Botnets: June 2006 Archives

Sometimes, I'm amazed at the ease with which it's possible to create a Botnet Empire. Don't believe me? Well, check out the screenshot below, obtained by a colleague of mine in a random IRC chatroom:

Screenshot: http://blog.spywareguide.com/upload/2006/06/alxdr1-thumb.jpg

Now, you would hope people wouldn't fall for this.

I am afraid you would be totally, utterly wrong. Check this out: it's the page hosting the infection file. The novel aspect here is that it's a webhosting page that shows how many times the file has been downloaded. Now, it's reasonable to assume that almost all the people who were naive enough to download the file would also be naive enough to run the thing. Screenshot time:

Screenshot: http://blog.spywareguide.com/upload/2006/06/alxdr2-thumb.jpg
Screenshot: http://blog.spywareguide.com/upload/2006/06/alxdr3-thumb.jpg

Downloaded 375 times in 2 days.

Downloaded 380 times in 10 days.

...amazing. That's 375 brand new drones for some random Botnet owner, in only two days.

The download rates drop sharply after the first few days. Why is this? Well, they don't need to keep injecting the link into chatrooms to infect new boxes. They can simply use the drones they already have to scan new machines for vulnerabilities instead.

You probably noticed that on the hosting page, they even tell you what the file is likely to do:

EXE:

EXE (short for 'executable') and COM are the common filename extensions for denoting an executable file (a program) in the MS-DOS, Microsoft Windows, and OS/2 operating systems. Generally, "exe" may be used as a noun to refer to such a file.

...and yet, people will still run it. Whoops.

As for the Botnet itself, I imagine you probably want to see it, yes? Well, today is your lucky day. We skipped the boring part where I download and run the file, as that's not particularly interesting to watch. What is interesting is seeing how these guys use some common tricks of the trade to convince the infected user that there's "nothing to see here".

At this point, I've run the executable and a new folder has "mysteriously" appeared in the System32 folder.

It's movie time...

Video: flmtckr1.jpg (7.00 MB Flash file)

Timeline:

00:00 to 00:08 seconds: We're looking at the folder dumped onto the system shortly after the Alexander file is let loose on the PC. Check out those file names...svchost.exe? With a mIRC icon? Sorry, that's just too suspicious! Ignoring the other files (which point to the relevant servers hosting the Botnet channel, pre-determined user nicknames and the like), I click the file to open it up. Whoops - it doesn't like that, as you can see. A small, minimised box appears in the extreme top-right-hand corner of the screen, before vanishing (blink and you'll miss it!)

Again, I try - doh! We could be at this for a while.

00:10 to 00:12 seconds: Thankfully, this isn't a particularly difficult problem to resolve. See that file, "close.dll"? Think the name is a bit of a major clue? Well, you'd be right. Deleting the file means you can click on svchost.exe and it'll stay open - open it up, and...

00:13 to 00:18 seconds: Ah, a minimised IRC Channel! Shall we open it up? Yeah, let's do this thing. In Mystery Box Number 1, we have...

00:19 to 00:28 seconds: Botnet Central! I love the message:

"Please part because this is a private channel"

...no kidding! Perhaps you shouldn't be dumping people into a Botnet then?
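A defender's take on the dropped folder walked through in the timeline above, as an added example that is not part of the original post: given a file listing of System32 (a constructed sample here, with a placeholder name for the bot folder, since the post does not give the real one), it flags any svchost.exe living outside its canonical directories and any System32 subfolder whose contents all landed together inside the investigation window.

```python
from collections import defaultdict
from datetime import datetime

# Canonical homes of the genuine Windows svchost.exe (assumes a default C:\WINDOWS install).
LEGIT_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample listing modelled on the post: (path, last-modified time).
# BOTDIR_PLACEHOLDER stands in for the bot's folder name, which the post does not give.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\svchost.exe", "2004-08-04 12:00:00"),
    (r"C:\WINDOWS\system32\kernel32.dll", "2004-08-04 12:00:00"),
    (r"C:\WINDOWS\system32\drivers\etc\hosts", "2004-08-04 12:00:00"),
    (r"C:\WINDOWS\system32\BOTDIR_PLACEHOLDER\svchost.exe", "2006-06-12 21:14:03"),
    (r"C:\WINDOWS\system32\BOTDIR_PLACEHOLDER\close.dll", "2006-06-12 21:14:03"),
    (r"C:\WINDOWS\system32\BOTDIR_PLACEHOLDER\servers.ini", "2006-06-12 21:14:05"),
]

def _split(path):
    """Lower-cased (directory, filename) pair for a Windows path."""
    d, _, name = path.lower().rpartition("\\")
    return d, name

def masquerading_svchost(listing):
    """A 'svchost.exe' anywhere but its canonical directories is a red flag: the bot
    reuses the name of a trusted Windows process hoping it blends into Task Manager."""
    hits = []
    for path, _ in listing:
        d, name = _split(path)
        if name == "svchost.exe" and d not in LEGIT_SVCHOST_DIRS:
            hits.append(path)
    return hits

def fresh_system32_bundles(listing, since, window_seconds=60):
    """Subfolders of System32 with two or more files modified after `since` and all
    written within `window_seconds` of each other: a folder dumped in one go."""
    since_t = datetime.strptime(since, TS_FMT)
    by_dir = defaultdict(list)
    for path, ts in listing:
        t = datetime.strptime(ts, TS_FMT)
        d, _ = _split(path)
        if t >= since_t and d.startswith(SYSTEM32_PREFIX):
            by_dir[d].append(t)
    return sorted(d for d, times in by_dir.items()
                  if len(times) >= 2 and (max(times) - min(times)).total_seconds() <= window_seconds)
```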

In any case, you can see the channel is packed with people - sorry, drones - and from there, the aspiring Bot Master can do a wide variety of not-so-lovely things to pretty much anyone he pleases. Remember, once they control the computer, what they can do is limited only by their imagination. We are actively working on getting this Botnet shut down...with any luck, it'll be out of the picture within a few days at most. Fingers crossed...

On a side note, my colleague Wayne Porter and I have been developing some new "top secret" methods to identify and knock out these rogues (that's why we are a lab, remember?). It has grown into a far deeper and more complex research project than we imagined, but it may produce some startling new ways to combat the menace at large...

I recently came across an installer file being pushed in a Botnet - nothing new there, but it serves up an interesting take on how Adware companies need to make sure that it's not just their software springing up in hijacks - it's their websites, too.

In this case, the Zango.com website is popped open on the user's desktop (ignore the box mentioning Poker, that's from a different popup):

Screenshot: http://blog.spywareguide.com/upload/2006/06/zangobbs1-thumb.jpg

...this is what's known in the trade as "strangeness incarnate". Usually someone will try to install something so they can make money. Simply popping open the Zango.com website doesn't seem to point to any financial gain, unless the person behind it gets a cut of the profits from the clips on that page. But that would also be stupid, as it wouldn't be too hard for the Zango people to then find out who stuck what movie files where on their website. Plus, I'm under the impression that Zango themselves are responsible for placing the video clips on Zango.com anyway.

I ran the infection again, and who should pop up in the next barrage of adverts but Bestoffers Network (another name for Direct Revenue):

Screenshot: http://blog.spywareguide.com/upload/2006/06/zangdrpop-thumb.jpg

...whoops. As for what's installed, it's the usual (rather popular) mish-mash of files from WebHancer, Dollar Revenue, SurfSidekick and Toolbar888, which is apparently a Maxifiles variant. I've spoken about Maxifiles in relation to Direct Revenue many times. At any rate, here's a screenshot:

Screenshot: http://blog.spywareguide.com/upload/2006/06/zangfiles-thumb.jpg

Nice collection!

Of course, it goes without saying that the PC is hosed shortly after the install:

Screenshot: http://blog.spywareguide.com/upload/2006/06/zangdrpop3-thumb.jpg

...ouch. Still, at least the hijacked end-user will have no shortage of Smileys to play with, pills to take and celebrity videos to watch while smoke starts to pour out the back of their monitor. All in all, I'd say that's a pretty good tradeoff...!

Every now and again, I see people firing URLs into chat-rooms - and this particular link (from an anonymous tip-off) would lead me to a rather unusual destination. It's one of the oddest Botnet escapades I've seen in a while.

Our tale begins with me downloading and running an executable I'd been informed about. In case you're wondering (and you probably are), they've cunningly disguised it as a movie file:

Screenshot: gncinffile1.jpg

...clever, eh? Well, not really. But you'd be amazed how many people will fall for something like this. And seeing how Botnets are flavour of the month around here at the moment, I thought I'd have a poke around this little operation and see what I could find. You'll never guess where this one ends up though...

Screenshot: http://blog.spywareguide.com/upload/2006/06/welcomegnc-thumb.jpg

...and we're in! A small-to-average-sized net, as you can see from the numbers in the picture. Checking out the first channel didn't really bring up anything interesting - just the usual Botnet channel scanning for vulnerabilities:

Screenshot: http://blog.spywareguide.com/upload/2006/06/gncchan1-thumb.JPG

Nothing to see here then, right?

Wrong. Because we still have one channel left, and it's the channel that's going to confirm the relation between the random URL link from my tipoff and this particular Botnet:

Screenshot: http://blog.spywareguide.com/upload/2006/06/gncchan2-thumb.jpg

Now, deciding to investigate further, I went and checked out the site that this thing came from. Usually it's an otherwise empty "holding page", or a site advertising pills of some description - imagine my surprise, then, when I saw that the site hosting this thing was...

Screenshot: http://blog.spywareguide.com/upload/2006/05/gncforum-thumb.jpg

Yep, a popular forum (3,500 or so users!) about Christianity.

Of course, it's entirely possible that the site could have been hacked and a single file has been dumped there, randomly. It happens all the time. However - go back a step and check out the directory that the executable is sitting in:

Screenshot: http://blog.spywareguide.com/upload/2006/05/gncfiles-thumb.jpg

Oh noes!

A whole pile of extremely nasty files. In addition, this directory has nothing to do with the forum, so someone has some pretty high-level access going on there.

Worse still, the first file appeared on the 26th December 05...and we know what day comes before the 26th, right? And files kept being added right up until the 25th May 06.

So, we have a pile of nasty files, all sitting in a directory hidden behind a religious interest forum, with some of the files being used in a mini-Botnet Empire.

Did I mention the files were nasty?

Oh, yes indeed.

Some kick IRC into life in a vaguely obvious "you've been jacked" kind of fashion:

Screenshot: http://blog.spywareguide.com/upload/2006/06/gncircbx1-thumb.jpg

One of the files completely kills your ability to browse the web - IE? Firefox? Opera? Doesn't matter, it'll break them all. Another slaps you down with a lovely slice of virus pie, and if you're insane enough to run everything there just for laughs, well, don't be surprised when your PC slows to a crawl and demands to be put out of its misery.

As of this moment in time, Wayne Porter has attempted to contact the site owners via email (it bounced because the mailbox was full) and via their DNS contact information - so far, no reply. We'll keep you updated on how this one goes...

About this Archive

This page is an archive of entries in the Botnets category from June 2006.
