Under Attack? Call (844) END.DDoS

Nugache: TCP port 8 Bot

Over this past weekend, ASERT received samples of the Nugache bot and analyzed them Monday morning. Nugache has been noticed because it appears to employ P2P to communicate rather than a more traditional IRC channel. People have been discussing it as a Waste-based protocol, the same method that people use to share MP3s.

The list of alisases by major vendors who detect it:

  • (Symantec Corp.) W32.Nugache.A@mm
  • (Trend Micro Inc.) WORM_NUGACHE.A
  • (Bitdefender) Win32.Nugache.A@mm
  • (Kaspersky Lab Inc.) Email-Worm.Win32.Nugache.a
  • (Doctor Web Ltd.) BackDoor.IRC.Sdbot.579
  • (F-Secure Corp.) Backdoor.Win32.SdBot.aqy
  • (Computer Associates International Inc.) Win32/Nugache.A
  • (Sophos Plc.) W32/Rbot-DDI
  • (Panda Software International S.L.) W32/Nugache.A.worm
  • (Norman ASA) W32/Nugache.A@mm

Some of its characteristics:

  • It’s packed with the Enigma Protector packer, which means it’s partially obfuscated.
  • When fired up, it listens on TCP port 8.
  • Communications employ a simple cryptor/decryptor (which I didn’t analyze; to be honest, I just wanted to look at the network traffic).
  • When you attach and dump the PE executable, you don’t see the “juicy bits” in an unobfuscated format. You have to watch the bot work in a debugger, manually stepping through to watch various memory regions get decrypted, used, and then wiped away.
  • It has several debugger checks in it that get called frequently. You can’t just use OllyDbg and let it run, or you’ll lose your work. What I did was fire it up and attach, then single step through it to get to a point where the info I was after was available.
  • OllyDbg screenshot

Useful tools in analyzing this sample on an isolated Windows XP Professional host: OllyDbg, IDA Pro (to some degree, although less than you would expect), Process Explorer and TCPView.

We’ve seen large-scale traffic on TCP port 8 for a few days now, and it looks like this malware isn’t horribly widespread (i.e. compared to Blaster, Sasser, or even things like Toxbot) although we do see hosts that appear to be infected. Not surprising. Why the author chose TCP port 8 is a different matter; it’s too simple to filter a service that no one uses. What is interesting to note is that the spikes in traffic we see are, I think, due to people scanning for TCP/8 listeners to identify them.

TCP/8 traffic for the past 24 hours

People have hypothesized that this is just a proof of concept. If so, it’s a decent effort. The author(s) appears to be better than some bot authors, and used some decent drop-in methods to obfuscate their code. I expect that people will adopt this method in the coming days and weeks and improve on Nugache. What this means to botnet monitoring I’m not entirely sure, but we knew this day was coming.