FortiGuard Labs Threat Research
Just Because It’s Old Doesn’t Mean You Throw It Away (Including Malware!)
Art, automobiles, and wine are often associated with things that appreciate in value as they age. Malware isn’t usually thought of this way, as most threat actors strive to keep their tools as current as possible with new lures and exploitation techniques.
However, every once in a while, a campaign appears that turns this paradigm on its head. FortiGuard Labs came across one such recent campaign using the MyDoom worm.
MyDoom (also known as Novarg and Mimail) was first discovered back in 2004. And while it has seen some updates and modifications since its introduction, it is an anachronism in the malware world that continues to operate well beyond expectations.
Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium
Typical phishing e-mail
The typical MyDoom phishing e-mail contains subjects referencing a delivery error or testing. Email headers contain a rejection reason and a custom “Content-Type”. There is also an attachment that may or may not be zipped. This attachment (unless zipped) is the MyDoom executable.
Figure 1. Typical MyDoom phishing e-mail.
FortiGuard Labs encountered the following message subjects in our recent investigation:
- Click me baby, one more time
- RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS
- Isnydosj anhr
- ayownizdiitis
- Delivery failed
- Test
- Delivery reports about your e-mail
- Status
- Returned mail: Data format error
- RETURNED MAIL: DATA FORMAT ERROR
- Returned mail: see transcript for details
- Mail System Error - Returned Mail
The following attachment names were also found to be used repeatedly:
- document.zip
- transcript.zip
- letter.zip
- attachment.zip
- .zip
- message.zip
- message.scr
- golfasian.com
- readme.scr
- mail.zip
- text.cmd
- <random number>@7686f6a96.com
- file.zip
- attachment.scr
Typical attachment
The MyDoom executables attached to its phishing e-mails have an extension hidden by default by most Windows deployments (.cmd, .scr, .com, etc.). This increases the chances that users won’t identify it as malicious.
Figure 2. MyDoom executable with hidden file extension.
Despite the extension, the file is a 32-bit Windows executable packed using the UPX (Ultimate Packer for Executables) packer (https://en.wikipedia.org/wiki/UPX) to compress and make it more difficult to analyze.
Figure 3. A tell-tale sign that an executable has been packed with UPX – a renamed PE header.
With that being said, UPX has been around for quite some time. When used without modification, it is quite easy to decompress the original executable using the tool itself.
Figure 4. Decompressing the MyDoom executable using the UPX utility.
MyDoom Unpacked
The packer decompresses and executes the actual MyDoom code. Upon execution, an attempt to alter the Windows firewall settings is made.
Figure 5. Rundll32.exe shown executing the firewall control applet.
A user logged on to the system would see a request to grant access for the executable to communicate out through the Firewall.
Figure 6. Windows firewall request made by MyDoom.
MyDoom next makes a copy of itself, places it in the “Temp” folder (C:\Users\<user>\AppData\Local\Temp), and changes the name to a known Windows application/process. In this case, it used “lsass.exe”.
Figure 7. Attempt by MyDoom to create a copy of itself.
It also creates a file full of garbage text that is not referenced again once created.
Figure 8. Garbage text file creation.
MyDoom communicates over port 1042 to both send and receive.
Figure 9. MyDoom with local port 1042 open to listen.
It rotates through a number of possible C2 domains in an attempt to locate an active one. As part of the legacy of spreading through file-sharing utilities, MyDoom also litters the “C:\Program Files\Common Files\Microsoft Shared” folder with multiple versions of itself. It renames itself as some now very old and obsolete applications (e.g., Kazaa Lite) with a random name or phrase attached.
Figure 10. Additional copies of MyDoom throughout the “Microsoft Shared” directory.
Application names include:
- Kazaa Lite
- Harry Potter
- ICQ 4 Lite
- WinRAR.v.3.2
- Winamp 5.0 (en) Crack
- Winamp 5.0 (en)
Conclusion
Despite its advanced age, there are still fresh infections of MyDoom occurring in the wild, along with corresponding phishing events. This goes to show that even older malware can still be dangerous no matter their age
Fortinet Protections
Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services:
FortiGuard customers are protected against this latest MyDoom campaign, which is blocked by FortiMail. The following (AV) signature detects the malware samples mentioned in this blog
W32/MyDoom.M@mm
W32/Mydoom.E!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The WebFiltering client blocks all network-based URIs.
Fortinet has multiple solutions designed to help train users to understand and detect phishing threats, including the FortiPhish Phishing Simulation Service, which uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
In addition to these protections, we suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.
IOCs
File-based IOCs:
Filename |
SHA256 |
9ed08@7686f6a96.com |
5a6c1929f55baff2e786336c07f02c5d13194ff765073dcdfcae1b0cb53da5bc |
5713a@7686f6a96.com |
1b1e2421dc3d96a8b9dd58d9cc74730c966250df7c33a1e0df50d983e674b7bc |
atpysig.exe |
6223e126a65ba888182d3369adacc7268bd78555f0426653f5b5dd963d4c31a4 |
attachment.doc.scr |
ad37758c362a38a8718837ece40ed5699e40de11ed58a586c2a6a6d8bb5251bf |
attachment.scr |
9fc0179c7407476ced89b6124fa52f10d178f3a07e3d50c860b1ced98fb77541 |
attachment.doc.scr |
ad37758c362a38a8718837ece40ed5699e40de11ed58a586c2a6a6d8bb5251bf |
ATTACHMENT.SCR |
1302161ca791b3fc01188582a075bbfcfeb5f28715ad527be0fe625ec452b1eb |
attachment.scr |
9fc0179c7407476ced89b6124fa52f10d178f3a07e3d50c860b1ced98fb77541 |
ATTACHMENT.SCR |
1302161ca791b3fc01188582a075bbfcfeb5f28715ad527be0fe625ec452b1eb |
document.doc |
31fd079696a071a48fd4a66588adb22e36dd96028792fb416bcee0f099d6e5cb |
document.doc |
5e99396cf134fea102470525d5105afb697b9131d891990e2dc8c9e5e34f8165 |
file.htm.scr |
009ac15d56c3a5149f10c833b5cc191eede4d33485cab7bc3dd94675a462608c |
golfasian.com |
9fcf4b0e00d20060274861b41b2c13b68dfedbd2ac0012436b13960b2a570d4f |
golfasian.com |
34d9e11e71fe18f9eb290461714826e1069a129d44db25c6c4fe581f883cbc07 |
golfasian.com |
6155f0562adfaa75cf46f674cf094d3f23c27b38c8009b6982f48ca4e77c95b1 |
golfasian.com |
92018aff6737899f94aed2461b6e4182383b6677be2e8d4f82098265d74fb913 |
html.pif |
eba7ec36cb9cc3c3677f5325ee9f755fefe885235849aede61a0b130a9f6255b |
html.pif |
d438e3ec7bd0fa4b231a6a1704d89f117d3b6b6ba342915b4d095027d0fe4c90 |
john2@golfasian.com |
a966f61a86dae4737f99d5b7668b0fcab3124125d2030faa08855ae12c9525ee |
letter.exe |
48c70041def3bf288f7f85ee96eb59a2f7d965963a66e0c86fb3c88b3e079386 |
letter.scr |
2ddc70753893167b7b5d15c1e3cf6f22b6d8a0ee8a4aaea93c40655608f6fc75 |
mail.html |
20b372391f4d0fd9e4f69fc950456b557fab27f7bbbdeede36cff404e35614aa |
message.bat |
7b596caceaf2e8a139c01eaf67e5e52ff3247ca6d20112ea9ce59a02a1a5bb7d |
message.scr |
2744c29d98a144fabda0ac75264235cd82b798f3bd5a56fab2ad28ec218b94c8 |
Message.scr |
eb5bfbb3be5300c1231a8ece93d239b7a02a4f308d7efe85d604f06d3aca57ad |
readme.scr |
8d4dcf463e7a69cd1b3039779d9d36c8a4669444b30d3261f876b7720bdb6752 |
text.cmd |
5cb5efc8e0be0bf32eb73fbdaebedacf70cba946f5dfaea7166dcd0f4ca5989f |
tracy@golfasian.com |
c12e27b30706dd1d11e5822285e209a187724148a682d178f1e2bc3f8d670ea7 |
transcript.htm.pif |
2ddc70753893167b7b5d15c1e3cf6f22b6d8a0ee8a4aaea93c40655608f6fc75 |
transcript.txt |
6bbcc015c5a72b03601f8087c57024a7e74975dfb567b867c3404958e4239c9c |
txt.pif |
d599d4343fe3d831bcad8ea7305f050608a182f99636ea9e87c9400d19fae043 |
txt.scr |
f5dc449255319cebd38ce255060a8019e0f5697de8ac31353c7d067d9e1218e6 |
document.zip |
11a86a2388c501773b52ae79ee1f7504caca6c25d835d40b8afc9ebe29c7a26d |
.zip |
942ef9da07de7d70c2efcfc20e375e6919a521d44ddabf9369042aea1553f712 |
message.zip |
10502c24bb63af929da22ec306f44f9e557b4e3bbf588afd1a7f190aa9840938 |
letter.zip |
21ee754775ca9f76b2d18d0b87722ffa0c9ab0f676e4aa6ac4881dff580087ac |
.zip |
505b177a6c24c69a9fda1e78db7421fad4893d7c07e3cea91897decfbc4510be |
message.zip |
ad29b1c0423a878758a444ad6bf38aa2ad276a98f0ca552b475d890db631f48b |
file.zip |
113db96ddc72fb3300e981c7691cd202d3d0a5b097e84cd41eee6a54d868bf31 |
transcript.zip |
3df99ae8f2083419fd030c42ca6729b6e5319df6aca1204d7081ce6ea91c69da |
transcript.zip |
04123ec908c4a60282fa35fed76a377b22a49b6f9bfaf5a81121fd7204b4b83d |
.zip |
4864f84ea0f6939751310a2cca43e71a57171f37679cb7853d29a083b1617a09 |
.zip |
35bb66f1cc9e820ef50c22d0abb0f5f7ba8724bebb4a5a795e68790943742928 |
.zip |
9bf413a9d9b3b17767f0a93450f834947475765b2fd1ecccaa943f8ce9d58082 |
document.zip |
9a2f837a8adb16632ce4ec3c8b02037a4e96e66e6737ef1169afb2e48e46aa6a |
letter.zip |
bfaf49a691792a29024a75119a9841caacefb306494ca011a42b46c12ca65895 |
.zip |
59ad199d81590be7b83768227fe3a79b115f6c978b8715864ae0e22e5d324e36 |
mail.zip |
ecda9c446dd6aa0018cd5fc9c99ba846484f8d2a81d7f97167d89b890e4d5c1a |
attachment.zip |
e745cc1ae5a89a9f2b4b0eabbac342520703b03f68dafeb6d29194fe19e899e9 |
attachment.zip |
1f442b9ff3c9225e3eaa9c74d16b3a74117bb66e1d372ca15b6154d386a93e57 |
Network-Based IOCs:
IOC |
IOC type |
15.244.197.9:1042 |
Attempted C2 Connection |
141.240.203.6:1042 |
Attempted C2 Connection |
16.115.197.163:1042 |
Attempted C2 Connection |
67.120.102.206:1042 |
Attempted C2 Connection |
220.234.104.158:1042 |
Attempted C2 Connection |
166.77.123.68:1042 |
Attempted C2 Connection |
198.89.160.22:1042 |
Attempted C2 Connection |
15.98.11.12:1042 |
Attempted C2 Connection |
67.121.94.10:1042 |
Attempted C2 Connection |
15.24.69.27:1042 |
Attempted C2 Connection |
129.204.109.121:1042 |
Attempted C2 Connection |
70.241.87.215:1042 |
Attempted C2 Connection |
16.80.195.68:1042 |
Attempted C2 Connection |
15.9.79.129:1042 |
Attempted C2 Connection |
15.14.59.199:1042 |
Attempted C2 Connection |
216.114.194.30:1042 |
Attempted C2 Connection |
15.228.15.126:1042 |
Attempted C2 Connection |
16.100.121.101:1042 |
Attempted C2 Connection |
15.63.9.76:1042 |
Attempted C2 Connection |
65.6.113.38:1042 |
Attempted C2 Connection |
141.240.211.237:1042 |
Attempted C2 Connection |
16.83.199.36:1042 |
Attempted C2 Connection |
66.248.57.65:1042 |
Attempted C2 Connection |
15.59.127.133:1042 |
Attempted C2 Connection |
16.150.138.126:1042 |
Attempted C2 Connection |
141.154.253.115:1042 |
Attempted C2 Connection |
66.43.244.133:1042 |
Attempted C2 Connection |
68.158.45.83:1042 |
Attempted C2 Connection |
152.16.43.135:1042 |
Attempted C2 Connection |
129.81.101.242:1042 |
Attempted C2 Connection |
16.102.137.19:1042 |
Attempted C2 Connection |
16.102.153.27:1042 |
Attempted C2 Connection |
67.171.253.156:1042 |
Attempted C2 Connection |
15.75.188.252:1042 |
Attempted C2 Connection |
216.128.188.41:1042 |
Attempted C2 Connection |
16.126.107.216:1042 |
Attempted C2 Connection |
16.125.202.53:1042 |
Attempted C2 Connection |
162.28.185.188:1042 |
Attempted C2 Connection |
195.75.252.98:1042 |
Attempted C2 Connection |
68.223.45.7:1042 |
Attempted C2 Connection |
24.148.141.102:1042 |
Attempted C2 Connection |
141.240.190.28:1042 |
Attempted C2 Connection |
129.243.132.29:1042 |
Attempted C2 Connection |
148.193.135.228:1042 |
Attempted C2 Connection |
24.190.210.189:1042 |
Attempted C2 Connection |
12.166.196.8:1042 |
Attempted C2 Connection |
15.228.161.161:1042 |
Attempted C2 Connection |
220.234.104.158:1042 |
Attempted C2 Connection |
