Originally published on January 9th, 2001 on Techweb

A new worm called Hybris has been spreading across computers in Europe, the United States, and South America.

While it currently carries a non-destructive payload, some anti-virus software developers are worried that Hybris’ plug-in architecture could actually enable it to evolve into a much more dangerous virus, opening backdoors in computer systems and escalating the war between virus makers and anti-virus software developers.

First discovered by Russian developers at Kaspersky Labs (Cambridge, U.K.) as having originated in South America, the Hybris worm has spread through e-mail to Europe and the U.S. at an accelerating pace. “Hybris is one of the more common viruses we’re seeing right now,” said Brian Kinj, a member of the technical staff at Carnegie-Mellon’s CERT Coordination Center.

The true originality of Hybris — and possibly its true danger — lies in its plug-in architecture. Using a new model never before encountered, the worm can connect to either the alt.comp.virus Usenet newsgroup or to a series of Web sites, and transparently download its own updates similar to Trojan horse programs. One effect of this self-upgrading model is that the worm’s signature — the appearance it presents to anti-virus programs — can be altered in unpredictable ways, defeating anti-virus products that may only be able to detect its previously known signatures. And not only is Hybris’ payload self-upgrading, but its own binary core components are, too, leaving no single element of the worm persistently traceable.

In its original version, Hybris distributed itself as an e-mail attachment; however, recent reports indicate that it can also distribute itself using ICQ, an instant messaging platform used by over 30 million people. The worm infects the Windows Internet sockets library file WSOCK32.DLL, enabling it to control users’ Internet connections and intercept e-mail addresses of incoming messages using a method similar to that employed by the MTX virus. Once it has obtained an address, Hybris automatically sends itself to the next computer.

Surprisingly, Hybris can also modify the WSOCK32.DLL even if it has been write-protected. In such a case, Hybris makes a copy of WSOCK32.DLL, infects that copy, and then writes the name of the infected copy in the WIN.INI initialization file. The next time Windows is rebooted, the system recognizes the infected library rather than WSOCK32.DLL. The virus ensures its persistence by making a copy of itself with a random name, then writing an entry pointing to this copy in the Windows System Registry — specifically in the Run_Once Registry key. This way, Hybris can recopy itself even if its original copy is erased.

To date, all the plug-ins observed in the virus newsgroups have utilized a very strong encryption algorithm, which Patrick Nolan, virus researcher for McAfee.com Corp. (Sunnyvale, Calif.), characterized as “possibly encrypted with a PGP key or similar scheme used by virus writers.”

So even though they’re being posted out in the open, it isn’t clear what these plug-ins will do until after it’s been done. The following behavior, however, is known: One of Hybris’ components searches local hard drives for .ZIP and .RAR archive files. When it finds one, Hybris searches inside that file for an .EXE filename. It then renames that file with an .EX$ extension, and then adds a copy of itself to the archive using the .EXE filename.

Another Hybris component actually uploads infected files from users’ hard drives to the alt.comp.virus newsgroup. This same component also grabs e-mail addresses from the headers of messages posted to newsgroups to which the user subscribes, and sends copies of itself to those e-mail addresses as attachments. Over the past few weeks, this seems to have increasingly become the way by which the virus is propagating.

Experts Disagree Over Hybris’ Risk Status

The only observed, known danger attributed to Hybris is a payload component which, on the 24th of September of any year, or at one minute before the hour during any day in the year 2001, displays a large animated spiral in the middle of the screen that is difficult to close.

Since the only Hybris payloads observed thus far have been non-destructive, the anti-virus community has been split over the threat level that Hybris represents. The Pentagon’s Joint Task Force Computer Network Defense (JTF-CND) has upgraded the worm to a high-risk status.

Meanwhile, European virus tracker Peter Kruse, of virus112.com, has announced on Usenet that his company is upgrading Hybris’ threat to medium-risk status, due to its recent spread throughout Europe. Symantec and Sophos have given Hybris a low-risk status, since it currently carries a non-destructive payload. Meanwhile, McAfee has upgraded Hybris to medium-risk status based on its assessment of the worm’s more widespread propagation.

“Given its ability to become malicious, it’s up there, but there are more-malicious viruses to watch for,” said Jeremy Pacquette, vulnerability analyst for SecurityFocus.com. “However, writing code like this is probably more challenging than writing code to stop it.”

“As medium risks go, this is on the higher end of the spectrum,” said McAfee’s Patrick Nolan. “It illustrates that virus writers are not lazy, and that a few of them have taken it upon themselves [to use] certain skills in order to enhance the cat and mouse games they’re playing with anti-virus software.”

Aside from the standard practice of updating anti-virus signature files on a daily or weekly basis, Pacquette also recommends that IT managers educate their users about “safe ex” — the practice of being careful about whom you communicate with, and not opening plug-ins coming from unfamiliar sources.

Carnegie-Mellon’s Kinj added, “System administrators should consider installing a centralized e-mail filtering system to protect their users.”

McAfee’s Nolan said, “People who share their hard drive either through a cable modem, a DSL line, or a direct connection to the Internet, should password-protect that share.” This can protect devices from being accessed by viruses and worms such as Hybris.

Kaspersky Labs warns that a possible self-upgrading of certain Hybris components could transform the worm from harmless to hazardous. “What we have here is perhaps the most complex and refined malicious code in the history of virus writing,” said Eugene Kaspersky, Head of Kaspersky Labs’ Anti-Virus Research Center, in a statement on the company’s site. “It is defined by an extremely complex style of programming and all the plugins are encrypted with very strong RSA 128-bit crypto-algorithm key. The components themselves give the virus writer the possibility to modify his creation ‘in real time,’ and in fact allow him to control infected computers worldwide.”

“The architecture of the plug-in approach is interesting, and it makes it possible for a programmer to turn it into a dangerous virus,” said Pacquette. “New threats like this are going to promote changes in the work to fight viruses. These kinds of threats are an evolutionary pressure on AV technology.”

However, said Kinj, “once a virus has been discovered and analyzed, those sources are disabled, and that limits the impact of the virus.”

Nolan added, “The plug-ins can’t work without the base executable, and we now know how to stop the base executable file.”

The morphing nature of the virus could spawn several new versions. Already, older anti-virus programs can’t recognize Hybris because it evades CRC checks. “When you’re dealing with something that changes, you can’t use CRC checks, but our algorithms go beyond that and can identify threats like Hybris based on other factors” said Nolan.

<strong>What Steps Can You Take Now?</strong>

According to warnings posted on the Web sites of several anti-virus developers, such as <a href=”http://vil.mcafee.com/dispVirus.asp?virus_k=98873&amp;” title=”Virus Warning: McAfee”>McAfee</a>, the infected e-mail message reads as follows (misspellings included):

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter…

The header for this message has been spotted as containing the return address [email protected]. New variants of Hybris are also sending e-mails with no subject and no user name, but including attachments containing the base executable.

The Hybris worm only attacks Windows-based systems, and most anti-virus packages have released patches that deal with it to at least some degree. Pami Katcho, spokesperson for Microsoft, said that “Microsoft is not currently planning to release a fix” to Windows or to Microsoft Outlook or Outlook Express. Instead, Katcho suggested, “users should download the latest virus definitions from their AV vendor.”

Sources in both the virus and anti-virus community have confirmed that Hybris has emerged from Brazil. “It’s a cousin of Babylonia, which was touted as the first of its kind in 1999, and it looks like it was written by the same author,” said Nolan.

As to whether Hybris is the beginning of a new trend, there is some disagreement. “It’s more a proof of concept than anything,” says Nolan. “It’s phase two of the existing technology, and has the potential to really be something else. System administrators should not be overly concerned about it right now. I doubt there will be a phase three, because the writer has proven his point.”

But in virus-writing circles, Hybris is providing a roadmap. One virus writer, who prefers to remain unidentified, said, “This is a great tool to learn new ways to propagate a payload. New variants of this will come out, and I think that within six months, Hybris and its kids could be the most widespread Trojan making the rounds.”