Today we analyze a classic SMB worm that leverages GMAIL for Command and Control (C2) check-ins and drops a persistent backdoor on infected machines.
Filename: smb-4ppzilmr.tmp
MD5: 3844EC6EC70347913BD1156F8CD159B8
Sample: Download via Reverse.it
History & Context
The last worm I analyzed was WannaCry, which weaponized the ETERNALBLUE SMB exploit to spread with terrifying speed. Today’s example is not quite as sophisticated. It relies on "old-school" propagation: brute-forcing SMB shares and installing backdoors. It’s a fascinating look at malware evolution—a true blast from the past.
Technical Details: Privilege Check
Opening the sample in IDA Pro, we immediately encounter a function that checks the current username. It compares the result against the string SYSTEM. This is a critical pivot point: if the malware isn't running as SYSTEM, it enters the propagation loop. If it is running as SYSTEM (meaning it was successfully launched as a service), it proceeds to install the backdoor.
Worm Propagation: Brute Forcing the Web
The propagation path spins off approximately 50 threads. Each thread enters a loop that calculates four octets using GetTickCount and rand to generate random IP addresses. This "spray and pray" method allows the worm to scan an immense number of targets globally.
When a generated IP responds, the worm checks for an open SMB port (445). If the port is open, it attempts to connect to the IPC$ and ADMIN$ shares using common administrative usernames such as administrator or db2admin and a built-in list of roughly 60 weak passwords.
C2 via SMTP: The GMAIL Check-in
The malware attempts to report successful infections via GMAIL's SMTP service on Port 25. This is an antiquated technique; Google has since moved to secure ports (465, 587) and limited Port 25 access for non-SSL devices. However, we can still analyze the SMTP session logic: the worm attempts to send an email to [email protected] containing the victim's IP, OS version, and the credentials used to breach the machine.
Infection Flow & Backdoor Deployment
Once a target is breached, the worm follows a specific sequence to elevate its privileges:
- Remote Service Creation: It creates a service on the target to open the ADMIN$ share.
- Self-Copy: The worm copies itself to the target's %SYSTEMROOT% directory as CSRSS.EXE.
- Execution: It launches the new CSRSS.EXE as a Windows Service.
Because Windows Services run under the LocalSystem account, the new copy now passes the SYSTEM check we saw in IDA Pro. This triggers the backdoor path: dropping a PETITE-packed executable named lsasvc.exe and establishing persistence in the registry.
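As an added defender-side example (not code from this post or from the worm), the following Python checks constructed, simplified log records for the two behaviours described in the propagation and infection-flow sections: a burst of failed network logons to administrator/db2admin from one source, and a newly installed service whose image is csrss.exe outside System32, where the legitimate binary lives. The record format, the use of event ids 4625 and 7045, the threshold and window, and every sample value are assumptions made for the example.

```python
"""Detection logic for the two behaviours above: SMB password spraying against
admin accounts, and a service whose image is csrss.exe dropped outside System32.
Input is a CONSTRUCTED simplified record format, not real Windows event syntax:
<epoch secs>|<event id: 4625 failed logon, 7045 service installed>|<src ip>|<user>|<logon type or image path>"""
from collections import defaultdict

ADMIN_USERS = {"administrator", "db2admin"}  # accounts the worm tries
SAMPLE_LOG = """\
1000|4625|10.0.0.7|administrator|3
1003|4625|10.0.0.7|Administrator|3
1005|4625|10.0.0.7|db2admin|3
1010|4625|10.0.0.7|administrator|3
1012|4625|10.0.0.7|db2admin|3
1020|4625|10.0.0.7|administrator|3
1500|4625|10.0.0.9|alice|2
2000|7045|10.0.0.7|SYSTEM|C:\\Windows\\CSRSS.EXE
2100|7045|10.0.0.3|SYSTEM|C:\\Windows\\System32\\csrss.exe
"""

def parse_event(line):
    ts, event_id, src, user, detail = line.rstrip("\n").split("|", 4)
    return {"ts": int(ts), "id": int(event_id), "src": src,
            "user": user.lower(), "detail": detail}

def detect_smb_bruteforce(events, threshold=5, window=60):
    """Source IP -> peak count of failed network logons (4625, logon type 3)
    to admin accounts inside any `window`-second interval, if >= threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["detail"] == "3" and e["user"] in ADMIN_USERS:
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

def detect_rogue_csrss(events):
    """Service installs (7045) whose image is csrss.exe outside System32."""
    rogue = []
    for e in events:
        path = e["detail"].replace("/", "\\").lower()
        if e["id"] == 7045 and path.endswith("\\csrss.exe") and "\\system32\\" not in path:
            rogue.append(e["detail"])
    return rogue
```

Running both detectors over SAMPLE_LOG flags 10.0.0.7 for six admin-account failures within 60 seconds and for installing a service from C:\Windows\CSRSS.EXE, while the System32 install on 10.0.0.3 is left alone.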
Conclusion
Based on the lack of protection, the specific brute-force lists, and the SMTP logic, this is likely the Brambul worm (circa 2015), used to drop the Duuzer backdoor. While the C2 mechanism is largely deprecated, seeing it active in modern sandbox databases suggests someone may be attempting to repurpose this classic codebase. Always keep SMB ports firewalled and use strong, unique passwords for administrative accounts.