Keeping up with Nuwar

Wednesday, August 15, 2007 at 2:33am by Dmitry Gryaznov

A few weeks ago I noticed a relative spike in the “You’ve received a postcard from …” spam. Not that I didn’t receive it occasionally before, but now it was arriving in noticeable numbers and hitting my mailbox several times an hour. My family told me they were receiving it too. It was, of course, a new wave of Nuwar (aka Zhelatin, aka Peacomm, aka “Storm worm”) spamming. So, I got curious and downloaded several samples from the spammed links. Not using IE or any other browser for that matter – that would be asking for trouble – but using a utility of my own, somewhat similar to wget but developed independently a long time ago. I scanned the samples with our latest beta DATs and found that we missed some. Well, given that Nuwar is polymorphically repacked every few minutes and a functionally new version is released every day, that was hardly surprising. I zipped the samples up and sent them to our virus researchers to produce detection for them.

And it continued like that for the next two or three days: periodically I would check my mailbox for Nuwar spam, download the samples, scan them and forward whatever we did not detect to our virus analysts. And then I decided to automate the whole process. Firstly, because after a couple of days I got bored with doing it manually. And secondly, and more importantly, because manual processing was not good enough for keeping up with something changing as quickly as Nuwar. I needed a system that would poll given POP3 mailboxes every few minutes, recognize new Nuwar E-mails, extract the URLs and compromised computers’ IPs from them, and submit those URLs to a URL monitoring subsystem. The URL monitoring subsystem should attempt to download samples from the URLs every so many minutes, exclude duplicates by means of calculating, storing and comparing MD5 hashes, periodically (say, once an hour) scan the downloaded samples with our latest DATs, collect whatever is not detected and E-mail it to human and automatic analysts for further processing. And a separate subsystem should keep the local copy of our scanner updated from beta DATs. On top of that, being preoccupied with my other projects, I could spend only an hour or two on this new project.
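The mail-side steps of that pipeline, as an added Python example (not the author's own batch scripts or utilities): recognize the postcard lure, pull the URLs and the compromised hosts' IPs out of the message, and keep only one copy of each downloaded sample by MD5. The lure wording, the addresses (documentation range) and the sample bytes are all constructed, so it runs offline.

```python
"""Offline model of the Nuwar collection steps: lure recognition, URL/IP
extraction and MD5 dedup.  All inputs below are constructed test data."""
import email
import hashlib
import re
from email import policy

# Constructed lure pattern; the real wave used several wordings.
LURE_SUBJECT = re.compile(r"received a postcard", re.IGNORECASE)
# The spammed links pointed straight at the IP of a compromised host,
# so the host part is captured as the IP to record.
URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.IGNORECASE)


def extract_lure_urls(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (url, ip) pairs if the message matches the lure, else []."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if not LURE_SUBJECT.search(msg.get("Subject", "")):
        return []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    seen, found = set(), []
    for m in URL_RE.finditer(text):
        url, ip = m.group(0).rstrip(".,)"), m.group(1)
        if url not in seen:           # same link is often repeated in one mail
            seen.add(url)
            found.append((url, ip))
    return found


class SampleStore:
    """One stored copy per distinct MD5; repacked samples that hash the same are dropped."""

    def __init__(self) -> None:
        self.samples: dict[str, bytes] = {}   # md5 hex digest -> sample bytes
        self.duplicates = 0

    def add(self, data: bytes) -> bool:
        """Store data; return True only if this hash has not been seen before."""
        digest = hashlib.md5(data).hexdigest()
        if digest in self.samples:
            self.duplicates += 1
            return False
        self.samples[digest] = data
        return True


# Constructed mail in the shape of the lure; 192.0.2.0/24 is a documentation range.
SAMPLE_MAIL = (
    b"From: postcard@example.com\r\n"
    b"Subject: You've received a postcard from a family member!\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Please see your postcard at http://192.0.2.10/ecard.exe\r\n"
    b"Or http://192.0.2.10/ecard.exe if the link above does not work.\r\n"
)
```

The URLs returned by `extract_lure_urls` are what the monitoring subsystem would fetch on its own schedule; everything fetched goes through `SampleStore.add` so only previously unseen hashes reach the hourly scan.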

Fortunately, I already had all the necessary components developed a long time ago for my other projects, and all I had to do now was put them all together with something like a bunch of BAT files. My wget-like geturl utility I mentioned before supports not only http and ftp but a bunch of other protocols, in particular POP3 – so, that’s what I used for polling the POP3 mailboxes. The scanner updating subsystem is part of my VGrep and MiniMavis projects (MiniMavis is a multi-scanner system predating VirusTotal and the likes by years. Not open to the public, though). I also developed a URL monitoring engine a few years ago for an internal Avert project. And I have my own hashfile utility, capable of calculating a number of hashes over given files, including MD5. And I have my own mailit utility to send E-mails with attachments. The rest was a matter of using Windows BATCH scripting – rather useful and powerful enough, the FOR statement in particular – and utilities like find and wzzip.

As a result, new Nuwar variants are now spotted and collected pretty much as soon as they appear and if we do not detect them on the spot, we detect them an hour or two later ;)
