Bot tutorial


Bot tutorial

Post by DNR »

This is a decent post to overview bots and botnets. It comes with nice graphics, in a PDF file.
5/5/09 this link still works - it DLs a PDF file - DNR
http://www.sans.org/reading_room/whitep ... =malicious

or here:

http://g.imagehost.org/download/0885/bo ... rview_1299


DNR
Last edited by DNR on 05 May 2009, 15:56, edited 1 time in total.
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.


Post by computathug »

Great find, buddy. I shall spend some spare time, if I have any, having a read of this!

*Bookmarked*


Post by ebrizzlez »

Definitely a nice read. :wink:

Especially since botnets are becoming a common problem out there: even if you hinder off 30 bots the first time, you are guaranteed that the same hacker will come back with a net of twice as many bots.

Imo, from personal experience I've noticed only skids use this type of backdoor, so they can HTTP flood websites they can't hack. But elites have bigger botnets, which they sell or "rent" to other users for a certain number of days or weeks.


Re: Bot tutorial

Post by l0ngb1t »

DNR wrote:This is a decent post to overview bots and botnets. It comes with nice graphics, in a PDF file.
http://www.sans.org/reading_room/whitep ... =malicious

DNR
Well, I tried to get to that link but all I get is "address not found". Any help plz :( :roll:


Re: Bot tutorial

Post by bad_brain »

l0ngb1t wrote: Well, I tried to get to that link but all I get is "address not found". Any help plz :( :roll:
Uploaded it for you:
http://g.imagehost.org/download/0885/bo ... rview_1299

:wink:


Pushdo Spambot

Post by DNR »

http://blog.trendmicro.com/pushdocutwai ... -spamming/

One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide.

Pushdo phones home asking for a bunch of malware executables, a lot of which are third-party malware. This is the only kind of communication with the command & control server. There are no P2P components at all, just very frequent updates from the central server, which always seems to be hosted in the US.
The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St. Petersburg, and from our research it appears that Pushdo is linked to the Moscow area.

It did not take long for the reason behind these emails to become clear. The criminal gang behind Pushdo offer "local advertising" services: for as little as 100 euros your business can be advertised to millions of email addresses in a specific area.


On finding a malicious file some network administrators will even proactively submit suspicious files to multi-scanner online services such as "Virus Total", which will scan the file with 40 or so different vendors and give the file's detection results.

Notice the word that has been used four times above – file. One of the core modules of antivirus technology is based on scanning executable files – which is why Pushdo goes out of its way to avoid them whenever possible.

We've mentioned previously that Pushdo contains a lot of different sub-components, and that must mean lots of exes, dlls and sys files littering up the system, right? Wrong: in fact Pushdo only needs to write two files to disk and does everything possible to avoid touching the disk in any other way. To better understand, let's step through a standard Pushdo attack (keep an eye out for the number of times it actually accesses the hard disk).

1. A user gets lured to a malicious site, triggering a series of exploits that injects the Pushdo installer directly into memory.

2. Pushdo copies itself as a single file to the System directory.

3. Right after this, and on every boot, it downloads other malware components, but keeps them in memory, never writing them to disk.

4. One of these malicious components downloads a kernel mode rootkit, which is installed as a device driver in the system.

For our less eagle-eyed readers, parts 2 and 4 are the only times that a malicious file is written to disk; in other words, the real time scanner "can't touch" any of the other components.

Pushdo/Cutwail – Sniffing for the Win
by David Sancho (Malware Researcher)
----

Pushdo trojan, a fairly new and prolific threat being circulated in fake "E-card" emails. From their description, it is clear that the author(s) of Pushdo are making a concerted effort to spread their malware far and wide. But what exactly is Pushdo, and how does it work? We decided to take a closer look at this malware family.

Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most; that sophistication lies in the Pushdo control server rather than the trojan.

When executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80, and pretends to be an Apache webserver.

The Bender Bending Rodriguez text is simply misdirection to mask the true nature of the server - if the HTTP request contains the following parameters, one or more executables will be delivered via HTTP:

The malware to be downloaded by Pushdo depends on the value following the "s-underscore" part of the URL. The Pushdo controller is preloaded with multiple executable files; the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload.

Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number (obtained by the SMART_RCV_DRIVE_DATA IO control code), whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version as returned by the GetVersionEx API call.

The use of the physical hard drive serial number as an identifier is interesting: it not only provides a unique ID for the infected system, but can also reveal information such as whether the code is running in a virtual machine or not. For instance, a VMware system might return a serial number of "00000000000000000001" or simply "00", which is very easily spotted in a list of serial numbers of major hard drive vendors. This could be a way for the malware author to spy on anti-virus companies using automated tools to monitor the malware download points.

As another anti-anti-malware function, Pushdo will look at the names of all running processes and compare them to the following list of anti-virus and personal firewall process names:

Instead of killing off these processes, as many other trojans/viruses attempt to do, Pushdo merely reports back to the controller which ones are running, by appending "proc=" and a list of the matching process names to the HTTP request parameters. This type of reconnaissance is useful when determining which anti-virus engines or firewalls are preventing the malware from running or phoning home, by their absence from the statistics. This way the Pushdo author doesn't have to maintain a test environment for each AV/firewall product.

Most of the 421 malware samples from the Pushdo controller we examined were either the Wigon rootkit or the Cutwail spam trojan, however the following other trojans were being served by the controller:

PRG/Wsnpoem
PSW.LdPinch.NEL
TrojanDownloader.Agent.NPQ
Agent.AIA
BHO.NAT
Rustock.NBK
TrojanDownloader.Small.NYK

The large proportion of Cutwail/Wigon leads us to believe the same group is behind all three malware families. The Wigon rootkit is dropped onto the system when Pushdo is first executed, and is used to hide the Pushdo process and any subsequent malware that Pushdo might download.


http://www.secureworks.com/research/threats/pushdo/

DNR
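The phone-home behaviour the articles describe (a plain HTTP request to an IP-literal control server, a "proc=" list of matching security-product process names, and an "s-underscore" payload selector) is something a defender can hunt for in outbound proxy logs. The script below is an added example and is not code from the thread or from either article; the exact parameter layout, the process-name list and the log lines are constructed assumptions, since the articles' own parameter and process lists did not survive in this post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic):
# timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2009-05-05T10:01:02 10.0.0.15 GET http://203.0.113.10/?s_=21&proc=avp.exe,zlclient.exe 200
2009-05-05T10:01:09 10.0.0.22 GET http://www.example.com/index.html 200
2009-05-05T10:02:44 10.0.0.15 GET http://198.51.100.7/?s_=4&proc= 200
2009-05-05T10:03:01 10.0.0.31 GET http://www.example.org/search?q=proc 200
"""

# Placeholder set of security-product process names (constructed; the real
# list the article refers to is not reproduced in the thread).
SECURITY_PROCS = {"avp.exe", "zlclient.exe", "ccapp.exe"}

IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def score(url):
    """Return the list of beacon indicators present in a single URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if IPV4_HOST.match(parts.hostname or ""):
        reasons.append("ip-literal host")
    if "proc" in query:
        reasons.append("proc= parameter")
        names = set(filter(None, query["proc"][0].split(",")))
        hits = names & SECURITY_PROCS
        if hits:
            reasons.append("reports security processes: " + ",".join(sorted(hits)))
    # Assumed layout: the payload selector is a query key starting with "s_".
    if any(key.startswith("s_") for key in query):
        reasons.append("s_ payload selector")
    return reasons


def hunt(log_text):
    """Flag log lines showing at least two indicators, to avoid alerting on
    every plain IP-literal URL. Returns (client, url, reasons) tuples."""
    alerts = []
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        reasons = score(url)
        if len(reasons) >= 2:
            alerts.append((client, url, reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in hunt(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Both flagged lines come from the same client, which is the kind of repeated short beacon the first article describes as the only traffic Pushdo exchanges with its controller.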
