CERT^® Incident Note IN-2001-02

Open mail relays used to deliver "Hybris Worm"

Date: Friday, March 02, 2001

Overview

It is well documented that intruders have used open mail relays for years to deliver unsolicited email. Recently, the CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." This represents a threat because intruders are increasingly using open mail relays to increase the number of messages propagated containing malicious code by leveraging the increased bandwidth and processing power of hosts connected to the Internet.

Description

The Hybris Worm is a piece of malicious code that propagates through email messages and newsgroup postings, specifically targeting Windows machines. To become infected a user must execute an attachment received in email or a posting; no special mail or news reader program is required to become infected.

This worm infects the Windows networking library WSOCK32.DLL file, thereby subverting "normal" email behavior. Whenever a user sends an email on an infected machine, the malicious code sends out another email to the same recipient with a copy of itself as an attachment. Based on reports the CERT/CC has received, Hybris only affects Win32 systems and does not contain a destructive payload. However, the malicious code appears to contain code modules that can be upgraded from the web to give it a destructive payload. There are several variants, although all variants have the same behavior with very minor differences.

Versions of Hybris reported to the CERT/CC have these characteristics:

From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
          polite with Snowhite. When they go out work at mornign, they promissed a 
          *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
          Dwarfs enter...
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)

Or...

From: Hahaha <hahaha@sexyfun.net>
Subject: Enanito si, pero con que pedazo!
Body: Faltaba apenas un dia para su aniversario de de 18 a?ņos. Blanca de Nieve fuera
          siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*
          sorpresa para su fiesta de complea?ņos. Al entardecer, llegaron. Tenian un brillo
          incomun en los ojos...  
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)

While these characteristics are the most common in reports we have received, it is possible for any mail message to contain Hybris as a file attachment.

Intruders are using open mail relays to propagate Hybris. An "open" mail relay is a mail transport agent (MTA) that is configured to forward mail between senders and recipients who are not a part of the MTA's operational domain."Open mail relays" are sometimes called "open mail servers," "mail relays," "third-party mail servers," or similar names. Intruders who wish to obscure their identity often send mail through an open mail relay. Using an open mail relay from another site is attractive to the intruder because accountability is far less enforceable. For more information on open mail relays, please see

For more details about Hybris, please check an antivirus vendor database. A sample collection is listed on the CERT/CC's Computer Virus Resources page:

Impact

Sites with open mail relays may be used to send mail to arbitrary third parties with possible malicious payloads such as Hybris. The use of the mail server's cycles and bandwidth can degrade the quality of service.

Solution

It may be possible for an organization to be an open mail relay without knowing it. Generally speaking, there are few circumstances under which a network should have an open mail relay. We encourage sites to review their mail server configuration and evaluate their exposure to this type of abuse.

As good security practice, users should always exercise caution when receiving email with attachments. Disable auto-opening or previewing of email attachments in your mail program. Do not open attachments from an untrusted origins or those that appear suspicious in any way. Finally cryptographic checksums can be used to validate the integrity of the file.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2001 Carnegie Mellon University.