\n
![\"reversing](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2013\/03\/reversing-botnet1.png\")
<\/a>\nAs the picture shows, the executable is NOT packed, rather just your standard run of the mill PE (portable executable) file. The 2 extra sectioned highlighted tell is the type of compiler used – GCC for windows aka mingw, meaning either CodeBlocks was used or Devcpp. I say this because the .bss and .idata sections are specific to GCC and remind me of ELF (executable linker format) used by Linux.<\/p>\n
Since I don’t want to join said botnet, I’m sticking to static analysis. Opening the thing up in IDA, we find exactly what kind of malware we’re dealing with – amaturish. The next thing I determined was the type of bot we were dealing with. Scrolling further through revealed IRC instructions. You’ve read RF C1459 right? http:\/\/www.irchelp.org\/irchelp\/rfc\/rfc.html Further inspection of the bot revealed the commands the that can be issued to the bot by its master. Next thing I found scrolling through was the error handler data section – messages sent to alert the master that said command completed. The last thing in this reversing session I’d like to point out is just before the command listing – the password check. Enough about the bot itself, lets learn more about the botnet. When i connected, I was called out by the server admin within minutes whom I saw the first time I connected. Since I don’t want to throw rocks at a hornest’s nest (get my server DDOS’d off the net), I decided not to further pursue. My readers on the other hand, go nuts. You have the password to issue commands, you have the irc server address, you have the channel where the bots reside (#test). <\/p>\n Perhaps I may try again tonight at like 1 am when the admins are probably asleep. Until then, keep on cracking.<\/p>\n For those of you who are curious, you can download the bot here, complete with IDA 6 compatible db file:
\n<\/a>
\nThe strings are not encoded, nor are they hidden. The first thing I noticed was the IP address. For those curious, a quick search on ARIN reveals the IP address as belonging to some collocation service in Atlanta: http:\/\/whois.arin.net\/rest\/net\/NET-199-229-248-0-1\/pft
\nThe next thing we see is the channel name #test(more on that in a sec), then the passwords. The ‘Operation Dildos’ name deduces that our malware writers are either 14, or immature. I still chuckled though.<\/p>\n
\n<\/a>
\nJOIN, PING, PONG, NICK, PRIVMSG – these are all IRC commands. <\/p>\n
\n<\/a>
\nThe commands are
\n‘help’ – derp.
\n‘version’ – derrrr.
\n‘speedtest’ – perform a speed test by performing web request to 68.11.12.242 which traced this to Louisiana. I have a feeling our malware writer lives in that area because of the botnet server resides in Georgia. Just a guess \ud83d\ude42
\n‘exec’ – Execute a command.
\n‘dle’ – Download and execute a file.
\n‘udp’ – Do a udp flood.
\n‘openurl’ – Open a hidden window of a URL.
\n‘syn’ – Do s syn flood.
\n‘stop’ – Stops execution.
\nIf you’re curious how the bot performs the lookup on the command, here it is. What you can’t see is the stub at the top which belongs to the subroutine responsible for the IRC connection to the server.
\n<\/a><\/p>\n
\n<\/a><\/p>\n
\n<\/a>
\nThe assembly instruction ‘repne scasb’ is a string operation. It means scan string for NULL decrementing the ecx (extended counter register) for each char. I see it primarily with string comparison operations. <\/p>\n
\n<\/a>
\nA quick ping shows us its still online. You may also notice <\/p>\n<\/a>
\nConnecting to it seems to work, so its still operational. The botnet itself seems to be growing because when I looked last night, there were only 400 hosts. Checking now, I see ‘There are 3 users and 1131 invisible on 2 servers’<\/p>\n
\nThe Bot.<\/a><\/p>\n