Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
Search the Blog
 
Recent Posts
Categories
Monthly Blog Archives
Links
Subscribe
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« Data-Theft Worm Targets Google's Orkut | Main | PIRT Top Phish Kills- Google Checkout- What Does it Mean? »

  • Building a Botnet Empire in Two Days

Sometimes, I'm amazed at the ease with which it's possible to create a Botnet Empire [Define Botnet]. Don't believe me? Well, check out the screenshot below, obtained by a colleague of mine in a random IRC Chatroom:

http://blog.spywareguide.com/upload/2006/06/alxdr1-thumb.jpg
Click Image to Enlarge

Now, you would hope people wouldn't fall for this.

I am afraid you would be totally, utterly wrong. Check this out, it's the page hosting the infection file. The novel aspect here is, it's a webhosting page that shows how many times the file has been downloaded. Now, it's reasonable to assume that almost all the people who were naive enough to download the file, would also be naive enough to run the thing. Screenshot time:

http://blog.spywareguide.com/upload/2006/06/alxdr2-thumb.jpg
Click Image to Enlarge
http://blog.spywareguide.com/upload/2006/06/alxdr3-thumb.jpg
Click Image to Enlarge

Downloaded 375 times in 2 days.

Downloaded 380 times in 10 days.

...amazing. That's 375 brand new drones [Define Drone] for some random Botnet owner, in only two days.

The download rates drop sharply after the first few days- why is this? Well, they don't need to keep injecting the link in chatrooms to infect new boxes. They can simply use the drones they have to scan new machines for vulnerabilities instead.

You probably noticed that on the hosting page, they even tell you what the file is likely to do:

EXE:

EXE (short for 'executable') and COM are the common filename extension for denoting an executable file (a program) in the MS-DOS, Microsoft Windows, and OS/2 operating systems. Generally, "exe" may be used as a noun to refer to such a file.

...and yet, people will still run it. Whoops.

As for the Botnet itself, I imagine you probably want to see it, yes? Well, today is your lucky day. We skipped the boring part where I download and run the file, as that's not particularly interesting to watch. What is interesting, is seeing how these guys use some common tricks of the trade to convince the infected user that there's "nothing to see here".

At this point, I've run the executable and a new folder has "mysteriously" appeared in the System32 folder.

It's movie time...

flmtckr1.jpg Click here to play the movie in new window. (7.00 MB Flash file)
Hit the "Play" button to start video. Close Window to Return to Blog

Timeline:

00:00 to 00:08 seconds: We're looking at the folder dumped onto the system shortly after the Alexander file is let loose on the PC. Check out those file names...svchost.exe? With a mIRC icon? Sorry, that's just too suspicious! Ignoring the other files (which point to the relevant servers hosting the Botnet channel, pre-determined user nicknames and the like), I click the file to open it up. Whoops - it doesn't like that, as you can see. A small, minimised box appears in the extreme top -right hand corner of the screen, before vanishing (blink and you'll miss it!)

Again, I try - doh! We could be at this for a while.

00:10 to 00:12 seconds:Thankfully, this isn't a particularly difficult problem to resolve. See that file, "close.dll"? Think the name is a bit of a major clue? Well, you'd be right. Deleting the file means you can click on svchost.exe and it'll stay open - open it up, and...

00:13 to 00:18 seconds: Ah, a minimised IRC Channel! Shall we open it up? Yeah, let's do this thing. In Mystery Box Number 1, we have...

00:19 to 00:28 seconds: Botnet Central! I love the message:

"Please part because this is a private channel"

...no kidding! Perhaps you shouldn't be dumping people into a Botnet then?

In any case, you can see the channel is packed with people - sorry, drones - and from there, the aspiring Bot Master can do a wide variety of not so lovely things to pretty much anyone he pleases. Remember once they control the computer, what they can do is only limited by their imagination. We are actively working on getting this Botnet shut down...with any luck, it'll be out of the picture within a few days at most. Fingers crossed...

On a side-note my colleague, Wayne Porter and I have been conducting some new "top secret" methods in which to identify and knock out these rogues (that's why we are a lab - remember?) It has extended into a far deeper and more complex research project than we imagined, but it may produce some startling new ways to combat the menace at large...


Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.