Christopher Boyd: May 2006 Archives

Hot on the heels of the Botnet caught bundling Zango a few days ago, here's an interesting one I found while lurking in the outermost regions of IRC yesterday...

First off, check out this IRC server. It's fair to say it has a large userbase (at least 16,000 channels!):

http://blog.spywareguide.com/upload/2006/05/btchans1-thumb.jpg
Click to enlarge

...and with that many users, it's a prime target for Botnet pimping. So with that in mind, let's pick up that Pimp Goblet and get things moving!

Assume...just assume...that IRC is, in fact, full of spammers, viruses, Trojans, haxx0rs and Malware. Then...assume that lots of infected users fire spam messages at you to try and infect you with more garbage, making you a part of that particular Botnet.

Then...assume I was fired a Spam message myself, and decided to have a play with the files....

...and sure enough, that's what happened! At this point, I'd usually show you a screenshot of the infection taking hold of the PC, but the thing about "straight" Botnet installers (ie: minus Adware) is that they aren't much use if they put a big, flashing "Botnet Alert!!!!112" message in the middle of your screen. But what I can show you, is a walkthrough of what this particular nasty actually does.

Suffice to say, this install takes place in two parts, and is run via two different Botnets - the Spam installers come from one source, and the Scanner installers come from another. This is merely a safety precaution - if you lose all your Spam-bots due to being shut down, you still have your "Scanner Bots" (which hunt for exploitable machines), and vice versa. No point rebuilding an Empire from scratch, right?

Now let's examine the state of the Server itself - the view is not pretty. The Admins of the IRC server clearly know about the Bot problems - because I've never seen so many Bot kickers, drone watchers and channels full of infected users being dumped out of channels in my life:

http://blog.spywareguide.com/upload/2006/05/btbanned1-thumb.jpg
Click to enlarge

As you can see, my IP has been banned from that channel due to the fact it was used when I tested this infection previously - hence, I'm kicked out by a Channel Operator. In addition, I'm not even allowed to enter the other channel (blanked out) - such is the hatred here for Bots. Well, it's understandable.

At this point, I enter one of the (semi-random) channels I know this Bot tries to slip you into from my clean PC...and I wait for my infected test-box to show up. See, this thing works like this: user gets infected, infected PC enters and exits a number of IRC channels and has a particular phrase set as the "away" message. At this point, the away message is Spammed to lots of different users, or is viewable when they look up the infected user's contact info. While I'm waiting for my infected machine to show up, I'm bombarded with what looks like different Bot-spam from anything up to 12 different users within the first 10 seconds of entering the channel. Eventually, my infected PC turns up, and I know for sure that this Botnet is up and running correctly. Of course, all the infected PCs are called things like HOTGURL4YOU, to encourage foolish men to start messaging the Bot like crazy. Which they do....and they then see the away message:

http://blog.spywareguide.com/upload/2006/05/btwhois1-thumb.jpg
Click to enlarge

Ooh, yes please!! Want to make a guess how many people will fall for this simple bit of social engineering? Sure enough, anyone foolish enough to click the link and execute the - er - executable...will find themselves upgraded to a higher realm of Botnets!

The "higher realm" here means a Botnet that scans networks for specific vulnerabilities to spread itself still further. I know what you're thinking at this point - the story wouldn't be complete without a screenshot of the master infection channel, right? Well, have no fear, because the Ghostman has already predicted your need to see a payoff shot and here it is:

http://blog.spywareguide.com/upload/2006/05/btmaster1-thumb.jpg
Click to enlarge

Nice!

As a sideline, I should add that I don't just find Botnets and take a bunch of pretty pictures, before leaving them to go look for new ones - appropriate steps are taken to get them shut down where possible. I've since found out this one is also being investigated by another group, and I'll be forwarding the information I've collected here to see if it can be put to good use.

In the meantime, if you insist on navigating the dangrous currents of IRC, think twice before checking out SUPAHOTTIEGURL's latest batch of home-grown pictures, or you may find yourself appearing in my next collection of screenshots!

A Tiny Botnet...

| | Comments (2)

...with the potential to turn into a raging beast, or something. Check this out, it's what you might call a "holiday snap" from inside a real-live Botnet, minus the fake tan and short-shorts:

http://blog.spywareguide.com/upload/2006/05/tinynet1-thumb.jpg
Click image to enlarge

The most users this channel has ever had in it at one time is 18. However, the channel had a fair amount of activity in it while I was there...infected users kept dropping in and out at regular intervals. Could be one to keep an eye on.

Of course, what's even more fun than keeping an eye on a Botnet, is trying to get it shut down. Yes, it'll probably just re-emerge somewhere else, but you have to keep these guys on their toes. It's the only way to go...

...or should that be Smileys?

Check out the below site:

http://blog.spywareguide.com/upload/2006/05/dbrdl3-thumb.jpg
Click to enlarge

Looks nice and innocent, right? Mr Smiley of Smiley Central looking all happy and, er, smiley on a website that basically fires you off to various top 100 lists and other "get this now" kinds of places.

Sadly, this website has something nasty lurking in the background - because if you know where to look, the startled expression on Mr Smiley's face is given a whole new meaning. Enter the URL for the super-secret hidden Executable (instead of randomly clicking any of the links displayed onscreen), and...:

http://blog.spywareguide.com/upload/2006/05/dbrdl1-thumb.jpg

Is this an executable I see before me? Looks like it! Run the thing, and before you know it, your desktop is covered with all manner of popups and icons and who-knows-what else:

http://blog.spywareguide.com/upload/2006/05/dbrdl2-thumb.jpg
Click to enlarge

The startled look on Mr Smiley's visage is looking more and more like a horrified grimace, isn't it?

Interestingly, the payload is incredibly similar to the one covered here, minus the Zango installer (though a call is made to Zangocash.com).

Once again, we see friendly smileys subverted and used for the purpose of evil, instead of good.

Whoops.

Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year:say hello to yhoo32.explr, courtesy of FaceTime Security Labs.

Sitting comfortably?

Then let's begin...

Want to see an example of the PM floating around Myspace as blogged by Brian Krebs that eventually leads to a Zango install? Because we've been looking at these bad boys for the last few days too. Good old multi-blog action - nothing finer!

Here you go:

http://blog.spywareguide.com/upload/2006/05/myspzango1-thumb.jpg
Click image to enlarge

The War is Not Lost

|

Lots of people have been pointing me to this writeup, entitled "Have we lost the war" (as you might have gathered!)

There's a lot of talk about what some products do (and don't) do, but the two main extracts are below. From the article:

"Have we really got to a point where users have to admit that they cannot get rid of the spyware infesting their PCs? Why else would we need to create a 'safe' connection before accessing an online bank?"

Well, why not create a safe connection? Isn't that what you're doing when you install Antivirus, Antispyware and a Firewall? Making things inherently safer? So how is applying tighter security some kind of "admission" that we've lost a so-called war?

"Instead of killing off spyware we are learning how to live with it, which makes me think that this battle is almost over."

Again, this is nothing new. We've been "living with Spyware" since forever, so either nothing has changed or the "battle" has been lost from day one. It all sounds a touch self-pitying to me. Either you do something about it or you shut up shop. And if you shut up shop, you can't expect any mercy from the bad guys. take Blue Security - they were recently smashed into the ground by angry Spammers. Well, they waved the white flag and "gave up" - because they didn't want anymore fallout hitting innocent websites. The thing that Blue Security missed, is that the Spammers don't care and have continued to blast them into little pieces (and the innocent bystanders, too).

I'm reminded of the Stones song, "All or Nothing". I'm also reminded of "Street Fighting Man", but mostly because I like the version by Rage Against the Machine. Which is also strangely fitting, come to think of it.

Well, not exactly. We don't have any balloons or men in funny hats - however, you may find this article interesting - it deals with the "local traits" of the US, Europe, China, Russia and more, "local traits" meaning "ability to do nasty things to your PC". According to the writeup, Europe is both attacker and victim, America needs to get a firm handle on where the danger is coming from before it's too late and China's ability to man the walls is severely lacking.

Is it just me, or did they base their study on World War 2?

Joking aside, there's some interesting information presented here:

"...the US does certainly harbour some of the most prolific spammers in the world, as well as the world's three worst ISPs for relaying spam, says Spamhaus."

The depth of Spam coming out of the States is not widely known by Joe Public, and it always seems to come as something of a surprise to them. In addition:

"The most recent figures from MessageLabs suggest almost one-fifth (18.1 per cent) of all compromised machines are located in the US - and it's a fair bet, based on recent police investigations, that many of those doing the infecting are also US-based."

Whoops.

China leads the way in attack volume, with the others playing catchup. Meanwhile, Russia slides down the table with less than 2% of attacks last year and the Middle East is mentioned in connection with Spyware. I have some personal experience of this, and I have to say - those guys are a tough nut to crack.

All in all, a good writeup - however, I'd like to have seen more detail. Some specific examples of what each region gets up to, maybe, or how about some anecdotal evidence. I'd also love to know what kind of actvities are going on in Korea, but that's a whole other ball game...!

I got this lovely missive in my mailbox a few days ago:

Tired of being scammed?
Tired of servers downtime?
Tired of high latency?
Being Blocked or Blacklisted too fast?

FORGET ABOUT THAT!
Get rid of asian datacenters and choose a better Spam friendly solution with us.We have the latest development in Bulletproof Webservers that will
handle your high complaint loads.

Contact us for pricing!
-----------------------------
ICQ #:
MSN Messenger:
AIM:
yahoo:

Botnet Hosting Servers
-------------------------------
5 Ips that changes every 10 minutes (with different ISP)
Excellent ping and uptime.
100 percent uptime guarantee. Easy Control Panel to add or delete your domains thru webinterface.
Redhat / Debian LINUX OS.
SSH Root Access.
FTP Access.
APACHE2 PHP CURL ZEND MYSQL FTP SSH.

We have Direct Sending Servers, and we also do Email Lists Mailings.

Spam friendly and Botnet hosting? Oh, dream come true! With that in mind, I decided to check out their website - not a good start, it was offline and the email address kept bouncing. Three of the four IM addresses didn't seem to work and we nearly had no writeup, but with the last address I tried...

No, not Teri Hatcher firing out hundreds of emails about the latest crazy goings-on in her street, but rather an individual by the name of "Gena Elmore" trying to scare people and failing miserably. As you can see here, the bad guys are becoming increasingly rattled by the steps taken to shut them down, drown them out and make them play fair. I'm not sure if anyone fell for their bullish tactics...have a look and see what you think.

By the way, I'd point you to the Blue Security blog, but it's currently down because of DoS attacks...!

Sanford Wallace is the guy responsible for plastering alarming messags across end-user's desktops, related to a hijack called Spy Wiper and Spy Deleter. As you might have guessed, he's now in a whole world of trouble with the FTC. For more information on Sanford (and his, er, lovely nickname) click here. For the full list of "really bad things" (TM) done in the name of mass emailing and Spyware pushing, check out the page on the FTC website. Notable quotables?...

"A default judgment against Wallace and Smartbot.Net orders them to give up $4,089,500 in ill-gotten gains. "

"Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains."

...ouch...

For more coverage on this issue check out Steve Shubitz at Stopscum.com He even has some of
Sanford's most treasured posts.

...security, according to this article. Well, no surprise there - but with that in mind, perhaps you'd like to check out the all new Jobs Section?

You'd think I'd be pleased about software telling you what it's going to do. However, sometimes there's a little too much information for the end-user to digest. Imagine my surprise at the following install, then, where the end-user has to sit through four EULAs, including two Zango agreements which could potentially conflict with one another! Sitting comfortably? Then let's begin...

Click image to enlarge

"Rubberfaces" is an application which takes pictures of celebrities and fires them around the screen, distorting their features in a humorous fashion. However, the real action takes place when you're attempting to install the thing. Firing up the executable presents you with the above EULA. Clicking "Next" brings you to a "MySearch" EULA box:

Click image to enlarge

About this Archive

This page is a archive of recent entries written by Christopher Boyd in May 2006.

Christopher Boyd: April 2006 is the previous archive.

Christopher Boyd: June 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.