Recently in Botnets Category

Pastebin Botnets?

I've always been interested in Botnet research, and a piece of code in circulation on forums at the moment seemed interesting enough to write about. The subject is "Pastebin Botnets", but first we'd better talk a little bit about Pastebins...

Pastebins - what are they?

From Wikipedia:

A pastebin, also known as a nopaste, is a web application which allows its users to upload snippets of text, usually samples of source code, for public viewing. It is very popular in IRC channels where pasting large amounts of text is considered bad etiquette. A vast number of pastebins exist on the Internet, suiting a number of different needs and provided features tailored towards the crowd they focus on most.

Pastebins have become very popular in certain hacking communities, where quick and easy sharing of a target's personal information ("Dox") is perfectly at home in the world of pastebins.

pbinbot1.jpg

That's for another writeup, but at least we now have a decent idea of Pastebins and how easy they make things where rapid sharing /storage of data is concerned.

What does this have to do with Botnets? Well, over the past week or two I've seen a piece of code floating around on various forums that (according to the author) has the potential to be used in conjunction with a Pastebin to issue commands to a Botnet. I'm not aware of pastebins being used for issuing Botnet commands (though of course that doesn't necessarily mean it's a new technique) and was curious to see if this is indeed something relatively new or a method that's been around for a while.

Why is a Pastebin Botnet a good idea for a Botnet owner?

In a nutshell, the Botnet owner can post Botnet drone commands quickly and without fuss to a Pastebin page (your "Botnet Hub"), and the drones will carry out those commands.

Web based Botnets have been all the rage for some time, as they're usually harder to detect than the rather obvious IRC traffic of old. There are some other advantages, too - Pastebins are plentiful and the main sites (such as Pastebin.com) are rarely offline.

In addition to this, you don't have to waste time setting up webpages & hosting accounts while hoping your host doesn't shut you down - it's simply a case of cutting and pasting text onto a Pastebin. If your page dies, it takes seconds to start again (as a sidenote, there's an interesting recent post here regarding the use of RSS feeds in conjunction with Pastebins to issue commands to Botnets from changing locations which is pretty smart).

As you can see then, Pastebins appear to be a bit of a hot topic for people discussing Botnets at the moment and a clever spin on web based Botnets in general. So how does it work?

Ye Olde Disclaimer

Although the idea behind it is sound, it seems the code doing the rounds on various forums (written in Perl) is "proof of concept" and would need more work before it could run a fully formed Botnet. Despite this, according to the creator it can already read pastebin posts for text (which is then used to issue commands to the Bots), post to the previously mentioned "Botnet hub", post to its own individual private pastebin, and get the latest post by the botnet owner.

Here's a few screenshots of said code:

pbbnet2.jpg


pbbnet3.jpg

The idea of using Pastebins in this way is a clever one - I've seen people post Bot drone code (which needs compiling in an external application) to Pastebin pages for "storage" many times (in much the same way people post "dox" to pages for safe keeping), but this is the first time I can remember seeing someone thinking about using a Pastebin itself to act as a kind of Command & Control center for a Botnet.
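A drone that treats a Pastebin page as its hub has to keep re-fetching that page to pick up new commands, which is what gives it away at the gateway. The script below is an added, defender-side example (it is not the Perl code from the forums and not part of the original post): it reads a constructed web-proxy log and flags internal hosts that fetch the same pastebin URL at near-constant intervals, plus pastes that several hosts share. The log format, the pastebin host list and the sample lines are all assumptions made for the example.

```python
"""Flag internal hosts that poll a pastebin page on a timer.

Added, defender-side example for this post: it is not the Perl code
from the forums. A drone that uses a pastebin page as its command hub
must re-fetch that page periodically, so from a web proxy the signature
is one client requesting the same pastebin URL at near-constant intervals,
and several clients sharing one such URL. Log format, host list and the
sample lines are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed pastebin domains; extend with whatever services show up in your logs.
PASTEBIN_HOSTS = {"pastebin.com", "pastebin.ca", "pastie.org"}

# Constructed proxy log, one request per line:
# "<ISO timestamp> <client ip> <method> <url> <status>"
SAMPLE_LOG = """\
2009-06-01T10:00:00 10.0.0.5 GET http://pastebin.com/raw.php?i=abc123 200
2009-06-01T10:00:02 10.0.0.7 GET http://www.example.com/news 200
2009-06-01T10:05:01 10.0.0.5 GET http://pastebin.com/raw.php?i=abc123 200
2009-06-01T10:07:30 10.0.0.7 GET http://pastebin.com/raw.php?i=zzz999 200
2009-06-01T10:10:00 10.0.0.5 GET http://pastebin.com/raw.php?i=abc123 200
2009-06-01T10:15:02 10.0.0.5 GET http://pastebin.com/raw.php?i=abc123 200
2009-06-01T10:20:00 10.0.0.5 GET http://pastebin.com/raw.php?i=abc123 200
2009-06-01T11:42:10 10.0.0.7 GET http://pastebin.com/raw.php?i=zzz999 200
2009-06-01T12:00:00 10.0.0.9 GET http://pastebin.com/raw.php?i=abc123 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, url, status)."""
    ts, client, method, url, status = line.split()
    return datetime.fromisoformat(ts), client, method, url, int(status)


def is_pastebin(url):
    """True when the URL's host is, or is a subdomain of, a known pastebin."""
    host = (urlsplit(url).hostname or "").lower()
    return host in PASTEBIN_HOSTS or host.endswith(
        tuple("." + h for h in PASTEBIN_HOSTS))


def pastebin_hits(log_text):
    """Group successful GETs to pastebin URLs as {(client, url): [timestamps]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = parse_line(line)
        if method == "GET" and status == 200 and is_pastebin(url):
            hits[(client, url)].append(ts)
    return hits


def find_pollers(log_text, min_hits=4, max_jitter=0.2):
    """Return {(client, url): mean interval in seconds} for clients whose
    fetches of one pastebin URL recur with low jitter (stdev/mean <= max_jitter).
    A person pasting snippets does not produce evenly spaced requests; a bot
    sleeping between polls does."""
    findings = {}
    for key, times in pastebin_hits(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = round(avg)
    return findings


def shared_hubs(log_text, min_clients=2):
    """Return {url: distinct client count} for pastebin URLs fetched by several
    internal hosts: one paste read by many machines is the 'hub' pattern."""
    clients = defaultdict(set)
    for (client, url) in pastebin_hits(log_text):
        clients[url].add(client)
    return {url: len(c) for url, c in clients.items() if len(c) >= min_clients}


if __name__ == "__main__":
    for (client, url), secs in find_pollers(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{secs}s")
    for url, n in shared_hubs(SAMPLE_LOG).items():
        print(f"{url} read by {n} distinct clients")
```

On the sample log, 10.0.0.5 is reported as polling the abc123 paste every ~300 seconds, and that paste is also flagged as read by two distinct hosts; the single visits by other clients are ignored.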

If you've seen this technique before, feel free to share your thoughts in the comments - it's certainly one of the more interesting Botnet ideas I've seen in a while.

The SOL Botnet(s)

Over the last week or two, we've seen a couple of Botnets running infection files we haven't come across before. With a little further research, we discovered the tool used to create these Botnets, and were able to learn a little bit more about these new nets.

The SOL Botnet system allows you to control up to 100 drones at a time, and (as you'll see) uses UDP to perform DDoS attacks against a target of your choosing. In addition, there are paid-for versions (so far, unreleased) that supposedly allow control of up to 200 drones at a time, Windows XP product key theft, "huge bandwidth attacks" through image spamming and "lifetime support".

Nice.

Shall we take a look at the SOL Botnet creation tool? Let's start by grabbing a snapshot of what our budding Botnet builder will see on their desktop:

solbtnt1.jpg

I guess they're supposed to be circuit boards or something - almost reminds me of Tron. As with most hacking related creation tools these days, the emphasis is on being idiot proof and easy to use. Owning a Botnet has never been simpler - just fire up the Builder, and...

solbtnt2.jpg

Easy as pie. Enter the IP address you want your rogue executable to connect to (usually, this would be your own IP address via a service like no-ip, so you can control your drones) and your file pops into life with yet another funky looking icon:

solbtnt4.jpg

Let's look inside the code.

Note the fake error message in the first line, and the wonderfully charming "you got owned" message further down (with nifty swear word removed):

solbtnt5.jpg

As you can see, "Winservice.exe" is going to end up in the System32 Folder, assuming the victim can be convinced to run the file (which usually isn't too hard).

This is the fake error message our unwilling Botnet participant will see if they run the file:

solbtnt6.jpg

...and here's the "Winservice" file, now resident and active in the System32 Folder:

solbtnt7.jpg

At this point, we move back to the attacker who has fired up the Admin console. Note our test drone is now connected to the person controlling the Botnet:

solbtnt8.jpg

Simply enter the ip address of your target, hit "send" and...

solbtnt9.jpg

...the attack is underway, ending (logically enough) when you hit the "Stop" button.

Compiled on 15/03/09, this is probably the most straightforward Botnet creation tool we've seen - I imagine there'll be quite a few SOL nets out there over the coming weeks / months.

Even so, there are a few drawbacks for wannabe net owners - specifically, having to register a number of files in order to run the Admin console. It might not sound like much, but you'd be surprised how many leet kids give up their life of E-Crime when faced with an array of .OCX files and Windows directories.

Thank goodness...
Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homer's email address. Of course, Simpsons fans galore with net access immediately added "Chunkylover53" to their AIM contact list. As this article points out...

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

What's interesting here is that as far as I'm aware (and please, correct me if I'm wrong), the AIM screen-name "Chunkylover53" is not necessarily connected to the "official" chunkylover53@aol.com email address - anyone could have set up that AIM screen-name, using whatever email address they feel like. However, people will naturally add "Chunkylover53" to their AIM accounts thinking it will be the "real" Homer. This is where the problems set in.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

kimya0.gif

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file called "Kimya.exe", about 150kb in size, and it looks like this:

kimya1.jpg


Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

kimya2.jpg


...a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

kimya3.jpg


kimya4.jpg


From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

rootkitkim.jpg


Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

kimyabots.gif


...awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICANN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

kimya66.gif


...and it currently advertises a link for a dating website:

chunkyaway.jpg


We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control, or indeed, related to what you're looking for in the first place.

We detect this infection as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Fast Track to Botnet Central

It's true, you too can finally get into the botnet you always wanted. Finally, the ability to be a zombie computer under some loser's control is yours!

Seriously though, becoming a victim of a hacker's botnet is incredibly easy. These attacks are not typical of other forms of destruction found on the internet. Their true intent is usually to remain hidden from view until called upon. In the case of FastTrackBot, however, there is a new objective. FastTrackBot downloads several executable files that keep your computer clicking on the attacker's affiliate links. These executable files keep the webpages in hidden iexplore.exe windows in order to hide the application from suspicious eyes. If you're using X-Cleaner, I suggest you take a look at the Expert Tab. The Show All Hidden Windows function is great for showing you exactly what is open at the time.


replace ad.png

FastTrackBot phones home to several of these sites in order to keep the user clicking through affiliate links.

Aside from creating invisible windows to hog your bandwidth, it also attempts to install a rogue anti-spyware application. This is a popular technique for defrauding the victim into leaking credit card information when they attempt to purchase the fake product. FastTrackBot inserts a fake security center that appears identical to the one found in Windows XP.

securitycenter.png

As you can see in the address bar, this is not the actual security center. Clicking anywhere on this window means almost certain doom in the worst way possible... a never ending stream of fake "YOU ARE INFECTED!!!!" alerts.

infect.png

In order to kill the actual application, you have to remove it from memory first, then remove its autostart, which is found in 5 different locations - or simply remove it with our free Microscanner.

"This is going to be the ultimate tool to take down a webserver of our choosing. I need you guys help distributing it." - The creator of the below Botnet and related executables

Here's an interesting (and particularly unpleasant) Botnet. While building out the net, the creator posted this to a forum:

"This is a screenshot of me testing the program against Google, using 1 bot. As you can see, the loop speed of the program is so fast that it's downloading at an incredible speed. According to NetLimiter, this bot was downloading from Google at almost 4 times my connection line speed max, and uploading over 40kb faster than my max line speed."

A few revisions later, and the botnet is ready to roll. This Botnet is highly unusual in that the creator is freely advertising its services from both his website and inside downloadable zips of the infection executables - absolutely anyone can jump into the IRC Channel and give commands to the Bots. See where that whole "Infinite Ringmaster" thing comes into play now? In this net, everybody is famous for 15 minutes (or until their Bots stop bombing websites, whichever comes first).

The infection files themselves are disguised to look like hacking programs - anyone considering jumping on the hacking bandwagon and running any of the following:

hbt1.gif

...will quickly find themselves dumped into the Botnet as a drone.

The text from the supplied Readme is as follows:

********** IRC v2.0 by **********

For you fools out there, don't run the EXE. That is the file that you pass around to the victims.
This is an IRC BOTNET. You must connect to the IRC server listed below to be able to access these bots.
This new version is a very powerful HTTP bomber, as you may have seen from the screenshot I posted.

This version also contains the capability of self updating.
I've done my best to hide this program from AV's by using EXE packers.

YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT

*instructions for issuing commands removed*

For example: You want to bomb www.google.com. Go to that site in your browser, and find the path of an image hosted on the site. For www.google.com, their main logo is www.google.com/intl/en_ALL/images/logo.gif

It is CRUCIAL that you DO NOT type http:// into the address that you are bombing. The colon : in the http:// will disrupt the bots data parsing technique and could possibly crash the bot.

So, if you wanted to bomb google, 10,000 times, you would type to the bots this command

*bombing instructions removed*

=============================PLEASE NOTE=============================
The bots WILL TELL YOU when they are done with the last accepted
command! Do not flood the bots!
=====================================================================

The rest goes into detail about the function of the executables, the server to join, channel information and the password to enter the channel correctly. Of course, posting your Botnet login data like this is a crazy thing to do, because you're practically begging for people to enter the channel who don't know what they're doing and start screwing up on a grand scale.

Inexperienced botnet wielders can quite easily start breaking lots of things they might not have even intended as targets. And how many of them (when frustrated by their inability to control the bots) will simply start using the details to attack Google as detailed in the readme? It's unlikely this would cause any problems for Google, of course - however, the intention here seems to be to jam as many people into the pilot seat as possible and have them fire at will.

Never a good thing, especially when the Botnet owner himself is apparently feeling the strain as seen in his, er, welcoming message to visitors:

http://blog.spywareguide.com/upload/2008/02/angry_botnet_guy-thumb.gif

...charming. As the executable files are being promoted on forums with up to 2000+ members (with the intention that they go out into the wide blue yonder and try to trick people into running the infection files) it could spread very quickly.

We detect this infection as HTBomber.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from http to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one, and I would suggest paying particular attention to how anonymizers, like Rodi and / or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven... in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


Botnet Basics


Just in case you're not too familiar with the basics of what a Botnet actually is, you might want to check out this video over at EWeek. It's about five minutes long, and a nice introduction to all things Botnet.

The body of work of our friends at CastleCops is truly groundbreaking, and it has always been a pleasure to collaborate and exchange knowledge with Paul Laudanski, Microsoft MVP Windows-Security, on his projects into malware and phishing research. They will soon be giving away over $130,000 in donations from companies who recognize how valuable CastleCops and their body of volunteers have been to the Net. We have had the honor to work with them over the years and wish them continued success.

FaceTime supports independent efforts like CastleCops.com because they mirror facets of our own research philosophy, recognizing the value of talking to Netizens, listening to clients and participating in the community at large.

Internet security is a vast problem that is not only technological in scope, but social as well. Social problems - by their very nature - are often best tackled by businesses and people working together. Leaders like Paul Laudanski are important catalysts in driving communities which create venues for open dialogue, frank conversation and education. We are grateful to have the opportunity to contribute.

Learn more about CastleCops.com, their 5-year anniversary celebration, and the various prizes made available to members. It is a great place to learn more about computers, security in general, and to be a part of the security community. Their achievement is a glowing testament on the impact motivated individuals, working together toward common goals, can achieve. From training their volunteer staff in anti-malware, phishing, and rootkit academies and through additional services, including forums, news, reviews, and continuing education CastleCops is a genuine and valuable resource for all.


More from CastleCops.com.

Brian Krebbs at Washington Post reports.

Colleague Bill P. of WinPatrol.

More coverage at:

MarketWatch.com

MorningStar News

Forbes.com

I have just returned from Affiliate Summit West 2007, where I went scouting the current state of advertising, ethics, and what the future holds for people. I will have more on that later. I will say that giant waves seem to be rippling under the surface, and *maybe* in the direction of cleaning up some of the problems... no miracles are in sight, but I saw some positive signs for a change.

With that jaunt over I have to dig in to grab a day or two of rest and then prepare for the RSA show with colleague Chris Boyd...Want to meet him? Now you can! He might do an autograph, conduct a symphony, or show you cool bow staff fighting skills as a bonus. He really CAN do that kind of stuff.

I wanted to take a moment here at the labs to cordially invite you to meet up with us at the RSA conference in San Francisco Feb 5-9. Yes- spend some facetime with FaceTime Communications, the leading provider of solutions for securing and managing instant messaging, peer-to-peer file sharing and Web-based greynets.

Where will you all be?

We will have folks at Booth #2537. Paperghost and I will be there and perhaps other places too...skulking about, being a general menace, and the usual things we do at events- look around, talk to people, and try to snag food.

What is RSA?
Recognized as the largest IT security conference and expo, RSA Conference 2007 is a must-attend event. With a variety of conference tracks to select from, you'll learn strategies to address today's information security problems, and gain insight into the issues of tomorrow. FaceTime is presenting not one, but two presentations for your enjoyment.

Presentation One

February 7th, 9:10 AM - 10:20 AM
Session Code: 2069
Botnet Live: Tracing, Chasing and Building the Case to Bust the Bad Guys
Speakers Chris Boyd and Wayne Porter, FaceTime Security Labs

jan07_rsa_poster.gif

This presentation is by Wayne Porter (yours truly) and led by the kung-fu style malware fighter Chris Boyd, a.k.a. PaperGhost; we work in the labs doing all kinds of things you normally would not think about. For a little background on some of this, I strongly suggest you check out the podcasts we did a few months ago, because they set the stage for just how incredible the cascade of events can become when you follow the story deep, deep into the abyss. We will also talk a bit about social media, the importance of being out in the field, economics and actually talking to people. Chris, who is a masterful storyteller, will give you a pretty amazing tour of the underbelly.

The Podcasts

Teaser Cast

Spyware Warriors and the Digital UnderGround Podcast: Part 1 and Part 2.
You can even download them into mp3 format and listen on the go.

Next Up....Our CEO in this Peer2Peer session....

February 7th, 12:30 PM - 1:20 PM
Session Code: P2P-204B
Skype and IM at the Office: User's Birthright or Security's Death Sentence?
Moderated by FaceTime President and CEO, Kailash Ambwani

jan07_rsa_poster_kailash.gif

Kailash, our CEO, while perhaps not as dashing as we research types in the drawn form you see before you, knows his stuff when it comes to business communications, and when you get a title with "Birthright and Death Sentence" in one line... well, how can you not be intrigued? Given the rapid adoption of VoIP and IM, this is a must attend panel - especially if you want to understand some of the legal ramifications and understand the nature of greynets: when good can be bad, and bad can sometimes be good. It is all a matter of perspective and policy.

Want to meet other FaceTimers? Check in at booth #2537 to see demos of our products and solutions, including the recently announced FaceTime Internet Security Edition, which includes our award-winning RTGuardian appliance; you can find more about it on the FaceTime Security Products Site.

This is a bit of a pitch, so you are warned, but this is what we do: we combine core gateway security capabilities such as Web filtering and anti-spyware with security for today's greynet applications on a single platform with common policy and management. The FaceTime Internet Security Edition reduces complexity and increases efficiency of the enterprise security infrastructure to reduce overall total cost of ownership. Demonstrations of our flagship instant messaging security and compliance solution, FaceTime Enterprise Edition, will also be available. Why the big deal? FaceTime Enterprise Edition helps organizations meet the new eDiscovery regulations (here for whitepaper) for electronic communications that went into effect December 1, 2006.

So please be our guest we would love to meet you. You can even attend the RSA Conference 2007 Expo compliments of FaceTime. Just register at http://www.rsaconference.com/2007/us/ and use code EXH7FAC for your FREE Expo Pass - a $100 value!*

We hope to see you there!

* You must pre-register before February 2, 2007 for your FREE Expo Pass. Make a note of it!

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

About this Archive

This page is an archive of recent entries in the Botnets category.
