Howdy fellow crackers and hackers alike! Have I got a treat for you? A live botnet.
The other day at work, I encountered a number of machines all attacking other hosts. Normally its just one machine, but this there were several.
We isolated the exe responsible because it was eating up 100% CPU (not exactly subtle). I was curious about what made it tick, so I disassembled it and this is what I found. Normally where I work, we’re hit by botnets, and never get to catch them in the act as tracking down the mothership is difficult.
First things first, I want to know more about the executable, like if its packed, or what have you.
As the picture shows, the executable is NOT packed, rather just your standard run of the mill PE (portable executable) file. The 2 extra sectioned highlighted tell is the type of compiler used – GCC for windows aka mingw, meaning either CodeBlocks was used or Devcpp. I say this because the .bss and .idata sections are specific to GCC and remind me of ELF (executable linker format) used by Linux.
Since I don’t want to join said botnet, I’m sticking to static analysis. Opening the thing up in IDA, we find exactly what kind of malware we’re dealing with – amaturish.
The strings are not encoded, nor are they hidden. The first thing I noticed was the IP address. For those curious, a quick search on ARIN reveals the IP address as belonging to some collocation service in Atlanta: http://whois.arin.net/rest/net/NET-199-229-248-0-1/pft
The next thing we see is the channel name #test(more on that in a sec), then the passwords. The ‘Operation Dildos’ name deduces that our malware writers are either 14, or immature. I still chuckled though.
The next thing I determined was the type of bot we were dealing with. Scrolling further through revealed IRC instructions. You’ve read RF C1459 right? http://www.irchelp.org/irchelp/rfc/rfc.html
JOIN, PING, PONG, NICK, PRIVMSG – these are all IRC commands.
Further inspection of the bot revealed the commands the that can be issued to the bot by its master.
The commands are
‘help’ – derp.
‘version’ – derrrr.
‘speedtest’ – perform a speed test by performing web request to 22.214.171.124 which traced this to Louisiana. I have a feeling our malware writer lives in that area because of the botnet server resides in Georgia. Just a guess
‘exec’ – Execute a command.
‘dle’ – Download and execute a file.
‘udp’ – Do a udp flood.
‘openurl’ – Open a hidden window of a URL.
‘syn’ – Do s syn flood.
‘stop’ – Stops execution.
If you’re curious how the bot performs the lookup on the command, here it is. What you can’t see is the stub at the top which belongs to the subroutine responsible for the IRC connection to the server.
The last thing in this reversing session I’d like to point out is just before the command listing – the password check.
The assembly instruction ‘repne scasb’ is a string operation. It means scan string for NULL decrementing the ecx (extended counter register) for each char. I see it primarily with string comparison operations.
Connecting to it seems to work, so its still operational. The botnet itself seems to be growing because when I looked last night, there were only 400 hosts. Checking now, I see ‘There are 3 users and 1131 invisible on 2 servers’
When i connected, I was called out by the server admin within minutes whom I saw the first time I connected. Since I don’t want to throw rocks at a hornest’s nest (get my server DDOS’d off the net), I decided not to further pursue. My readers on the other hand, go nuts. You have the password to issue commands, you have the irc server address, you have the channel where the bots reside (#test).
Perhaps I may try again tonight at like 1 am when the admins are probably asleep. Until then, keep on cracking.
For those of you who are curious, you can download the bot here, complete with IDA 6 compatible db file: