • Remove write-access on shares from users not needing this level of access.
  • Maintain a strict patching regimen. Inabot and threats like it often add new capabilities in response to new vulnerabilities.
  • Infected customers should block the Command and Control (C&C) servers or they quickly will become re-infected with new variants.
  • Upgrade to SEP 12.1 with SONAR and Download Insight

 

Comments 2 CommentsJump to latest comment

fdicarlo's picture

 

After removal to restore the attributes of the folder you can follow this procedures:

  • If you view folders in homedir (i.e. c:\users or whatever drive\users) the folders that are hidden (transparent) are affected users (or open cmd cd to the users path (i.e. c:\users or whatever), then type dir /ah (this will display only the files/folders with the hidden attribute to get a fast list of all affected users, and sometimes even with fiew hidden files/folders on, you won’t be able to view the hidden files/folders that this thing hid)
  • Give yourself full control to the folder
  • Open cmd and navigate to to the homedir path (c:\users or whatever)
  • Type attrib <username> -h -s /s /d  (makes the folder unhidden)
  • Type cd  <username> to navigate inside the users folder
  • Type attrib *. -h -s /s /d (unhides all subfolders and files in users folder)
  • Remove yourself from security permissions of user
  • Navigate to users folder c:\users\<username> or users share\<username>: look for a file named Snkb0pt - maybe have icon of remote desktop connection or quicktime. Delete this.
  • There will probably be a lot of Folder Shortcuts with a recent date and most likely all dated the same. DELETE all of these shortcuts. They are fake shortcuts that launch the malware. If you view the properties of the shortcuts you will see in the target the Snkb0pt.exe file being pointed to.
  • There will probably be an autorun.inf with the same date. DELETE this as well. If you open it to edit it, you will see this is an autorun to also launch the Snkb0pt.exe file.

Fabrizio Di Carlo

Technical Support Analyst
Enterprise Support Services EMEA
Symantec Services Group (SSG)
Symantec Corporation

0
Login to vote
Berino's picture

Step 4. Cleaning the infected machine can be done in a more efficient way using the SERT 

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

 

Article:TECH131732  |  Created: 2010-01-15  |  Updated: 2012-06-25  |  Article URL http://www.symantec.com/docs/TECH131732

 

0
Login to vote