Randex | |
---|---|
Type | Internet worm |
Creator | |
Date Discovered | 04-JUN-2003 |
Place of Origin | Mississauga, Ontario, Canada |
Source Language | |
Platform | Microsoft Windows |
File Types | .exe |
Infection Length | 24,064 bytes |
Reported Costs | |
Randex is a worm from 2003. It spreads through networks using weak passwords and tries to steal the CD keys of certain games.
Behavior
Randex enters a system after it has successfully guessed a weak password. The file msmonk32.exe is sent from the remote computer to the victim and then executed. When executed, it copies itself to the system folder under a variable file name with an .exe extension, which it then adds to one or more of the following registry keys so that it starts again when the system is restarted:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Randex then schedules a remote job that will attempt to run itself on a remote computer. It generates random IP addresses looking for a computer to infect. The worm tries the following passwords:
- admin
- root
- 1
- 111
- 123
- 1234
- 123456
- 654321
- !@#$
- asdf
- asdfgh
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- server
It sends the file msmonk32.exe to the paths \c$\winnt\system32\msmonk32.exe and \Admin$\system32\msmonk32.exe.
IRC Backdoor
The worm contains an IRC backdoor component that connects to a predefined IRC channel. It performs the usual IRC backdoor functions, allowing the attacker to get information on the system, download arbitrary files to the victim computer, execute programs on the computer, and perform Denial of Service attacks on specified servers. It may also try to steal the CD keys of the following games:
- Battlefield 1942 The Road to Rome
- Battlefield 1942 Secret Weapons of WWII
- Counter-Strike
- Unreal Tournament 2003
- Half-Life
Variants
A large number of variants were produced starting in late spring through the summer of 2003.
Randex.B
Randex.B appeared on the 4th of June of 2003. It is 17,920 bytes long. When searching for IP addresses to infect, it will avoid the following ranges:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.16.255.255
- 192.168.0.0 - 192.168.255.255
- 127.0.0.0 - 127.255.255.255
- 240.0.0.0 - 240.255.255.255
This variant will also attempt to use a blank password. It uses the NetUserEnum() API to get a list of users on the system and will attempt to log in as each user until it connects successfully or runs out of possible accounts. It may end up getting locked out because of too many unsuccessful attempts. It appears to use msslut32.exe as its file name in every stage of infection and only uses the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
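Because Randex.B walks the enumerated account list and tries each one in turn (and the base worm cycles through the short password list above), the signature a target host sees is one source address failing network logons against many different accounts within seconds. The following is an added example, not code from the original page or from any antivirus vendor cited here: it runs a sliding-window check over failed-logon records. The records are a constructed, simplified form of Windows Security event 4625 (failed logon) with an assumed comma-separated layout; the thresholds are assumptions to tune per environment.

```python
"""Flag the many-accounts-from-one-source logon pattern produced by Randex.B.

Added example, not part of the original page. Records are a constructed,
simplified form of Windows Security event 4625; the field layout, window
length and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # span the failures must fall inside (assumption)
MIN_FAILURES = 5                # failed network logons inside the window (assumption)
MIN_ACCOUNTS = 3                # distinct target accounts inside the window (assumption)


def parse_record(line):
    """Parse 'ISO-time,event_id,target_user,source_ip,logon_type' (constructed layout)."""
    ts, event_id, user, src, logon_type = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": user.lower(), "src": src, "logon_type": int(logon_type)}


def find_bruteforce_sources(lines):
    """Return {source_ip: (first_failure, failure_count, accounts)} for every
    source that produced MIN_FAILURES or more failed network logons (logon
    type 3, which covers SMB sessions) against MIN_ACCOUNTS or more distinct
    accounts inside some WINDOW-long span."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["event_id"] == 4625 and rec["logon_type"] == 3:
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span is at most WINDOW.
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            accounts = {r["user"] for r in window}
            if len(window) >= MIN_FAILURES and len(accounts) >= MIN_ACCOUNTS:
                alerts[src] = (window[0]["ts"], len(window), sorted(accounts))
                break
    return alerts


# Constructed sample: one Randex.B-style burst, one user mistyping a password,
# one interactive (console) failure, and one success that is not a 4625.
SAMPLE_LOG = [
    "2003-06-04T10:00:01,4625,Administrator,10.1.2.3,3",
    "2003-06-04T10:00:02,4625,jsmith,10.1.2.3,3",
    "2003-06-04T10:00:03,4625,backup,10.1.2.3,3",
    "2003-06-04T10:00:04,4625,svc_sql,10.1.2.3,3",
    "2003-06-04T10:00:05,4625,guest,10.1.2.3,3",
    "2003-06-04T10:00:06,4624,guest,10.1.2.3,3",     # weak password finally worked
    "2003-06-04T10:03:10,4625,jsmith,10.1.2.50,3",   # ordinary typo, same account
    "2003-06-04T10:03:15,4625,jsmith,10.1.2.50,3",
    "2003-06-04T10:05:00,4625,alice,10.1.2.77,2",    # interactive logon, not network
]

if __name__ == "__main__":
    for src, (first, count, accounts) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures from {first}, accounts {', '.join(accounts)}")
```

Only 10.1.2.3 trips the rule; the two typos from 10.1.2.50 stay under both thresholds. In practice the interesting follow-up is the successful logon from the same source right after the burst, and, where the worm ran out of attempts first, the account-lockout events that the page says Randex.B can trigger.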
Randex.C
This variant appeared on the 18th of June in 2003. It weighs in at 40,960 bytes. The worm's filename when being sent to the target computer is msmonk32.exe and its name when copied becomes gesfm32.exe. It only uses one registry key, like Randex.B. It may open one or more of the following ports (as well as one random port): 20, 113, 445, 1024, and 55808.
This version has three commands that can be sent over IRC:
- ntscan: triggers a scan for new systems to infect.
- syn: triggers a SYN flood attack with a data size of 55808 bytes.
- sysinfo: sends the machine's information to the attacker, including CPU speed and memory.
Randex.D
This version appeared on the 27th of June 2003 and is either 32,256 bytes or 13,824 bytes long. It uses the file name msmsgri32.exe throughout the infection process. It adds the value "mssyslanhelper = msmsgri32.exe" to the same registry key used by previous versions.
Randex.D also drops the Backdoor.Roxy trojan. It drops and runs the file "Payload.dat" containing the trojan. The trojan sets the registry key value "System Initialization = payload.dat" in the same registry key the worm modified so it would start up along with the system. It listens on ports 3330, 3331, 3332, and 3361, using the first three to receive remote commands.
Randex.J
This variant appeared on 8th of September 2003. It weighs in at 73,728 bytes and is uncompressed. Some text strings are encrypted.
The first thing it does when executed is to find and delete the file winnt32.dat in the Windows system folder. It then gets the API addresses of certain Windows functions and checks to see if it is already installed on the system. If not, it will copy itself to the system folder as netd32.exe, a file name it will use throughout the infection. It will add the value "Microsoft Network Daemon for Win32 = netd32.exe" to the same registry key as the previous versions as well as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
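Every version described on this page persists the same way: a copy in the system folder plus a value under one of the Run-type keys listed in the Behavior section, and the variants only change the file name (msslut32.exe, gesfm32.exe, msmsgri32.exe, netd32.exe) or the value name (mssyslanhelper, System Initialization, Microsoft Network Daemon for Win32). The script below is an added example, not code from the original page or from any vendor write-up: it audits those four keys for values that launch any of the file names or carry any of the value names the page attributes to Randex, Roxy and their variants. On Windows it reads the live registry through the standard winreg module; elsewhere it runs against a constructed sample so the matching logic can be exercised offline.

```python
"""Audit the autorun registry keys named on the page for Randex-style entries.

Added example, not part of the original page. Indicator names come from the
page; the sample entries at the bottom are constructed.
"""
import sys

# Autorun keys listed in the Behavior section: (hive, subkey).
AUTORUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# File names the page attributes to Randex and its variants (lower-cased).
RANDEX_FILENAMES = {
    "msmonk32.exe",   # Randex and Randex.C transfer name
    "msslut32.exe",   # Randex.B
    "gesfm32.exe",    # Randex.C copied name
    "msmsgri32.exe",  # Randex.D
    "payload.dat",    # Backdoor.Roxy, dropped by Randex.D
    "netd32.exe",     # Randex.J
    "winnt32.dat",    # Randex.J scan-stage copy
}

# Value names the page quotes for Randex.D, Roxy and Randex.J (lower-cased).
RANDEX_VALUE_NAMES = {
    "mssyslanhelper",
    "system initialization",
    "microsoft network daemon for win32",
}


def basename_lower(command):
    """Return the lower-cased file name from an autorun command string,
    handling quoted paths and trailing arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]      # quoted path: take up to the closing quote
    else:
        cmd = cmd.split(" ", 1)[0]           # unquoted: first token is the executable
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(entries):
    """entries: iterable of (hive, subkey, value_name, command).
    Returns (hive, subkey, value_name, command, reason) for each match."""
    hits = []
    for hive, subkey, name, command in entries:
        reasons = []
        fname = basename_lower(command)
        if fname in RANDEX_FILENAMES:
            reasons.append("file name " + fname)
        if name.strip().lower() in RANDEX_VALUE_NAMES:
            reasons.append("value name " + name)
        if reasons:
            hits.append((hive, subkey, name, command, "; ".join(reasons)))
    return hits


def read_live_registry():
    """Enumerate the autorun keys with winreg (Windows only)."""
    import winreg  # ImportError off Windows
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    for hive_name, subkey in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue  # RunServices is absent on current Windows versions
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                yield hive_name, subkey, name, str(value)
                i += 1


# Constructed sample: one benign entry and three entries built from the page.
SAMPLE_ENTRIES = [
    ("HKEY_LOCAL_MACHINE", AUTORUN_KEYS[0][1], "SecurityHealth",
     r'"C:\Windows\system32\SecurityHealthSystray.exe"'),
    ("HKEY_LOCAL_MACHINE", AUTORUN_KEYS[0][1], "mssyslanhelper", "msmsgri32.exe"),
    ("HKEY_LOCAL_MACHINE", AUTORUN_KEYS[0][1], "System Initialization", "payload.dat"),
    ("HKEY_LOCAL_MACHINE", AUTORUN_KEYS[2][1], "Microsoft Network Daemon for Win32",
     r"C:\WINNT\system32\netd32.exe"),
]

if __name__ == "__main__":
    entries = list(read_live_registry()) if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, subkey, name, command, reason in find_suspicious(entries):
        print(f"{hive}\\{subkey} : {name} = {command}  [{reason}]")
```

Matching on both the file name and the value name matters here: Randex.D's value name is the more stable indicator if a later sample renames the binary, while the file name catches variants like Randex.B and Randex.C that the page does not quote a value name for. Bare names such as "msmsgri32.exe" resolve through the system folder, which is why the check deliberately ignores the directory part.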
Randex.J will then connect to one of two IRC channels with hardcoded names and create a bot in a channel whose name is also hardcoded in the worm. The list of actions the bot can perform includes:
- Log in and out of the bot
- Display and clear masters list
- Terminate own process
- Generate another random nickname for the bot
- Connect and disconnect from IRC server
- List active threads
- Show log file
- Get connection type
- Get system information
- Start and stop NTScan
- Uninstall the worm
- Delete the WINNT32.DAT file
- Terminate threads or a selected thread
- Join and part from a channel, change bot's nickname
- Open or run a specified file
- Get DNS info
- Open a specified URL
- Perform SYN flood
- Send private message from a bot
- Create clones
- Redirect traffic for specific port
- Download files from a specified URL
- Execute specified files
- Change channel mode
- Update the worm from a specified URL
- Destroy current bot
- Perform a DoS (Denial of Service) attack
It can also steal CD keys from the following games:
- HalfLife
- Unreal Tournament 2003
- Battlefield 1942
- Battlefield 1942: Road To Rome
- Command and Conquer: Generals
When it receives an ntscan instruction, it copies itself to the system folder as WINNT32.DAT and generates random IP addresses to connect to. The worm tries to retrieve network user names and connect using them; if this fails, it tries to connect as Administrator. Once connected, the worm tries to access the IPC$ share on the remote computer and copy itself to the following locations as NETD32.EXE:
- \ADMIN$\system32\netd32.exe
- \C$\WINNT\system32\netd32.exe
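The copy step is the same in the base worm (msmonk32.exe into \c$\winnt\system32 and \Admin$\system32) and in Randex.J (netd32.exe into the two paths above): an authenticated session writes an executable into the system folder through an administrative share. That is a narrow thing to watch for on a file server or workstation that audits share access. The code below is an added example, not from the original page or from any cited vendor: it filters share-access records for writes of executable-type files into the system folder over ADMIN$ or C$. The records are a constructed, simplified form of Windows event 5145 (detailed file share access); the comma-separated layout and the access names are assumptions, not the real event schema.

```python
"""Flag executables written into the system folder over administrative shares.

Added example, not part of the original page. Records are a constructed,
simplified form of Windows event 5145; the field layout and access names
are assumptions.
"""
import ntpath
import re
from datetime import datetime

ADMIN_SHARES = {"ADMIN$", "C$"}
# Via ADMIN$ the share root is the Windows directory, so the relative target
# starts at system32\; via C$ it starts at the drive root, so WINNT\system32\
# (or Windows\system32\) must be accepted too.
SYSTEM_DIR_RE = re.compile(r"^(?:winnt\\|windows\\)?system32\\", re.IGNORECASE)
# Extensions worth alerting on; .dat is included because Randex.J stages WINNT32.DAT.
EXEC_EXT = {".exe", ".dll", ".dat", ".bat", ".cmd", ".scr"}
# Access names as rendered in the constructed records (assumption).
WRITE_ACCESS = {"WriteData", "AddFile"}


def parse_record(line):
    """Parse 'ISO-time,event_id,source_ip,account,share,relative_target,accesses'
    where accesses is '|'-separated. Constructed layout."""
    ts, event_id, src, account, share, target, accesses = line.strip().split(",", 6)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), "src": src,
            "account": account, "share": share, "target": target,
            "accesses": set(accesses.split("|"))}


def is_system_folder_drop(rec):
    """True when the record shows an executable-type file being written into
    the system folder through an administrative share."""
    if rec["event_id"] != 5145 or rec["share"].upper() not in ADMIN_SHARES:
        return False
    if not SYSTEM_DIR_RE.match(rec["target"]):
        return False
    ext = ntpath.splitext(rec["target"])[1].lower()
    return ext in EXEC_EXT and bool(rec["accesses"] & WRITE_ACCESS)


def find_share_drops(lines):
    """Return the parsed records that match is_system_folder_drop, in log order."""
    return [rec for rec in map(parse_record, lines) if is_system_folder_drop(rec)]


# Constructed sample: the two Randex.J drop paths, a normal user-profile write,
# a read of an unrelated system file, and a read (not write) of netd32.exe.
SAMPLE_RECORDS = [
    r"2003-09-08T02:11:05,5145,10.1.2.3,WORKGROUP\Administrator,ADMIN$,system32\netd32.exe,WriteData|AddFile",
    r"2003-09-08T02:11:06,5145,10.1.2.3,WORKGROUP\Administrator,C$,WINNT\system32\netd32.exe,WriteData",
    r"2003-09-08T02:12:00,5145,10.1.2.9,DOMAIN\backupsvc,C$,Users\alice\report.docx,WriteData",
    r"2003-09-08T02:12:30,5145,10.1.2.9,DOMAIN\admin,ADMIN$,system32\drivers\etc\hosts,ReadData",
    r"2003-09-08T02:13:00,5145,10.1.2.9,DOMAIN\admin,ADMIN$,system32\netd32.exe,ReadData",
]

if __name__ == "__main__":
    for rec in find_share_drops(SAMPLE_RECORDS):
        print(f'{rec["ts"]} {rec["src"]} as {rec["account"]} wrote \\\\{rec["share"]}\\{rec["target"]}')
```

The filter is deliberately not keyed to the file name: the page shows the worm changing its name from variant to variant, whereas "write an executable into the system folder over an admin share from a remote host" is rare enough in most environments that it is worth reviewing regardless of name. Legitimate software deployment that does the same thing should be allow-listed by source address or account rather than by file name.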
Effects
The Royal Canadian Mounted Police, who investigated and found the creator, estimated the worm infected over 9,000 computers. By spring of 2004, around 20 variants of the worm existed. By December the number of infected computers was estimated to be 30,000. As the worm had no destructive payload and only really caused a few low-profile DDoS attacks, damage was limited to wasted time cleaning systems.
Origin
Randex was written by a 16 year old from Mississauga, Ontario in collaboration with others from the US and Britain. He was arrested in May of 2004 for writing Randex. As a juvenile, he was never named and is not known to have any handles. A British 16 year old was arrested in December of that year, and several people from Canada, the UK, and the US were involved in the creation and distribution of the worm. At the end of their trials, they confirmed their motives were not fraud or spam, but rather to gain advantages in the game Outwar.
Some sources report the worm as first appearing in November of 2003, though most antivirus products had detections for it in June of 2003.
Sources
F-Secure, Randex.
Kaoru Hayashi. Symantec Security Response, W32.Randex. 13-FEB-2007
Douglas Knowles. Symantec Security Response, W32.Randex.C. 17-SEP-2003
Douglas Knowles. Symantec Security Response, W32.Randex.D. 31-JUL-2003
Heather Shannon. Symantec Security Response, Backdoor.Roxy. 07-AUG-2003
F-Secure, Randex.J.
John Leyden. The Register, Canadian, 16, on Randex worm rap. 27-MAY-2004
Jan Libbenga. The Register, Teenage British Trojan distributor escapes jail. 20-DEC-2004
John Leyden. The Register, Botnet used to boost online gaming scores. 21-DEC-2004