Recently in Botnets Category

"This is going to be the ultimate tool to take down a webserver of our choosing. I need you guys help distributing it." - The creator of the below Botnet and related executables

Here's an interesting (and particularly unpleasant) Botnet. While building out the net, the creator posted this to a forum:

"This is a screenshot of me testing the program against Google, using 1 bot. As you can see, the loop speed of the program is so fast that it's downloading at an incredible speed. According to NetLimiter, this bot was downloading from Google at almost 4 times my connection line speed max, and uploading over 40kb faster than my max line speed."

A few revisions later, and the botnet is ready to roll. This Botnet is highly unusual in that the creator is freely advertising its services from both his website and inside downloadable zips of the infection executables - absolutely anyone can jump into the IRC Channel and give commands to the Bots. See where that whole "Infinite Ringmaster" thing comes into play now? In this net, everybody is famous for 15 minutes (or until their Bots stop bombing websites, whichever comes first).

The infection files themselves are disguised to look like hacking programs - anyone considering jumping on the hacking bandwagon and running any of the following:

hbt1.gif

....will quickly find themselves dumped into the Botnet as a drone.

The text from the supplied Readme is as follows:

********** IRC v2.0 by **********

For you fools out there, don't run the EXE. That is the file that you pass around to the victims.
This is an IRC BOTNET. You must connect to the IRC server listed below to be able to access these bots.
This new version is a very powerful HTTP bomber, as you may have seen from the screenshot I posted.

This version also contains the capability of self updating.
I've done my best to hide this program from AV's by using EXE packers.

YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT

*instructions for issuing commands removed*

For example: You want to bomb www.google.com. Go to that site in your browser, and find the path of an image hosted on the site. For www.google.com, their main logo is www.google.com/intl/en_ALL/images/logo.gif

It is CRUCIAL that you DO NOT type http:// into the address that you are bombing. The colon : in the http:// will disrupt the bots data parsing technique and could possibly crash the bot.

So, if you wanted to bomb google, 10,000 times, you would type to the bots this command

*bombing instructions removed*

=============================PLEASE NOTE=============================
The bots WILL TELL YOU when they are done with the last accepted
command! Do not flood the bots!
=====================================================================

The rest goes into detail about the function of the executables, the server to join, channel information and the password to enter the channel correctly. Of course, posting your Botnet login data like this is a crazy thing to do, because you're practically begging for people to enter the channel who don't know what they're doing and start screwing up on a grand scale.

Inexperienced botnet wielders can quite easily start breaking lots of things they might not have even intended as targets. And how many of them (when frustrated by their inability to control the bots) will simply start using the details to attack Google as detailed in the readme? It's unlikely this would cause any problems for Google, of course - however, the intention here seems to be to jam as many people into the pilot seat as possible and have them fire at will.
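For the defending side, here is an added example (not code from the original post or from the botnet) of how a web-server operator could spot the repeated-image-fetch pattern the readme describes in ordinary access logs. The log lines, IP addresses and thresholds are constructed for illustration; the only thing taken from the page is the image path the readme uses as its example target.

```python
"""Sliding-window detector for the 'image bombing' pattern: many GETs for one
static asset in a short window, either from one client or spread across many.
Added example; log lines, addresses and thresholds below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format (constructed sample lines use it below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_floods(lines, window_s=10, per_client_max=40, per_path_max=100):
    """Flag (ip, path) pairs and paths whose request count inside any
    window_s-second window exceeds the given limits.  The per-path counter is
    what catches a distributed flood where every single bot stays under the
    per-client limit."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    recs.sort(key=lambda r: r["ts"])          # windows assume time order
    by_client, by_path = defaultdict(deque), defaultdict(deque)
    flagged_clients, flagged_paths = set(), set()
    for r in recs:
        for key, table, limit, out in (
            ((r["ip"], r["path"]), by_client, per_client_max, flagged_clients),
            (r["path"], by_path, per_path_max, flagged_paths),
        ):
            q = table[key]
            q.append(r["ts"])
            while (r["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()                   # drop hits older than the window
            if len(q) > limit:
                out.add(key)
    return {"clients": flagged_clients, "paths": flagged_paths}


# ---- constructed sample traffic ------------------------------------------
BASE = datetime(2008, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
LOGO = "/intl/en_ALL/images/logo.gif"   # the image path named in the readme


def _line(ip, path, offset_s):
    ts = BASE + timedelta(seconds=offset_s)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 8558'


def _background():
    # one ordinary visitor reloading the front page once a second for 30 s
    return [_line("10.0.0.7", "/index.html", i) for i in range(30)]


# a single bot hammering the logo 60 times in about six seconds
SINGLE_BOMBER = _background() + [_line("1.2.3.4", LOGO, i * 0.1) for i in range(60)]

# five bots, each 30 hits in the same six seconds: none trips the client limit
DISTRIBUTED = _background() + [
    _line(f"192.0.2.{n}", LOGO, i * 0.1) for n in range(1, 6) for i in range(30)
]

if __name__ == "__main__":
    print("single bot :", detect_floods(SINGLE_BOMBER))
    print("distributed:", detect_floods(DISTRIBUTED))
```

The thresholds are deliberately low so the constructed samples trip them; a real deployment would tune them per asset and feed the flagged keys to a rate limiter or firewall rather than just printing them.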

Never a good thing, especially when the Botnet owner himself is apparently feeling the strain as seen in his, er, welcoming message to visitors:

http://blog.spywareguide.com/upload/2008/02/angry_botnet_guy-thumb.gif

...charming. As the executable files are being promoted on forums with up to 2000+ members (with the intention that they go out into the wide blue yonder and try to trick people into running the infection files) it could spread very quickly.

We detect this infection as HTBomber.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from http to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users - the forward thinkers and innovators - will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one, and I would suggest paying particular attention to how anonymizers, like Rodi and / or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


Botnet Basics


Just in case you're not too familiar with the basics of what a Botnet actually is, you might want to check out this video over at EWeek. It's about five minutes long, and a nice introduction to all things Botnet.

Our friends at CastleCops have a body of work that is truly ground breaking, and it has always been a pleasure to collaborate and exchange knowledge with Paul Laudanski, Microsoft MVP Windows-Security, on his projects into malware and phishing research. They will soon be giving away over $130,000 in donations from companies who recognize how valuable CastleCops and their body of volunteers have been to the Net. We have had the honor to work with them over the years and wish them continued success.

FaceTime supports independent efforts like CastleCops.com because they mirror facets of our own research philosophy, recognizing the value of talking to Netizens, listening to clients and participating in the community at large.

Internet security is a vast problem that is not only technological in scope, but social as well. Social problems - by their very nature - are often best tackled by businesses and people working together. Leaders like Paul Laudanski are important catalysts in driving communities which create venues for open dialogue, frank conversation and education. We are grateful to have the opportunity to contribute.

Learn more about CastleCops.com, their 5-year anniversary celebration, and the various prizes made available to members. It is a great place to learn more about computers, security in general, and to be a part of the security community. Their achievement is a glowing testament to the impact motivated individuals, working together toward common goals, can achieve. From training their volunteer staff in anti-malware, phishing, and rootkit academies, through additional services including forums, news, reviews, and continuing education, CastleCops is a genuine and valuable resource for all.


More from CastleCops.com.

Brian Krebs at Washington Post reports.

Colleague Bill P. of WinPatrol.

More coverage at:

MarketWatch.com

MorningStar News

Forbes.com

I have just returned from Affiliate Summit West 2007, where I went scouting the current state of advertising, ethics, and what the future holds for people. I will have more on that later. I will say that giant waves seem to be rippling under the surface, and *maybe* in the direction of cleaning up some of the problems...no miracles are in sight, but I saw some positive signs for a change.

With that jaunt over I have to dig in to grab a day or two of rest and then prepare for the RSA show with colleague Chris Boyd...Want to meet him? Now you can! He might do an autograph, conduct a symphony, or show you cool bo staff fighting skills as a bonus. He really CAN do that kind of stuff.

I wanted to take a moment here at the labs to cordially invite you to meet up with us at the RSA conference in San Francisco Feb 5-9. Yes- spend some facetime with FaceTime Communications, the leading provider of solutions for securing and managing instant messaging, peer-to-peer file sharing and Web-based greynets.

Where will you all be?

We will have folks at Booth #2537. Paperghost and I will be there and perhaps other places too...skulking about, being a general menace, and the usual things we do at events- look around, talk to people, and try to snag food.

What is RSA?
Recognized as the largest IT security conference and expo, RSA Conference 2007 is a must-attend event. With a variety of conference tracks to select from, you'll learn strategies to address today's information security problems, and gain insight into the issues of tomorrow. FaceTime is presenting not one, but two presentations for your enjoyment.

Presentation One

February 7th, 9:10 AM - 10:20 AM
Session Code: 2069
Botnet Live: Tracing, Chasing and Building the Case to Bust the Bad Guys
Speakers Chris Boyd and Wayne Porter, FaceTime Security Labs

jan07_rsa_poster.gif

This presentation is by Wayne Porter, yours truly, and led by the kung-fu style malware fighter Chris Boyd a.k.a. PaperGhost- we work in the labs doing all kinds of things you normally would not think about. For a little background on some of this I strongly suggest you check out the podcasts we did a few months ago- because they set the stage for just how incredible the cascade of events can become when you follow the story deep, deep into the abyss. We will also talk a bit about social media, the importance of being out in the field, economics and actually talking to people. Chris, who is a masterful story teller will give you a pretty amazing tour of the underbelly.

The Podcasts

Teaser Cast

Spyware Warriors and the Digital UnderGround Podcast: Part 1 and Part 2.
You can even download them into mp3 format and listen on the go.

Next Up....Our CEO in this Peer2Peer session....

February 7th, 12:30 PM - 1:20 PM
Session Code: P2P-204B
Skype and IM at the Office: User's Birthright or Security's Death Sentence?
Moderated by FaceTime President and CEO, Kailash Ambwani

jan07_rsa_poster_kailash.gif

Kailash, our CEO, while perhaps not as dashing as we research types in the drawn form you see before you, knows his stuff when it comes to business communications, and when you get a title with "Birthright and Death Sentence" in one line...well, how can you not be intrigued? Given the rapid adoption of VoIP and IM, this is a must-attend panel - especially if you want to understand some of the legal ramifications and understand the nature of greynets - when good can be bad, and bad can sometimes be good. It is all a matter of perspective and policy.

Want to meet other FaceTimers? Check in at booth #2537 to see demos of our products and solutions, including the recently announced FaceTime Internet Security Edition which includes our award-winning RTGuardian appliance- you can find more about it on the FaceTime Security Products Site.

This is a bit of a pitch, so you are warned, but this is what we do - We combine core gateway security capabilities such as Web filtering and anti-spyware with security for today's greynet applications on a single platform with common policy and management. The FaceTime Internet Security Edition reduces complexity and increases efficiency of the enterprise security infrastructure to reduce overall total cost of ownership. Demonstrations of our flagship instant messaging security and compliance solution, FaceTime Enterprise Edition, will also be available. Why the big deal? FaceTime Enterprise Edition helps organizations meet the new eDiscovery regulations (here for whitepaper) for electronic communications that went into effect December 1, 2006.

So please be our guest we would love to meet you. You can even attend the RSA Conference 2007 Expo compliments of FaceTime. Just register at http://www.rsaconference.com/2007/us/ and use code EXH7FAC for your FREE Expo Pass - a $100 value!*

We hope to see you there!

* You must pre-register before February 2, 2007 for your FREE Expo Pass. Make a note of it!

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

Sometimes, I'm amazed at the ease with which it's possible to create a Botnet Empire [Define Botnet]. Don't believe me? Well, check out the screenshot below, obtained by a colleague of mine in a random IRC Chatroom:

http://blog.spywareguide.com/upload/2006/06/alxdr1-thumb.jpg

Now, you would hope people wouldn't fall for this.

I am afraid you would be totally, utterly wrong. Check this out, it's the page hosting the infection file. The novel aspect here is, it's a webhosting page that shows how many times the file has been downloaded. Now, it's reasonable to assume that almost all the people who were naive enough to download the file, would also be naive enough to run the thing. Screenshot time:

http://blog.spywareguide.com/upload/2006/06/alxdr2-thumb.jpg
http://blog.spywareguide.com/upload/2006/06/alxdr3-thumb.jpg

Downloaded 375 times in 2 days.

Downloaded 380 times in 10 days.

...amazing. That's 375 brand new drones [Define Drone] for some random Botnet owner, in only two days.

The download rates drop sharply after the first few days- why is this? Well, they don't need to keep injecting the link in chatrooms to infect new boxes. They can simply use the drones they have to scan new machines for vulnerabilities instead.

You probably noticed that on the hosting page, they even tell you what the file is likely to do:

EXE:

EXE (short for 'executable') and COM are the common filename extensions for denoting an executable file (a program) in the MS-DOS, Microsoft Windows, and OS/2 operating systems. Generally, "exe" may be used as a noun to refer to such a file.

...and yet, people will still run it. Whoops.

As for the Botnet itself, I imagine you probably want to see it, yes? Well, today is your lucky day. We skipped the boring part where I download and run the file, as that's not particularly interesting to watch. What is interesting, is seeing how these guys use some common tricks of the trade to convince the infected user that there's "nothing to see here".

At this point, I've run the executable and a new folder has "mysteriously" appeared in the System32 folder.

It's movie time...

Movie: flmtckr1.jpg (7.00 MB Flash file)

Timeline:

00:00 to 00:08 seconds: We're looking at the folder dumped onto the system shortly after the Alexander file is let loose on the PC. Check out those file names...svchost.exe? With a mIRC icon? Sorry, that's just too suspicious! Ignoring the other files (which point to the relevant servers hosting the Botnet channel, pre-determined user nicknames and the like), I click the file to open it up. Whoops - it doesn't like that, as you can see. A small, minimised box appears in the extreme top-right hand corner of the screen, before vanishing (blink and you'll miss it!)

Again, I try - doh! We could be at this for a while.

00:10 to 00:12 seconds: Thankfully, this isn't a particularly difficult problem to resolve. See that file, "close.dll"? Think the name is a bit of a major clue? Well, you'd be right. Deleting the file means you can click on svchost.exe and it'll stay open - open it up, and...

00:13 to 00:18 seconds: Ah, a minimised IRC Channel! Shall we open it up? Yeah, let's do this thing. In Mystery Box Number 1, we have...

00:19 to 00:28 seconds: Botnet Central! I love the message:

"Please part because this is a private channel"

...no kidding! Perhaps you shouldn't be dumping people into a Botnet then?

In any case, you can see the channel is packed with people - sorry, drones - and from there, the aspiring Bot Master can do a wide variety of not so lovely things to pretty much anyone he pleases. Remember once they control the computer, what they can do is only limited by their imagination. We are actively working on getting this Botnet shut down...with any luck, it'll be out of the picture within a few days at most. Fingers crossed...

On a side-note my colleague, Wayne Porter and I have been conducting some new "top secret" methods in which to identify and knock out these rogues (that's why we are a lab - remember?) It has extended into a far deeper and more complex research project than we imagined, but it may produce some startling new ways to combat the menace at large...

I recently came across an installer file being pushed in a Botnet - nothing new there, but it serves up an interesting take on how Adware companies need to make sure that it's not just their software springing up in hijacks - it's their websites, too.

In this case, the Zango.com website is popped open on the user's desktop (ignore the box mentioning Poker, that's from a different popup):

http://blog.spywareguide.com/upload/2006/06/zangobbs1-thumb.jpg

...this is what's known in the trade as "strangeness incarnate". Usually someone will try and install something, so they can make money. Simply popping open the Zango.com website doesn't seem to point to any financial gain, unless the person behind it gets a cut of the profits from the clips on that page. But that would also be stupid, as it wouldn't be too hard for the Zango people to then find out who stuck what movie files where on their website. Plus, I'm under the impression that Zango themselves are responsible for placing the videoclips on Zango.com anyway.

I ran the infection again, and who should pop up in the next barrage of adverts but Bestoffers Network (another name for Direct Revenue):

http://blog.spywareguide.com/upload/2006/06/zangdrpop-thumb.jpg

....whoops. As for what's installed, it's the usual (rather popular) mish-mash of files from WebHancer, Dollar Revenue, SurfSidekick and Toolbar888, which is apparently a Maxifiles variant. I've spoken about Maxifiles in relation to Direct Revenue many times. At any rate, here's a screenshot:

http://blog.spywareguide.com/upload/2006/06/zangfiles-thumb.jpg

Nice collection!

Of course, it goes without saying that the PC is hosed shortly after the install:

http://blog.spywareguide.com/upload/2006/06/zangdrpop3-thumb.jpg

...ouch. Still, at least the hijacked end-user will have no shortage of Smileys to play with, pills to take and celebrity videos to watch while smoke starts to pour out the back of their monitor. All in all, I'd say that's a pretty good tradeoff...!

Every now and again, I see people firing URLs into chat-rooms - and this particular link (from an anonymous tipoff) would lead me to a rather unusual destination. It's one of the oddest Botnet escapades I've seen in a while.

Our tale begins with me downloading and running an executable I'd been informed about. In case you're wondering (and you probably are), they've cunningly disguised it as a movie file:

gncinffile1.jpg

...clever, eh? Well, not really. But you'd be amazed how many people will fall for something like this. And seeing how Botnets are flavour of the month around here at the moment, I thought I'd have a poke around this little operation and see what I could find. You'll never guess where this one ends up though...

http://blog.spywareguide.com/upload/2006/06/welcomegnc-thumb.jpg

...and we're in! Small to average sized net, as you can see from the numbers in the picture. Checking out the first channel didn't really bring up anything interesting - just the usual Botnet channel scanning for vulnerabilities:

http://blog.spywareguide.com/upload/2006/06/gncchan1-thumb.JPG

Nothing to see here then, right?

Wrong. Because we still have one channel left, and it's the channel that's going to confirm the relation between the random URL link from my tipoff and this particular Botnet:

http://blog.spywareguide.com/upload/2006/06/gncchan2-thumb.jpg

Now, deciding to investigate further, I went and checked out the site that this thing came from. Usually it's an otherwise empty "holding page", or a site advertising pills of some description - imagine my surprise, then, when I saw the site hosting this thing was...

http://blog.spywareguide.com/upload/2006/05/gncforum-thumb.jpg

Yep, a popular forum (3,500 or so users!) about Christianity.

Of course, it's entirely possible that the site could have been hacked and a single file has been dumped there, randomly. It happens all the time. However - go back a step and check out the directory that the executable is sitting in:

http://blog.spywareguide.com/upload/2006/05/gncfiles-thumb.jpg

Oh noes!

A whole pile of extremely nasty files. In addition, this directory has nothing to do with the Forum, so someone has some pretty high level access going on there.

Worse still, the first file appeared on the 26th December 05...and we know what day comes before the 26th, right? And the files have continued to grow until the 25th May 06.

So, we have a pile of nasty files, all sitting in a directory hidden behind a religious interest forum, with some of the files being used in a mini-Botnet Empire.

Did I mention the files were nasty?

Oh, yes indeed.

Some kick IRC into life in a vaguely obvious "you've been jacked" kind of fashion:

http://blog.spywareguide.com/upload/2006/06/gncircbx1-thumb.jpg

One of the files completely kills your ability to browse the web - IE? Firefox? Opera? Doesn't matter, it'll break them all. Another slaps you down with a lovely slice of virus pie, and if you're insane enough to run everything there just for laughs, well, don't be surprised when your PC slows to a crawl and demands to be put out of its misery.

As of this moment in time, Wayne Porter has attempted to contact the site owners via Email (it bounced due to the mailbox being full) and via their DNS information - so far, no reply. We'll keep you updated on how this one goes...

Hot on the heels of the Botnet caught bundling Zango a few days ago, here's an interesting one I found while lurking in the outermost regions of IRC yesterday...

First off, check out this IRC server. It's fair to say it has a large userbase (at least 16,000 channels!):

http://blog.spywareguide.com/upload/2006/05/btchans1-thumb.jpg

...and with that many users, it's a prime target for Botnet pimping. So with that in mind, let's pick up that Pimp Goblet and get things moving!

Assume...just assume...that IRC is, in fact, full of spammers, viruses, Trojans, haxx0rs and Malware. Then...assume that lots of infected users fire spam messages at you to try and infect you with more garbage, making you a part of that particular Botnet.

Then...assume I was fired a Spam message myself, and decided to have a play with the files....

...and sure enough, that's what happened! At this point, I'd usually show you a screenshot of the infection taking hold of the PC, but the thing about "straight" Botnet installers (ie: minus Adware) is that they aren't much use if they put a big, flashing "Botnet Alert!!!!112" message in the middle of your screen. But what I can show you, is a walkthrough of what this particular nasty actually does.

Suffice to say, this install takes place in two parts, and is run via two different Botnets - the Spam installers come from one source, and the Scanner installers come from another. This is merely a safety precaution - if you lose all your Spam-bots due to being shut down, you still have your "Scanner Bots" (which hunt for exploitable machines), and vice versa. No point rebuilding an Empire from scratch, right?

Now let's examine the state of the Server itself - the view is not pretty. The Admins of the IRC server clearly know about the Bot problems - because I've never seen so many Bot kickers, drone watchers and channels full of infected users being dumped out of channels in my life:

http://blog.spywareguide.com/upload/2006/05/btbanned1-thumb.jpg

As you can see, my IP has been banned from that channel due to the fact it was used when I tested this infection previously - hence, I'm kicked out by a Channel Operator. In addition, I'm not even allowed to enter the other channel (blanked out) - such is the hatred here for Bots. Well, it's understandable.

At this point, I enter one of the (semi-random) channels I know this Bot tries to slip you into from my clean PC...and I wait for my infected test-box to show up. See, this thing works like this: user gets infected, infected PC enters and exits a number of IRC channels and has a particular phrase set as the "away" message. At this point, the away message is Spammed to lots of different users, or is viewable when they look up the infected user's contact info. While I'm waiting for my infected machine to show up, I'm bombarded with what looks like different Bot-spam from anything up to 12 different users within the first 10 seconds of entering the channel. Eventually, my infected PC turns up, and I know for sure that this Botnet is up and running correctly. Of course, all the infected PCs are called things like HOTGURL4YOU, to encourage foolish men to start messaging the Bot like crazy. Which they do....and they then see the away message:

http://blog.spywareguide.com/upload/2006/05/btwhois1-thumb.jpg

Ooh, yes please!! Want to make a guess how many people will fall for this simple bit of social engineering? Sure enough, anyone foolish enough to click the link and execute the - er - executable...will find themselves upgraded to a higher realm of Botnets!

The "higher realm" here means a Botnet that scans networks for specific vulnerabilities to spread itself still further. I know what you're thinking at this point - the story wouldn't be complete without a screenshot of the master infection channel, right? Well, have no fear, because the Ghostman has already predicted your need to see a payoff shot and here it is:

http://blog.spywareguide.com/upload/2006/05/btmaster1-thumb.jpg

Nice!

As a sideline, I should add that I don't just find Botnets and take a bunch of pretty pictures, before leaving them to go look for new ones - appropriate steps are taken to get them shut down where possible. I've since found out this one is also being investigated by another group, and I'll be forwarding the information I've collected here to see if it can be put to good use.

In the meantime, if you insist on navigating the dangerous currents of IRC, think twice before checking out SUPAHOTTIEGURL's latest batch of home-grown pictures, or you may find yourself appearing in my next collection of screenshots!

About this Archive

This page is an archive of recent entries in the Botnets category.
