Just when you thought it was safe to run IIS...

Mar 17, 2016

Maybe CERT-FI is following in the footsteps of US-CERT (free tip for you guys: 300 bps is obsolete!), which is why it's taken them eight months to say anything about this, but there is a particularly interesting worm that attacks Windows crawling around on the Net called Allaple-A, which is remarkably subtle for an infectious agent. First of all, it's polymorphic, meaning that it rewrites parts of itself whenever it spreads, which makes it difficult for antivirus software to find and kill it. At first it spread by brute-forcing passwords against the Radmin service and open network shares, but there are versions extant at this time that use other attack vectors, usually a package of remotely exploitable vulnerabilities. Even more evil, however, is its facility for finding HTML files on the infected box: it quietly edits each one it finds to drop a tag into the text. Whenever a user with sufficient privileges (and more often than not these days, everyone has Administrator privileges on their workstation) views such an HTML document, the object file referenced by that tag (that is, the worm's executable portion) is executed.
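One defensive response to that HTML-tampering behaviour is a simple integrity audit of the HTML files a box serves or renders: hash them while the system is known-clean, then re-hash and flag anything that changed or that now carries an object tag pointing at a local executable. The following is an added example written for this post, not code from the post or from CERT-FI; the post does not give the exact form of the injected tag, so the `<object ... data=/codebase=...exe>` pattern it searches for is an assumption, and the file contents and the `C:\dropped-example.exe` path are constructed samples.

```python
import hashlib
import re
from pathlib import Path

# Assumed shape of the injected tag: an <object> element whose data= or
# codebase= attribute points at a local .exe. The post only says "a tag"
# referencing the worm's executable, so this pattern is deliberately broad.
OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
LOCAL_EXE = re.compile(r"""(?:data|codebase)\s*=\s*["']?([^"'>\s]+\.exe)""", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """files: {relative path: bytes}. Returns {path: sha256}; store it off-box."""
    return {path: sha256_hex(content) for path, content in files.items()}


def suspicious_tags(html: str) -> list:
    """Return the local executable paths referenced by <object> tags in html."""
    hits = []
    for tag in OBJECT_TAG.findall(html):
        m = LOCAL_EXE.search(tag)
        if m:
            hits.append(m.group(1))
    return hits


def audit(files: dict, baseline: dict) -> dict:
    """Report files whose hash no longer matches the baseline or that reference a local exe."""
    report = {}
    for path, content in files.items():
        changed = baseline.get(path) != sha256_hex(content)
        refs = suspicious_tags(content.decode("utf-8", errors="replace"))
        if changed or refs:
            report[path] = {"changed": changed, "exe_refs": refs}
    return report


def load_html_tree(root: str) -> dict:
    """Read every .htm/.html file below root into the mapping audit() expects."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_bytes()
            for p in base.rglob("*") if p.suffix.lower() in (".htm", ".html")}


# Constructed sample content (not taken from any real infection).
CLEAN = {"index.html": b"<html><body><h1>Hello</h1></body></html>"}
INFECTED = {"index.html": b'<html><body><h1>Hello</h1>'
                          b'<object data="C:\\dropped-example.exe"></object></body></html>'}

if __name__ == "__main__":
    baseline = build_baseline(CLEAN)          # taken while the box was clean
    print(audit(CLEAN, baseline))             # {} - nothing to report
    print(audit(INFECTED, baseline))          # flags index.html as changed, with the exe reference
```

In practice you would run `build_baseline(load_html_tree(r"C:\inetpub\wwwroot"))` on a clean system, keep the result somewhere the worm cannot edit, and rerun `audit` on a schedule; the hash check catches edits whatever the tag looks like, and the tag scan gives you something concrete to look at when a file does change.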

Think that's not a big deal? A lot of applications these days don't have user interfaces the way we used to think of them, but are HTML pages that are viewed by hooking the HTML rendering functions in the Windows API. It makes it easy to design really slick user interfaces without a lot of work or skull-sweat, but it can also come back and bite you on the ass at times like this.

Oh, and did I mention the DDoS functionality? That's right, a beastie like this has to have a payload... SYN floods and endlessly loading a certain website's frontpage are its weapons of choice, dependent upon what version has infected a particular system at a particular time. This worm's particularly hard to spot because it doesn't have a C&C channel, unlike a lot of malware. It doesn't try to connect to a hidden IRC server to get its commands, it has a small number of tasks that it carries out quite well. In some ways, it's a return to an earlier era of infectious software, when worms didn't have the full bags of tricks of their creators and only spread and detonated at unlikely times.

The versions that CERT-FI has been watching tend to ping the local network's broadcast address to find other hosts to attack; the packets contain the payload Babcdefghijklmnopqrstuvwabcdefghi, but you can expect that to change with the next generation released.
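That fixed ping payload is exactly the kind of thing a network monitor can key on. Below is an added example written for this post (not CERT-FI's or anyone else's detection code) that parses raw IPv4/ICMP datagrams, flags echo requests carrying the quoted payload, and distinguishes broadcast sweeps from directed probes so you can tell which hosts on a subnet are infected. The sample packets are constructed in the block itself, the `192.168.1.0/24` subnet is an assumption, and checksums are neither computed nor checked.

```python
import ipaddress
import struct

# ICMP echo-request payload CERT-FI saw in Allaple-A's broadcast pings (quoted in the post).
ALLAPLE_PAYLOAD = b"Babcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REQUEST = 8


def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, payload) for a raw IPv4 datagram carrying ICMP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP; echo header is 8 bytes
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[ihl], packet[ihl + 8:]


def is_broadcast(dst: str, local_net: str) -> bool:
    """True if dst is the local subnet's directed broadcast or the limited broadcast."""
    net = ipaddress.IPv4Network(local_net)
    addr = ipaddress.IPv4Address(dst)
    return addr == net.broadcast_address or addr == ipaddress.IPv4Address("255.255.255.255")


def classify(packet: bytes, local_net: str):
    """'broadcast-sweep', 'directed-probe', or None if the packet is not an Allaple-style ping."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return None
    src, dst, icmp_type, payload = parsed
    if icmp_type != ICMP_ECHO_REQUEST or payload != ALLAPLE_PAYLOAD:
        return None
    return "broadcast-sweep" if is_broadcast(dst, local_net) else "directed-probe"


def build_echo(src: str, dst: str, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct a raw IPv4+ICMP datagram for testing; checksums are left zero (the parser ignores them)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 128, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + payload


def infected_hosts(packets, local_net: str) -> dict:
    """Map each source that sent an Allaple-style ping to the set of labels seen from it."""
    seen = {}
    for pkt in packets:
        label = classify(pkt, local_net)
        if label:
            src = parse_ipv4_icmp(pkt)[0]
            seen.setdefault(src, set()).add(label)
    return seen


# Constructed sample capture: a sweeping host, a directed probe, and a look-alike ordinary ping.
SAMPLE_NET = "192.168.1.0/24"
SAMPLE_PACKETS = [
    build_echo("192.168.1.20", "192.168.1.255", ALLAPLE_PAYLOAD),
    build_echo("192.168.1.21", "192.168.1.7", ALLAPLE_PAYLOAD),
    build_echo("192.168.1.5", "192.168.1.1", b"abcdefghijklmnopqrstuvwabcdefghi"),
]

if __name__ == "__main__":
    for host, labels in infected_hosts(SAMPLE_PACKETS, SAMPLE_NET).items():
        print(host, sorted(labels))
```

Feed it packets from a raw socket or a pcap reader and the output is a list of internal addresses that need cleaning; as the post warns, the payload string is likely to change in the next generation, so treat the constant as a tunable signature rather than a permanent one, and keep the broadcast-sweep heuristic as a second, payload-independent signal.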

As always, if you've got firewall software on your box, run it, and if you don't have antivirus software, run to the store, get it, and keep it updated. The box you save will be your own.