Jump to content
Nytro

Reversing a Botnet

Recommended Posts

Posted

[h=1]Reversing a Botnet[/h]

Howdy fellow crackers and hackers alike! Have I got a treat for you? A live botnet.

The other day at work, I encountered a number of machines all attacking other hosts. Normally its just one machine, but this there were several.

We isolated the exe responsible because it was eating up 100% CPU (not exactly subtle). I was curious about what made it tick, so I disassembled it and this is what I found. Normally where I work, we’re hit by botnets, and never get to catch them in the act as tracking down the mothership is difficult.

First things first, I want to know more about the executable, like if its packed, or what have you.

reversing-botnet1-300x276.png

As the picture shows, the executable is NOT packed, rather just your standard run of the mill PE (portable executable) file. The 2 extra sectioned highlighted tell is the type of compiler used – GCC for windows aka mingw, meaning either CodeBlocks was used or Devcpp. I say this because the .bss and .idata sections are specific to GCC and remind me of ELF (executable linker format) used by Linux.

Since I don’t want to join said botnet, I’m sticking to static analysis. Opening the thing up in IDA, we find exactly what kind of malware we’re dealing with – amaturish.

reversing-botnet2-300x168.png

The strings are not encoded, nor are they hidden. The first thing I noticed was the IP address. For those curious, a quick search on ARIN reveals the IP address as belonging to some collocation service in Atlanta: http://whois.arin.net/rest/net/NET-199-229-248-0-1/pft

The next thing we see is the channel name #test(more on that in a sec), then the passwords. The ‘Operation Dildos’ name deduces that our malware writers are either 14, or immature. I still chuckled though.

The next thing I determined was the type of bot we were dealing with. Scrolling further through revealed IRC instructions. You’ve read RF C1459 right? IRCHelp.org — Untitled Page

reversing-botnet3-300x168.png

JOIN, PING, PONG, NICK, PRIVMSG – these are all IRC commands.

Further inspection of the bot revealed the commands the that can be issued to the bot by its master.

reversing-botnet4-300x168.png

The commands are

‘help’ – derp.

‘version’ – derrrr.

‘speedtest’ – perform a speed test by performing web request to 68.11.12.242 which traced this to Louisiana. I have a feeling our malware writer lives in that area because of the botnet server resides in Georgia. Just a guess icon_smile.gif

‘exec’ – Execute a command.

‘dle’ – Download and execute a file.

‘udp’ – Do a udp flood.

‘openurl’ – Open a hidden window of a URL.

‘syn’ – Do s syn flood.

‘stop’ – Stops execution.

If you’re curious how the bot performs the lookup on the command, here it is. What you can’t see is the stub at the top which belongs to the subroutine responsible for the IRC connection to the server.

reversing-botnet_command_list-300x168.png

Next thing I found scrolling through was the error handler data section – messages sent to alert the master that said command completed.

reversing-botnet5-300x168.png

The last thing in this reversing session I’d like to point out is just before the command listing – the password check.

reversing-1botnet6-300x168.png

The assembly instruction ‘repne scasb’ is a string operation. It means scan string for NULL decrementing the ecx (extended counter register) for each char. I see it primarily with string comparison operations.

Enough about the bot itself, lets learn more about the botnet.

botnet-300x188.png

A quick ping shows us its still online. You may also notice

botnet2-300x188.png

Connecting to it seems to work, so its still operational. The botnet itself seems to be growing because when I looked last night, there were only 400 hosts. Checking now, I see ‘There are 3 users and 1131 invisible on 2 servers’

When i connected, I was called out by the server admin within minutes whom I saw the first time I connected. Since I don’t want to throw rocks at a hornest’s nest (get my server DDOS’d off the net), I decided not to further pursue. My readers on the other hand, go nuts. You have the password to issue commands, you have the irc server address, you have the channel where the bots reside (#test).

Perhaps I may try again tonight at like 1 am when the admins are probably asleep. Until then, keep on cracking.

For those of you who are curious, you can download the bot here, complete with IDA 6 compatible db file:

The Bot.

1330480069115-269x300.jpg

Sursa: Reversing a Botnet

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...