What’s this, new mail? From [email protected], subject "undeliverable mail: user unknown". Strange, I don't recall sending any mail to anyone at america.com. I guess if I just click on the attachment, see what it was I sent that's being returned, maybe that'll jog my memory…
Fortunately, I'm not quite that naïve. And even if I were, my virus checker wouldn't allow it. Which is just as well, because these are the symptoms of an Internet worm. This particular one is SWEN.A, but any number of worms present a similar face. SWEN, though, is one of the more interesting ones.
Wearing my other hat, as a seismic software vendor and data management consultant, I've written some useful tools for analysing data files so I'm in a position to see what's under the hood. I decided to take a peek inside this little piece of nastiness for the benefit of Techworld’s readers.
The first two bytes are 'MZ' so, yes, it's an executable file alright. And it's Windows only, it won't run under DOS. But that's not too surprising, the size, 106 KB, suggests as much; good old DOS doesn't have that much baggage to add to a loadable image.
After the usual preamble there's a data area, followed by executable code starting at byte 4096. But understanding code in a human-readable language such as C is difficult enough; understanding machine code is downright hard. So let's skip over that and go straight to the two areas in a program that give obvious clues to what it does and how it does it: the symbol table (essentially, a list of the functions comprising the program, including the operating system functions it will invoke when it runs) and the list of text messages it can issue. SWEN.A has a text area starting at byte 58880. Here's the first surprise:
58880 ffff ffff 6eaf 4000 82af 4000 7275 6e74 696d 6520 ....n.@...@.runtime 
58900 6572 726f 7220 0000 544c 4f53 5320 6572 726f 720d error ..TLOSS error.
58920 0a00 0000 5349 4e47 2065 7272 6f72 0d0a 0000 0000 ....SING error......

A list of error messages!
This text area also names a standard Windows function for posting messages on-screen. It looks suspiciously like an error handler routine. We have a worm that reports problems! (Which begs the questions: what happens if you get a bug? Who do you send it to? And if you do, does the writer send you an updated version free?)
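The header walk and the offset/hex/ASCII dump used in the preceding paragraphs can be scripted. The Python below is an added example, not Denis Crampton's own tool: it checks the 'MZ' signature, follows the e_lfanew pointer to the PE header, reads the section table so the entry-point RVA can be turned into a file offset (the "code starting at byte 4096" step), and prints bytes in the same decimal-offset, byte-pair, ASCII layout as the dumps in this article. The image it parses (SAMPLE_PE) is constructed in memory and is not SWEN.A, so the offsets it reports differ from the article's.

```python
"""Static first pass over a Windows executable: walk MZ/PE headers, map the entry
point to a file offset, dump bytes in offset/hex/ASCII rows.  Added example."""
import struct

MACHINES = {0x14C: "x86 (i386)", 0x8664: "x64 (AMD64)"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}

def build_sample_pe(file_align: int = 512) -> bytes:
    """Construct a minimal PE32 image (test data, not SWEN.A): a .text section
    with a few code bytes and an .rdata section holding a C-runtime message."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)        # FileAlignment
    struct.pack_into("<H", opt, 68, 2)                 # Subsystem: Windows GUI
    headers = 64 + 4 + len(coff) + len(opt) + 2 * 40   # = 392 bytes
    text_raw = -(-headers // file_align) * file_align  # round up to alignment
    rdata_raw = text_raw + file_align

    def section(name, vaddr, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, file_align, vaddr,
                           file_align, raw, 0, 0, 0, 0, flags)

    sections = (section(b".text", 0x1000, text_raw, 0x60000020)      # code, exec, read
                + section(b".rdata", 0x2000, rdata_raw, 0x40000040))  # data, read
    image = bytearray(rdata_raw + file_align)
    image[0:64] = dos
    image[64:68] = b"PE\0\0"
    image[68:88] = coff
    image[88:312] = opt
    image[312:392] = sections
    image[text_raw:text_raw + 3] = b"\x55\x8b\xec"     # push ebp; mov ebp, esp
    msg = b"runtime error \0\0TLOSS error\r\n\0"
    image[rdata_raw:rdata_raw + len(msg)] = msg
    return bytes(image)

def rva_to_offset(rva, sections):
    """Translate a relative virtual address into a file offset via the section table."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return rva - s["vaddr"] + s["raw"]
    return None

def parse_pe(data: bytes) -> dict:
    """Return the header facts an analyst reads before looking at any code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"format": "MZ only (DOS executable, no PE header)"}
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {
        "format": "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else hex(magic),
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(chars & 0x2000),
        "entry_rva": entry,
        "entry_offset": rva_to_offset(entry, sections),
        "sections": sections,
    }

def hexdump(data: bytes, start: int, length: int, width: int = 20) -> list:
    """Decimal offset, byte pairs, ASCII column: the layout used in the article."""
    rows = []
    for off in range(start, min(start + length, len(data)), width):
        chunk = data[off:off + width]
        pairs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:5d} {pairs} {text}")
    return rows

SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(f"{info['format']} {info['machine']} {info['subsystem']}; "
          f"code starts at byte {info['entry_offset']}")
    for s in info["sections"]:
        print(f"  {s['name']:8} RVA {s['vaddr']:#x} raw offset {s['raw']}")
    for row in hexdump(SAMPLE_PE, info["sections"][1]["raw"], 40):
        print(row)
```

Pointing hexdump at a section's raw offset rather than guessing a byte position is what lets you find a text area in an unfamiliar binary; the .rdata section in the constructed sample starts at byte 1024, and the dump row there reads exactly like the "runtime error" row above.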
A little further on, at byte 60898, we find a symbol table:
60780 0300 0080 1700 0080 1000 0080 0000 0000 1b00 436c ..................Cl
60800 6f73 6548 616e 646c 6500 9e02 5465 726d 696e 6174 oseHandle...Terminat
60820 6550 726f 6365 7373 0000 ce02 5761 6974 466f 7253 eProcess....WaitForS
60840 696e 676c 654f 626a 6563 7400 ef01 4f70 656e 5072 ingleObject...OpenPr
[and so on.]
These are standard Windows service functions. WaitForSingleObject, for example, allows a program to wait until some resource object such as a thread has been relinquished by another process. A number of other functions also relate to threading, suggesting the program uses threads. Other functions called by SWEN.A manage files and directories and other resources, including memory. It creates and manipulates windows using native Windows calls such as CreateWindowEx and PostQuitMessage and it queries, creates, sets and deletes keys in the Windows system registry (RegQueryValueEx etc.; the actual registry keys modified are listed later in the program).
Clearly this is not a lightweight application. But there's more… Byte 66020 starts a new list of names:
66020 7a6f 6e65 616c 6172 6d00 0000 7a61 7072 6f00 0000 zonealarm...zapro...
66040 7766 696e 6476 3332 0000 0000 7765 6274 7261 7000 wfindv32....webtrap.
66060 7673 7374 6174 0000 7673 6877 696e 3332 0000 0000 vsstat..vshwin32....
66080 7673 6563 6f6d 7200 7673 6361 6e00 0000 7665 7474 vsecomr.vscan...vett
ZoneAlarm and ZoneAlarm Pro are two of the most popular firewalls. I use them myself. VirusScan is a leading anti-virus package. Further down the list are names relating to other common firewall and anti-virus programs, such as PC-cillin, Norton Anti-Virus and F-Prot. It looks as though SWEN.A tries to identify common security packages. Presumably, it then attempts to evade or disable them. But even that isn't the end of the story.
A little further on there are a number of text fragments from which SWEN.A constructs the mails it sends out once it has successfully infected a system. It normally mails itself in the guise of a returned mail, but the text fragments include phrases like "This update includes the functionality of all previously released patches" and the word "Microsoft" (complete with copyright claims such as "Microsoft Corporation. All rights reserved", references to the Microsoft support website and thanks for using Microsoft products), so it does look like SWEN.A is able to present itself as some kind of security update.
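Pulling the import names, the product-name list and the mail fragments out of the file and sorting them by what they imply is the string-triage step the last few paragraphs perform by eye. The Python below, added here and not part of the article, automates it over constructed sample data assembled from the fragments quoted above (SAMPLE is not carved from SWEN.A). The watchlists are assumptions made for the example: the names on this page plus a few standard Win32 imports. It also recovers the UTF-16 strings in which Windows binaries commonly keep version and copyright text, which an ASCII-only dump misses. From a defender's side, a binary that carries a list of firewall and anti-virus process names alongside patch-lure wording is itself a strong indicator worth a detection rule.

```python
"""Strings-based triage: extract printable ASCII and UTF-16LE runs and match them
against watchlists of API names, security-product names and lure phrases.  Added example."""
import re
from collections import defaultdict

# Watchlists (constructed for this example from the article's names plus a few
# common Win32 imports).  Prefix matching tolerates the A/W suffix of real imports.
API_CATEGORIES = {
    "process/thread control": ("TerminateProcess", "WaitForSingleObject", "OpenProcess", "CreateThread"),
    "registry access": ("RegQueryValueEx", "RegSetValueEx", "RegCreateKeyEx", "RegDeleteKey"),
    "window management": ("CreateWindowEx", "PostQuitMessage"),
    "file/handle management": ("CloseHandle", "CreateFile", "FindFirstFile"),
}
SECURITY_PRODUCT_NAMES = frozenset(
    ("zonealarm", "zapro", "wfindv32", "webtrap", "vsstat", "vshwin32", "vsecomr", "vscan"))
LURE_PHRASES = (
    "this update includes the functionality of all previously released patches",
    "microsoft corporation. all rights reserved",
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")   # UTF-16LE, as in PE version info

def extract_strings(data: bytes) -> list:
    """Return (offset, text, encoding) triples, like strings(1) with wide-char support."""
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16le") for m in WIDE_RUN.finditer(data)]
    return sorted(found)

def triage(data: bytes) -> dict:
    """Group watchlist hits by what they tell the analyst about the binary."""
    hits = defaultdict(set)
    for _, text, _ in extract_strings(data):
        for category, names in API_CATEGORIES.items():
            if text.startswith(names):
                hits["api: " + category].add(text)
        if text.lower() in SECURITY_PRODUCT_NAMES:
            hits["security-product process names"].add(text)
        if any(phrase in text.lower() for phrase in LURE_PHRASES):
            hits["update-lure text"].add(text)
    return {category: sorted(strings) for category, strings in hits.items()}

def kill_list_with_lure(report: dict) -> bool:
    """A carried list of AV/firewall process names plus patch-lure wording is the
    combination the article describes; flag it for a closer look."""
    return "security-product process names" in report and "update-lure text" in report

# Constructed sample data area (not from SWEN.A): header noise, CRT messages,
# import names, the product-name list and lure text, laid out as the dumps above.
SAMPLE = (
    b"\xff\xff\xff\xff\x6e\xaf\x40\x00"
    + b"runtime error \x00\x00TLOSS error\r\n\x00"
    + b"CloseHandle\x00\x9e\x02TerminateProcess\x00\x00\xce\x02WaitForSingleObject\x00"
    + b"RegQueryValueExA\x00CreateWindowExA\x00PostQuitMessage\x00"
    + b"zonealarm\x00\x00\x00zapro\x00\x00\x00wfindv32\x00\x00\x00\x00vscan\x00\x00\x00"
    + b"This update includes the functionality of all previously released patches\x00\x00\x00"
    + "Microsoft Corporation. All rights reserved".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for category, strings in report.items():
        print(f"{category}: {', '.join(strings)}")
    print("needs a closer look:", kill_list_with_lure(report))
```

The padding between strings in SAMPLE matters: the wide-string pattern would otherwise swallow the terminating byte of a preceding ASCII string and report "sMicrosoft ...", a real artefact of naive wide-string carving that the extra zero bytes here avoid.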
Thus we have a worm that evades detection; that manages threads and manipulates resources such as files and memory; that claims, when it runs, to be a security patch from Microsoft (even down to asserting copyright); and that behaves in every way like a serious application. What can we conclude from all this? Somehow it doesn't look like the amateur fumblings of a bored teenager. This is a professional job, the work of a skilled programmer, using Microsoft's own Visual C++ development environment. Furthermore, it was coded against the native Windows API, not the simpler and more popular MFC (the Microsoft Foundation Classes, or MFC, are a set of libraries designed to make Windows programming easy; which they do, but at the cost of considerable overheads).
The attention to detail (all those error messages, the research involved in identifying anti-virus and firewall programs) suggests both time and money lavished on it. So who could have written it?
There are few clues. At one point (byte 74700) it contains the string "by begbie". Begbie, you may recall, was the violent psychopath in the 1996 film ‘Trainspotting’. Later (byte 87012) there are two odd grammatical errors "MAPI 32 needs these informations" and "Failure to do so may cause that some MAPI32". Could it be the work of an e-terrorist, funded by al-Qaeda millions? The grammatical errors certainly suggest a non-English speaker. Or, for all you conspiracy theorists out there, could it be a professional product from an anti-virus software company, to make sure business continues to boom? Code designed to disable virus checkers and firewalls suggests a high degree of technical knowledge.
My own theory, though, for what it's worth, is that we could be seeing the revenge of the over-50s, a 30-years-of-programming man who expected to work another five or ten years then take his comfortable company pension, suddenly made redundant, his job outsourced to India and no prospects of another at home, with time, skill and a generous redundancy package to indulge his bitterness. It could just be.
Another e-mail's arrived. [email protected] says "Hi" it seems. That sounds friendly. Nicely imaginative e-moniker too. What does it say? "See the attached file for details." Right, I guess I just have to click on the attachment…
Denis Crampton runs his own seismic data company, Arx3D Advanced Reservoir Imaging.