Thursday, 17 July 2008

Technical details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below is characteristic of the most common variants of this worm.

Installation

When the infected file is first launched, the user will see a Windows Explorer window, with an open 'My Pictures' folder.

During installation the worm modifies the following system registry keys, disabling the registry editing tools and the command prompt and hiding files, folders and file extensions in Windows Explorer:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="0"
"HideFileExt"="1"
"ShowSuperHidden"="0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

For example, the following message will be displayed when the registry editor is launched:

The worm then gets a path to Application Data for the current user (%UserProfile%\Local Settings\Application Data) and copies its body to this directory under the following names:

%UserProfile%\Local Settings\Application Data\bron.exe
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\svchost.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe

A text file called Kosong.Bron.Tok.txt (51 bytes in size) is also created in this directory. The file has the following contents:

Brontok.A
By: HVM31
-- JowoBot #VM Community --

The worm also copies its body to the Windows root directory (%WinDir%) under the following name:

%WinDir%\sembako-.exe

and to the ShellNew subdirectory under a name generated as follows:

%WinDir%\ShellNew\bbm-.exe

and to the Windows system directory under the following names:

%System%\DXBLBO.exe
%System%\cmd-bro-.exe
%System%\%UserName%'s Setting.scr

The worm also copies itself to the Start menu Autorun directory as Empty.pif:

%UserProfile%\%Autorun%\Empty.pif

and to the Document Template subdirectory:

%UserProfile%\Templates\-NendangBro.com

and to the My Pictures directory of the current user:

%MyPictures%\Mypictures.exe

An HTML page called about.Brontok.A.html is also created in this directory:

When this page is viewed using the browser, the following message is displayed:

This page contains the contents of the email message which the worm sends to email addresses harvested from the victim machine.

The copies of the worm will then be registered in the system registry to ensure that they are launched automatically:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"=""
"Bron-Spizaetus-"="%WinDir%\ShellNew\bbm-.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=""
"Tok-Cirrhatus-"="%UserProfile%\Local Settings\Application Data\bron.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe "%WinDir%\sembako-.exe""

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd-bro-.exe"

Once installed, the worm creates a file called sistem.sys in the Windows system directory. This file contains the date and time at which the worm was installed on the victim machine, in the format mmddhhmm, where mm is the month, dd the day, hh the hour and mm the minute.
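As an added defensive example (not code from the original write-up or from any vendor tool), a small Python hunt for the persistence artifacts just described: it compares a registry snapshot and a file list against the autorun values, the repointed Winlogon Shell and SafeBoot AlternateShell, and the dropped file names listed above, and decodes the sistem.sys timestamp. The snapshot dictionary format and the sample data are constructed assumptions; collecting the live values (for instance with winreg on Windows) is left to the caller.

```python
"""Hunt for the Brontok.A persistence artifacts listed above (added example)."""
import ntpath  # splits Windows paths correctly on any platform
import re

# Autorun values the worm registers (hive\key -> value names), from the write-up.
RUN_INDICATORS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": ("Bron-Spizaetus", "Bron-Spizaetus-"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": ("Tok-Cirrhatus", "Tok-Cirrhatus-"),
}
SHELL_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
# Dropped file names; a trailing "-" in the write-up may be followed by a variable part.
DROPPED_PATTERNS = [r"sembako-.*\.exe", r"bbm-.*\.exe", r"cmd-bro-.*\.exe", r"DXBLBO\.exe",
                    r"Kosong\.Bron\.Tok\.txt", r"about\.Brontok\.A\.html", r"Empty\.pif",
                    r"-NendangBro\.com", r".*'s Setting\.scr", r"Mypictures\.exe"]


def find_indicators(registry, files):
    """registry: {key_path: {value_name: data}} snapshot (assumed format);
    files: iterable of file paths. Returns a list of findings, empty if clean."""
    findings = []
    for key, names in RUN_INDICATORS.items():
        for name in names:
            if name in registry.get(key, {}):
                findings.append(f"autorun value {name} in {key}")
    # Clean values are exactly "Explorer.exe" and "cmd.exe"; the worm appends to or replaces them.
    shell = str(registry.get(SHELL_KEY, {}).get("Shell", "Explorer.exe"))
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell repointed: {shell}")
    alt = str(registry.get(SAFEBOOT_KEY, {}).get("AlternateShell", "cmd.exe"))
    if alt.strip().lower() != "cmd.exe":
        findings.append(f"SafeBoot AlternateShell repointed: {alt}")
    for path in files:
        name = ntpath.basename(path)
        if any(re.fullmatch(p, name, re.IGNORECASE) for p in DROPPED_PATTERNS):
            findings.append(f"dropped file {path}")
    return findings


def parse_install_stamp(text):
    """Decode the mmddhhmm stamp the worm writes to sistem.sys; None if malformed."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})", text.strip())
    if not m:
        return None
    month, day, hour, minute = (int(x) for x in m.groups())
    if not (1 <= month <= 12 and 1 <= day <= 31 and hour < 24 and minute < 60):
        return None
    return month, day, hour, minute


# Constructed sample of an infected machine, mirroring the write-up's values.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"Bron-Spizaetus-": r"C:\WINDOWS\ShellNew\bbm-.exe"},
    SHELL_KEY: {"Shell": r'Explorer.exe "C:\WINDOWS\sembako-.exe"'},
    SAFEBOOT_KEY: {"AlternateShell": "cmd-bro-.exe"},
}
SAMPLE_FILES = [r"C:\WINDOWS\system32\DXBLBO.exe", r"C:\WINDOWS\system32\kernel32.dll"]
```

Running `find_indicators(SAMPLE_REGISTRY, SAMPLE_FILES)` yields four findings (the HKLM autorun value, the Shell and AlternateShell changes, and the dropped DXBLBO.exe) while kernel32.dll is left alone.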

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

ASP
CFM
CSV
DOC
EML
HTM
HTML
PHP
TXT
WAB

All harvested addresses are saved in %AppData%\Loc.Mail.Bron.Tok, one file per address, each named after the email address with an .ini extension and containing the following text:

Brontok.A
By: HVM31
-- JowoBot #VM Community --

A directory called Ok-SendMail-Bron-tok is also created, and the addresses to which messages have already been sent are saved there.

When sending infected messages the worm uses its own SMTP engine.

Infected messages

Attachment name (chosen from the list below):

  • ccapps.exe
  • jangan dibuka.exe
  • kangen.exe
  • my heart.exe
  • myheart.exe
  • syslove.exe
  • untukmu.exe
  • winword.exe

Message text:

The HTML page shown above acts as the text of infected messages.

Payload

The worm checks the title of the active window, and if it contains one of the following strings, the worm reboots the system:

..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE

The worm also modifies the contents of autoexec.bat in the C: root directory, adding "pause" to it.

Types of Trojan horse payloads

Trojan horse payloads are almost always designed to do various harmful things, but can also be harmless. They are classified by how they breach and damage systems. The six main types of Trojan horse payloads are:

  • Remote Access
  • Data Destruction
  • Downloader
  • Server Trojan (Proxy, FTP, IRC, Email, HTTP/HTTPS, etc.)
  • Security software disabler
  • Denial-of-service attack (DoS)

Some examples of damage are:

  • Erasing or overwriting data on a computer
  • Encrypting files in a cryptoviral extortion attack
  • Corrupting files in a subtle way
  • Upload and download files
  • Planting fake links that lead to counterfeit websites, chats or other account-based sites, and showing a local account name on the computer falsely engaged in activity it never took part in
  • Showing fake downloads of software, movies, games or pornographic material that you never downloaded or visited.
  • Allowing remote access to the victim's computer. This is called a RAT (remote access trojan)
  • Spreading other malware, such as viruses: this type of Trojan horse is called a 'dropper' or 'vector'
  • Setting up networks of zombie computers in order to launch DDoS attacks or send spam.
  • Spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware)
  • Making screenshots
  • Logging keystrokes to steal information such as passwords and credit card numbers
  • Phishing for bank or other account details, which can be used for criminal activities
  • Installing a backdoor on a computer system
  • Opening and closing CD-ROM tray
  • Playing sounds, videos or displaying images.
  • Calling using the modem to expensive numbers, thus causing massive phone bills.
  • Harvesting e-mail addresses and using them for spam
  • Restarting the computer whenever the infected program is started
  • Deactivating or interfering with anti-virus and firewall programs
  • Deactivating or interfering with other competing forms of malware
  • Randomly shutting off the computer
  • A virus

Wednesday, 16 July 2008

Setting Up SmoothWall

For the past few days the Internet connection at the Internet café has been unstable, so I tried to install a router using GNU SmoothWall Express 3.0, and hopefully the connection will be more stable, amen... In this post I try to share my experience installing SmoothWall Express 3.0. I was helped a lot by references from www.smoothwall.org, http://zero.sentradev.com and of course kind uncle Google; feel free to open them for additional reading.

OK! Let's first look at what SmoothWall has to offer:

  • Firewall
  • Intrusion Detection System
  • Web proxy
  • Sharing the Internet connection among particular users
  • Secure Internet connection
  • Scheduling Internet access hours
  • Controlling which websites can be accessed
  • Blocking sites suspected of containing viruses, trojans, pop-up ads, phishing, warez and so on
  • Serving HTTP, HTTPS, FTP, news, gopher and other Internet services as needed
  • Bandwidth optimization

Interested? Then let's continue! Here is what you need to prepare.

PC specifications

(Reminds me of my wedding vows, "I take you with a set of PC", hehe; what if it became the dowry?) The PC I used has the following specifications:

  • Pentium III 900 MHz
  • 256 MB memory
  • 10 GB hard disk
  • 2 Ethernet LAN cards (one for the local network (green) and one for the Internet connection (red))
  • An Internet connection, of course
  • Don't forget the BIOS settings: set it to boot without a mouse and keyboard
  • Optionally prepare some iced melon, snacks and maybe a little music to relax

Software to prepare

  • SmoothWall Express 3.0
  • PuTTY for SSH access; ask uncle Google

Installing SmoothWall

For a more complete installation guide you can download the guide from www.smoothwall.org

  • Burn the downloaded SmoothWall ISO file to CD using Burn Image in Nero
  • Set the computer to boot from the CD-ROM and start the installation
  • SmoothWall will partition the hard disk; press OK and wait until partitioning finishes
  • Choose the keyboard configuration and the hostname
  • Choose the security policy level: open, half-open or closed (I chose half-open; read the guide for details)
  • The network settings will appear. For the network configuration type choose GREEN + RED

network-configuration.jpg

  • Next is detecting the LAN cards as GREEN or RED; press Probe to auto-detect. Do this for both GREEN and RED

card-assignment.jpg

  • When done, for the GREEN interface settings enter the IP address and network mask; for example, I entered 192.168.72.142 for the local network

green-interface.jpg

  • Settings for the RED interface. Enter the IP address you want SmoothWall to have so that it can later reach your modem. For example, SmoothWall's RED IP is set to 192.168.0.2 and the modem's to 192.168.0.1. So under the DHCP/static setting enter SmoothWall's own IP address, i.e. 192.168.0.2

red-interface.jpg

  • Next are the DNS and Gateway settings. If you are a Speedy ISP customer, enter the primary and secondary DNS that Speedy provides for your area. For the default gateway enter the modem's IP address chosen earlier, e.g. 192.168.0.1

dns-and-gateway-settings.jpg

  • DHCP Server Configuration: Disabled. SmoothWall can be used as a DHCP server. If enabled, SmoothWall acts as the DHCP server, so client computers need not be configured with a static IP and a browser proxy. If SmoothWall acts as the DHCP server, there must be no other DHCP server on the same network.
  • Set the ADMIN password, used to access the server via the web
  • Set the ROOT password, used to connect to the server via the console / PuTTY
  • Reboot the computer

Now all that remains is to check the installation, but first don't forget to plug the Ethernet cable from the modem into the RED Ethernet port of the SmoothWall server, and the GREEN Ethernet port into the hub; from the hub the connection is distributed to the clients.

To check the SmoothWall server, open your browser and enter SmoothWall's IP address, e.g. http://192.168.72.142:81 or https://192.168.72.142:441; if it works you will be asked for the admin login and password.

To check modem access, open your browser and enter the modem's IP address, e.g. http://192.168.0.1; if it works, we can reach the modem through the SmoothWall server.

Finally, to check the Internet, first make sure your TCP/IP protocol settings are correct. Enter the SmoothWall server's IP address as the default gateway and preferred DNS server. Then try accessing some site, e.g. www.siswo.web.id, hehe, a little self-promotion :D

internet-protocol.jpg

Once everything is installed we can enable some SmoothWall services.

Enabling the IDS service
The IDS (Intrusion Detection System) service of SmoothWall Express 3.0 needs a little setup using PuTTY and an Oink code obtained from www.snort.org. For full details read here. By the way, SmoothWall's SSH service uses port 222, not port 22.

Enabling the web proxy service

  • Enable the web proxy in the SmoothWall services menu
  • Next, set your browser to use a proxy at SmoothWall's IP address with port 800. For example, in Mozilla click Tools > Options > Advanced > Network > Settings, as in the following example:
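As an added example (not from the original post or from the SmoothWall project), a Python check of the GREEN/RED addressing plan chosen in the steps above: it flags a default gateway that is not on the RED network (the kind of slip a mistyped RED address produces), overlapping GREEN and RED networks, and invalid DNS entries, and derives the client settings and check URLs. The port numbers 81, 441, 222 and 800 are the ones the post states; the consistency rules are my own assumptions.

```python
"""Sanity-check a SmoothWall Express GREEN/RED addressing plan (added example)."""
import ipaddress

# Ports stated in the post: web admin 81/441, SSH 222 (not 22), web proxy 800.
WEB_HTTP, WEB_HTTPS, SSH_PORT, PROXY_PORT = 81, 441, 222, 800


def check_plan(green_ip, green_mask, red_ip, red_mask, modem_ip, dns_servers=()):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    green = ipaddress.ip_interface(f"{green_ip}/{green_mask}")
    red = ipaddress.ip_interface(f"{red_ip}/{red_mask}")
    modem = ipaddress.ip_address(modem_ip)
    # The default gateway must sit on the RED network, or RED can never reach the modem.
    if modem not in red.network:
        problems.append(f"gateway {modem} is not on the RED network {red.network}")
    if red.ip == modem:
        problems.append("RED address collides with the modem address")
    # GREEN and RED must be distinct networks or the firewall cannot route between them.
    if green.network.overlaps(red.network):
        problems.append(f"GREEN {green.network} overlaps RED {red.network}")
    for iface, label in ((green, "GREEN"), (red, "RED")):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{label} address {iface.ip} is a network or broadcast address")
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid address")
    return problems


def client_settings(green_ip):
    """What each LAN client is told: gateway and DNS are GREEN, the proxy is GREEN:800."""
    return {"gateway": green_ip, "dns": green_ip, "proxy": f"{green_ip}:{PROXY_PORT}"}


def check_urls(green_ip, modem_ip):
    """URLs to try from a client, in the order the post checks them."""
    return [f"http://{green_ip}:{WEB_HTTP}/", f"https://{green_ip}:{WEB_HTTPS}/",
            f"http://{modem_ip}/"]


# The post's own example values (the RED address as the post intends it).
PLAN = dict(green_ip="192.168.72.142", green_mask="255.255.255.0",
            red_ip="192.168.0.2", red_mask="255.255.255.0", modem_ip="192.168.0.1")
```

With the post's values `check_plan(**PLAN)` returns no problems, while a RED address on a different /24 than the modem is reported immediately.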

About the SmoothWall GPL Project

The SmoothWall GPL project was founded in the summer of 2000 by Lawrence Manning (Principal Code Author) and Richard Morrell (Project Manager). Their goal was to create a Linux distribution that could convert a redundant PC into a hardened Internet firewall device. With help from other early contributors, John Faulty and Tom Ellils, the first SmoothWall Firewall was posted to sourceforge.net at the end of August 2000.

The project was immediately popular and grew rapidly. Within weeks, thousands of copies had been downloaded and SmoothWall was appearing regularly on magazine cover CDs in the UK and overseas. Many more developers joined the team and new versions were released almost weekly, incorporating new features based on software contributions from all around the world.

Version 0.9.9 was a major milestone for the project team, who perceive it as the point at which the project “grew up”. Released in September 2001, this version incorporated a web-based multi-language GUI so the firewall could be used and administered by non-Linux people. It also included the Snort Intrusion Detection System (IDS) and support for ADSL modems and PPPoE connections.

December 2003 saw the release of SmoothWall Express 2.0 and an array of comprehensive written documentation. By June 2004, Express 2.0 had seen over 200,000 installations.

The alpha version of Express 3 (code-named Koala) was released in September 2005. Based on the Linux 2.6 kernel, this test version featured a new open architecture, designed to make it easy for developers to produce their own security components. With the benefit of software contributions from around the world, a Beta version followed in 2007. This version was code-named "Degu", in remembrance of one of our team's pets, who sadly died during development. (Admittedly, this was not much of a surprise given the length of time it took us to get to beta!) The current, final and stable version of Express 3.0 (code-named Sammy) is available on the download page.

Over the years, the project team has changed and the SmoothWall community has grown to include over 15,000 forum members. The initial design goals are still the foundation of SmoothWall Express today:

  1. Be simple enough to be installed by home users with no knowledge of Linux
  2. Support a wide variety of network cards, modems and other hardware
  3. Work with many different connection methods and ISPs from across the world
  4. Use any web browser to manage and configure the software

The SmoothWall Open Source Project is funded and supported by SmoothWall Limited. All program code and other works are the copyright of their respective authors unless assigned and noted otherwise by the author. The Project in essence belongs to the community that contributes to it.

Malicious Software Removal Tool

The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

Microsoft releases an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents. The tool is available from Microsoft Update, Windows Update and the Microsoft Download Center.

Note: The version of the tool delivered by Microsoft Update and Windows Update runs in the background and then reports if an infection is found. If you would like to run this tool more than once a month, use the version on this Web page or install the version that is available in the Download Center.

Because computers can appear to function normally when infected, Microsoft advises you to run this tool even if your computer seems to be fine. You should also use up-to-date antivirus software to help protect your computer from other malicious software.

To download the latest version of this tool, please visit the Microsoft Download Center.

You can also perform an online scan of your computer using the Windows Live OneCare safety scanner.

Run an Online Scan of Your PC for Malicious Software

If you would like to scan your computer for malicious and potentially unwanted software from a website, please use the